diff --git a/.bazelversion b/.bazelversion
index 93c8ddab9..eab246c06 100644
--- a/.bazelversion
+++ b/.bazelversion
@@ -1 +1 @@
-7.6.0
+7.3.2
diff --git a/.github/actions/artifact_download/action.yml b/.github/actions/artifact_download/action.yml
index e3cf3d1f8..148adc258 100644
--- a/.github/actions/artifact_download/action.yml
+++ b/.github/actions/artifact_download/action.yml
@@ -28,7 +28,7 @@ runs: run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT" - name: Download the artifact
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ inputs.name }} path: ${{ steps.tempdir.outputs.directory }}
diff --git a/.github/actions/artifact_upload/action.yml b/.github/actions/artifact_upload/action.yml
index 2ef3e85a8..50974a9fd 100644
--- a/.github/actions/artifact_upload/action.yml
+++ b/.github/actions/artifact_upload/action.yml
@@ -69,7 +69,7 @@ runs: done - name: Upload archive as artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: ${{ inputs.name }} path: ${{ steps.tempdir.outputs.directory }}/archive.7z
diff --git a/.github/actions/build_cli/action.yml b/.github/actions/build_cli/action.yml
index 8daf1e0d3..87fd1d055 100644
--- a/.github/actions/build_cli/action.yml
+++ b/.github/actions/build_cli/action.yml
@@ -79,7 +79,7 @@ runs: # once it has the functionality - name: Install Cosign if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
- uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - name: Install Rekor if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' 
diff --git a/.github/actions/build_micro_service/action.yml b/.github/actions/build_micro_service/action.yml index 84813d865..e7da91e77 100644 --- a/.github/actions/build_micro_service/action.yml +++ b/.github/actions/build_micro_service/action.yml @@ -42,7 +42,7 @@ runs: - name: Docker metadata id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | ghcr.io/${{ github.repository }}/${{ inputs.name }} @@ -62,7 +62,7 @@ runs: - name: Build and push container image id: build-micro-service - uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: context: . file: ${{ inputs.dockerfile }} diff --git a/.github/actions/cdbg_deploy/action.yml b/.github/actions/cdbg_deploy/action.yml index a51c54b6a..b82a67226 100644 --- a/.github/actions/cdbg_deploy/action.yml +++ b/.github/actions/cdbg_deploy/action.yml @@ -61,7 +61,7 @@ runs: - name: Login to AWS (IAM service principal) if: inputs.cloudProvider == 'aws' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM aws-region: eu-central-1 @@ -80,7 +80,7 @@ runs: - name: Login to AWS (Cluster service principal) if: inputs.cloudProvider == 'aws' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster aws-region: eu-central-1 
diff --git a/.github/actions/check_measurements_reproducibility/action.yml b/.github/actions/check_measurements_reproducibility/action.yml
deleted file mode 100644
index 184e1221f..000000000
--- a/.github/actions/check_measurements_reproducibility/action.yml
+++ /dev/null
@@ -1,64 +0,0 @@ -name: Check measurements reproducibility -description: Check if the measurements of a given release are reproducible. - -inputs: - version: - type: string - description: The version of the measurements that are downloaded from the CDN. - required: true - ref: - type: string - description: The git ref to check out. You probably want this to be the tag of the release you are testing. - required: true - -runs: - using: "composite" - steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ inputs.ref }} - path: ./release - - - name: Set up bazel - uses: ./.github/actions/setup_bazel_nix - with: - useCache: "false" - nixTools: | - systemdUkify - jq - jd-diff-patch - moreutils - - - name: Allow unrestricted user namespaces - shell: bash - run: | - sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0 - sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0 - - - name: Build images - id: build-images - shell: bash - run: | - set -euo pipefail - - # Build required binaries - pushd release - bazel build //image/system:stable - echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT" - popd - - - name: Download measurements - shell: bash - run: | - curl -fsLO https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ inputs.version }}/image/measurements.json - - - name: Cleanup release measurements and generate our own - shell: bash - run: | - ${{ github.action_path }}/create_measurements.sh "${{ steps.build-images.outputs.buildPath }}" - - - name: Compare measurements - shell: bash - run: | - ${{ github.action_path }}/compare_measurements.sh "${{ steps.build-images.outputs.buildPath }}" diff --git a/.github/actions/check_measurements_reproducibility/compare_measurements.sh b/.github/actions/check_measurements_reproducibility/compare_measurements.sh deleted file mode 100755 index 5077a05f2..000000000 
--- a/.github/actions/check_measurements_reproducibility/compare_measurements.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/env bash -# no -e since we need to collect errors later -# no -u since it interferes with checking associative arrays -set -o pipefail -shopt -s extglob - -declare -A errors - -for directory in "$1"/system/!(mkosi_wrapper.sh); do - dirname="$(basename "$directory")" - attestationVariant="$(echo "$dirname" | cut -d_ -f2)" - - echo "Their measurements for $attestationVariant:" - ts " " < "$attestationVariant"_their-measurements.json - echo "Own measurements for $attestationVariant:" - ts " " < "$attestationVariant"_own-measurements.json - - diff="$(jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json)" - if [[ -n $diff ]]; then - errors["$attestationVariant"]="$diff" - fi -done - -for attestationVariant in "${!errors[@]}"; do - echo "Failed to reproduce measurements for $attestationVariant:" - echo "${errors["$attestationVariant"]}" | ts " " -done - -if [[ ${#errors[@]} -ne 0 ]]; then - exit 1 -fi diff --git a/.github/actions/check_measurements_reproducibility/create_measurements.sh b/.github/actions/check_measurements_reproducibility/create_measurements.sh deleted file mode 100755 index 4cabd5df0..000000000 --- a/.github/actions/check_measurements_reproducibility/create_measurements.sh +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail -shopt -s extglob - -for directory in "$1"/system/!(mkosi_wrapper.sh); do - dirname="$(basename "$directory")" - csp="$(echo "$dirname" | cut -d_ -f1)" - attestationVariant="$(echo "$dirname" | cut -d_ -f2)" - - # This jq filter selects the measurements for the correct CSP and attestation variant - # and then removes all `warnOnly: true` measurements. - jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \ - ' - .list.[] - | select( - .attestationVariant == $attestation_variant - and (.csp | ascii_downcase) == $csp - ) - | .measurements - | to_entries - | map(select(.value.warnOnly | not)) - | from_entries - | del(.[] .warnOnly) - ' \ - measurements.json > "$attestationVariant"_their-measurements.json - - bazel run --run_under "sudo --preserve-env" //image/measured-boot/cmd -- "$directory/constellation" /dev/stdout | jq '.measurements' > ./"$attestationVariant"_own-measurements.json -done diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml index caec827d6..63cddf9d8 100644 --- a/.github/actions/constellation_create/action.yml +++ b/.github/actions/constellation_create/action.yml @@ -257,9 +257,9 @@ runs: continue-on-error: true uses: ./.github/actions/artifact_upload with: - name: debug-logs-${{ inputs.artifactNameSuffix }} - path: | - *.log + name: serial-logs-${{ inputs.artifactNameSuffix }} + path: > + !(terraform).log encryptionSecret: ${{ inputs.encryptionSecret }} - name: Prepare terraform state folders 
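Review bot: The new upload path `!(terraform).log` is a bash extglob pattern, and nothing in this hunk shows the artifact_upload action enabling `shopt -s extglob` before it expands its `path` input; without it the pattern is matched literally, no serial log is collected, and because the step is `continue-on-error: true` the omission passes silently. If extglob is not already set in artifact_upload, either enable it there or list the serial log files explicitly here. The artifact name also changes from `debug-logs-…` to `serial-logs-…`, so any consumer that downloads the old name (not visible in this diff) needs the same rename. The step definition begins before this hunk.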
@@ -268,12 +268,9 @@ runs: run: | mkdir to-zip cp -r constellation-terraform to-zip - # constellation-iam-terraform is optional - if [ -d constellation-iam-terraform ]; then - cp -r constellation-iam-terraform to-zip - fi + cp -r constellation-iam-terraform to-zip rm -f to-zip/constellation-terraform/plan.zip - rm -rf to-zip/*/.terraform + rm -rf to-zip/constellation-terraform/.terraform to-zip/constellation-iam-terraform/.terraform - name: Upload terraform state if: always() diff --git a/.github/actions/constellation_destroy/action.yml b/.github/actions/constellation_destroy/action.yml index c09148efa..9ae79efd2 100644 --- a/.github/actions/constellation_destroy/action.yml +++ b/.github/actions/constellation_destroy/action.yml @@ -67,7 +67,7 @@ runs: - name: Login to AWS (Cluster role) if: inputs.cloudProvider == 'aws' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster aws-region: eu-central-1 diff --git a/.github/actions/constellation_iam_create/action.yml b/.github/actions/constellation_iam_create/action.yml index 6df998872..a6607d982 100644 --- a/.github/actions/constellation_iam_create/action.yml +++ b/.github/actions/constellation_iam_create/action.yml @@ -42,15 +42,6 @@ inputs: gcpZone: description: "The GCP zone to deploy Constellation in." required: false - # - # STACKIT specific inputs - # - stackitZone: - description: "The STACKIT zone to deploy Constellation in." - required: false - stackitProjectID: - description: "The STACKIT project ID to deploy Constellation in." - required: false runs: using: "composite" @@ -102,7 +93,6 @@ runs: --tf-log=DEBUG \ --yes ${extraFlags} - # TODO(@3u13r): Replace deprecated --serviceAccountID with --prefix - name: Constellation iam create gcp shell: bash if: inputs.cloudProvider == 'gcp' 
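Review bot: `cp -r constellation-iam-terraform to-zip` now runs unconditionally, so on a run where no IAM Terraform directory exists the copy fails and, if this step runs under `shell: bash` (GitHub adds `-e`), the remaining `rm -f …/plan.zip` and `rm -rf …/.terraform` lines never execute. The following "Upload terraform state" step is `if: always()`, so it presumably ships the half-prepared `to-zip` folder including `plan.zip` (a saved plan can embed variable values) and the provider binaries under `.terraform`. Guard the copy: `if [ -d constellation-iam-terraform ]; then cp -r constellation-iam-terraform to-zip; fi`; the `rm -rf` line already tolerates a missing directory. The step begins before this hunk.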
@@ -114,13 +104,3 @@ runs: --update-config \ --tf-log=DEBUG \ --yes - - - name: Set STACKIT-specific configuration - shell: bash - if: inputs.cloudProvider == 'stackit' - env: - STACKIT_PROJECT_ID: ${{ inputs.stackitProjectID }} - run: | - yq eval -i "(.provider.openstack.stackitProjectID) = \"${STACKIT_PROJECT_ID}\"" constellation-conf.yaml - yq eval -i "(.provider.openstack.availabilityZone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml - yq eval -i "(.nodeGroups.[].zone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml diff --git a/.github/actions/constellation_iam_destroy/action.yml b/.github/actions/constellation_iam_destroy/action.yml index 98109d740..e89dd7c5d 100644 --- a/.github/actions/constellation_iam_destroy/action.yml +++ b/.github/actions/constellation_iam_destroy/action.yml @@ -23,7 +23,7 @@ runs: - name: Login to AWS (IAM role) if: inputs.cloudProvider == 'aws' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM aws-region: eu-central-1 diff --git a/.github/actions/container_registry_login/action.yml b/.github/actions/container_registry_login/action.yml index 929af6361..1c0e5d50f 100644 --- a/.github/actions/container_registry_login/action.yml +++ b/.github/actions/container_registry_login/action.yml @@ -17,7 +17,7 @@ runs: steps: - name: Use docker for logging in if: runner.os != 'macOS' - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ${{ inputs.registry }} username: ${{ inputs.username }} diff --git a/.github/actions/container_sbom/action.yml b/.github/actions/container_sbom/action.yml index 983fb344e..a100f3f6e 100644 --- a/.github/actions/container_sbom/action.yml 
+++ b/.github/actions/container_sbom/action.yml @@ -19,7 +19,7 @@ runs: steps: - name: Install Cosign if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - name: Download Syft & Grype uses: ./.github/actions/install_syft_grype diff --git a/.github/actions/deploy_logcollection/action.yml b/.github/actions/deploy_logcollection/action.yml index 78abb5146..294367dbf 100644 --- a/.github/actions/deploy_logcollection/action.yml +++ b/.github/actions/deploy_logcollection/action.yml @@ -67,7 +67,7 @@ runs: # Make sure that helm is installed # This is not always the case, e.g. on MacOS runners - name: Install Helm - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: version: v3.9.0 diff --git a/.github/actions/download_release_binaries/action.yml b/.github/actions/download_release_binaries/action.yml index 6b5604c24..a336a5e43 100644 --- a/.github/actions/download_release_binaries/action.yml +++ b/.github/actions/download_release_binaries/action.yml 
@@ -5,51 +5,51 @@ runs: using: "composite" steps: - name: Download CLI binaries darwin-amd64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation-darwin-amd64 - name: Download CLI binaries darwin-arm64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation-darwin-arm64 - name: Download CLI binaries linux-amd64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation-linux-amd64 - name: Download CLI binaries linux-arm64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation-linux-arm64 - name: Download CLI binaries windows-amd64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation-windows-amd64 - name: Download Terraform module - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: terraform-module - name: Download Terraform provider binary darwin-amd64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: terraform-provider-constellation-darwin-amd64 - name: Download Terraform provider binary darwin-arm64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: 
actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: terraform-provider-constellation-darwin-arm64 - name: Download Terraform provider binary linux-amd64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: terraform-provider-constellation-linux-amd64 - name: Download Terraform provider binary linux-arm64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: terraform-provider-constellation-linux-arm64 diff --git a/.github/actions/e2e_attestationconfigapi/action.yml b/.github/actions/e2e_attestationconfigapi/action.yml index 9ffad3040..02ec28084 100644 --- a/.github/actions/e2e_attestationconfigapi/action.yml +++ b/.github/actions/e2e_attestationconfigapi/action.yml @@ -19,7 +19,7 @@ runs: uses: ./.github/actions/setup_bazel_nix - name: Login to AWS - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubTestResourceAPI aws-region: eu-west-1 diff --git a/.github/actions/e2e_benchmark/action.yml b/.github/actions/e2e_benchmark/action.yml index ee741c19f..d55a4c214 100644 --- a/.github/actions/e2e_benchmark/action.yml +++ b/.github/actions/e2e_benchmark/action.yml @@ -32,9 +32,9 @@ runs: steps: - name: Setup python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: - python-version: "3.13" + python-version: "3.10" - name: Install kubestr shell: bash 
@@ -166,7 +166,7 @@ runs: encryptionSecret: ${{ inputs.encryptionSecret }} - name: Assume AWS role to retrieve and update benchmarks in S3 - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks aws-region: us-east-2 diff --git a/.github/actions/e2e_benchmark/evaluate/requirements.txt b/.github/actions/e2e_benchmark/evaluate/requirements.txt index fa4ee448b..ea9316757 100644 --- a/.github/actions/e2e_benchmark/evaluate/requirements.txt +++ b/.github/actions/e2e_benchmark/evaluate/requirements.txt @@ -1,3 +1,3 @@ -numpy ==2.2.6 -matplotlib ==3.10.3 -Pillow ==11.2.1 \ No newline at end of file +numpy ==1.26.4 +matplotlib ==3.8.3 +Pillow ==10.3.0 \ No newline at end of file diff --git a/.github/actions/e2e_cleanup_timeframe/action.yml b/.github/actions/e2e_cleanup_timeframe/action.yml index c77be2431..bfe40cbf3 100644 --- a/.github/actions/e2e_cleanup_timeframe/action.yml +++ b/.github/actions/e2e_cleanup_timeframe/action.yml @@ -11,18 +11,12 @@ inputs: azure_credentials: description: "Credentials authorized to create Constellation on Azure." required: true - openStackCloudsYaml: - description: "The contents of ~/.config/openstack/clouds.yaml" - required: false - stackitUat: - description: "The UAT for STACKIT" - required: false runs: using: "composite" steps: - name: Authenticate AWS - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EDestroy aws-region: eu-central-1 
@@ -37,16 +31,6 @@ runs: with: service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com" - - name: Login to OpenStack - uses: ./.github/actions/login_openstack - with: - clouds_yaml: ${{ inputs.openStackCloudsYaml }} - - - name: Login to STACKIT - uses: ./.github/actions/login_stackit - with: - serviceAccountToken: ${{ inputs.stackitUat }} - - name: Install tools uses: ./.github/actions/setup_bazel_nix with: diff --git a/.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh b/.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh index 0796ae1a0..a88e714c5 100755 --- a/.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh +++ b/.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh @@ -2,7 +2,7 @@ # get_e2e_test_ids_on_date gets all workflow IDs of workflows that contain "e2e" on a specific date. function get_e2e_test_ids_on_date { - ids="$(gh run list --created "$1" --status failure --json createdAt,workflowName,databaseId --jq '.[] | select(.workflowName | (contains("e2e") or contains("Release")) and (contains("MiniConstellation") | not)) | .databaseId' -L1000 -R edgelesssys/constellation || exit 1)" + ids="$(gh run list --created "$1" --status failure --json createdAt,workflowName,databaseId --jq '.[] | select(.workflowName | contains("e2e") and (contains("MiniConstellation") | not)) | .databaseId' -L1000 -R edgelesssys/constellation || exit 1)" echo "${ids}" } 
@@ -11,23 +11,24 @@ function download_tfstate_artifact { gh run download "$1" -p "terraform-state-*" -R edgelesssys/constellation > /dev/null } -# delete_terraform_resources runs terraform destroy on the given folder. -function delete_terraform_resources { - delete_err=0 - if pushd "${1}/${2}"; then - # Workaround for cleaning up Azure resources - # We include a data source that is only used to generate output - # If this data source is deleted before we call terraform destroy, - # terraform will first try to evaluate the data source and fail, - # causing the destroy to fail as well. - sed -i '/data "azurerm_user_assigned_identity" "uaid" {/,/}/d' main.tf - sed -i '/output "user_assigned_identity_client_id" {/,/}/d' outputs.tf - - terraform init > /dev/null || delete_err=1 # first, install plugins - terraform destroy -auto-approve || delete_err=1 - popd || exit 1 +# delete_resources runs terraform destroy on the constellation-terraform subfolder of a given folder. +function delete_resources { + if [[ -d "$1/constellation-terraform" ]]; then + cd "$1/constellation-terraform" || exit 1 + terraform init > /dev/null || exit 1 # first, install plugins + terraform destroy -auto-approve || exit 1 + cd ../../ || exit 1 + fi +} + +# delete_iam_config runs terraform destroy on the constellation-iam-terraform subfolder of a given folder. +function delete_iam_config { + if [[ -d "$1/constellation-iam-terraform" ]]; then + cd "$1/constellation-iam-terraform" || exit 1 + terraform init > /dev/null || exit 1 # first, install plugins + terraform destroy -auto-approve || exit 1 + cd ../../ || exit 1 fi - return "${delete_err}" } # check if the password for artifact decryption was given @@ -41,7 +42,7 @@ artifact_pwd=${ENCRYPTION_SECRET} shopt -s nullglob start_date=$(date "+%Y-%m-%d") -end_date=$(date --date "-4 day" "+%Y-%m-%d") +end_date=$(date --date "-7 day" "+%Y-%m-%d") dates_to_clean=() # get all dates of the last week 
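Review bot: In `delete_resources` and `delete_iam_config` every failure is `|| exit 1`, which terminates the whole script from inside the helper; the caller loops over all `terraform-state-*` directories, so one cluster whose `terraform destroy` fails leaves every later directory untouched and its cloud resources running. The helpers should report failure and let the loop continue, and the `cd ../../` return path hard-codes that `$1` is exactly one level deep — running the destroy in a subshell avoids both issues. Proposed rewrite of `delete_resources` below (apply the same to `delete_iam_config`); the caller then needs to check the return value.
```shell
# delete_resources runs terraform destroy on the constellation-terraform subfolder of a given folder.
# Returns non-zero on failure instead of exiting so the caller can continue with other directories.
function delete_resources {
  [[ -d "$1/constellation-terraform" ]] || return 0
  (
    cd "$1/constellation-terraform" || exit 1
    terraform init > /dev/null || exit 1 # first, install plugins
    terraform destroy -auto-approve
  )
}
# … unchanged: delete_iam_config (same change) …
```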
@@ -84,25 +85,13 @@ export TF_PLUGIN_CACHE_DIR="${HOME}/tf_plugin_cache" echo "[*] created terraform cache directory ${TF_PLUGIN_CACHE_DIR}" echo "[*] deleting resources" -error_occurred=0 for directory in ./terraform-state-*; do echo " deleting resources in ${directory}" - if ! delete_terraform_resources "${directory}" "constellation-terraform"; then - echo "[!] deleting resources failed" - error_occurred=1 - fi + delete_resources "${directory}" echo " deleting IAM configuration in ${directory}" - if ! delete_terraform_resources "${directory}" "constellation-iam-terraform"; then - echo "[!] deleting IAM resources failed" - error_occurred=1 - fi + delete_iam_config "${directory}" echo " deleting directory ${directory}" rm -rf "${directory}" done -if [[ ${error_occurred} -ne 0 ]]; then - echo "[!] Errors occurred during resource deletion." - exit 1 -fi - exit 0 diff --git a/.github/actions/e2e_emergency_ssh/action.yml b/.github/actions/e2e_emergency_ssh/action.yml deleted file mode 100644 index 81712956a..000000000 --- a/.github/actions/e2e_emergency_ssh/action.yml +++ /dev/null @@ -1,68 +0,0 @@ -name: Emergency ssh -description: "Verify that an emergency ssh connection can be established." - -inputs: - kubeconfig: - description: "The kubeconfig file for the cluster." - required: true - -runs: - using: "composite" - steps: - - name: Test emergency ssh - shell: bash - env: - KUBECONFIG: ${{ inputs.kubeconfig }} - run: | - set -euo pipefail - - # Activate emergency ssh access to the cluster - pushd ./constellation-terraform - echo "emergency_ssh = true" >> terraform.tfvars - terraform apply -auto-approve - lb="$(terraform output -raw loadbalancer_address)" - popd - - # write ssh config - cat > ssh_config < ~/.stackit/credentials.json diff --git a/.github/actions/notify_stackit/action.yml b/.github/actions/notify_stackit/action.yml deleted file mode 100644 index 2e64fdac5..000000000 --- a/.github/actions/notify_stackit/action.yml +++ /dev/null 
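Review bot: The loop ignores the exit status of `delete_resources "${directory}"` and `delete_iam_config "${directory}"` and the script always ends with `exit 0`, so the only thing that makes a failed destroy visible is the helper calling `exit` itself; if the helpers ever return a status instead, the job goes green with resources left behind and `rm -rf "${directory}"` deletes the only copy of the state needed for a manual cleanup. Record the per-directory outcome, keep the state on failure, and exit non-zero at the end; this only takes effect together with helpers that return rather than exit.
```shell
failed=0
for directory in ./terraform-state-*; do
  echo " deleting resources in ${directory}"
  if delete_resources "${directory}" && delete_iam_config "${directory}"; then
    echo " deleting directory ${directory}"
    rm -rf "${directory}"
  else
    echo "[!] cleanup of ${directory} failed, keeping its state for manual cleanup"
    failed=1
  fi
done
exit "${failed}"
```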
@@ -1,19 +0,0 @@ -name: Notify STACKIT -description: "Notify STACKIT about test failure" -inputs: - slackToken: - description: "Slack access token." - required: true -runs: - using: "composite" - steps: - - name: Notify STACKIT - env: - SLACK_TOKEN: ${{ inputs.slackToken }} - shell: bash - run: | - curl -X POST \ - -H "Authorization: Bearer $SLACK_TOKEN" \ - -H "Content-type: application/json; charset=utf-8" \ - -d "{\"channel\":\"C0827BT59SM\",\"text\":\"E2E test failed: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"}" \ - https://slack.com/api/chat.postMessage diff --git a/.github/actions/publish_helmchart/action.yml b/.github/actions/publish_helmchart/action.yml index 3c26fbad7..6e8a9f762 100644 --- a/.github/actions/publish_helmchart/action.yml +++ b/.github/actions/publish_helmchart/action.yml @@ -29,7 +29,7 @@ runs: echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT - name: Create pull request - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: path: helm branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}" diff --git a/.github/actions/select_image/action.yml b/.github/actions/select_image/action.yml index 6af36480d..e36e145ed 100644 --- a/.github/actions/select_image/action.yml +++ b/.github/actions/select_image/action.yml @@ -18,7 +18,7 @@ runs: using: "composite" steps: - name: Login to AWS - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead aws-region: eu-central-1 diff --git a/.github/actions/setup_bazel_nix/action.yml b/.github/actions/setup_bazel_nix/action.yml index 1066e5d34..87a2d1802 100644 
--- a/.github/actions/setup_bazel_nix/action.yml +++ b/.github/actions/setup_bazel_nix/action.yml @@ -75,7 +75,6 @@ runs: echo "$RUNNER_ARCH not supported" exit 1 fi - echo "nixVersion=$(cat "${{ github.workspace }}/.nixversion")" | tee -a "$GITHUB_OUTPUT" echo "::endgroup::" - name: Install current Bash on macOS @@ -114,9 +113,9 @@ runs: - name: Install nix if: steps.check_inputs.outputs.nixPreinstalled == 'false' - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 + uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: - install_url: "https://releases.nixos.org/nix/nix-${{ steps.check_inputs.outputs.nixVersion }}/install" + install_url: "https://releases.nixos.org/nix/nix-2.25.2/install" - name: Set $USER if not set shell: bash @@ -221,7 +220,7 @@ runs: { tools, repository, rev }: let repoFlake = builtins.getFlake ("github:" + repository + "/" + rev); - nixpkgs = repoFlake.inputs.nixpkgs; + nixpkgs = repoFlake.inputs.nixpkgsUnstable; pkgs = import nixpkgs { system = builtins.currentSystem; }; toolPkgs = map (p: pkgs.${p}) tools; in diff --git a/.github/actions/terraform_apply/action.yml b/.github/actions/terraform_apply/action.yml index edf4fb26f..ffb893934 100644 --- a/.github/actions/terraform_apply/action.yml +++ b/.github/actions/terraform_apply/action.yml @@ -29,9 +29,6 @@ runs: "gcpSEVSNP") attestationVariant="gcp-sev-snp" ;; - "qemuVTPM") - attestationVariant="qemu-vtpm" - ;; *) echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)" exit 1 @@ -47,7 +44,7 @@ runs: } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } 
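Review bot: `install_url` now points at a fixed `nix-2.25.2` installer script that is fetched and executed at job time with only TLS protecting it; unlike the SHA-pinned action around it, nothing in this hunk verifies the script's content, so the Nix toolchain behind every CI job rests on that URL being served correctly. If the action or the installer offer a way to pin the installer's digest, use it; otherwise record the trust decision next to the line, e.g. `# NOTE: installer is fetched unverified; the version is pinned only by URL`. The version literal also has to be kept in sync by hand with any other place the repository pins Nix, if such a place exists.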
@@ -109,16 +106,6 @@ runs: project_id = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)" service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)") } - openstack = { - cloud = "stackit" - clouds_yaml_path = "~/.config/openstack/clouds.yaml" - floating_ip_pool_id = "970ace5c-458f-484a-a660-0903bcfd91ad" - deploy_yawol_load_balancer = true - yawol_image_id = "bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be" - yawol_flavor_id = "3b11b27e-6c73-470d-b595-1d85b95a8cdf" - network_id = "$(yq '.infrastructure.networkID' constellation-state.yaml)" - subnet_id = "$(yq '.infrastructure.subnetID' constellation-state.yaml)" - } network_config = { ip_cidr_node = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)" ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)" diff --git a/.github/actions/upload_terraform_module/action.yml b/.github/actions/upload_terraform_module/action.yml index 140844fdd..18dd61280 100644 --- a/.github/actions/upload_terraform_module/action.yml +++ b/.github/actions/upload_terraform_module/action.yml @@ -15,7 +15,7 @@ runs: zip -r terraform-module.zip terraform-module - name: Upload artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: terraform-module path: terraform-module.zip diff --git a/.github/workflows/aws-snp-launchmeasurement.yml b/.github/workflows/aws-snp-launchmeasurement.yml index 8e72cffb6..1c2c981a2 100644 --- a/.github/workflows/aws-snp-launchmeasurement.yml +++ b/.github/workflows/aws-snp-launchmeasurement.yml 
@@ -17,11 +17,11 @@ jobs: path: constellation - name: Install Nix - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 + uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - name: Download Firmware release id: download-firmware - uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12 + uses: robinraju/release-downloader@a96f54c1b5f5e09e47d9504526e96febd949d4c2 # v1.11 with: repository: aws/uefi latest: true diff --git a/.github/workflows/build-ccm-gcp.yml b/.github/workflows/build-ccm-gcp.yml index 1954f242c..75e8ce0a7 100644 --- a/.github/workflows/build-ccm-gcp.yml +++ b/.github/workflows/build-ccm-gcp.yml @@ -29,9 +29,9 @@ jobs: fetch-depth: 0 - name: Setup Go environment - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: - go-version: "1.24.3" + go-version: "1.23.2" cache: false - name: Install Crane @@ -76,7 +76,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | ghcr.io/edgelesssys/cloud-provider-gcp @@ -113,7 +113,7 @@ jobs: - name: Build and push container image id: build - uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: context: ./cloud-provider-gcp push: ${{ github.ref_name == 'main' }} diff --git a/.github/workflows/build-gcp-guest-agent.yml b/.github/workflows/build-gcp-guest-agent.yml index bcd766a1f..f5b734f00 100644 --- a/.github/workflows/build-gcp-guest-agent.yml +++ b/.github/workflows/build-gcp-guest-agent.yml 
@@ -85,7 +85,7 @@ jobs: - name: Docker meta id: meta if: steps.needs-build.outputs.out == 'true' - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | ${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent @@ -114,7 +114,7 @@ jobs: - name: Build and push container image if: steps.needs-build.outputs.out == 'true' id: build - uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: context: ./guest-agent file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile diff --git a/.github/workflows/build-os-image-scheduled.yml b/.github/workflows/build-os-image-scheduled.yml index e42c2ebfa..b4376d67b 100644 --- a/.github/workflows/build-os-image-scheduled.yml +++ b/.github/workflows/build-os-image-scheduled.yml @@ -65,9 +65,9 @@ jobs: token: ${{ secrets.CI_COMMIT_PUSH_PR }} - name: Setup Go environment - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: - go-version: "1.24.3" + go-version: "1.23.2" cache: false - name: Determine version @@ -97,7 +97,7 @@ jobs: run: rm -f internal/attestation/measurements/measurement-generator/generate - name: Create pull request - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: branch: "image/automated/update-measurements-${{ github.run_number }}" base: main diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml index 50783089a..f19419ead 100644 --- a/.github/workflows/build-os-image.yml +++ b/.github/workflows/build-os-image.yml 
@@ -147,7 +147,7 @@ jobs:
useCache: "false"

- name: Login to AWS
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1
@@ -167,12 +167,6 @@ jobs:
with:
clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}

- - name: Allow unrestricted user namespaces
- shell: bash
- run: |
- sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
- sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
-
- name: Build and upload
id: build
shell: bash
diff --git a/.github/workflows/check-links.yml b/.github/workflows/check-links.yml
index 598a64445..d9f97cfaa 100644
--- a/.github/workflows/check-links.yml
+++ b/.github/workflows/check-links.yml
@@ -25,7 +25,7 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

- name: Link Checker
- uses: lycheeverse/lychee-action@82202e5e9c2f4ef1a55a3d02563e1cb6041e5332 # v2.4.1
+ uses: lycheeverse/lychee-action@f81112d0d2814ded911bd23e3beaa9dda9093915 # v2.1.0
with:
args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
fail: true
diff --git a/.github/workflows/check-measurements-reproducibility.yml b/.github/workflows/check-measurements-reproducibility.yml
deleted file mode 100644
index 3a91eda81..000000000
--- a/.github/workflows/check-measurements-reproducibility.yml
+++ /dev/null
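Review bot: Dropping the `Allow unrestricted user namespaces` step leaves the following `Build and upload` step running under the runner's default AppArmor userns restrictions; if the image build relies on unprivileged user namespaces (sandboxed builders commonly do) it will now fail with a permission error rather than a clear message, and if it runs as root the step was never needed. I cannot tell which applies because the build recipe is outside this hunk. If the removal is intentional, record why on the build step, e.g. `# Runs as root; no unprivileged user namespaces required`; if the relaxation is still needed, restore only `kernel.apparmor_restrict_unprivileged_userns=0` and leave the broader `apparmor_restrict_unprivileged_unconfined` toggle alone, since that is the narrower change to host hardening.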
@@ -1,27 +0,0 @@ -name: Check measurements reproducibility -on: - workflow_dispatch: - inputs: - version: - type: string - description: The version of the measurements that are downloaded from the CDN. - required: true - ref: - type: string - description: The git ref to check out. You probably want this to be the tag of the release you are testing. - required: true - -jobs: - check-reproducibility: - runs-on: ubuntu-24.04 - steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ inputs.ref || github.ref }} - - - name: Check reproducibility - uses: ./.github/actions/check_measurements_reproducibility - with: - version: ${{ github.event.inputs.version }} - ref: ${{ github.event.inputs.ref }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8c77ddacb..5ffd4cd78 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,13 +38,13 @@ jobs: - name: Setup Go environment if: matrix.language == 'go' - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: - go-version: "1.24.3" + go-version: "1.23.2" cache: false - name: Initialize CodeQL - uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: languages: ${{ matrix.language }} @@ -63,6 +63,6 @@ jobs: echo "::endgroup::" - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/docs-vale.yml b/.github/workflows/docs-vale.yml index bb6331ce5..a9f58cc04 100644 --- a/.github/workflows/docs-vale.yml +++ b/.github/workflows/docs-vale.yml 
@@ -29,4 +29,3 @@ jobs:
with:
files: docs/docs
fail_on_error: true
- version: 3.9.3
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 84b696afb..c77719367 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -92,8 +92,8 @@ jobs:
cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

- name: Upload CLI as artifact (unix)
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- if: ${{ matrix.os != 'windows' }}
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ if : ${{ matrix.os != 'windows' }}
with:
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
path: |
@@ -101,8 +101,8 @@ jobs:
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig

- name: Upload CLI as artifact (windows)
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- if: ${{ matrix.os == 'windows' }}
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ if : ${{ matrix.os == 'windows' }}
with:
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
path: |
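Review bot: Removing `version: 3.9.3` leaves the Vale step without a pinned Vale release, so the docs lint now runs whatever version the action downloads by default, an unpinned tool in CI and a source of non-reproducible lint results between runs. Keep an explicit pin next to `fail_on_error: true`, e.g. `version: 3.9.3` or whichever release the action is known to work with. The step's own `uses:` line is outside the hunk, so I cannot see whether the action itself is SHA-pinned like the others in this diff.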
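Review bot: Style: the new `if : ${{ matrix.os != 'windows' }}` and `if : ${{ matrix.os == 'windows' }}` lines put a space before the colon; YAML parsers still read the key as `if`, but it differs from every other key in the file (`uses:`, `with:`, `name:`) and is the kind of thing yamllint flags. Write `if: ${{ matrix.os != 'windows' }}` and `if: ${{ matrix.os == 'windows' }}`; the same form reappears in the Terraform provider upload steps further down.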
@@ -149,16 +149,16 @@ jobs: targetArch: ${{ matrix.arch }} - name: Upload Terraform Provider Binary as artifact (unix) - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - if: ${{ matrix.os != 'windows' }} + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + if : ${{ matrix.os != 'windows' }} with: name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }} path: | build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }} - name: Upload Terraform Provider Binary as artifact (windows) - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - if: ${{ matrix.os == 'windows' }} + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + if : ${{ matrix.os == 'windows' }} with: name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }} path: | @@ -227,7 +227,7 @@ jobs: uses: ./.github/actions/download_release_binaries - name: Download CLI SBOM - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation.spdx.sbom @@ -261,7 +261,7 @@ jobs: ref: ${{ inputs.ref || github.head_ref }} - name: Install Cosign - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - name: Download Syft & Grype uses: ./.github/actions/install_syft_grype 
@@ -296,13 +296,13 @@ jobs: COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} - name: Upload Constellation CLI SBOM - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: constellation.spdx.sbom path: constellation.spdx.sbom - name: Upload Constellation CLI SBOM's signature - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: constellation.spdx.sbom.sig path: constellation.spdx.sbom.sig @@ -316,14 +316,14 @@ jobs: - provenance-subjects # This must not be pinned to digest. See: # https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}" provenance-verify: runs-on: ubuntu-24.04 env: - SLSA_VERIFIER_VERSION: "2.7.0" + SLSA_VERIFIER_VERSION: "2.5.1" needs: - build-cli - provenance @@ -340,12 +340,12 @@ jobs: uses: ./.github/actions/download_release_binaries - name: Download CLI SBOM - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation.spdx.sbom - name: Download provenance - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.provenance.outputs.provenance-name }} 
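Review bot: The provenance path now pairs `generator_generic_slsa3.yml@v2.0.0` with `SLSA_VERIFIER_VERSION: "2.5.1"`; the two are changed together, but whether this verifier release validates provenance from that generator, and how the verifier binary is fetched and integrity-checked, is outside this hunk. If the download step later in the job fetches the verifier by version only, pin its digest alongside the version, e.g. `SLSA_VERIFIER_SHA256: "<digest>"`, and compare before use, since this binary is what gates the release artifacts. The mutable `@v2.0.0` tag on the generator is expected per the comment above it and needs no change.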
@@ -418,17 +418,17 @@ jobs: uses: ./.github/actions/download_release_binaries - name: Download CLI SBOM - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation.spdx.sbom - name: Download Constellation CLI SBOM's signature - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation.spdx.sbom.sig - name: Download Constellation provenance - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.provenance.outputs.provenance-name }} @@ -472,7 +472,7 @@ jobs: - name: Create release with artifacts id: create-release # GitHub endorsed release project. See: https://github.com/actions/create-release - uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2 + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 with: draft: true generate_release_notes: true @@ -487,7 +487,7 @@ jobs: terraform-module.zip - name: Create Terraform provider release with artifcats - uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2 + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 with: draft: true generate_release_notes: false diff --git a/.github/workflows/e2e-cleanup.yml b/.github/workflows/e2e-cleanup-weekly.yml similarity index 74% rename from .github/workflows/e2e-cleanup.yml rename to .github/workflows/e2e-cleanup-weekly.yml index 67e5bf0ff..e8e5ffa92 100644 --- a/.github/workflows/e2e-cleanup.yml +++ b/.github/workflows/e2e-cleanup-weekly.yml 
@@ -1,10 +1,10 @@
-name: e2e cleanup
+name: e2e weekly cleanup
on:
schedule:
- - cron: "0 0 * * *" # At 00:00 every day
+ - cron: "0 0 * * 0" # At 00:00 every Sunday UTC
workflow_dispatch:
-
+ 
jobs:
cleanup:
@@ -22,5 +22,3 @@ jobs:
ghToken: ${{ secrets.GITHUB_TOKEN }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
azure_credentials: ${{ secrets.AZURE_E2E_DESTROY_CREDENTIALS }}
- openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
- stackitUat: ${{ secrets.STACKIT_CI_UAT }}
diff --git a/.github/workflows/e2e-mini.yml b/.github/workflows/e2e-mini.yml
index bf0cf1cad..7e03ffd53 100644
--- a/.github/workflows/e2e-mini.yml
+++ b/.github/workflows/e2e-mini.yml
@@ -34,7 +34,7 @@ jobs:
ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}

- name: Azure login OIDC
- uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml
index 644fc6d95..5e36add52 100644
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@@ -45,7 +45,7 @@ jobs:
fail-fast: false
max-parallel: 5
matrix:
- kubernetesVersion: ["1.30"] # This should correspond to the current default k8s minor.
+ kubernetesVersion: ["1.28"] # should be default
attestationVariant: ["gcp-sev-es", "gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
test: ["sonobuoy quick"]
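Review bot: Changing the cleanup cron to `"0 0 * * 0"` means e2e resources that escaped a job's own destroy steps (clusters, IAM roles, tfstate artifacts) now persist for up to seven days instead of one, which widens both the cost and the exposure window of leaked test infrastructure, and the rename to `e2e weekly cleanup` makes that permanent rather than a tuning knob. If the daily cadence was dropped for cost or rate-limit reasons, say so on the schedule line, e.g. `- cron: "0 0 * * 0" # Weekly: daily runs were too costly, see <issue>`, so the next person does not quietly restore it. The `+` line that replaces the empty line after `workflow_dispatch:` appears to introduce trailing whitespace; make it a genuinely empty line.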
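Review bot: The replacement comment `# should be default` on `kubernetesVersion: ["1.28"]` is vaguer than the one it replaces and no longer states what the value has to track, which is exactly the information a future bump needs. Keep the invariant explicit: `kubernetesVersion: ["1.28"] # Must match the CLI's current default Kubernetes minor.` Note that the manual e2e-test workflow in this same diff defaults to `"1.29"`, so if both are supposed to follow the same default, one of them is already out of step.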
@@ -164,7 +164,7 @@ jobs: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Azure login OIDC - uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0 with: client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} diff --git a/.github/workflows/e2e-test-internal-lb.yml b/.github/workflows/e2e-test-internal-lb.yml index ab36cec4a..cee93f7eb 100644 --- a/.github/workflows/e2e-test-internal-lb.yml +++ b/.github/workflows/e2e-test-internal-lb.yml @@ -23,7 +23,7 @@ on: type: choice options: - "ubuntu-24.04" - - "macos-latest" + - "macos-12" default: "ubuntu-24.04" test: description: "The test to run." @@ -41,6 +41,7 @@ on: required: true kubernetesVersion: description: "Kubernetes version to create the cluster from." + default: "1.28" required: true cliVersion: description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref." diff --git a/.github/workflows/e2e-test-marketplace-image.yml b/.github/workflows/e2e-test-marketplace-image.yml index 28e8e9310..760df932b 100644 --- a/.github/workflows/e2e-test-marketplace-image.yml +++ b/.github/workflows/e2e-test-marketplace-image.yml @@ -23,7 +23,7 @@ on: type: choice options: - "ubuntu-24.04" - - "macos-latest" + - "macos-12" default: "ubuntu-24.04" test: description: "The test to run." @@ -41,6 +41,7 @@ on: required: true kubernetesVersion: description: "Kubernetes version to create the cluster from." + default: "1.28" required: true cliVersion: description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref." diff --git a/.github/workflows/e2e-test-provider-example.yml b/.github/workflows/e2e-test-provider-example.yml index 43eacd005..df52b2341 100644 --- a/.github/workflows/e2e-test-provider-example.yml +++ b/.github/workflows/e2e-test-provider-example.yml 
@@ -154,7 +154,7 @@ jobs: - name: Login to AWS (IAM + Cluster role) if: steps.determine.outputs.cloudProvider == 'aws' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform aws-region: eu-central-1 diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml index 9ab1ebbe1..dce7c9913 100644 --- a/.github/workflows/e2e-test-release.yml +++ b/.github/workflows/e2e-test-release.yml @@ -39,25 +39,11 @@ jobs: fail-fast: false max-parallel: 9 matrix: - test: - - "sonobuoy full" - - "verify" - - "recover" - - "lb" - - "autoscaling" - - "perf-bench" - - "malicious join" - - attestationVariant: - - "gcp-sev-es" - - "gcp-sev-snp" - - "azure-sev-snp" - - "azure-tdx" - - "aws-sev-snp" - kubernetes-version: ["v1.31"] - clusterCreation: ["cli"] - runner: ["ubuntu-24.04"] include: + # + # Tests on ubuntu runner + # + # sonobuoy full test on all k8s versions - test: "sonobuoy full" attestationVariant: "gcp-sev-es" 
@@ -111,12 +97,206 @@ jobs: runner: "ubuntu-24.04" clusterCreation: "cli" - # s3proxy test on latest k8s version - - test: "s3proxy" + - test: "sonobuoy full" attestationVariant: "gcp-sev-es" - kubernetes-version: "v1.31" + kubernetes-version: "v1.28" runner: "ubuntu-24.04" clusterCreation: "cli" + - test: "sonobuoy full" + attestationVariant: "gcp-sev-snp" + kubernetes-version: "v1.28" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "sonobuoy full" + attestationVariant: "azure-sev-snp" + kubernetes-version: "v1.28" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "sonobuoy full" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.28" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "sonobuoy full" + attestationVariant: "aws-sev-snp" + kubernetes-version: "v1.28" + runner: "ubuntu-24.04" + clusterCreation: "cli" + + # verify test on latest k8s version + - test: "verify" + attestationVariant: "gcp-sev-es" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "verify" + attestationVariant: "gcp-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "verify" + attestationVariant: "azure-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "verify" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "verify" + attestationVariant: "aws-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + + # recover test on latest k8s version + - test: "recover" + attestationVariant: "gcp-sev-es" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "recover" + attestationVariant: "gcp-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "recover" + attestationVariant: "azure-sev-snp" + kubernetes-version: "v1.30" + runner: 
"ubuntu-24.04" + clusterCreation: "cli" + - test: "recover" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "recover" + attestationVariant: "aws-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + + # lb test on latest k8s version + - test: "lb" + attestationVariant: "gcp-sev-es" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "lb" + attestationVariant: "gcp-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "lb" + attestationVariant: "azure-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "lb" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "lb" + attestationVariant: "aws-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + + # autoscaling test on latest k8s version + - test: "autoscaling" + attestationVariant: "gcp-sev-es" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "autoscaling" + attestationVariant: "gcp-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "autoscaling" + attestationVariant: "azure-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "autoscaling" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "autoscaling" + attestationVariant: "aws-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + + # perf-bench test on latest k8s version + - test: "perf-bench" + attestationVariant: "gcp-sev-es" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "perf-bench" + attestationVariant: "gcp-sev-snp" + 
kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "perf-bench" + attestationVariant: "azure-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "perf-bench" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + - test: "perf-bench" + attestationVariant: "aws-sev-snp" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + + # s3proxy test on latest k8s version + - test: "s3proxy" + refStream: "ref/main/stream/debug/?" + attestationVariant: "gcp-sev-es" + kubernetes-version: "v1.30" + runner: "ubuntu-24.04" + clusterCreation: "cli" + + # malicious join test on latest k8s version + - test: "malicious join" + refStream: "ref/main/stream/debug/?" + attestationVariant: "gcp-sev-es" + kubernetes-version: "v1.30" + clusterCreation: "cli" + runner: "ubuntu-24.04" + - test: "malicious join" + refStream: "ref/main/stream/debug/?" + attestationVariant: "gcp-sev-snp" + kubernetes-version: "v1.30" + clusterCreation: "cli" + runner: "ubuntu-24.04" + - test: "malicious join" + refStream: "ref/main/stream/debug/?" + attestationVariant: "azure-sev-snp" + kubernetes-version: "v1.30" + clusterCreation: "cli" + runner: "ubuntu-24.04" + - test: "malicious join" + refStream: "ref/main/stream/debug/?" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.30" + clusterCreation: "cli" + runner: "ubuntu-24.04" + - test: "malicious join" + refStream: "ref/main/stream/debug/?" + attestationVariant: "aws-sev-snp" + kubernetes-version: "v1.30" + clusterCreation: "cli" + runner: "ubuntu-24.04" # # Tests on macOS runner 
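Review bot: In the new `include` list only the `s3proxy` and `malicious join` entries set `refStream`, while the `sonobuoy full`, `verify`, `recover`, `lb`, `autoscaling` and `perf-bench` entries omit it, so `matrix.refStream` expands to an empty string for those jobs; with the base matrix keys removed earlier in this commit, every key a later step reads must come from the entry itself, and a missing one does not fail the workflow. Either add `refStream: "ref/main/stream/debug/?"` (or the intended stream) to every entry or drop it from all of them and source the value from job-level config, whichever the consuming steps expect (they are outside this hunk). Style: the `malicious join` entries order `clusterCreation` before `runner`, unlike every other entry; keep the key order uniform so the block can be diffed by eye.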
@@ -125,12 +305,12 @@ jobs: # TODO(3u13r): Update verify test to work on MacOS runners # - test: "verify" # attestationVariant: "azure-sev-snp" - # kubernetes-version: "v1.31" - # runner: "macos-latest" + # kubernetes-version: "v1.30" + # runner: "macos-12" - test: "recover" attestationVariant: "gcp-sev-es" - kubernetes-version: "v1.31" - runner: "macos-latest" + kubernetes-version: "v1.30" + runner: "macos-12" clusterCreation: "cli" runs-on: ${{ matrix.runner }} permissions: @@ -162,7 +342,7 @@ jobs: - name: Set up gcloud CLI (macOS) if: steps.split-attestationVariant.outputs.provider == 'gcp' && runner.os == 'macOS' - uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4 + uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2 - name: Run E2E test id: e2e_test @@ -229,7 +409,7 @@ jobs: fail-fast: false max-parallel: 1 matrix: - fromVersion: ["v2.23.1"] + fromVersion: ["v2.19.3"] attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"] name: Run upgrade tests secrets: inherit diff --git a/.github/workflows/e2e-test-stackit.yml b/.github/workflows/e2e-test-stackit.yml deleted file mode 100644 index 1977d09cc..000000000 --- a/.github/workflows/e2e-test-stackit.yml +++ /dev/null 
@@ -1,153 +0,0 @@ -name: e2e test STACKIT - -on: - workflow_dispatch: - schedule: - - cron: "0 0 * * *" # Every day at midnight. - -jobs: - find-latest-image: - name: Find latest image - runs-on: ubuntu-24.04 - permissions: - id-token: write - contents: read - outputs: - image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }} - steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Select relevant image - id: select-image-action - uses: ./.github/actions/select_image - with: - osImage: "ref/release/stream/stable/?" - - - name: Relabel output - id: relabel-output - shell: bash - run: | - ref=$(echo 'ref/release/stream/stable/?' | cut -d/ -f2) - stream=$(echo 'ref/release/stream/stable/?' | cut -d/ -f4) - - echo "image-$ref-$stream=${{ steps.select-image-action.outputs.osImage }}" | tee -a "$GITHUB_OUTPUT" - - e2e-stackit: - strategy: - fail-fast: false - max-parallel: 6 - matrix: - kubernetesVersion: [ "1.29", "1.30", "1.31" ] - clusterCreation: [ "cli", "terraform" ] - test: [ "sonobuoy quick" ] - runs-on: ubuntu-24.04 - permissions: - id-token: write - checks: write - contents: read - packages: write - actions: write - needs: [find-latest-image] - steps: - - name: Check out repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - fetch-depth: 0 - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Setup bazel - uses: ./.github/actions/setup_bazel_nix - with: - nixTools: terraform - - - name: Run E2E test - id: e2e_test - uses: ./.github/actions/e2e_test - with: - workerNodesCount: "1" - controlNodesCount: "1" - cloudProvider: stackit - attestationVariant: qemu-vtpm - osImage: ${{ needs.find-latest-image.outputs.image-release-stable }} - isDebugImage: false - cliVersion: ${{ 
needs.find-latest-image.outputs.image-release-stable || '' }} - kubernetesVersion: ${{ matrix.kubernetesVersion }} - awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} - awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} - awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} - gcpProject: constellation-e2e - gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com" - gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com" - test: ${{ matrix.test }} - azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} - azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} - registry: ghcr.io - githubToken: ${{ secrets.GITHUB_TOKEN }} - cosignPassword: ${{ secrets.COSIGN_PASSWORD }} - cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }} - fetchMeasurements: false - clusterCreation: ${{ matrix.clusterCreation }} - s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }} - s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} - encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }} - stackitUat: ${{ secrets.STACKIT_CI_UAT }} - stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }} - - - name: Always terminate cluster - if: always() - uses: ./.github/actions/constellation_destroy - with: - kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - clusterCreation: ${{ matrix.clusterCreation }} - cloudProvider: stackit - azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} - gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com" - - - name: Always delete IAM configuration - if: always() - uses: ./.github/actions/constellation_iam_destroy - with: - cloudProvider: stackit - azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} - gcpServiceAccount: 
"iam-e2e@constellation-e2e.iam.gserviceaccount.com" - - - name: Update tfstate - if: always() - env: - GH_TOKEN: ${{ github.token }} - uses: ./.github/actions/update_tfstate - with: - name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }} - runID: ${{ github.run_id }} - encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - - - name: Notify about failure - if: | - failure() && - github.ref == 'refs/heads/main' && - github.event_name == 'schedule' - continue-on-error: true - uses: ./.github/actions/notify_e2e_failure - with: - projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }} - refStream: "ref/release/stream/stable/?" - test: ${{ matrix.test }} - kubernetesVersion: ${{ matrix.kubernetesVersion }} - provider: stackit - attestationVariant: qemu-vtpm - clusterCreation: ${{ matrix.clusterCreation }} - - - name: Notify STACKIT - if: | - failure() && - github.ref == 'refs/heads/main' && - github.event_name == 'schedule' - continue-on-error: true - uses: ./.github/actions/notify_stackit - with: - slackToken: ${{ secrets.SLACK_TOKEN }} diff --git a/.github/workflows/e2e-test-terraform-provider.yml b/.github/workflows/e2e-test-terraform-provider.yml index c7aa5a0e5..3c465ab97 100644 --- a/.github/workflows/e2e-test-terraform-provider.yml +++ b/.github/workflows/e2e-test-terraform-provider.yml @@ -23,7 +23,7 @@ on: type: choice options: - "ubuntu-24.04" - - "macos-latest" + - "macos-12" default: "ubuntu-24.04" test: description: "The test to run." @@ -41,6 +41,7 @@ on: required: true kubernetesVersion: description: "Kubernetes version to create the cluster from." + default: "1.28" required: true releaseVersion: description: "Version of a released provider to download. Leave empty to build the provider from the checked out ref." diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml index 1b6deb5fb..587abd129 100644 --- a/.github/workflows/e2e-test-weekly.yml +++ b/.github/workflows/e2e-test-weekly.yml 
@@ -10,7 +10,7 @@ jobs: strategy: fail-fast: false matrix: - refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"] + refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"] name: Find latest image runs-on: ubuntu-24.04 permissions: @@ -51,33 +51,6 @@ jobs: # Tests on main-debug refStream # - # Emergency SSH test on latest k8s version - - test: "emergency ssh" - refStream: "ref/main/stream/debug/?" - attestationVariant: "gcp-sev-es" - kubernetes-version: "v1.30" - clusterCreation: "cli" - - test: "emergency ssh" - refStream: "ref/main/stream/debug/?" - attestationVariant: "gcp-sev-snp" - kubernetes-version: "v1.30" - clusterCreation: "cli" - - test: "emergency ssh" - refStream: "ref/main/stream/debug/?" - attestationVariant: "azure-sev-snp" - kubernetes-version: "v1.30" - clusterCreation: "cli" - - test: "emergency ssh" - refStream: "ref/main/stream/debug/?" - attestationVariant: "azure-tdx" - kubernetes-version: "v1.30" - clusterCreation: "cli" - - test: "emergency ssh" - refStream: "ref/main/stream/debug/?" - attestationVariant: "aws-sev-snp" - kubernetes-version: "v1.30" - clusterCreation: "cli" - # Sonobuoy full test on latest k8s version - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" 
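Review bot: The only change to the `refStream:` line is the removed space after the first comma, `"ref/main/stream/nightly/?","ref/main/stream/debug/?"`, which looks accidental; restore `refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"]` so the list matches the formatting of the other matrix lists in this diff. Separately, deleting the five `emergency ssh` entries removes the weekly coverage of that recovery path on every attestation variant; if the feature still exists on this branch, note in the surrounding comment where it is exercised instead, and if it does not, the manual `e2e-test.yml` option removal later in this diff is the matching cleanup.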
@@ -116,55 +89,56 @@ jobs: - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-es" - kubernetes-version: "v1.30" + kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-snp" - kubernetes-version: "v1.30" + kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-sev-snp" - kubernetes-version: "v1.30" + kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-tdx" - kubernetes-version: "v1.30" + kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "aws-sev-snp" - kubernetes-version: "v1.30" + kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-es" - kubernetes-version: "v1.29" + kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-snp" - kubernetes-version: "v1.29" + kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-sev-snp" - kubernetes-version: "v1.29" + kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-tdx" - kubernetes-version: "v1.29" + kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "aws-sev-snp" - kubernetes-version: "v1.29" + kubernetes-version: "v1.28" clusterCreation: "cli" + # verify test on latest k8s version - test: "verify" refStream: "ref/main/stream/debug/?" 
@@ -316,27 +290,27 @@ jobs: - test: "verify" refStream: "ref/release/stream/stable/?" attestationVariant: "gcp-sev-es" - kubernetes-version: "v1.30" + kubernetes-version: "v1.29" clusterCreation: "cli" - test: "verify" refStream: "ref/release/stream/stable/?" attestationVariant: "gcp-sev-snp" - kubernetes-version: "v1.30" + kubernetes-version: "v1.29" clusterCreation: "cli" - test: "verify" refStream: "ref/release/stream/stable/?" attestationVariant: "azure-sev-snp" - kubernetes-version: "v1.30" + kubernetes-version: "v1.29" clusterCreation: "cli" - test: "verify" refStream: "ref/release/stream/stable/?" attestationVariant: "azure-tdx" - kubernetes-version: "v1.30" + kubernetes-version: "v1.29" clusterCreation: "cli" - test: "verify" refStream: "ref/release/stream/stable/?" attestationVariant: "aws-sev-snp" - kubernetes-version: "v1.30" + kubernetes-version: "v1.29" clusterCreation: "cli" runs-on: ubuntu-24.04 @@ -446,7 +420,7 @@ jobs: fail-fast: false max-parallel: 1 matrix: - fromVersion: ["v2.23.1"] + fromVersion: ["v2.19.3"] attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"] name: Run upgrade tests secrets: inherit @@ -479,7 +453,7 @@ jobs: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Azure login OIDC - uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0 with: client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index 46efa290d..6efdd03b5 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -16,7 +16,6 @@ on: - "azure-sev-snp" - "azure-tdx" - "aws-sev-snp" - - "stackit-qemu-vtpm" default: "azure-sev-snp" required: true runner: 
@@ -24,7 +23,7 @@ on: type: choice options: - "ubuntu-24.04" - - "macos-latest" + - "macos-12" default: "ubuntu-24.04" test: description: "The test to run. The conformance test is only supported for clusterCreation=cli." @@ -40,12 +39,11 @@ on: - "recover" - "malicious join" - "s3proxy" - - "emergency ssh" - "nop" required: true kubernetesVersion: description: "Kubernetes version to create the cluster from." - default: "1.30" + default: "1.29" required: true cliVersion: description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref." @@ -139,7 +137,6 @@ jobs: workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }} controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }} cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} - attestationVariant: ${{ steps.split-attestationVariant.outputs.attestationVariant }} steps: - name: Split nodeCount id: split-nodeCount @@ -164,12 +161,6 @@ jobs: attestationVariant="${{ inputs.attestationVariant }}" cloudProvider="${attestationVariant%%-*}" - # special case for STACKIT, as there's no special attestation variant for it - if [[ "${cloudProvider}" == "stackit" ]]; then - attestationVariant="qemu-vtpm" - fi - - echo "attestationVariant=${attestationVariant}" | tee -a "$GITHUB_OUTPUT" echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT" find-latest-image: @@ -233,7 +224,7 @@ jobs: - name: Set up gcloud CLI (macOS) if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp' && runner.os == 'macOS' - uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4 + uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2 - name: Run manual E2E test id: e2e_test 
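Review bot: The runner choice introduced at `- "macos-12"` in the `@@ -24,7 +23,7 @@` hunk names a hosted image that GitHub has, as far as I know, already retired, so a dispatch selecting it would queue indefinitely rather than run. If an Intel macOS runner is still needed, use a label GitHub currently hosts and note the reason next to it, e.g. `- "<SUPPORTED_MACOS_LABEL>" # Intel runner needed for <reason>`; otherwise keep `macos-latest`. The downstream `runner.os == 'macOS'` gcloud step in the `@@ -233,7 +224,7 @@` hunk relies on this option actually scheduling.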
@@ -242,7 +233,7 @@ jobs: workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }} controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }} cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }} - attestationVariant: ${{ needs.generate-input-parameters.outputs.attestationVariant }} + attestationVariant: ${{ inputs.attestationVariant }} machineType: ${{ inputs.machineType }} regionZone: ${{ inputs.regionZone }} gcpProject: constellation-e2e @@ -271,9 +262,6 @@ jobs: marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }} force: ${{ inputs.force }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }} - stackitUat: ${{ secrets.STACKIT_CI_UAT }} - stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }} - name: Always terminate cluster if: always() diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml index cd7c6bc1b..5e50ec87e 100644 --- a/.github/workflows/e2e-upgrade.yml +++ b/.github/workflows/e2e-upgrade.yml @@ -268,13 +268,13 @@ jobs: push: true - name: Upload CLI binary # is needed for the cleanup step - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: constellation-upgrade-${{ inputs.attestationVariant }} path: build/constellation - name: Login to AWS - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead aws-region: eu-central-1 
@@ -296,7 +296,7 @@ jobs: - name: Login to AWS (IAM role) if: needs.generate-input-parameters.outputs.cloudProvider == 'aws' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM aws-region: eu-central-1 @@ -347,7 +347,7 @@ jobs: - name: Login to AWS (Cluster role) if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster aws-region: eu-central-1 @@ -424,7 +424,7 @@ jobs: ref: ${{ inputs.gitRef }} - name: Download CLI - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation-upgrade-${{ inputs.attestationVariant }} path: build diff --git a/.github/workflows/e2e-windows.yml b/.github/workflows/e2e-windows.yml index ad4acb877..26ee8833b 100644 --- a/.github/workflows/e2e-windows.yml +++ b/.github/workflows/e2e-windows.yml @@ -45,14 +45,14 @@ jobs: push: true - name: Upload CLI artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: path: build/constellation.exe name: "constell-exe" e2e-test: name: E2E Test Windows - runs-on: windows-2025 + runs-on: windows-2022 needs: build-cli steps: - name: Checkout 
@@ -61,7 +61,7 @@ jobs: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Download CLI artifact - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: "constell-exe" diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml index 73fe2c3b1..1d46df5c9 100644 --- a/.github/workflows/on-release.yml +++ b/.github/workflows/on-release.yml @@ -142,7 +142,7 @@ jobs: - uses: ./.github/actions/setup_bazel_nix - name: Login to AWS - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 diff --git a/.github/workflows/purge-main.yml b/.github/workflows/purge-main.yml index 5a64705c4..b2d9403c9 100644 --- a/.github/workflows/purge-main.yml +++ b/.github/workflows/purge-main.yml @@ -23,7 +23,7 @@ jobs: ref: ${{ github.head_ref }} - name: Login to AWS - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead aws-region: eu-central-1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 08e09da18..2db0f9eee 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -118,7 +118,7 @@ jobs: sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml - name: Create docs pull request - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: branch: ${{ env.BRANCH }} base: main @@ -239,22 +239,6 @@ jobs: stream: "stable" ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} - check-measurements-reproducibility: - name: Check measurements reproducibility - needs: [verify-inputs, os-image] - runs-on: ubuntu-24.04 - steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} - - - name: Check reproducibility - uses: ./.github/actions/check_measurements_reproducibility - with: - version: ${{ inputs.version }} - ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} - update-hardcoded-measurements: name: Update hardcoded measurements (in the CLI) needs: [verify-inputs, os-image] @@ -271,9 +255,9 @@ jobs: ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} - name: Setup Go environment - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: - go-version: "1.24.3" + go-version: "1.23.2" cache: true - name: Build generateMeasurements tool diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml index 41aca0ac3..d0faa32b7 100644 --- a/.github/workflows/reproducible-builds.yml +++ b/.github/workflows/reproducible-builds.yml @@ -13,9 +13,6 @@ on: workflow_dispatch: schedule: - cron: "45 06 * * 1" # Every Monday at 6:45am - pull_request: - paths: - - .github/workflows/reproducible-builds.yml jobs: build-binaries: 
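Review bot: After the `check-measurements-reproducibility` job is removed in the `@@ -239,22 +239,6 @@` hunk, nothing visible in release.yml verifies that the `os-image` measurements reproduce before `update-hardcoded-measurements` bakes them into the CLI, which is the gate that lets a verifier trust the pinned values. If that check now runs elsewhere, a comment above `update-hardcoded-measurements:` pointing to it keeps the release gate auditable, e.g. `# Measurement reproducibility for this image is verified in <WORKFLOW_OR_JOB> before these values are hardcoded.`; if it does not run anywhere, the job should come back or the gap be documented in the workflow.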
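Review bot: `go-version: "1.23.2"` in the `@@ -271,9 +255,9 @@` hunk pins a patch release that later 1.23.x patches have superseded with security fixes, and the same line of toolchain pins is repeated in test-operator-codegen.yml (`@@ -26,9 +26,9 @@`), `MODULE.bazel` (`version = "1.23.2"`) and `3rdparty/gcp-guest-agent/Dockerfile` (`ARG GO_VER=1.22.3`, a different minor). Pinning all four to the latest patch of one chosen line, or deriving them from a single source, avoids the release tooling, the Bazel build and the guest-agent image being compiled with different runtimes. The Dockerfile's `wget` of the Go tarball also verifies no checksum; `echo "<GO_TARBALL_SHA256>  go${GO_VER}.linux-amd64.tar.gz" | sha256sum -c -` before the `tar` would close that gap.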
@@ -51,16 +48,15 @@ jobs: - name: Setup dependencies (eccentric) if: matrix.deps == 'eccentric' run: | - bazelVersion=$(cat .bazelversion) + version=$(cat .bazelversion) mkdir -p "$HOME/.local/bin" - curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$bazelVersion/bazel-$bazelVersion-linux-x86_64" + curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$version/bazel-$version-linux-x86_64" chmod a+x "$HOME/.local/bin/bazel" echo "$HOME/.local/bin" >> "$GITHUB_PATH" - curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v3.4.2/nix-installer-x86_64-linux # renovate:github-release - nixVersion=$(cat .nixversion) + curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v0.26.3/nix-installer-x86_64-linux # renovate:github-release chmod a+x "$HOME/.local/bin/nix-installer" - "$HOME/.local/bin/nix-installer" install --no-confirm --nix-package-url "https://releases.nixos.org/nix/nix-$nixVersion/nix-$nixVersion-x86_64-linux.tar.xz" + "$HOME/.local/bin/nix-installer" install --no-confirm - name: Build shell: bash @@ -81,13 +77,13 @@ jobs: run: shasum -a 256 "${binary}" | tee "${binary}.sha256" - name: Upload binary artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}" path: "${{ env.binary }}" - name: Upload hash artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}" path: "${{ env.binary }}.sha256" 
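Review bot: In the eccentric dependency setup of the `@@ -51,16 +48,15 @@` hunk both `curl -fsSL -o "$HOME/.local/bin/bazel" ...` and the nix-installer download are made executable and run without any integrity check, so the "reproducible" build trusts whatever the two release URLs serve at run time. A pinned digest per download, e.g. `echo "<BAZEL_SHA256>  $HOME/.local/bin/bazel" | sha256sum -c -` (and likewise for nix-installer), makes the toolchain inputs part of what is being reproduced. The new side also drops `--nix-package-url` and the read of `.nixversion` (deleted in this diff), so the Nix version is now whatever nix-installer v0.26.3 bundles by default; if that is intended, say so above the install line, e.g. `# Nix version is the default bundled by nix-installer v0.26.3`.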
@@ -146,13 +142,13 @@ jobs: run: shasum -a 256 "${binary}" | tee "${binary}.sha256" - name: Upload binary artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "osimages-${{ matrix.target }}-${{ matrix.runner }}" path: "${{ env.binary }}" - name: Upload hash artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}" path: "${{ env.binary }}.sha256" @@ -175,7 +171,7 @@ jobs: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Download binaries - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: pattern: "binaries-${{ matrix.target }}-*" merge-multiple: true @@ -209,7 +205,7 @@ jobs: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Download os images - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: pattern: "osimages-${{ matrix.target }}-*" merge-multiple: true diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ccde82ebc..f5c996507 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -23,20 +23,20 @@ jobs: persist-credentials: false - name: Run analysis - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif publish_results: true - name: Upload artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: SARIF file path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: sarif_file: results.sarif diff --git a/.github/workflows/sync-terraform-docs.yml b/.github/workflows/sync-terraform-docs.yml index 9bc2aac07..6b9be623d 100644 --- a/.github/workflows/sync-terraform-docs.yml +++ b/.github/workflows/sync-terraform-docs.yml @@ -40,7 +40,7 @@ jobs: - name: Create pull request id: create-pull-request - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: path: terraform-provider-constellation branch: "feat/docs/update" diff --git a/.github/workflows/test-operator-codegen.yml b/.github/workflows/test-operator-codegen.yml index b2f92ba7f..06a7129d9 100644 --- a/.github/workflows/test-operator-codegen.yml +++ b/.github/workflows/test-operator-codegen.yml @@ -26,9 +26,9 @@ jobs: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Setup Go environment - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: - go-version: "1.24.3" + go-version: "1.23.2" cache: true - name: Run code generation 
diff --git a/.github/workflows/test-tidy.yml b/.github/workflows/test-tidy.yml index 25f06e174..99585ddaf 100644 --- a/.github/workflows/test-tidy.yml +++ b/.github/workflows/test-tidy.yml @@ -37,7 +37,7 @@ jobs: - name: Assume AWS role to upload Bazel dependencies to S3 if: startsWith(github.head_ref, 'renovate/') - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite aws-region: eu-central-1 diff --git a/.github/workflows/test-unittest.yml b/.github/workflows/test-unittest.yml index 7b64254dd..b676e7dca 100644 --- a/.github/workflows/test-unittest.yml +++ b/.github/workflows/test-unittest.yml @@ -49,7 +49,7 @@ jobs: rm -rf awscliv2.zip aws - name: Login to AWS (IAM role) - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionGocoverage aws-region: eu-central-1 @@ -69,7 +69,7 @@ jobs: - name: Comment coverage if: steps.coverage.outputs.uploadable == 'true' && github.event_name == 'pull_request' - uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2 + uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0 with: header: coverage path: coverage_diff.md diff --git a/.github/workflows/update-rpms.yml b/.github/workflows/update-rpms.yml index c7146607e..bd30519ef 100644 --- a/.github/workflows/update-rpms.yml +++ b/.github/workflows/update-rpms.yml 
@@ -18,7 +18,7 @@ jobs: token: ${{ secrets.CI_COMMIT_PUSH_PR }} - name: Assume AWS role to upload Bazel dependencies to S3 - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite aws-region: eu-central-1 @@ -39,7 +39,7 @@ jobs: fi - name: Create pull request - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: branch: "image/automated/update-rpms-${{ github.run_number }}" base: main diff --git a/.github/workflows/versionsapi.yml b/.github/workflows/versionsapi.yml index 27acd9287..c4e62d412 100644 --- a/.github/workflows/versionsapi.yml +++ b/.github/workflows/versionsapi.yml 
@@ -149,21 +149,21 @@ jobs: - name: Login to AWS without write access if: steps.check-rights.outputs.write == 'false' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead aws-region: eu-central-1 - name: Login to AWS with write access if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'false' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIWrite aws-region: eu-central-1 - name: Login to AWS with write and image remove access if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'true' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRemove aws-region: eu-central-1 diff --git a/.golangci.yml b/.golangci.yml index 2e5cd2d5c..9a03b837e 100644 --- a/.golangci.yml +++ b/.golangci.yml 
@@ -1,65 +1,53 @@ -version: "2" run: + timeout: 10m build-tags: - integration - e2e modules-download-mode: readonly + output: formats: - tab: + - format: tab path: stdout - colors: false + sort-results: true + linters: enable: + # Default linters + - errcheck + - gosimple + - govet + - ineffassign + - staticcheck + - typecheck + - unused + # Additional linters - bodyclose - - copyloopvar - errname + - copyloopvar - godot + - gofmt + - gofumpt - misspell - noctx - revive + - tenv - unconvert - unparam - - usetesting - settings: - errcheck: - exclude-functions: - - (*go.uber.org/zap.Logger).Sync - - (*google.golang.org/grpc.Server).Serve - exclusions: - generated: lax - presets: - - common-false-positives - - legacy - - std-error-handling - paths: - - 3rdparty/node-maintenance-operator - rules: - # TODO(burgerdev): these exclusions have been added to ease migration to v2 and should eventually be addressed. - - linters: ["staticcheck"] - text: "QF1008: could remove embedded field" - - linters: ["staticcheck"] - text: "QF1001: could apply De Morgan's law" - - linters: ["staticcheck"] - text: "ST1005: error strings should not be capitalized" - - linters: ["revive"] - text: "package-comments: package comment should be of the form" - - linters: ["revive"] - text: "package-comments: should have a package comment" - - linters: ["staticcheck"] - text: "QF1012: Use fmt.Fprintf" - - linters: ["staticcheck"] - text: "ST1019" - issues: max-issues-per-linter: 0 max-same-issues: 20 -formatters: - enable: - - gofmt - - gofumpt - exclusions: - generated: lax - paths: - - 3rdparty/node-maintenance-operator + exclude-dirs: + - 3rdparty/node-maintenance-operator + include: + - EXC0012 + - EXC0014 + +linters-settings: + errcheck: + # List of functions to exclude from checking, where each entry is a single function to exclude. + # See https://github.com/kisielk/errcheck#excluding-functions for details. 
+ exclude-functions: + - (*go.uber.org/zap.Logger).Sync + - (*google.golang.org/grpc.Server).Serve diff --git a/.nixversion b/.nixversion deleted file mode 100644 index 40a8d7f12..000000000 --- a/.nixversion +++ /dev/null @@ -1 +0,0 @@ -2.25.2 diff --git a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel deleted file mode 100644 index 9aa7e3f64..000000000 --- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel +++ /dev/null @@ -1,13 +0,0 @@ -load("//bazel/sh:def.bzl", "sh_template") - -sh_template( - name = "pull_files", - data = [ - "@com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy", - ], - substitutions = { - "@@POLICY_SRC@@": "$(rootpath @com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy)", - }, - template = "pull_files.sh", - visibility = ["//visibility:public"], -) diff --git a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh deleted file mode 100644 index 10a224890..000000000 --- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/usr/bin/env bash - -###### script header ###### - -lib=$(realpath @@BASE_LIB@@) || exit 1 -stat "${lib}" >> /dev/null || exit 1 - -# shellcheck source=../../../bazel/sh/lib.bash -if ! source "${lib}"; then - echo "Error: could not find import" - exit 1 -fi - -controller_policy_source="@@POLICY_SRC@@" - -###### script body ###### - -controller_policy_real_source=$(realpath "${controller_policy_source}") - -cd "${BUILD_WORKSPACE_DIRECTORY}" # needs to be done after realpath - -targetDir="terraform/infrastructure/iam/aws/alb_policy.json" - -cp "${controller_policy_real_source}" "${targetDir}" 
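Review bot: The `- tenv` entry added under `linters.enable` in the `@@ -1,65 +1,53 @@` hunk is, as far as I know, deprecated since golangci-lint v1.64 in favour of `usetesting` (the linter the old config enabled), so on a recent v1 binary it will warn and on v2 the whole file fails to parse. Since the file is now in the v1 schema, state the golangci-lint version it targets in a comment at the top, e.g. `# Configuration for golangci-lint v1.<X> (v1 schema)`, so CI and local runs agree on the binary.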
diff --git a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl deleted file mode 100644 index e2c1e8034..000000000 --- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl +++ /dev/null @@ -1,22 +0,0 @@ -"""A module defining the source of the AWS load balancer controller.""" - -load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") - -def aws_load_balancer_controller_deps(): - http_archive( - name = "com_github_kubernetes_sigs_aws_load_balancer_controller", - urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1", - "https://github.com/kubernetes-sigs/aws-load-balancer-controller/archive/refs/tags/v2.12.0.tar.gz", - ], - strip_prefix = "aws-load-balancer-controller-2.12.0", - build_file_content = """ -filegroup( - srcs = ["docs/install/iam_policy.json"], - name = "lb_policy", - visibility = ["//visibility:public"], -) - """, - type = "tar.gz", - sha256 = "422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1", - ) diff --git a/3rdparty/gcp-guest-agent/Dockerfile b/3rdparty/gcp-guest-agent/Dockerfile index 0053c34a8..0276f8259 100644 --- a/3rdparty/gcp-guest-agent/Dockerfile +++ b/3rdparty/gcp-guest-agent/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:24.04@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233 as build +FROM ubuntu:22.04@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97 as build # Install packages RUN apt-get update && apt-get install -y \ @@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -y \ git # Install Go -ARG GO_VER=1.24.2 +ARG GO_VER=1.22.3 RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \ tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \ rm go${GO_VER}.linux-amd64.tar.gz 
diff --git a/CODEOWNERS b/CODEOWNERS index 9b9c14fcf..fd7e2d8a0 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,36 +1,38 @@ # keep-sorted start -.golangci.yml @daniel-weisse -/3rdparty/gcp-guest-agent @msanft +.golangci.yml @katexochen +/3rdparty/gcp-guest-agent @3u13r /bazel @burgerdev -/bootstrapper @msanft +/bazel/ci @katexochen +/bazel/sh @katexochen +/bootstrapper @3u13r /cli/internal/cloudcmd @daniel-weisse -/cli/internal/cmd/upgrade* @daniel-weisse +/cli/internal/cmd/upgrade* @derpsteb /cli/internal/libvirt @daniel-weisse /cli/internal/terraform @elchead /csi @daniel-weisse /debugd @daniel-weisse /disk-mapper @daniel-weisse /docs @thomasten -/e2e @msanft -/hack/azure-snp-report-verify @msanft +/e2e @3u13r +/hack/azure-snp-report-verify @derpsteb /hack/bazel-deps-mirror @burgerdev -/hack/cli-k8s-compatibility @burgerdev +/hack/cli-k8s-compatibility @derpsteb /hack/clidocgen @thomasten -/hack/fetch-broken-e2e @msanft -/hack/gocoverage @msanft +/hack/fetch-broken-e2e @katexochen +/hack/gocoverage @katexochen /hack/oci-pin @burgerdev /hack/qemu-metadata-api @daniel-weisse -/hack/remove-tf-providers @msanft -/hack/terraform @msanft -/hack/tools @msanft +/hack/remove-tf-providers @katexochen +/hack/terraform @3u13r +/hack/tools @katexochen /hack/versioninfogen @daniel-weisse /image @msanft -/internal/api @daniel-weisse +/internal/api @derpsteb /internal/atls @thomasten /internal/attestation @daniel-weisse -/internal/cloud @msanft -/internal/compatibility @daniel-weisse -/internal/config @msanft +/internal/cloud @3u13r +/internal/compatibility @derpsteb +/internal/config @derpsteb /internal/constellation/featureset @thomasten /internal/constellation/helm @burgerdev /internal/constellation/kubecmd @daniel-weisse 
@@ -41,24 +43,24 @@ /internal/file @daniel-weisse /internal/grpc @thomasten /internal/imagefetcher @msanft -/internal/installer @msanft +/internal/installer @3u13r /internal/kms @daniel-weisse -/internal/kubernetes @msanft +/internal/kubernetes @3u13r /internal/license @thomasten /internal/logger @daniel-weisse /internal/nodestate @daniel-weisse /internal/osimage @msanft -/internal/retry @msanft -/internal/semver @daniel-weisse +/internal/retry @katexochen +/internal/semver @derpsteb /internal/sigstore @elchead /internal/staticupload @msanft -/internal/versions @msanft +/internal/versions @3u13r /joinservice @daniel-weisse /keyservice @daniel-weisse /measurement-reader @daniel-weisse -/operators @msanft +/operators @3u13r /terraform-provider-constellation @msanft @elchead /tools @burgerdev -/upgrade-agent @msanft +/upgrade-agent @3u13r /verify @daniel-weisse # keep-sorted end diff --git a/MODULE.bazel b/MODULE.bazel index 13876ce45..111a0f6ad 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -1,6 +1,6 @@ module(name = "constellation") -bazel_dep(name = "aspect_bazel_lib", version = "2.16.0") +bazel_dep(name = "aspect_bazel_lib", version = "2.9.4") bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains") bazel_lib.yq() 
@@ -8,22 +8,21 @@ use_repo(bazel_lib, "jq_toolchains") use_repo(bazel_lib, "yq_toolchains") bazel_dep(name = "bazel_skylib", version = "1.7.1") -bazel_dep(name = "gazelle", version = "0.43.0") -bazel_dep(name = "hermetic_cc_toolchain", version = "3.2.0") -bazel_dep(name = "rules_cc", version = "0.1.1") -bazel_dep(name = "rules_go", version = "0.54.0", repo_name = "io_bazel_rules_go") -bazel_dep(name = "rules_pkg", version = "1.1.0") -bazel_dep(name = "rules_proto", version = "7.1.0") -bazel_dep(name = "rules_python", version = "1.4.1") -bazel_dep(name = "rules_shell", version = "0.4.1") +bazel_dep(name = "gazelle", version = "0.39.1") +bazel_dep(name = "hermetic_cc_toolchain", version = "3.1.1") +bazel_dep(name = "rules_cc", version = "0.1.0") +bazel_dep(name = "rules_go", version = "0.50.1", repo_name = "io_bazel_rules_go") +bazel_dep(name = "rules_pkg", version = "0.10.1") +bazel_dep(name = "rules_proto", version = "6.0.2") +bazel_dep(name = "rules_python", version = "0.40.0") -bazel_dep(name = "buildifier_prebuilt", version = "8.0.3", dev_dependency = True) +bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True) go_sdk = use_extension("@io_bazel_rules_go//go:extensions.bzl", "go_sdk") go_sdk.download( name = "go_sdk", patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"], - version = "1.24.2", + version = "1.23.2", ) python = use_extension("@rules_python//python/extensions:python.bzl", "python") diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock index 18b6cd2c4..4782a3045 100644 --- a/MODULE.bazel.lock +++ b/MODULE.bazel.lock @@ -1,5 +1,5 @@ { - "lockFileVersion": 13, + "lockFileVersion": 11, "registryFileHashes": { "https://bcr.bazel.build/bazel_registry.json": "8a28e4aff06ee60aed2a8c281907fb8bcbf3b753c91fb5a5c57da3215d5b3497", "https://bcr.bazel.build/modules/abseil-cpp/20210324.2/MODULE.bazel": "7cd0312e064fde87c8d1cd79ba06c876bd23630c83466e9500321be55c96ace2", 
@@ -12,8 +12,8 @@
 "https://bcr.bazel.build/modules/abseil-cpp/20240116.1/source.json": "9be551b8d4e3ef76875c0d744b5d6a504a27e3ae67bc6b28f46415fd2d2957da",
 "https://bcr.bazel.build/modules/apple_support/1.5.0/MODULE.bazel": "50341a62efbc483e8a2a6aec30994a58749bd7b885e18dd96aa8c33031e558ef",
 "https://bcr.bazel.build/modules/apple_support/1.5.0/source.json": "eb98a7627c0bc486b57f598ad8da50f6625d974c8f723e9ea71bd39f709c9862",
- "https://bcr.bazel.build/modules/aspect_bazel_lib/2.16.0/MODULE.bazel": "852f9ebbda017572a7c113a2434592dd3b2f55cd9a0faea3d4be5a09a59e4900",
- "https://bcr.bazel.build/modules/aspect_bazel_lib/2.16.0/source.json": "87ffed720a2ba7cfe209d9ccc1be59e21ec3d434124ec126ab90e5913e9cb13b",
+ "https://bcr.bazel.build/modules/aspect_bazel_lib/2.9.4/MODULE.bazel": "ccc41028429f894b02fde7ef67d416cba3ba5084ed9ddb9bb6107aa82d118776",
+ "https://bcr.bazel.build/modules/aspect_bazel_lib/2.9.4/source.json": "9e20ebe57de2e7657a188af6e132a9562fa26c201b2d999bc0a8981e8f3b6c36",
 "https://bcr.bazel.build/modules/bazel_features/1.1.0/MODULE.bazel": "cfd42ff3b815a5f39554d97182657f8c4b9719568eb7fded2b9135f084bf760b",
 "https://bcr.bazel.build/modules/bazel_features/1.1.1/MODULE.bazel": "27b8c79ef57efe08efccbd9dd6ef70d61b4798320b8d3c134fd571f78963dbcd",
 "https://bcr.bazel.build/modules/bazel_features/1.11.0/MODULE.bazel": "f9382337dd5a474c3b7d334c2f83e50b6eaedc284253334cf823044a26de03e8",
@@ -21,11 +21,8 @@ "https://bcr.bazel.build/modules/bazel_features/1.17.0/MODULE.bazel": "039de32d21b816b47bd42c778e0454217e9c9caac4a3cf8e15c7231ee3ddee4d", "https://bcr.bazel.build/modules/bazel_features/1.18.0/MODULE.bazel": "1be0ae2557ab3a72a57aeb31b29be347bcdc5d2b1eb1e70f39e3851a7e97041a", "https://bcr.bazel.build/modules/bazel_features/1.19.0/MODULE.bazel": "59adcdf28230d220f0067b1f435b8537dd033bfff8db21335ef9217919c7fb58", - "https://bcr.bazel.build/modules/bazel_features/1.20.0/MODULE.bazel": "8b85300b9c8594752e0721a37210e34879d23adc219ed9dc8f4104a4a1750920", - "https://bcr.bazel.build/modules/bazel_features/1.21.0/MODULE.bazel": "675642261665d8eea09989aa3b8afb5c37627f1be178382c320d1b46afba5e3b", - "https://bcr.bazel.build/modules/bazel_features/1.21.0/source.json": "3e8379efaaef53ce35b7b8ba419df829315a880cb0a030e5bb45c96d6d5ecb5f", + "https://bcr.bazel.build/modules/bazel_features/1.19.0/source.json": "d7bf14517c1b25b9d9c580b0f8795fceeae08a7590f507b76aace528e941375d", "https://bcr.bazel.build/modules/bazel_features/1.4.1/MODULE.bazel": "e45b6bb2350aff3e442ae1111c555e27eac1d915e77775f6fdc4b351b758b5d7", - "https://bcr.bazel.build/modules/bazel_features/1.9.0/MODULE.bazel": "885151d58d90d8d9c811eb75e3288c11f850e1d6b481a8c9f766adee4712358b", "https://bcr.bazel.build/modules/bazel_features/1.9.1/MODULE.bazel": "8f679097876a9b609ad1f60249c49d68bfab783dd9be012faf9d82547b14815a", "https://bcr.bazel.build/modules/bazel_skylib/1.0.3/MODULE.bazel": "bcb0fd896384802d1ad283b4e4eb4d718eebd8cb820b0a2c3a347fb971afd9d8", "https://bcr.bazel.build/modules/bazel_skylib/1.1.1/MODULE.bazel": "1add3e7d93ff2e6998f9e118022c84d163917d912f5afafb3058e3d2f1545b5e", 
@@ -39,29 +36,28 @@ "https://bcr.bazel.build/modules/bazel_skylib/1.7.0/MODULE.bazel": "0db596f4563de7938de764cc8deeabec291f55e8ec15299718b93c4423e9796d", "https://bcr.bazel.build/modules/bazel_skylib/1.7.1/MODULE.bazel": "3120d80c5861aa616222ec015332e5f8d3171e062e3e804a2a0253e1be26e59b", "https://bcr.bazel.build/modules/bazel_skylib/1.7.1/source.json": "f121b43eeefc7c29efbd51b83d08631e2347297c95aac9764a701f2a6a2bb953", - "https://bcr.bazel.build/modules/buildifier_prebuilt/8.0.3/MODULE.bazel": "4791b031727d1183c183a0b8fd5fc0fe8d8834c45f9a22efd26be6c962b9cfee", - "https://bcr.bazel.build/modules/buildifier_prebuilt/8.0.3/source.json": "68ee16210562f325ff961aabeb4d46ed10e6638b5e842cd48d8d83dea220dfbd", + "https://bcr.bazel.build/modules/buildifier_prebuilt/6.4.0/MODULE.bazel": "37389c6b5a40c59410b4226d3bb54b08637f393d66e2fa57925c6fcf68e64bf4", + "https://bcr.bazel.build/modules/buildifier_prebuilt/6.4.0/source.json": "83eb01b197ed0b392f797860c9da5ed1bf95f4d0ded994d694a3d44731275916", "https://bcr.bazel.build/modules/buildozer/7.1.2/MODULE.bazel": "2e8dd40ede9c454042645fd8d8d0cd1527966aa5c919de86661e62953cd73d84", "https://bcr.bazel.build/modules/buildozer/7.1.2/source.json": "c9028a501d2db85793a6996205c8de120944f50a0d570438fcae0457a5f9d1f8", "https://bcr.bazel.build/modules/gazelle/0.32.0/MODULE.bazel": "b499f58a5d0d3537f3cf5b76d8ada18242f64ec474d8391247438bf04f58c7b8", "https://bcr.bazel.build/modules/gazelle/0.33.0/MODULE.bazel": "a13a0f279b462b784fb8dd52a4074526c4a2afe70e114c7d09066097a46b3350", "https://bcr.bazel.build/modules/gazelle/0.34.0/MODULE.bazel": "abdd8ce4d70978933209db92e436deb3a8b737859e9354fb5fd11fb5c2004c8a", "https://bcr.bazel.build/modules/gazelle/0.36.0/MODULE.bazel": "e375d5d6e9a6ca59b0cb38b0540bc9a05b6aa926d322f2de268ad267a2ee74c0", - "https://bcr.bazel.build/modules/gazelle/0.43.0/MODULE.bazel": "846e1fe396eefc0f9ddad2b33e9bd364dd993fc2f42a88e31590fe0b0eefa3f0", - "https://bcr.bazel.build/modules/gazelle/0.43.0/source.json": 
"021a77f6625906d9d176e2fa351175e842622a5d45989312f2ad4924aab72df6", + "https://bcr.bazel.build/modules/gazelle/0.39.1/MODULE.bazel": "1fa3fefad240e535066fd0e6950dfccd627d36dc699ee0034645e51dbde3980f", + "https://bcr.bazel.build/modules/gazelle/0.39.1/source.json": "f2facfa8c8c9a4d2ebf613754023054c2eb793b88675082216c6be0419eb20a1", "https://bcr.bazel.build/modules/google_benchmark/1.8.2/MODULE.bazel": "a70cf1bba851000ba93b58ae2f6d76490a9feb74192e57ab8e8ff13c34ec50cb", "https://bcr.bazel.build/modules/googletest/1.11.0/MODULE.bazel": "3a83f095183f66345ca86aa13c58b59f9f94a2f81999c093d4eeaa2d262d12f4", "https://bcr.bazel.build/modules/googletest/1.14.0.bcr.1/MODULE.bazel": "22c31a561553727960057361aa33bf20fb2e98584bc4fec007906e27053f80c6", "https://bcr.bazel.build/modules/googletest/1.14.0.bcr.1/source.json": "41e9e129f80d8c8bf103a7acc337b76e54fad1214ac0a7084bf24f4cd924b8b4", "https://bcr.bazel.build/modules/googletest/1.14.0/MODULE.bazel": "cfbcbf3e6eac06ef9d85900f64424708cc08687d1b527f0ef65aa7517af8118f", - "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.2.0/MODULE.bazel": "8e7faec81c1f0fb65fe277ecfc75ea3636ce7bf848f88037fedd58e6eeacc28f", - "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.2.0/source.json": "67c2b76edff27c3ec449a935fc9468996d1a730b52a9a6f97c40c8a06d381630", + "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.1.1/MODULE.bazel": "164331a6e73093376a19eaa1eae45a94aad3245e9e79d8f31237f4a8eb6c1c41", + "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.1.1/source.json": "a2f67694b91ae575e2715fa2c5745c8c9879e7132852ef45c05b4e25a0d3b423", "https://bcr.bazel.build/modules/jsoncpp/1.9.5/MODULE.bazel": "31271aedc59e815656f5736f282bb7509a97c7ecb43e927ac1a37966e0578075", "https://bcr.bazel.build/modules/jsoncpp/1.9.5/source.json": "4108ee5085dd2885a341c7fab149429db457b3169b86eb081fa245eadf69169d", "https://bcr.bazel.build/modules/libpfm/4.11.0/MODULE.bazel": "45061ff025b301940f1e30d2c16bea596c25b176c8b6b3087e92615adbd52902", 
"https://bcr.bazel.build/modules/platforms/0.0.10/MODULE.bazel": "8cb8efaf200bdeb2150d93e162c40f388529a25852b332cec879373771e48ed5", - "https://bcr.bazel.build/modules/platforms/0.0.11/MODULE.bazel": "0daefc49732e227caa8bfa834d65dc52e8cc18a2faf80df25e8caea151a9413f", - "https://bcr.bazel.build/modules/platforms/0.0.11/source.json": "f7e188b79ebedebfe75e9e1d098b8845226c7992b307e28e1496f23112e8fc29", + "https://bcr.bazel.build/modules/platforms/0.0.10/source.json": "f22828ff4cf021a6b577f1bf6341cb9dcd7965092a439f64fc1bb3b7a5ae4bd5", "https://bcr.bazel.build/modules/platforms/0.0.4/MODULE.bazel": "9b328e31ee156f53f3c416a64f8491f7eb731742655a47c9eec4703a71644aee", "https://bcr.bazel.build/modules/platforms/0.0.5/MODULE.bazel": "5733b54ea419d5eaf7997054bb55f6a1d0b5ff8aedf0176fef9eea44f3acda37", "https://bcr.bazel.build/modules/platforms/0.0.6/MODULE.bazel": "ad6eeef431dc52aefd2d77ed20a4b353f8ebf0f4ecdd26a807d2da5aa8cd0615", 
@@ -72,9 +68,7 @@ "https://bcr.bazel.build/modules/protobuf/27.0/MODULE.bazel": "7873b60be88844a0a1d8f80b9d5d20cfbd8495a689b8763e76c6372998d3f64c", "https://bcr.bazel.build/modules/protobuf/27.1/MODULE.bazel": "703a7b614728bb06647f965264967a8ef1c39e09e8f167b3ca0bb1fd80449c0d", "https://bcr.bazel.build/modules/protobuf/29.0-rc2/MODULE.bazel": "6241d35983510143049943fc0d57937937122baf1b287862f9dc8590fc4c37df", - "https://bcr.bazel.build/modules/protobuf/29.0-rc3/MODULE.bazel": "33c2dfa286578573afc55a7acaea3cada4122b9631007c594bf0729f41c8de92", - "https://bcr.bazel.build/modules/protobuf/29.1/MODULE.bazel": "557c3457560ff49e122ed76c0bc3397a64af9574691cb8201b4e46d4ab2ecb95", - "https://bcr.bazel.build/modules/protobuf/29.1/source.json": "04cca85dce26b895ed037d98336d860367fe09919208f2ad383f0df1aff63199", + "https://bcr.bazel.build/modules/protobuf/29.0-rc2/source.json": "52101bfd37e38f0d159dee47b71ccbd1f22f7a32192cef5ef2533bb6212f410f", "https://bcr.bazel.build/modules/protobuf/3.19.0/MODULE.bazel": "6b5fbb433f760a99a22b18b6850ed5784ef0e9928a72668b66e4d7ccd47db9b0", "https://bcr.bazel.build/modules/protobuf/3.19.2/MODULE.bazel": "532ffe5f2186b69fdde039efe6df13ba726ff338c6bc82275ad433013fa10573", "https://bcr.bazel.build/modules/protobuf/3.19.6/MODULE.bazel": "9233edc5e1f2ee276a60de3eaa47ac4132302ef9643238f23128fea53ea12858", 
@@ -87,14 +81,14 @@ "https://bcr.bazel.build/modules/rules_cc/0.0.1/MODULE.bazel": "cb2aa0747f84c6c3a78dad4e2049c154f08ab9d166b1273835a8174940365647", "https://bcr.bazel.build/modules/rules_cc/0.0.10/MODULE.bazel": "ec1705118f7eaedd6e118508d3d26deba2a4e76476ada7e0e3965211be012002", "https://bcr.bazel.build/modules/rules_cc/0.0.13/MODULE.bazel": "0e8529ed7b323dad0775ff924d2ae5af7640b23553dfcd4d34344c7e7a867191", + "https://bcr.bazel.build/modules/rules_cc/0.0.14/MODULE.bazel": "5e343a3aac88b8d7af3b1b6d2093b55c347b8eefc2e7d1442f7a02dc8fea48ac", "https://bcr.bazel.build/modules/rules_cc/0.0.15/MODULE.bazel": "6704c35f7b4a72502ee81f61bf88706b54f06b3cbe5558ac17e2e14666cd5dcc", - "https://bcr.bazel.build/modules/rules_cc/0.0.16/MODULE.bazel": "7661303b8fc1b4d7f532e54e9d6565771fea666fbdf839e0a86affcd02defe87", "https://bcr.bazel.build/modules/rules_cc/0.0.2/MODULE.bazel": "6915987c90970493ab97393024c156ea8fb9f3bea953b2f3ec05c34f19b5695c", "https://bcr.bazel.build/modules/rules_cc/0.0.6/MODULE.bazel": "abf360251023dfe3efcef65ab9d56beefa8394d4176dd29529750e1c57eaa33f", "https://bcr.bazel.build/modules/rules_cc/0.0.8/MODULE.bazel": "964c85c82cfeb6f3855e6a07054fdb159aced38e99a5eecf7bce9d53990afa3e", "https://bcr.bazel.build/modules/rules_cc/0.0.9/MODULE.bazel": "836e76439f354b89afe6a911a7adf59a6b2518fafb174483ad78a2a2fde7b1c5", - "https://bcr.bazel.build/modules/rules_cc/0.1.1/MODULE.bazel": "2f0222a6f229f0bf44cd711dc13c858dad98c62d52bd51d8fc3a764a83125513", - "https://bcr.bazel.build/modules/rules_cc/0.1.1/source.json": "d61627377bd7dd1da4652063e368d9366fc9a73920bfa396798ad92172cf645c", + "https://bcr.bazel.build/modules/rules_cc/0.1.0/MODULE.bazel": "2fef03775b9ba995ec543868840041cc69e8bc705eb0cb6604a36eee18c87d8b", + "https://bcr.bazel.build/modules/rules_cc/0.1.0/source.json": "8a4e832d75e073ab56c74dd77008cf7a81e107dec4544019eb1eefc1320d55be", "https://bcr.bazel.build/modules/rules_foreign_cc/0.9.0/MODULE.bazel": 
"c9e8c682bf75b0e7c704166d79b599f93b72cfca5ad7477df596947891feeef6", "https://bcr.bazel.build/modules/rules_fuzzing/0.5.2/MODULE.bazel": "40c97d1144356f52905566c55811f13b299453a14ac7769dfba2ac38192337a8", "https://bcr.bazel.build/modules/rules_fuzzing/0.5.2/source.json": "c8b1e2c717646f1702290959a3302a178fb639d987ab61d548105019f11e527e", 
@@ -102,62 +96,64 @@ "https://bcr.bazel.build/modules/rules_go/0.42.0/MODULE.bazel": "8cfa875b9aa8c6fce2b2e5925e73c1388173ea3c32a0db4d2b4804b453c14270", "https://bcr.bazel.build/modules/rules_go/0.46.0/MODULE.bazel": "3477df8bdcc49e698b9d25f734c4f3a9f5931ff34ee48a2c662be168f5f2d3fd", "https://bcr.bazel.build/modules/rules_go/0.50.1/MODULE.bazel": "b91a308dc5782bb0a8021ad4330c81fea5bda77f96b9e4c117b9b9c8f6665ee0", - "https://bcr.bazel.build/modules/rules_go/0.54.0/MODULE.bazel": "ebec39ed510d0d4122b60764623dda92ca7f175479b511bf7cd5de7f38e86747", - "https://bcr.bazel.build/modules/rules_go/0.54.0/source.json": "6eb9b4f4fc27ab5be79d84dcfcf971beea6caa91a1b02088a9ee314c88915cf3", + "https://bcr.bazel.build/modules/rules_go/0.50.1/source.json": "205765fd30216c70321f84c9a967267684bdc74350af3f3c46c857d9f80a4fa2", "https://bcr.bazel.build/modules/rules_java/4.0.0/MODULE.bazel": "5a78a7ae82cd1a33cef56dc578c7d2a46ed0dca12643ee45edbb8417899e6f74", "https://bcr.bazel.build/modules/rules_java/5.3.5/MODULE.bazel": "a4ec4f2db570171e3e5eb753276ee4b389bae16b96207e9d3230895c99644b86", + "https://bcr.bazel.build/modules/rules_java/6.0.0/MODULE.bazel": "8a43b7df601a7ec1af61d79345c17b31ea1fedc6711fd4abfd013ea612978e39", "https://bcr.bazel.build/modules/rules_java/6.3.0/MODULE.bazel": "a97c7678c19f236a956ad260d59c86e10a463badb7eb2eda787490f4c969b963", + "https://bcr.bazel.build/modules/rules_java/6.4.0/MODULE.bazel": "e986a9fe25aeaa84ac17ca093ef13a4637f6107375f64667a15999f77db6c8f6", "https://bcr.bazel.build/modules/rules_java/6.5.2/MODULE.bazel": "1d440d262d0e08453fa0c4d8f699ba81609ed0e9a9a0f02cd10b3e7942e61e31", "https://bcr.bazel.build/modules/rules_java/7.10.0/MODULE.bazel": "530c3beb3067e870561739f1144329a21c851ff771cd752a49e06e3dc9c2e71a", "https://bcr.bazel.build/modules/rules_java/7.12.2/MODULE.bazel": "579c505165ee757a4280ef83cda0150eea193eed3bef50b1004ba88b99da6de6", + "https://bcr.bazel.build/modules/rules_java/7.12.2/source.json": 
"b0890f9cda8ff1b8e691a3ac6037b5c14b7fd4134765a3946b89f31ea02e5884", "https://bcr.bazel.build/modules/rules_java/7.2.0/MODULE.bazel": "06c0334c9be61e6cef2c8c84a7800cef502063269a5af25ceb100b192453d4ab", + "https://bcr.bazel.build/modules/rules_java/7.3.2/MODULE.bazel": "50dece891cfdf1741ea230d001aa9c14398062f2b7c066470accace78e412bc2", "https://bcr.bazel.build/modules/rules_java/7.6.1/MODULE.bazel": "2f14b7e8a1aa2f67ae92bc69d1ec0fa8d9f827c4e17ff5e5f02e91caa3b2d0fe", "https://bcr.bazel.build/modules/rules_java/7.6.5/MODULE.bazel": "481164be5e02e4cab6e77a36927683263be56b7e36fef918b458d7a8a1ebadb1", - "https://bcr.bazel.build/modules/rules_java/8.3.2/MODULE.bazel": "7336d5511ad5af0b8615fdc7477535a2e4e723a357b6713af439fe8cf0195017", - "https://bcr.bazel.build/modules/rules_java/8.5.1/MODULE.bazel": "d8a9e38cc5228881f7055a6079f6f7821a073df3744d441978e7a43e20226939", - "https://bcr.bazel.build/modules/rules_java/8.5.1/source.json": "db1a77d81b059e0f84985db67a22f3f579a529a86b7997605be3d214a0abe38e", "https://bcr.bazel.build/modules/rules_jvm_external/4.4.2/MODULE.bazel": "a56b85e418c83eb1839819f0b515c431010160383306d13ec21959ac412d2fe7", "https://bcr.bazel.build/modules/rules_jvm_external/5.1/MODULE.bazel": "33f6f999e03183f7d088c9be518a63467dfd0be94a11d0055fe2d210f89aa909", "https://bcr.bazel.build/modules/rules_jvm_external/5.2/MODULE.bazel": "d9351ba35217ad0de03816ef3ed63f89d411349353077348a45348b096615036", + "https://bcr.bazel.build/modules/rules_jvm_external/5.3/MODULE.bazel": "bf93870767689637164657731849fb887ad086739bd5d360d90007a581d5527d", + "https://bcr.bazel.build/modules/rules_jvm_external/6.1/MODULE.bazel": "75b5fec090dbd46cf9b7d8ea08cf84a0472d92ba3585b476f44c326eda8059c4", "https://bcr.bazel.build/modules/rules_jvm_external/6.3/MODULE.bazel": "c998e060b85f71e00de5ec552019347c8bca255062c990ac02d051bb80a38df0", "https://bcr.bazel.build/modules/rules_jvm_external/6.3/source.json": "6f5f5a5a4419ae4e37c35a5bb0a6ae657ed40b7abc5a5189111b47fcebe43197", + 
"https://bcr.bazel.build/modules/rules_kotlin/1.9.0/MODULE.bazel": "ef85697305025e5a61f395d4eaede272a5393cee479ace6686dba707de804d59", "https://bcr.bazel.build/modules/rules_kotlin/1.9.6/MODULE.bazel": "d269a01a18ee74d0335450b10f62c9ed81f2321d7958a2934e44272fe82dcef3", "https://bcr.bazel.build/modules/rules_kotlin/1.9.6/source.json": "2faa4794364282db7c06600b7e5e34867a564ae91bda7cae7c29c64e9466b7d5", "https://bcr.bazel.build/modules/rules_license/0.0.3/MODULE.bazel": "627e9ab0247f7d1e05736b59dbb1b6871373de5ad31c3011880b4133cafd4bd0", + "https://bcr.bazel.build/modules/rules_license/0.0.4/MODULE.bazel": "6a88dd22800cf1f9f79ba32cacad0d3a423ed28efa2c2ed5582eaa78dd3ac1e5", "https://bcr.bazel.build/modules/rules_license/0.0.7/MODULE.bazel": "088fbeb0b6a419005b89cf93fe62d9517c0a2b8bb56af3244af65ecfe37e7d5d", "https://bcr.bazel.build/modules/rules_license/1.0.0/MODULE.bazel": "a7fda60eefdf3d8c827262ba499957e4df06f659330bbe6cdbdb975b768bb65c", "https://bcr.bazel.build/modules/rules_license/1.0.0/source.json": "a52c89e54cc311196e478f8382df91c15f7a2bfdf4c6cd0e2675cc2ff0b56efb", + "https://bcr.bazel.build/modules/rules_pkg/0.10.1/MODULE.bazel": "d6e593e048db5f1028f1f05ceb64b123aa6f1c2d43cba049c036443ab2cc2044", "https://bcr.bazel.build/modules/rules_pkg/0.7.0/MODULE.bazel": "df99f03fc7934a4737122518bb87e667e62d780b610910f0447665a7e2be62dc", "https://bcr.bazel.build/modules/rules_pkg/1.0.1/MODULE.bazel": "5b1df97dbc29623bccdf2b0dcd0f5cb08e2f2c9050aab1092fd39a41e82686ff", - "https://bcr.bazel.build/modules/rules_pkg/1.1.0/MODULE.bazel": "9db8031e71b6ef32d1846106e10dd0ee2deac042bd9a2de22b4761b0c3036453", - "https://bcr.bazel.build/modules/rules_pkg/1.1.0/source.json": "fef768df13a92ce6067e1cd0cdc47560dace01354f1d921cfb1d632511f7d608", + "https://bcr.bazel.build/modules/rules_pkg/1.0.1/source.json": "bd82e5d7b9ce2d31e380dd9f50c111d678c3bdaca190cb76b0e1c71b05e1ba8a", "https://bcr.bazel.build/modules/rules_proto/4.0.0/MODULE.bazel": 
"a7a7b6ce9bee418c1a760b3d84f83a299ad6952f9903c67f19e4edd964894e06", "https://bcr.bazel.build/modules/rules_proto/5.3.0-21.7/MODULE.bazel": "e8dff86b0971688790ae75528fe1813f71809b5afd57facb44dad9e8eca631b7", "https://bcr.bazel.build/modules/rules_proto/6.0.0/MODULE.bazel": "b531d7f09f58dce456cd61b4579ce8c86b38544da75184eadaf0a7cb7966453f", "https://bcr.bazel.build/modules/rules_proto/6.0.2/MODULE.bazel": "ce916b775a62b90b61888052a416ccdda405212b6aaeb39522f7dc53431a5e73", "https://bcr.bazel.build/modules/rules_proto/7.0.2/MODULE.bazel": "bf81793bd6d2ad89a37a40693e56c61b0ee30f7a7fdbaf3eabbf5f39de47dea2", - "https://bcr.bazel.build/modules/rules_proto/7.1.0/MODULE.bazel": "002d62d9108f75bb807cd56245d45648f38275cb3a99dcd45dfb864c5d74cb96", - "https://bcr.bazel.build/modules/rules_proto/7.1.0/source.json": "39f89066c12c24097854e8f57ab8558929f9c8d474d34b2c00ac04630ad8940e", + "https://bcr.bazel.build/modules/rules_proto/7.0.2/source.json": "1e5e7260ae32ef4f2b52fd1d0de8d03b606a44c91b694d2f1afb1d3b28a48ce1", "https://bcr.bazel.build/modules/rules_python/0.10.2/MODULE.bazel": "cc82bc96f2997baa545ab3ce73f196d040ffb8756fd2d66125a530031cd90e5f", "https://bcr.bazel.build/modules/rules_python/0.22.1/MODULE.bazel": "26114f0c0b5e93018c0c066d6673f1a2c3737c7e90af95eff30cfee38d0bbac7", "https://bcr.bazel.build/modules/rules_python/0.23.1/MODULE.bazel": "49ffccf0511cb8414de28321f5fcf2a31312b47c40cc21577144b7447f2bf300", + "https://bcr.bazel.build/modules/rules_python/0.24.0/MODULE.bazel": "4bff7f583653d0762cda21303da0643cc4c545ddfd9593337f18dad8d1787801", "https://bcr.bazel.build/modules/rules_python/0.25.0/MODULE.bazel": "72f1506841c920a1afec76975b35312410eea3aa7b63267436bfb1dd91d2d382", "https://bcr.bazel.build/modules/rules_python/0.28.0/MODULE.bazel": "cba2573d870babc976664a912539b320cbaa7114cd3e8f053c720171cde331ed", "https://bcr.bazel.build/modules/rules_python/0.31.0/MODULE.bazel": "93a43dc47ee570e6ec9f5779b2e64c1476a6ce921c48cc9a1678a91dd5f8fd58", 
"https://bcr.bazel.build/modules/rules_python/0.4.0/MODULE.bazel": "9208ee05fd48bf09ac60ed269791cf17fb343db56c8226a720fbb1cdf467166c", - "https://bcr.bazel.build/modules/rules_python/1.0.0/MODULE.bazel": "898a3d999c22caa585eb062b600f88654bf92efb204fa346fb55f6f8edffca43", - "https://bcr.bazel.build/modules/rules_python/1.4.1/MODULE.bazel": "8991ad45bdc25018301d6b7e1d3626afc3c8af8aaf4bc04f23d0b99c938b73a6", - "https://bcr.bazel.build/modules/rules_python/1.4.1/source.json": "8ec8c90c70ccacc4de8ca1b97f599e756fb59173e898ee08b733006650057c07", + "https://bcr.bazel.build/modules/rules_python/0.40.0/MODULE.bazel": "9d1a3cd88ed7d8e39583d9ffe56ae8a244f67783ae89b60caafc9f5cf318ada7", + "https://bcr.bazel.build/modules/rules_python/0.40.0/source.json": "939d4bd2e3110f27bfb360292986bb79fd8dcefb874358ccd6cdaa7bda029320", "https://bcr.bazel.build/modules/rules_shell/0.2.0/MODULE.bazel": "fda8a652ab3c7d8fee214de05e7a9916d8b28082234e8d2c0094505c5268ed3c", - "https://bcr.bazel.build/modules/rules_shell/0.3.0/MODULE.bazel": "de4402cd12f4cc8fda2354fce179fdb068c0b9ca1ec2d2b17b3e21b24c1a937b", - "https://bcr.bazel.build/modules/rules_shell/0.4.1/MODULE.bazel": "00e501db01bbf4e3e1dd1595959092c2fadf2087b2852d3f553b5370f5633592", - "https://bcr.bazel.build/modules/rules_shell/0.4.1/source.json": "4757bd277fe1567763991c4425b483477bb82e35e777a56fd846eb5cceda324a", + "https://bcr.bazel.build/modules/rules_shell/0.2.0/source.json": "7f27af3c28037d9701487c4744b5448d26537cc66cdef0d8df7ae85411f8de95", "https://bcr.bazel.build/modules/stardoc/0.5.1/MODULE.bazel": "1a05d92974d0c122f5ccf09291442580317cdd859f07a8655f1db9a60374f9f8", "https://bcr.bazel.build/modules/stardoc/0.5.3/MODULE.bazel": "c7f6948dae6999bf0db32c1858ae345f112cacf98f174c7a8bb707e41b974f1c", + "https://bcr.bazel.build/modules/stardoc/0.5.6/MODULE.bazel": "c43dabc564990eeab55e25ed61c07a1aadafe9ece96a4efabb3f8bf9063b71ef", "https://bcr.bazel.build/modules/stardoc/0.6.2/MODULE.bazel": 
"7060193196395f5dd668eda046ccbeacebfd98efc77fed418dbe2b82ffaa39fd", "https://bcr.bazel.build/modules/stardoc/0.7.0/MODULE.bazel": "05e3d6d30c099b6770e97da986c53bd31844d7f13d41412480ea265ac9e8079c", - "https://bcr.bazel.build/modules/stardoc/0.7.2/MODULE.bazel": "fc152419aa2ea0f51c29583fab1e8c99ddefd5b3778421845606ee628629e0e5", - "https://bcr.bazel.build/modules/stardoc/0.7.2/source.json": "58b029e5e901d6802967754adf0a9056747e8176f017cfe3607c0851f4d42216", + "https://bcr.bazel.build/modules/stardoc/0.7.1/MODULE.bazel": "3548faea4ee5dda5580f9af150e79d0f6aea934fc60c1cc50f4efdd9420759e7", + "https://bcr.bazel.build/modules/stardoc/0.7.1/source.json": "b6500ffcd7b48cd72c29bb67bcac781e12701cc0d6d55d266a652583cfcdab01", "https://bcr.bazel.build/modules/upb/0.0.0-20220923-a547704/MODULE.bazel": "7298990c00040a0e2f121f6c32544bab27d4452f80d9ce51349b1a28f3005c43", "https://bcr.bazel.build/modules/zlib/1.2.11/MODULE.bazel": "07b389abc85fdbca459b69e2ec656ae5622873af3f845e1c9d80fe179f3effa0", "https://bcr.bazel.build/modules/zlib/1.2.12/MODULE.bazel": "3b1a8834ada2a883674be8cbd36ede1b6ec481477ada359cd2d3ddc562340b27", 
@@ -170,20 +166,20 @@ "@@apple_support~//crosstool:setup.bzl%apple_cc_configure_extension": { "general": { "bzlTransitiveDigest": "PjIds3feoYE8SGbbIq2SFTZy3zmxeO2tQevJZNDo7iY=", - "usagesDigest": "+hz7IHWN6A1oVJJWNDB6yZRG+RYhF76wAYItpAeIUIg=", + "usagesDigest": "aLmqbvowmHkkBPve05yyDNGN7oh7QE9kBADr3QIZTZs=", "recordedFileInputs": {}, "recordedDirentsInputs": {}, "envVariables": {}, "generatedRepoSpecs": { - "local_config_apple_cc_toolchains": { - "bzlFile": "@@apple_support~//crosstool:setup.bzl", - "ruleClassName": "_apple_cc_autoconf_toolchains", - "attributes": {} - }, "local_config_apple_cc": { "bzlFile": "@@apple_support~//crosstool:setup.bzl", "ruleClassName": "_apple_cc_autoconf", "attributes": {} + }, + "local_config_apple_cc_toolchains": { + "bzlFile": "@@apple_support~//crosstool:setup.bzl", + "ruleClassName": "_apple_cc_autoconf_toolchains", + "attributes": {} } }, "recordedRepoMappingEntries": [ 
@@ -195,36 +191,491 @@ ] } }, - "@@buildifier_prebuilt~//:defs.bzl%buildifier_prebuilt_deps_extension": { + "@@aspect_bazel_lib~//lib:extensions.bzl%toolchains": { "general": { - "bzlTransitiveDigest": "iJF3Ti5GHJEiRxMrIeawImDqrsi/K3YJ2iOANQ9PgTY=", - "usagesDigest": "7usdeKzpXVqoKoZ61Dnl/vDdUwqpKKsBnVxdfeIzpH4=", + "bzlTransitiveDigest": "NQSsfq2SQcHqmSrdUz3fctBGq66C56eokoZzu0MOhBU=", + "usagesDigest": "E1/WNi/RvQIo2JMDoqkXAe3ImUnQhegOYDC/dY2DVAk=", "recordedFileInputs": {}, "recordedDirentsInputs": {}, "envVariables": {}, "generatedRepoSpecs": { - "buildifier_darwin_amd64": { - "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", - "ruleClassName": "http_file", + "expand_template_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_platform_repo", "attributes": { - "urls": [ - "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildifier-darwin-amd64" - ], - "downloaded_file_path": "buildifier", - "executable": true, - "sha256": "b7a3152cde0b3971b1107f2274afe778c5c154dcdf6c9c669a231e3c004f047e" + "platform": "windows_amd64" } }, - "buildifier_darwin_arm64": { + "copy_to_directory_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "windows_amd64" + } + }, + "jq_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_platform_repo", + "attributes": { + "platform": "darwin_amd64", + "version": "1.7" + } + }, + "copy_to_directory_freebsd_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "freebsd_amd64" + } + }, + "expand_template_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": 
"expand_template_platform_repo", + "attributes": { + "platform": "linux_amd64" + } + }, + "jq_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_platform_repo", + "attributes": { + "platform": "linux_arm64", + "version": "1.7" + } + }, + "coreutils_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_platform_repo", + "attributes": { + "platform": "darwin_arm64", + "version": "0.0.27" + } + }, + "copy_to_directory_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "linux_arm64" + } + }, + "bsd_tar_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "bsdtar_binary_repo", + "attributes": { + "platform": "linux_arm64" + } + }, + "copy_directory_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + "platform": "darwin_amd64" + } + }, + "coreutils_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_platform_repo", + "attributes": { + "platform": "darwin_amd64", + "version": "0.0.27" + } + }, + "coreutils_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_platform_repo", + "attributes": { + "platform": "linux_arm64", + "version": "0.0.27" + } + }, + "zstd_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:zstd_toolchain.bzl", + "ruleClassName": "zstd_binary_repo", + "attributes": { + "platform": "linux_arm64" + } + }, + "yq_linux_s390x": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "linux_s390x", + "version": "4.25.2" + } + }, 
+ "yq": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_host_alias_repo", + "attributes": {} + }, + "expand_template_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_platform_repo", + "attributes": { + "platform": "darwin_amd64" + } + }, + "copy_directory_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + "platform": "linux_amd64" + } + }, + "jq_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_platform_repo", + "attributes": { + "platform": "darwin_arm64", + "version": "1.7" + } + }, + "yq_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "darwin_amd64", + "version": "4.25.2" + } + }, + "copy_directory_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + "platform": "linux_arm64" + } + }, + "expand_template_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_toolchains_repo", + "attributes": { + "user_repository_name": "expand_template" + } + }, + "bats_assert": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_archive", + "attributes": { + "sha256": "98ca3b685f8b8993e48ec057565e6e2abcc541034ed5b0e81f191505682037fd", + "urls": [ + "https://github.com/bats-core/bats-assert/archive/v2.1.0.tar.gz" + ], + "strip_prefix": "bats-assert-2.1.0", + "build_file_content": "load(\"@aspect_bazel_lib//lib:copy_to_directory.bzl\", \"copy_to_directory\")\n\ncopy_to_directory(\n name = \"assert\",\n hardlink = \"on\",\n srcs = glob([\n \"src/**\",\n 
\"load.bash\",\n ]),\n out = \"bats-assert\",\n visibility = [\"//visibility:public\"]\n)\n" + } + }, + "copy_to_directory_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "darwin_amd64" + } + }, + "zstd_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:zstd_toolchain.bzl", + "ruleClassName": "zstd_binary_repo", + "attributes": { + "platform": "darwin_arm64" + } + }, + "bsd_tar_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "bsdtar_binary_repo", + "attributes": { + "platform": "linux_amd64" + } + }, + "yq_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_toolchains_repo", + "attributes": { + "user_repository_name": "yq" + } + }, + "zstd_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:zstd_toolchain.bzl", + "ruleClassName": "zstd_binary_repo", + "attributes": { + "platform": "linux_amd64" + } + }, + "bats_support": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_archive", + "attributes": { + "sha256": "7815237aafeb42ddcc1b8c698fc5808026d33317d8701d5ec2396e9634e2918f", + "urls": [ + "https://github.com/bats-core/bats-support/archive/v0.3.0.tar.gz" + ], + "strip_prefix": "bats-support-0.3.0", + "build_file_content": "load(\"@aspect_bazel_lib//lib:copy_to_directory.bzl\", \"copy_to_directory\")\n\ncopy_to_directory(\n name = \"support\",\n hardlink = \"on\",\n srcs = glob([\n \"src/**\",\n \"load.bash\",\n ]),\n out = \"bats-support\",\n visibility = [\"//visibility:public\"]\n)\n" + } + }, + "bsd_tar_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "bsdtar_binary_repo", + "attributes": { + "platform": "windows_amd64" + } + }, + "jq": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + 
"ruleClassName": "jq_host_alias_repo", + "attributes": {} + }, + "expand_template_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_platform_repo", + "attributes": { + "platform": "darwin_arm64" + } + }, + "bsd_tar_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "bsdtar_binary_repo", + "attributes": { + "platform": "darwin_arm64" + } + }, + "copy_to_directory_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "linux_amd64" + } + }, + "coreutils_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_platform_repo", + "attributes": { + "platform": "linux_amd64", + "version": "0.0.27" + } + }, + "copy_directory_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_toolchains_repo", + "attributes": { + "user_repository_name": "copy_directory" + } + }, + "yq_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "linux_amd64", + "version": "4.25.2" + } + }, + "copy_to_directory_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "darwin_arm64" + } + }, + "coreutils_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_toolchains_repo", + "attributes": { + "user_repository_name": "coreutils" + } + }, + "copy_directory_freebsd_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + 
"platform": "freebsd_amd64" + } + }, + "zstd_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:zstd_toolchain.bzl", + "ruleClassName": "zstd_binary_repo", + "attributes": { + "platform": "darwin_amd64" + } + }, + "zstd_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:zstd_toolchain.bzl", + "ruleClassName": "zstd_toolchains_repo", + "attributes": { + "user_repository_name": "zstd" + } + }, + "bats_file": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_archive", + "attributes": { + "sha256": "9b69043241f3af1c2d251f89b4fcafa5df3f05e97b89db18d7c9bdf5731bb27a", + "urls": [ + "https://github.com/bats-core/bats-file/archive/v0.4.0.tar.gz" + ], + "strip_prefix": "bats-file-0.4.0", + "build_file_content": "load(\"@aspect_bazel_lib//lib:copy_to_directory.bzl\", \"copy_to_directory\")\n\ncopy_to_directory(\n name = \"file\",\n hardlink = \"on\",\n srcs = glob([\n \"src/**\",\n \"load.bash\",\n ]),\n out = \"bats-file\",\n visibility = [\"//visibility:public\"]\n)\n" + } + }, + "expand_template_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_platform_repo", + "attributes": { + "platform": "linux_arm64" + } + }, + "jq_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_platform_repo", + "attributes": { + "platform": "linux_amd64", + "version": "1.7" + } + }, + "bsd_tar_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "bsdtar_binary_repo", + "attributes": { + "platform": "darwin_amd64" + } + }, + "bsd_tar_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "tar_toolchains_repo", + "attributes": { + "user_repository_name": "bsd_tar" + } + }, + "bats_toolchains": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_archive", + "attributes": { + 
"sha256": "a1a9f7875aa4b6a9480ca384d5865f1ccf1b0b1faead6b47aa47d79709a5c5fd", + "urls": [ + "https://github.com/bats-core/bats-core/archive/v1.10.0.tar.gz" + ], + "strip_prefix": "bats-core-1.10.0", + "build_file_content": "load(\"@local_config_platform//:constraints.bzl\", \"HOST_CONSTRAINTS\")\nload(\"@aspect_bazel_lib//lib/private:bats_toolchain.bzl\", \"bats_toolchain\")\nload(\"@aspect_bazel_lib//lib:copy_to_directory.bzl\", \"copy_to_directory\")\n\ncopy_to_directory(\n name = \"core\",\n hardlink = \"on\",\n srcs = glob([\n \"lib/**\",\n \"libexec/**\"\n ]) + [\"bin/bats\"],\n out = \"bats-core\",\n)\n\nbats_toolchain(\n name = \"toolchain\",\n core = \":core\",\n libraries = [\"@bats_support//:support\", \"@bats_assert//:assert\", \"@bats_file//:file\"]\n)\n\ntoolchain(\n name = \"bats_toolchain\",\n exec_compatible_with = HOST_CONSTRAINTS,\n toolchain = \":toolchain\",\n toolchain_type = \"@aspect_bazel_lib//lib:bats_toolchain_type\",\n)\n" + } + }, + "yq_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "windows_amd64", + "version": "4.25.2" + } + }, + "jq_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_platform_repo", + "attributes": { + "platform": "windows_amd64", + "version": "1.7" + } + }, + "expand_template_freebsd_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_platform_repo", + "attributes": { + "platform": "freebsd_amd64" + } + }, + "yq_linux_ppc64le": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "linux_ppc64le", + "version": "4.25.2" + } + }, + "copy_to_directory_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_toolchains_repo", + 
"attributes": { + "user_repository_name": "copy_to_directory" + } + }, + "jq_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_toolchains_repo", + "attributes": { + "user_repository_name": "jq" + } + }, + "copy_directory_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + "platform": "darwin_arm64" + } + }, + "copy_directory_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + "platform": "windows_amd64" + } + }, + "yq_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "darwin_arm64", + "version": "4.25.2" + } + }, + "coreutils_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_platform_repo", + "attributes": { + "platform": "windows_amd64", + "version": "0.0.27" + } + }, + "yq_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "linux_arm64", + "version": "4.25.2" + } + } + }, + "recordedRepoMappingEntries": [ + [ + "aspect_bazel_lib~", + "aspect_bazel_lib", + "aspect_bazel_lib~" + ], + [ + "aspect_bazel_lib~", + "bazel_skylib", + "bazel_skylib~" + ], + [ + "aspect_bazel_lib~", + "bazel_tools", + "bazel_tools" + ] + ] + } + }, + "@@buildifier_prebuilt~//:defs.bzl%buildifier_prebuilt_deps_extension": { + "general": { + "bzlTransitiveDigest": "eXBP0KrRexbBjR0KdxpnbWtfahy0r48xfQb4hBQ4Mcc=", + "usagesDigest": "nThSTPRdiQbhDFl8FRM2nsKJftWMtPBQHrp/mdk716w=", + "recordedFileInputs": {}, + "recordedDirentsInputs": {}, + "envVariables": {}, + "generatedRepoSpecs": { + "buildozer_darwin_amd64": { "bzlFile": 
"@@bazel_tools//tools/build_defs/repo:http.bzl", "ruleClassName": "http_file", "attributes": { "urls": [ - "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildifier-darwin-arm64" + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildozer-darwin-amd64" ], - "downloaded_file_path": "buildifier", + "downloaded_file_path": "buildozer", "executable": true, - "sha256": "674c663f7b5cd03c002f8ca834a8c1c008ccb527a0a2a132d08a7a355883b22d" + "sha256": "d29e347ecd6b5673d72cb1a8de05bf1b06178dd229ff5eb67fad5100c840cc8e" } }, "buildifier_linux_amd64": { 
@@ -232,47 +683,11 @@ "ruleClassName": "http_file", "attributes": { "urls": [ - "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildifier-linux-amd64" + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildifier-linux-amd64" ], "downloaded_file_path": "buildifier", "executable": true, - "sha256": "c969487c1af85e708576c8dfdd0bb4681eae58aad79e68ae48882c70871841b7" - } - }, - "buildifier_linux_arm64": { - "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", - "ruleClassName": "http_file", - "attributes": { - "urls": [ - "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildifier-linux-arm64" - ], - "downloaded_file_path": "buildifier", - "executable": true, - "sha256": "bdd9b92e2c65d46affeecaefb54e68d34c272d1f4a8c5b54929a3e92ab78820a" - } - }, - "buildifier_windows_amd64": { - "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", - "ruleClassName": "http_file", - "attributes": { - "urls": [ - "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildifier-windows-amd64.exe" - ], - "downloaded_file_path": "buildifier.exe", - "executable": true, - "sha256": "63a242f57e253efe7b9573d739c08a3d0e628efd84015c8dad17d87b6429e443" - } - }, - "buildozer_darwin_amd64": { - "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", - "ruleClassName": "http_file", - "attributes": { - "urls": [ - "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildozer-darwin-amd64" - ], - "downloaded_file_path": "buildozer", - "executable": true, - "sha256": "7aa7929faddcee5a879135356bb4d38af3e895893c78d361e7cdb8dfb3e7d5e4" + "sha256": "be63db12899f48600bad94051123b1fd7b5251e7661b9168582ce52396132e92" } }, "buildozer_darwin_arm64": { 
@@ -280,11 +695,11 @@ "ruleClassName": "http_file", "attributes": { "urls": [ - "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildozer-darwin-arm64" + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildozer-darwin-arm64" ], "downloaded_file_path": "buildozer", "executable": true, - "sha256": "33b776862c31bfb4e2e6e88186cae02746d9084da8b7341930e77d42718277cc" + "sha256": "9b9e71bdbec5e7223871e913b65d12f6d8fa026684daf991f00e52ed36a6978d" } }, "buildozer_linux_amd64": { @@ -292,23 +707,11 @@ "ruleClassName": "http_file", "attributes": { "urls": [ - "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildozer-linux-amd64" + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildozer-linux-amd64" ], "downloaded_file_path": "buildozer", "executable": true, - "sha256": "775d17118aecd023352e75611dbe7c12a340e23615ffb270a1dec3f339239949" - } - }, - "buildozer_linux_arm64": { - "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", - "ruleClassName": "http_file", - "attributes": { - "urls": [ - "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildozer-linux-arm64" - ], - "downloaded_file_path": "buildozer", - "executable": true, - "sha256": "058ad60f279a7b1db339bb287aed2056a992eddfe1b5d2e56d86256bdc9a93b3" + "sha256": "8dfd6345da4e9042daa738d7fdf34f699c5dfce4632f7207956fceedd8494119" } }, "buildozer_windows_amd64": { 
@@ -316,18 +719,78 @@ "ruleClassName": "http_file", "attributes": { "urls": [ - "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildozer-windows-amd64.exe" + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildozer-windows-amd64.exe" ], "downloaded_file_path": "buildozer.exe", "executable": true, - "sha256": "5ba106b25230e0e321b7259bee325ae6fa5b5771e54163ad865b1d18856f59ca" + "sha256": "e7f05bf847f7c3689dd28926460ce6e1097ae97380ac8e6ae7147b7b706ba19b" + } + }, + "buildozer_linux_arm64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildozer-linux-arm64" + ], + "downloaded_file_path": "buildozer", + "executable": true, + "sha256": "6559558fded658c8fa7432a9d011f7c4dcbac6b738feae73d2d5c352e5f605fa" + } + }, + "buildifier_windows_amd64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildifier-windows-amd64.exe" + ], + "downloaded_file_path": "buildifier.exe", + "executable": true, + "sha256": "da8372f35e34b65fb6d997844d041013bb841e55f58b54d596d35e49680fe13c" } }, "buildifier_prebuilt_toolchains": { "bzlFile": "@@buildifier_prebuilt~//:defs.bzl", "ruleClassName": "_buildifier_toolchain_setup", "attributes": { - "assets_json": 
"[{\"arch\":\"amd64\",\"name\":\"buildifier\",\"platform\":\"darwin\",\"sha256\":\"b7a3152cde0b3971b1107f2274afe778c5c154dcdf6c9c669a231e3c004f047e\",\"version\":\"v8.0.3\"},{\"arch\":\"arm64\",\"name\":\"buildifier\",\"platform\":\"darwin\",\"sha256\":\"674c663f7b5cd03c002f8ca834a8c1c008ccb527a0a2a132d08a7a355883b22d\",\"version\":\"v8.0.3\"},{\"arch\":\"amd64\",\"name\":\"buildifier\",\"platform\":\"linux\",\"sha256\":\"c969487c1af85e708576c8dfdd0bb4681eae58aad79e68ae48882c70871841b7\",\"version\":\"v8.0.3\"},{\"arch\":\"arm64\",\"name\":\"buildifier\",\"platform\":\"linux\",\"sha256\":\"bdd9b92e2c65d46affeecaefb54e68d34c272d1f4a8c5b54929a3e92ab78820a\",\"version\":\"v8.0.3\"},{\"arch\":\"amd64\",\"name\":\"buildifier\",\"platform\":\"windows\",\"sha256\":\"63a242f57e253efe7b9573d739c08a3d0e628efd84015c8dad17d87b6429e443\",\"version\":\"v8.0.3\"},{\"arch\":\"amd64\",\"name\":\"buildozer\",\"platform\":\"darwin\",\"sha256\":\"7aa7929faddcee5a879135356bb4d38af3e895893c78d361e7cdb8dfb3e7d5e4\",\"version\":\"v8.0.3\"},{\"arch\":\"arm64\",\"name\":\"buildozer\",\"platform\":\"darwin\",\"sha256\":\"33b776862c31bfb4e2e6e88186cae02746d9084da8b7341930e77d42718277cc\",\"version\":\"v8.0.3\"},{\"arch\":\"amd64\",\"name\":\"buildozer\",\"platform\":\"linux\",\"sha256\":\"775d17118aecd023352e75611dbe7c12a340e23615ffb270a1dec3f339239949\",\"version\":\"v8.0.3\"},{\"arch\":\"arm64\",\"name\":\"buildozer\",\"platform\":\"linux\",\"sha256\":\"058ad60f279a7b1db339bb287aed2056a992eddfe1b5d2e56d86256bdc9a93b3\",\"version\":\"v8.0.3\"},{\"arch\":\"amd64\",\"name\":\"buildozer\",\"platform\":\"windows\",\"sha256\":\"5ba106b25230e0e321b7259bee325ae6fa5b5771e54163ad865b1d18856f59ca\",\"version\":\"v8.0.3\"}]" + "assets_json": 
"[{\"arch\":\"amd64\",\"name\":\"buildifier\",\"platform\":\"darwin\",\"sha256\":\"eeb47b2de27f60efe549348b183fac24eae80f1479e8b06cac0799c486df5bed\",\"version\":\"v6.4.0\"},{\"arch\":\"arm64\",\"name\":\"buildifier\",\"platform\":\"darwin\",\"sha256\":\"fa07ba0d20165917ca4cc7609f9b19a8a4392898148b7babdf6bb2a7dd963f05\",\"version\":\"v6.4.0\"},{\"arch\":\"amd64\",\"name\":\"buildifier\",\"platform\":\"linux\",\"sha256\":\"be63db12899f48600bad94051123b1fd7b5251e7661b9168582ce52396132e92\",\"version\":\"v6.4.0\"},{\"arch\":\"arm64\",\"name\":\"buildifier\",\"platform\":\"linux\",\"sha256\":\"18540fc10f86190f87485eb86963e603e41fa022f88a2d1b0cf52ff252b5e1dd\",\"version\":\"v6.4.0\"},{\"arch\":\"amd64\",\"name\":\"buildifier\",\"platform\":\"windows\",\"sha256\":\"da8372f35e34b65fb6d997844d041013bb841e55f58b54d596d35e49680fe13c\",\"version\":\"v6.4.0\"},{\"arch\":\"amd64\",\"name\":\"buildozer\",\"platform\":\"darwin\",\"sha256\":\"d29e347ecd6b5673d72cb1a8de05bf1b06178dd229ff5eb67fad5100c840cc8e\",\"version\":\"v6.4.0\"},{\"arch\":\"arm64\",\"name\":\"buildozer\",\"platform\":\"darwin\",\"sha256\":\"9b9e71bdbec5e7223871e913b65d12f6d8fa026684daf991f00e52ed36a6978d\",\"version\":\"v6.4.0\"},{\"arch\":\"amd64\",\"name\":\"buildozer\",\"platform\":\"linux\",\"sha256\":\"8dfd6345da4e9042daa738d7fdf34f699c5dfce4632f7207956fceedd8494119\",\"version\":\"v6.4.0\"},{\"arch\":\"arm64\",\"name\":\"buildozer\",\"platform\":\"linux\",\"sha256\":\"6559558fded658c8fa7432a9d011f7c4dcbac6b738feae73d2d5c352e5f605fa\",\"version\":\"v6.4.0\"},{\"arch\":\"amd64\",\"name\":\"buildozer\",\"platform\":\"windows\",\"sha256\":\"e7f05bf847f7c3689dd28926460ce6e1097ae97380ac8e6ae7147b7b706ba19b\",\"version\":\"v6.4.0\"}]" + } + }, + "buildifier_darwin_amd64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildifier-darwin-amd64" + ], + 
"downloaded_file_path": "buildifier", + "executable": true, + "sha256": "eeb47b2de27f60efe549348b183fac24eae80f1479e8b06cac0799c486df5bed" + } + }, + "buildifier_darwin_arm64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildifier-darwin-arm64" + ], + "downloaded_file_path": "buildifier", + "executable": true, + "sha256": "fa07ba0d20165917ca4cc7609f9b19a8a4392898148b7babdf6bb2a7dd963f05" + } + }, + "buildifier_linux_arm64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildifier-linux-arm64" + ], + "downloaded_file_path": "buildifier", + "executable": true, + "sha256": "18540fc10f86190f87485eb86963e603e41fa022f88a2d1b0cf52ff252b5e1dd" } } }, 
@@ -345,10 +808,76 @@ ] } }, + "@@hermetic_cc_toolchain~//toolchain:ext.bzl%toolchains": { + "general": { + "bzlTransitiveDigest": "L0EDVXQ1bqh5CxjodeVieW+SjWsjwxFXYEKhUNgMY50=", + "usagesDigest": "dNvS5vmHnd33Wm8wEDdfCELM1fuXE9dmHYK9BLQTjPc=", + "recordedFileInputs": {}, + "recordedDirentsInputs": {}, + "envVariables": {}, + "generatedRepoSpecs": { + "zig_sdk": { + "bzlFile": "@@hermetic_cc_toolchain~//toolchain:defs.bzl", + "ruleClassName": "zig_repository", + "attributes": { + "version": "0.12.0", + "url_formats": [ + "https://mirror.bazel.build/ziglang.org/download/{version}/zig-{host_platform}-{version}.{_ext}", + "https://ziglang.org/download/{version}/zig-{host_platform}-{version}.{_ext}" + ], + "host_platform_sha256": { + "linux-aarch64": "754f1029484079b7e0ca3b913a0a2f2a6afd5a28990cb224fe8845e72f09de63", + "linux-x86_64": "c7ae866b8a76a568e2d5cfd31fe89cdb629bdd161fdd5018b29a4a0a17045cad", + "macos-aarch64": "294e224c14fd0822cfb15a35cf39aa14bd9967867999bf8bdfe3db7ddec2a27f", + "macos-x86_64": "4d411bf413e7667821324da248e8589278180dbc197f4f282b7dbb599a689311", + "windows-aarch64": "04c6b92689241ca7a8a59b5f12d2ca2820c09d5043c3c4808b7e93e41c7bf97b", + "windows-x86_64": "2199eb4c2000ddb1fba85ba78f1fcf9c1fb8b3e57658f6a627a8e513131893f5" + }, + "host_platform_ext": { + "linux-aarch64": "tar.xz", + "linux-x86_64": "tar.xz", + "macos-aarch64": "tar.xz", + "macos-x86_64": "tar.xz", + "windows-x86_64": "zip" + } + } + } + }, + "recordedRepoMappingEntries": [ + [ + "hermetic_cc_toolchain~", + "bazel_tools", + "bazel_tools" + ], + [ + "hermetic_cc_toolchain~", + "hermetic_cc_toolchain", + "hermetic_cc_toolchain~" + ] + ] + } + }, + "@@platforms//host:extension.bzl%host_platform": { + "general": { + "bzlTransitiveDigest": "xelQcPZH8+tmuOHVjL9vDxMnnQNMlwj0SlvgoqBkm4U=", + "usagesDigest": "oS5QVdWCSAWner9adrekJ2fs1FPUng+yVuoJb9mq6e4=", + "recordedFileInputs": {}, + "recordedDirentsInputs": {}, + "envVariables": {}, + "generatedRepoSpecs": { + "host_platform": { + 
"bzlFile": "@@platforms//host:extension.bzl", + "ruleClassName": "host_platform_repo", + "attributes": {} + } + }, + "recordedRepoMappingEntries": [] + } + }, "@@pybind11_bazel~//:python_configure.bzl%extension": { "general": { - "bzlTransitiveDigest": "whINYge95GgPtysKDbNHQ0ZlWYdtKybHs5y2tLF+x7Q=", - "usagesDigest": "gNvOHVcAlwgDsNXD0amkv2CC96mnaCThPQoE44y8K+w=", + "bzlTransitiveDigest": "3LPSHhLo7VQLO+x5c48KQmJdPDwEMqMdeng5XVAZm4Y=", + "usagesDigest": "e/EIZlWEpIWcNL1dkob+QepsV4rx7UmnvodvXa76ycY=", "recordedFileInputs": { "@@pybind11_bazel~//MODULE.bazel": "88af1c246226d87e65be78ed49ecd1e6f5e98648558c14ce99176da041dc378e" }, 
@@ -383,21 +912,29 @@ }, "@@rules_fuzzing~//fuzzing/private:extensions.bzl%non_module_dependencies": { "general": { - "bzlTransitiveDigest": "hVgJRQ3Er45/UUAgNn1Yp2Khcp/Y8WyafA2kXIYmQ5M=", - "usagesDigest": "YnIrdgwnf3iCLfChsltBdZ7yOJh706lpa2vww/i2pDI=", + "bzlTransitiveDigest": "aN6cDs7sOfBWTyYmCu+aV9nr3VKpDIZprzN+yGEsNO0=", + "usagesDigest": "X26dvBYyk1211bNrYvtOxec7AmnYf6DQEYUw1L0Oo74=", "recordedFileInputs": {}, "recordedDirentsInputs": {}, "envVariables": {}, "generatedRepoSpecs": { - "platforms": { + "bazel_skylib": { "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", "ruleClassName": "http_archive", "attributes": { + "sha256": "cd55a062e763b9349921f0f5db8c3933288dc8ba4f76dd9416aac68acee3cb94", "urls": [ - "https://mirror.bazel.build/github.com/bazelbuild/platforms/releases/download/0.0.8/platforms-0.0.8.tar.gz", - "https://github.com/bazelbuild/platforms/releases/download/0.0.8/platforms-0.0.8.tar.gz" - ], - "sha256": "8150406605389ececb6da07cbcb509d5637a3ab9a24bc69b1101531367d89d74" + "https://mirror.bazel.build/github.com/bazelbuild/bazel-skylib/releases/download/1.5.0/bazel-skylib-1.5.0.tar.gz", + "https://github.com/bazelbuild/bazel-skylib/releases/download/1.5.0/bazel-skylib-1.5.0.tar.gz" + ] + } + }, + "rules_fuzzing_jazzer": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_jar", + "attributes": { + "sha256": "ee6feb569d88962d59cb59e8a31eb9d007c82683f3ebc64955fd5b96f277eec2", + "url": "https://repo1.maven.org/maven2/com/code-intelligence/jazzer/0.20.1/jazzer-0.20.1.jar" } }, "rules_python": { 
@@ -409,16 +946,10 @@ "url": "https://github.com/bazelbuild/rules_python/releases/download/0.28.0/rules_python-0.28.0.tar.gz" } }, - "bazel_skylib": { - "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", - "ruleClassName": "http_archive", - "attributes": { - "sha256": "cd55a062e763b9349921f0f5db8c3933288dc8ba4f76dd9416aac68acee3cb94", - "urls": [ - "https://mirror.bazel.build/github.com/bazelbuild/bazel-skylib/releases/download/1.5.0/bazel-skylib-1.5.0.tar.gz", - "https://github.com/bazelbuild/bazel-skylib/releases/download/1.5.0/bazel-skylib-1.5.0.tar.gz" - ] - } + "rules_fuzzing_oss_fuzz": { + "bzlFile": "@@rules_fuzzing~//fuzzing/private/oss_fuzz:repository.bzl", + "ruleClassName": "oss_fuzz_repository", + "attributes": {} }, "com_google_absl": { "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", @@ -431,11 +962,6 @@ "integrity": "sha256-7capMWOvWyoYbUaHF/b+I2U6XLMaHmky8KugWvfXYuk=" } }, - "rules_fuzzing_oss_fuzz": { - "bzlFile": "@@rules_fuzzing~//fuzzing/private/oss_fuzz:repository.bzl", - "ruleClassName": "oss_fuzz_repository", - "attributes": {} - }, "honggfuzz": { "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", "ruleClassName": "http_archive", @@ -446,12 +972,15 @@ "strip_prefix": "honggfuzz-2.5" } }, - "rules_fuzzing_jazzer": { + "platforms": { "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", - "ruleClassName": "http_jar", + "ruleClassName": "http_archive", "attributes": { - "sha256": "ee6feb569d88962d59cb59e8a31eb9d007c82683f3ebc64955fd5b96f277eec2", - "url": "https://repo1.maven.org/maven2/com/code-intelligence/jazzer/0.20.1/jazzer-0.20.1.jar" + "urls": [ + "https://mirror.bazel.build/github.com/bazelbuild/platforms/releases/download/0.0.8/platforms-0.0.8.tar.gz", + "https://github.com/bazelbuild/platforms/releases/download/0.0.8/platforms-0.0.8.tar.gz" + ], + "sha256": "8150406605389ececb6da07cbcb509d5637a3ab9a24bc69b1101531367d89d74" } }, "rules_fuzzing_jazzer_api": { 
@@ -472,64 +1001,23 @@ ] } }, - "@@rules_java~//java:rules_java_deps.bzl%compatibility_proxy": { - "general": { - "bzlTransitiveDigest": "KIX40nDfygEWbU+rq3nYpt3tVgTK/iO8PKh5VMBlN7M=", - "usagesDigest": "pwHZ+26iLgQdwvdZeA5wnAjKnNI3y6XO2VbhOTeo5h8=", - "recordedFileInputs": {}, - "recordedDirentsInputs": {}, - "envVariables": {}, - "generatedRepoSpecs": { - "compatibility_proxy": { - "bzlFile": "@@rules_java~//java:rules_java_deps.bzl", - "ruleClassName": "_compatibility_proxy_repo_rule", - "attributes": {} - } - }, - "recordedRepoMappingEntries": [ - [ - "rules_java~", - "bazel_tools", - "bazel_tools" - ] - ] - } - }, "@@rules_kotlin~//src/main/starlark/core/repositories:bzlmod_setup.bzl%rules_kotlin_extensions": { "general": { - "bzlTransitiveDigest": "fus14IFJ/1LGWWGKPH/U18VnJCoMjfDt1ckahqCnM0A=", - "usagesDigest": "aJF6fLy82rR95Ff5CZPAqxNoFgOMLMN5ImfBS0nhnkg=", + "bzlTransitiveDigest": "l//eFZVgEUHSUfuQ1zQw9uxmcJku8ikraA2fv/2Pyh0=", + "usagesDigest": "NXmdQOmIAdsAdtLv3dhkX8UQ+0st9iQ0EkR28lUNdHc=", "recordedFileInputs": {}, "recordedDirentsInputs": {}, "envVariables": {}, "generatedRepoSpecs": { - "com_github_jetbrains_kotlin_git": { - "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:compiler.bzl", - "ruleClassName": "kotlin_compiler_git_repository", + "rules_android": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_archive", "attributes": { + "sha256": "cd06d15dd8bb59926e4d65f9003bfc20f9da4b2519985c27e190cddc8b7a7806", + "strip_prefix": "rules_android-0.1.1", "urls": [ - "https://github.com/JetBrains/kotlin/releases/download/v1.9.23/kotlin-compiler-1.9.23.zip" - ], - "sha256": "93137d3aab9afa9b27cb06a824c2324195c6b6f6179d8a8653f440f5bd58be88" - } - }, - "com_github_jetbrains_kotlin": { - "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:compiler.bzl", - "ruleClassName": "kotlin_capabilities_repository", - "attributes": { - "git_repository_name": "com_github_jetbrains_kotlin_git", - 
"compiler_version": "1.9.23" - } - }, - "com_github_google_ksp": { - "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:ksp.bzl", - "ruleClassName": "ksp_compiler_plugin_repository", - "attributes": { - "urls": [ - "https://github.com/google/ksp/releases/download/1.9.23-1.0.20/artifacts.zip" - ], - "sha256": "ee0618755913ef7fd6511288a232e8fad24838b9af6ea73972a76e81053c8c2d", - "strip_version": "1.9.23-1.0.20" + "https://github.com/bazelbuild/rules_android/archive/v0.1.1.zip" + ] } }, "com_github_pinterest_ktlint": { @@ -543,15 +1031,33 @@ "executable": true } }, - "rules_android": { - "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", - "ruleClassName": "http_archive", + "com_github_jetbrains_kotlin": { + "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:compiler.bzl", + "ruleClassName": "kotlin_capabilities_repository", + "attributes": { + "git_repository_name": "com_github_jetbrains_kotlin_git", + "compiler_version": "1.9.23" + } + }, + "com_github_jetbrains_kotlin_git": { + "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:compiler.bzl", + "ruleClassName": "kotlin_compiler_git_repository", "attributes": { - "sha256": "cd06d15dd8bb59926e4d65f9003bfc20f9da4b2519985c27e190cddc8b7a7806", - "strip_prefix": "rules_android-0.1.1", "urls": [ - "https://github.com/bazelbuild/rules_android/archive/v0.1.1.zip" - ] + "https://github.com/JetBrains/kotlin/releases/download/v1.9.23/kotlin-compiler-1.9.23.zip" + ], + "sha256": "93137d3aab9afa9b27cb06a824c2324195c6b6f6179d8a8653f440f5bd58be88" + } + }, + "com_github_google_ksp": { + "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:ksp.bzl", + "ruleClassName": "ksp_compiler_plugin_repository", + "attributes": { + "urls": [ + "https://github.com/google/ksp/releases/download/1.9.23-1.0.20/artifacts.zip" + ], + "sha256": "ee0618755913ef7fd6511288a232e8fad24838b9af6ea73972a76e81053c8c2d", + "strip_version": "1.9.23-1.0.20" } } }, 
@@ -564,39 +1070,2590 @@ ] } }, - "@@rules_python~//python/uv:uv.bzl%uv": { + "@@rules_python~//python/private/pypi:pip.bzl%pip_internal": { "general": { - "bzlTransitiveDigest": "Xpqjnjzy6zZ90Es9Wa888ZLHhn7IsNGbph/e6qoxzw8=", - "usagesDigest": "Tx9xMlyNlKU8Dq4pnYUJ8g2T1PHLiGoAs42AGwUIqh8=", - "recordedFileInputs": {}, + "bzlTransitiveDigest": "NuFWsw0F1ZHsRw6pAHHojBht90U7WPJQr64a2sg5Ib0=", + "usagesDigest": "/5Os1MEbCgZJ42ZFY1UZAhnLguIdryegbkM9Wq+We6Y=", + "recordedFileInputs": { + "@@rules_python~//tools/publish/requirements_linux.txt": "8175b4c8df50ae2f22d1706961884beeb54e7da27bd2447018314a175981997d", + "@@rules_python~//tools/publish/requirements_windows.txt": "7673adc71dc1a81d3661b90924d7a7c0fc998cd508b3cb4174337cef3f2de556", + "@@rules_python~//tools/publish/requirements_darwin.txt": "2994136eab7e57b083c3de76faf46f70fad130bc8e7360a7fed2b288b69e79dc" + }, "recordedDirentsInputs": {}, - "envVariables": {}, + "envVariables": { + "RULES_PYTHON_REPO_DEBUG": null, + "RULES_PYTHON_REPO_DEBUG_VERBOSITY": null + }, "generatedRepoSpecs": { - "uv": { - "bzlFile": "@@rules_python~//python/uv/private:uv_toolchains_repo.bzl", - "ruleClassName": "uv_toolchains_repo", + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_x86_64_c57516e5": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", "attributes": { - "toolchain_type": "'@@rules_python~//python/uv:uv_toolchain_type'", - "toolchain_names": [ - "none" + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" ], - "toolchain_implementations": { - "none": "'@@rules_python~//python:none'" + "filename": "charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_x86_64.whl", + "python_interpreter_target": 
"@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "c57516e58fd17d03ebe67e181a4e4e2ccab1168f8c2976c6a334d4f819fe5944", + "urls": [ + "https://files.pythonhosted.org/packages/77/d5/8c982d58144de49f59571f940e329ad6e8615e1e82ef84584c5eeb5e1d72/charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_sdist_1c39c601": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "cffi-1.17.1.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824", + "urls": [ + "https://files.pythonhosted.org/packages/fc/97/c783634659c2920c3fc70419e3af40972dbaf758daa229a7d6ea6135c90d/cffi-1.17.1.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_11_0_arm64_6dba5d19": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-macosx_11_0_arm64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": 
"rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "6dba5d19c4dfab08e58d5b36304b3f92f3bd5d42c1a3fa37b5ba5cdf6dfcbcee", + "urls": [ + "https://files.pythonhosted.org/packages/bf/19/411a64f01ee971bed3231111b69eb56f9331a769072de479eae7de52296d/charset_normalizer-3.4.0-cp311-cp311-macosx_11_0_arm64.whl" + ] + } + }, + "rules_python_publish_deps_311_urllib3_py3_none_any_ca899ca0": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "urllib3-2.2.3-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "urllib3==2.2.3", + "sha256": "ca899ca043dcb1bafa3e262d73aa25c465bfb49e0bd9dd5d59f1d0acba2f8fac", + "urls": [ + "https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_x86_64_3710a975": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": 
"rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "3710a9751938947e6327ea9f3ea6332a09bf0ba0c09cae9cb1f250bd1f1549bc", + "urls": [ + "https://files.pythonhosted.org/packages/eb/5b/6f10bad0f6461fa272bfbbdf5d0023b5fb9bc6217c92bf068fa5a99820f5/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_17_x86_64_0f996e72": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "0f996e7268af62598f2fc1204afa98a3b5712313a55c4c9d434aef49cadc91d4", + "urls": [ + "https://files.pythonhosted.org/packages/2a/2c/488776a3dc843f95f86d2f957ca0fc3407d0242b50bede7fad1e339be03f/cryptography-43.0.3-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_urllib3_sdist_e7d814a8": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "urllib3-2.2.3.tar.gz", + "python_interpreter_target": 
"@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "urllib3==2.2.3", + "sha256": "e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9", + "urls": [ + "https://files.pythonhosted.org/packages/ed/63/22ba4ebfe7430b76388e7cd448d5478814d3032121827c12a2cc287e2260/urllib3-2.2.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_musllinux_1_2_aarch64_e1be4655": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-musllinux_1_2_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "e1be4655c7ef6e1bbe6b5d0403526601323420bcf414598955968c9ef3eb7d16", + "urls": [ + "https://files.pythonhosted.org/packages/21/ce/b9c9ff56c7164d8e2edfb6c9305045fbc0df4508ccfdb13ee66eb8c95b0e/cryptography-43.0.3-cp39-abi3-musllinux_1_2_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_armv7l_0411beb0": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": 
"rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "0411beb0589eacb6734f28d5497ca2ed379eafab8ad8c84b31bb5c34072b7164", + "urls": [ + "https://files.pythonhosted.org/packages/05/2b/85977d9e11713b5747595ee61f381bc820749daf83f07b90b6c9964cf932/nh3-0.2.18-cp37-abi3-manylinux_2_17_armv7l.manylinux2014_armv7l.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_sdist_223217c3": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "charset_normalizer-3.4.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "223217c3d4f82c3ac5e29032b3f1c2eb0fb591b72161f86d93f5719079dae93e", + "urls": [ + "https://files.pythonhosted.org/packages/f2/4f/e1808dc01273379acc506d18f1504eb2d299bd4131743b9fc54d7be4df1e/charset_normalizer-3.4.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_aarch64_47334db7": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_aarch64.whl", + "python_interpreter_target": 
"@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "47334db71978b23ebcf3c0f9f5ee98b8d65992b65c9c4f2d34c2eaf5bcaf0594", + "urls": [ + "https://files.pythonhosted.org/packages/d7/a1/493919799446464ed0299c8eef3c3fad0daf1c3cd48bff9263c731b0d9e2/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_ppc64le_46bf4316": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1", + "urls": [ + "https://files.pythonhosted.org/packages/1c/a0/a4fa9f4f781bda074c3ddd57a572b060fa0df7655d2a4247bbe277200146/cffi-1.17.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_aarch64_bf4475b8": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", 
+ "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "bf4475b82be41b07cc5e5ff94810e6a01f276e37c2d55571e3fe175e467a1a1c", + "urls": [ + "https://files.pythonhosted.org/packages/4c/92/97509850f0d00e9f14a46bc751daabd0ad7765cff29cdfb66c68b6dad57f/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_cryptography_sdist_315b9001": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "cryptography-43.0.3.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "315b9001266a492a6ff443b61238f956b214dbec9910a081ba5b6646a055a805", + "urls": [ + "https://files.pythonhosted.org/packages/0d/05/07b55d1fa21ac18c3a8c79f764e2514e6f6a9698f1be44994f5adf0d29db/cryptography-43.0.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64_5f36b271": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", + 
"python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "5f36b271dae35c465ef5e9090e1fdaba4a60a56f0bb0ba03e0932a66f28b9189", + "urls": [ + "https://files.pythonhosted.org/packages/72/f2/5c894d5265ab80a97c68ca36f25c8f6f0308abac649aaf152b74e7e854a8/nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64.manylinux2014_ppc64.whl" + ] + } + }, + "rules_python_publish_deps_311_secretstorage_sdist_2403533e": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "SecretStorage-3.3.3.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "secretstorage==3.3.3", + "sha256": "2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77", + "urls": [ + "https://files.pythonhosted.org/packages/53/a4/f48c9d79cb507ed1373477dbceaba7401fd8a23af63b837fa61f1dcd3691/SecretStorage-3.3.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_jaraco_functools_sdist_70f7e0e2": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "jaraco_functools-4.1.0.tar.gz", + 
"python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-functools==4.1.0", + "sha256": "70f7e0e2ae076498e212562325e805204fc092d7b4c17e0e86c959e249701a9d", + "urls": [ + "https://files.pythonhosted.org/packages/ab/23/9894b3df5d0a6eb44611c36aec777823fc2e07740dabbd0b810e19594013/jaraco_functools-4.1.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_pycparser_py3_none_any_c3702b6d": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "pycparser-2.22-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pycparser==2.22", + "sha256": "c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc", + "urls": [ + "https://files.pythonhosted.org/packages/13/a3/a812df4e2dd5696d1f351d58b8fe16a405b234ad2886a0dab9183fb78109/pycparser-2.22-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_aarch64_a9b15d49": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-musllinux_1_1_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": 
"a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6", + "urls": [ + "https://files.pythonhosted.org/packages/1a/52/d9a0e523a572fbccf2955f5abe883cfa8bcc570d7faeee06336fbd50c9fc/cffi-1.17.1-cp311-cp311-musllinux_1_1_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_idna_sdist_12f65c9b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "idna-3.10.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "idna==3.10", + "sha256": "12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9", + "urls": [ + "https://files.pythonhosted.org/packages/f1/70/7703c29685631f5a7590aa73f1f1d3fa9a380e654b86af429e0934a32f7d/idna-3.10.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_s390x_19aaba96": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_s390x.manylinux2014_s390x.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": 
"19aaba96e0f795bd0a6c56291495ff59364f4300d4a39b29a0abc9cb3774a84b", + "urls": [ + "https://files.pythonhosted.org/packages/c2/a8/3bb02d0c60a03ad3a112b76c46971e9480efa98a8946677b5a59f60130ca/nh3-0.2.18-cp37-abi3-manylinux_2_17_s390x.manylinux2014_s390x.whl" + ] + } + }, + "rules_python_publish_deps_311_pywin32_ctypes_sdist_d162dc04": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "pywin32-ctypes-0.2.3.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pywin32-ctypes==0.2.3", + "sha256": "d162dc04946d704503b2edc4d55f3dba5c1d539ead017afa00142c38b9885755", + "urls": [ + "https://files.pythonhosted.org/packages/85/9f/01a1a99704853cb63f253eea009390c88e7131c67e66a0a02099a8c917cb/pywin32-ctypes-0.2.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_readme_renderer_py3_none_any_2fbca89b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "readme_renderer-44.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "readme-renderer==44.0", + "sha256": "2fbca89b81a08526aadf1357a8c2ae889ec05fb03f5da67f9769c9a592166151", + "urls": [ + 
"https://files.pythonhosted.org/packages/e1/67/921ec3024056483db83953ae8e48079ad62b92db7880013ca77632921dd0/readme_renderer-44.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_pygments_sdist_786ff802": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "pygments-2.18.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pygments==2.18.0", + "sha256": "786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199", + "urls": [ + "https://files.pythonhosted.org/packages/8e/62/8336eff65bcbc8e4cb5d05b55faf041285951b6e80f33e2bff2024788f31/pygments-2.18.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_ppc64le_f1a2f519": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_ppc64le.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "f1a2f519ae173b5b6a2c9d5fa3116ce16e48b3462c8b96dfdded11055e3d6365", + "urls": 
[ + "https://files.pythonhosted.org/packages/75/d2/0ab54463d3410709c09266dfb416d032a08f97fd7d60e94b8c6ef54ae14b/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_ppc64le.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_14c5a72e": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "14c5a72e9fe82aea5fe3072116ad4661af5cf8e8ff8fc5ad3450f123e4925e86", + "urls": [ + "https://files.pythonhosted.org/packages/b3/89/1daff5d9ba5a95a157c092c7c5f39b8dd2b1ddb4559966f808d31cfb67e0/nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl" + ] + } + }, + "rules_python_publish_deps_311_zipp_py3_none_any_a817ac80": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "zipp-3.20.2-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "zipp==3.20.2", + "sha256": 
"a817ac80d6cf4b23bf7f2828b7cabf326f15a001bea8b1f9b49631780ba28350", + "urls": [ + "https://files.pythonhosted.org/packages/62/8b/5ba542fa83c90e09eac972fc9baca7a88e7e7ca4b221a89251954019308b/zipp-3.20.2-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_backports_tarfile_sdist_d75e02c2": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "backports_tarfile-1.2.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "backports-tarfile==1.2.0", + "sha256": "d75e02c268746e1b8144c278978b6e98e85de6ad16f8e4b0844a154557eca991", + "urls": [ + "https://files.pythonhosted.org/packages/86/72/cd9b395f25e290e633655a100af28cb253e4393396264a98bd5f5951d50f/backports_tarfile-1.2.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_jeepney_py3_none_any_c0a454ad": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "jeepney-0.8.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jeepney==0.8.0", + "sha256": "c0a454ad016ca575060802ee4d590dd912e35c122fa04e70306de3d076cce755", + "urls": [ + 
"https://files.pythonhosted.org/packages/ae/72/2a1e2290f1ab1e06f71f3d0f1646c9e4634e70e1d37491535e19266e8dc9/jeepney-0.8.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_secretstorage_py3_none_any_f356e662": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "SecretStorage-3.3.3-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "secretstorage==3.3.3", + "sha256": "f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99", + "urls": [ + "https://files.pythonhosted.org/packages/54/24/b4293291fa1dd830f353d2cb163295742fa87f179fcc8a20a306a81978b7/SecretStorage-3.3.3-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_jaraco_classes_sdist_47a024b5": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "jaraco.classes-3.4.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-classes==3.4.0", + "sha256": "47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd", + "urls": [ + 
"https://files.pythonhosted.org/packages/06/c0/ed4a27bc5571b99e3cff68f8a9fa5b56ff7df1c2251cc715a652ddd26402/jaraco.classes-3.4.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_win_amd64_cee4373f": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-win_amd64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "cee4373f4d3ad28f1ab6290684d8e2ebdb9e7a1b74fdc39e4c211995f77bec27", + "urls": [ + "https://files.pythonhosted.org/packages/0b/6e/b13bd47fa9023b3699e94abf565b5a2f0b0be6e9ddac9812182596ee62e4/charset_normalizer-3.4.0-cp311-cp311-win_amd64.whl" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_musllinux_1_2_x86_64_df6b6c6d": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-musllinux_1_2_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "df6b6c6d742395dd77a23ea3728ab62f98379eff8fb61be2744d4679ab678f73", + "urls": [ + 
"https://files.pythonhosted.org/packages/2a/33/b3682992ab2e9476b9c81fff22f02c8b0a1e6e1d49ee1750a67d85fd7ed2/cryptography-43.0.3-cp39-abi3-musllinux_1_2_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_7b7c2a3c": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "7b7c2a3c9eb1a827d42539aa64091640bd275b81e097cd1d8d82ef91ffa2e811", + "urls": [ + "https://files.pythonhosted.org/packages/2c/b6/42fc3c69cabf86b6b81e4c051a9b6e249c5ba9f8155590222c2622961f58/nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_requests_toolbelt_sdist_7681a0a3": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "requests-toolbelt-1.0.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "requests-toolbelt==1.0.0", + "sha256": 
"7681a0a3d047012b5bdc0ee37d7f8f07ebe76ab08caeccfc3921ce23c88d5bc6", + "urls": [ + "https://files.pythonhosted.org/packages/f3/61/d7545dafb7ac2230c70d38d31cbfe4cc64f7144dc41f6e4e4b78ecd9f5bb/requests-toolbelt-1.0.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_rich_py3_none_any_9836f509": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "rich-13.9.3-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "rich==13.9.3", + "sha256": "9836f5096eb2172c9e77df411c1b009bace4193d6a481d534fea75ebba758283", + "urls": [ + "https://files.pythonhosted.org/packages/9a/e2/10e9819cf4a20bd8ea2f5dabafc2e6bf4a78d6a0965daeb60a4b34d1c11f/rich-13.9.3-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_importlib_metadata_py3_none_any_45e54197": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "importlib_metadata-8.5.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "importlib-metadata==8.5.0", + "sha256": "45e54197d28b7a7f1559e60b95e7c567032b602131fbd588f1497f47880aa68b", + "urls": [ + 
"https://files.pythonhosted.org/packages/a0/d9/a1e041c5e7caa9a05c925f4bdbdfb7f006d1f74996af53467bc394c97be7/importlib_metadata-8.5.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_twine_py3_none_any_215dbe7b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "twine-5.1.1-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "twine==5.1.1", + "sha256": "215dbe7b4b94c2c50a7315c0275d2258399280fbb7d04182c7e55e24b5f93997", + "urls": [ + "https://files.pythonhosted.org/packages/5d/ec/00f9d5fd040ae29867355e559a94e9a8429225a0284a3f5f091a3878bfc0/twine-5.1.1-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_docutils_sdist_3a6b1873": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "docutils-0.21.2.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "docutils==0.21.2", + "sha256": "3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f", + "urls": [ + 
"https://files.pythonhosted.org/packages/ae/ed/aefcc8cd0ba62a0560c3c18c33925362d46c6075480bfa4df87b28e169a9/docutils-0.21.2.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_keyring_sdist_b07ebc55": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "keyring-25.4.1.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "keyring==25.4.1", + "sha256": "b07ebc55f3e8ed86ac81dd31ef14e81ace9dd9c3d4b5d77a6e9a2016d0d71a1b", + "urls": [ + "https://files.pythonhosted.org/packages/a5/1c/2bdbcfd5d59dc6274ffb175bc29aa07ecbfab196830e0cfbde7bd861a2ea/keyring-25.4.1.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_markdown_it_py_py3_none_any_35521684": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "markdown_it_py-3.0.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "markdown-it-py==3.0.0", + "sha256": "355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1", + "urls": [ + 
"https://files.pythonhosted.org/packages/42/d7/1ec15b46af6af88f19b8e5ffea08fa375d433c998b8a7639e76935c14f1f/markdown_it_py-3.0.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_certifi_py3_none_any_922820b5": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "certifi-2024.8.30-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "certifi==2024.8.30", + "sha256": "922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8", + "urls": [ + "https://files.pythonhosted.org/packages/12/90/3c9ff0512038035f59d279fddeb79f5f1eccd8859f06d6163c58798b9487/certifi-2024.8.30-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_more_itertools_sdist_5482bfef": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "more-itertools-10.5.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "more-itertools==10.5.0", + "sha256": "5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6", + "urls": [ + 
"https://files.pythonhosted.org/packages/51/78/65922308c4248e0eb08ebcbe67c95d48615cc6f27854b6f2e57143e9178f/more-itertools-10.5.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_win_amd64_8ce0f819": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-win_amd64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "8ce0f819d2f1933953fca255db2471ad58184a60508f03e6285e5114b6254844", + "urls": [ + "https://files.pythonhosted.org/packages/26/8d/53c5b19c4999bdc6ba95f246f4ef35ca83d7d7423e5e38be43ad66544e5d/nh3-0.2.18-cp37-abi3-win_amd64.whl" + ] + } + }, + "rules_python_publish_deps_311_certifi_sdist_bec941d2": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "certifi-2024.8.30.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "certifi==2024.8.30", + "sha256": "bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9", + "urls": [ + 
"https://files.pythonhosted.org/packages/b0/ee/9b19140fe824b367c04c5e1b369942dd754c4c5462d5674002f75c4dedc1/certifi-2024.8.30.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_py3_none_any_fe9f97fe": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "fe9f97feb71aa9896b81973a7bbada8c49501dc73e58a10fcef6663af95e5079", + "urls": [ + "https://files.pythonhosted.org/packages/bf/9b/08c0432272d77b04803958a4598a51e2a4b51c06640af8b8f0f908c18bf2/charset_normalizer-3.4.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_mdurl_py3_none_any_84008a41": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "mdurl-0.1.2-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "mdurl==0.1.2", + "sha256": "84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8", + "urls": [ + 
"https://files.pythonhosted.org/packages/b3/38/89ba8ad64ae25be8de66a6d463314cf1eb366222074cfda9ee839c56a4b4/mdurl-0.1.2-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_x86_64_bcb4f8ea": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "bcb4f8ea87d03bc51ad04add8ceaf9b0f085ac045ab4d74e73bbc2dc033f0236", + "urls": [ + "https://files.pythonhosted.org/packages/ee/44/4f62042ca8cdc0cabf87c0fc00ae27cd8b53ab68be3605ba6d071f742ad3/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_s390x_a24ed04c": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6", + "urls": [ + 
"https://files.pythonhosted.org/packages/62/12/ce8710b5b8affbcdd5c6e367217c242524ad17a02fe5beec3ee339f69f85/cffi-1.17.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl" + ] + } + }, + "rules_python_publish_deps_311_mdurl_sdist_bb413d29": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "mdurl-0.1.2.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "mdurl==0.1.2", + "sha256": "bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba", + "urls": [ + "https://files.pythonhosted.org/packages/d6/54/cfe61301667036ec958cb99bd3efefba235e65cdeb9c84d24a8293ba1d90/mdurl-0.1.2.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_keyring_py3_none_any_5426f817": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "keyring-25.4.1-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "keyring==25.4.1", + "sha256": "5426f817cf7f6f007ba5ec722b1bcad95a75b27d780343772ad76b17cb47b0bf", + "urls": [ + 
"https://files.pythonhosted.org/packages/83/25/e6d59e5f0a0508d0dca8bb98c7f7fd3772fc943ac3f53d5ab18a218d32c0/keyring-25.4.1-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_aarch64_42c64511": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "42c64511469005058cd17cc1537578eac40ae9f7200bedcfd1fc1a05f4f8c200", + "urls": [ + "https://files.pythonhosted.org/packages/45/b9/833f385403abaf0023c6547389ec7a7acf141ddd9d1f21573723a6eab39a/nh3-0.2.18-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_rfc3986_sdist_97aacf9d": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "rfc3986-2.0.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "rfc3986==2.0.0", + "sha256": 
"97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c", + "urls": [ + "https://files.pythonhosted.org/packages/85/40/1520d68bfa07ab5a6f065a186815fb6610c86fe957bc065754e47f7b0840/rfc3986-2.0.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_twine_sdist_9aa08251": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "twine-5.1.1.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "twine==5.1.1", + "sha256": "9aa0825139c02b3434d913545c7b847a21c835e11597f5255842d457da2322db", + "urls": [ + "https://files.pythonhosted.org/packages/77/68/bd982e5e949ef8334e6f7dcf76ae40922a8750aa2e347291ae1477a4782b/twine-5.1.1.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_pkginfo_sdist_5df73835": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "pkginfo-1.10.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pkginfo==1.10.0", + "sha256": 
"5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297", + "urls": [ + "https://files.pythonhosted.org/packages/2f/72/347ec5be4adc85c182ed2823d8d1c7b51e13b9a6b0c1aae59582eca652df/pkginfo-1.10.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_backports_tarfile_py3_none_any_77e284d7": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "backports.tarfile-1.2.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "backports-tarfile==1.2.0", + "sha256": "77e284d754527b01fb1e6fa8a1afe577858ebe4e9dad8919e34c862cb399bc34", + "urls": [ + "https://files.pythonhosted.org/packages/b9/fa/123043af240e49752f1c4bd24da5053b6bd00cad78c2be53c0d1e8b975bc/backports.tarfile-1.2.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_markdown_it_py_sdist_e3f60a94": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "markdown-it-py-3.0.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "markdown-it-py==3.0.0", + "sha256": 
"e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb", + "urls": [ + "https://files.pythonhosted.org/packages/38/71/3b932df36c1a044d397a1f92d1cf91ee0a503d91e470cbd670aa66b07ed0/markdown-it-py-3.0.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_ppc64le_ce031db0": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "ce031db0408e487fd2775d745ce30a7cd2923667cf3b69d48d219f1d8f5ddeb6", + "urls": [ + "https://files.pythonhosted.org/packages/e2/29/d227805bff72ed6d6cb1ce08eec707f7cfbd9868044893617eb331f16295/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_aarch64_f0eca9ca": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-musllinux_1_2_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": 
"rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "f0eca9ca8628dbb4e916ae2491d72957fdd35f7a5d326b7032a345f111ac07fe", + "urls": [ + "https://files.pythonhosted.org/packages/a3/da/0c4e282bc3cff4a0adf37005fa1fb42257673fbc1bbf7d1ff639ec3d255a/nh3-0.2.18-cp37-abi3-musllinux_1_2_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_pkginfo_py3_none_any_889a6da2": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "pkginfo-1.10.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pkginfo==1.10.0", + "sha256": "889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097", + "urls": [ + "https://files.pythonhosted.org/packages/56/09/054aea9b7534a15ad38a363a2bd974c20646ab1582a387a95b8df1bfea1c/pkginfo-1.10.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_idna_py3_none_any_946d195a": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "idna-3.10-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "idna==3.10", + "sha256": 
"946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3", + "urls": [ + "https://files.pythonhosted.org/packages/76/c6/c88e154df9c4e1a2a66ccf0005a88dfb2650c1dffb6f5ce603dfbd452ce3/idna-3.10-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_sdist_94a16692": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "nh3-0.2.18.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "94a166927e53972a9698af9542ace4e38b9de50c34352b962f4d9a7d4c927af4", + "urls": [ + "https://files.pythonhosted.org/packages/62/73/10df50b42ddb547a907deeb2f3c9823022580a7a47281e8eae8e003a9639/nh3-0.2.18.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_requests_sdist_55365417": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "requests-2.32.3.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "requests==2.32.3", + "sha256": 
"55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760", + "urls": [ + "https://files.pythonhosted.org/packages/63/70/2bf7780ad2d390a8d301ad0b550f1581eadbd9a20f896afe06353c2a2913/requests-2.32.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_17_aarch64_846da004": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "846da004a5804145a5f441b8530b4bf35afbf7da70f82409f151695b127213d5", + "urls": [ + "https://files.pythonhosted.org/packages/2f/78/55356eb9075d0be6e81b59f45c7b48df87f76a20e73893872170471f3ee8/cryptography-43.0.3-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_pycparser_sdist_491c8be9": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "pycparser-2.22.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pycparser==2.22", + "sha256": "491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6", + "urls": [ + 
"https://files.pythonhosted.org/packages/1d/b2/31537cf4b1ca988837256c910a668b553fceb8f069bedc4b1c826024b52c/pycparser-2.22.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_x86_64_de3ceed6": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "de3ceed6e661954871d6cd78b410213bdcb136f79aafe22aa7182e028b8c7307", + "urls": [ + "https://files.pythonhosted.org/packages/1b/63/6ab90d0e5225ab9780f6c9fb52254fa36b52bb7c188df9201d05b647e5e1/nh3-0.2.18-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_pygments_py3_none_any_b8e6aca0": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "pygments-2.18.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pygments==2.18.0", + "sha256": "b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a", + "urls": [ + 
"https://files.pythonhosted.org/packages/f7/3f/01c8b82017c199075f8f788d0d906b9ffbbc5a47dc9918a945e13d5a2bda/pygments-2.18.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_importlib_metadata_sdist_71522656": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "importlib_metadata-8.5.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "importlib-metadata==8.5.0", + "sha256": "71522656f0abace1d072b9e5481a48f07c138e00f079c38c8f883823f9c26bd7", + "urls": [ + "https://files.pythonhosted.org/packages/cd/12/33e59336dca5be0c398a7482335911a33aa0e20776128f038019f1a95f1b/importlib_metadata-8.5.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_armv7l_3a157ab1": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-musllinux_1_2_armv7l.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "3a157ab149e591bb638a55c8c6bcb8cdb559c8b12c13a8affaba6cedfe51713a", + "urls": [ + 
"https://files.pythonhosted.org/packages/de/81/c291231463d21da5f8bba82c8167a6d6893cc5419b0639801ee5d3aeb8a9/nh3-0.2.18-cp37-abi3-musllinux_1_2_armv7l.whl" + ] + } + }, + "rules_python_publish_deps_311_jaraco_context_py3_none_any_f797fc48": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "jaraco.context-6.0.1-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-context==6.0.1", + "sha256": "f797fc481b490edb305122c9181830a3a5b76d84ef6d1aef2fb9b47ab956f9e4", + "urls": [ + "https://files.pythonhosted.org/packages/ff/db/0c52c4cf5e4bd9f5d7135ec7669a3a767af21b3a308e1ed3674881e52b62/jaraco.context-6.0.1-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_more_itertools_py3_none_any_037b0d32": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "more_itertools-10.5.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "more-itertools==10.5.0", + "sha256": "037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef", + "urls": [ + 
"https://files.pythonhosted.org/packages/48/7e/3a64597054a70f7c86eb0a7d4fc315b8c1ab932f64883a297bdffeb5f967/more_itertools-10.5.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_s390x_63bc5c4a": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_s390x.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "63bc5c4ae26e4bc6be6469943b8253c0fd4e4186c43ad46e713ea61a0ba49129", + "urls": [ + "https://files.pythonhosted.org/packages/8d/c9/27e41d481557be53d51e60750b85aa40eaf52b841946b3cdeff363105737/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_s390x.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64le_34c03fa7": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": 
"34c03fa78e328c691f982b7c03d4423bdfd7da69cd707fe572f544cf74ac23ad", + "urls": [ + "https://files.pythonhosted.org/packages/ab/a7/375afcc710dbe2d64cfbd69e31f82f3e423d43737258af01f6a56d844085/nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl" + ] + } + }, + "rules_python_publish_deps_311_rich_sdist_bc1e01b8": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "rich-13.9.3.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "rich==13.9.3", + "sha256": "bc1e01b899537598cf02579d2b9f4a415104d3fc439313a7a2c165d76557a08e", + "urls": [ + "https://files.pythonhosted.org/packages/d9/e9/cf9ef5245d835065e6673781dbd4b8911d352fb770d56cf0879cf11b7ee1/rich-13.9.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_requests_toolbelt_py2_none_any_cccfdd66": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "requests_toolbelt-1.0.0-py2.py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "requests-toolbelt==1.0.0", + "sha256": 
"cccfdd665f0a24fcf4726e690f65639d272bb0637b9b92dfd91a5568ccf6bd06", + "urls": [ + "https://files.pythonhosted.org/packages/3f/51/d4db610ef29373b879047326cbf6fa98b6c1969d6f6dc423279de2b1be2c/requests_toolbelt-1.0.0-py2.py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_x86_64_610faea7": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d", + "urls": [ + "https://files.pythonhosted.org/packages/ff/6b/d45873c5e0242196f042d555526f92aa9e0c32355a1be1ff8c27f077fd37/cffi-1.17.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_x86_64_fc48c783": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-musllinux_1_1_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b", + "urls": [ + 
"https://files.pythonhosted.org/packages/f8/4a/34599cac7dfcd888ff54e801afe06a19c17787dfd94495ab0c8d35fe99fb/cffi-1.17.1-cp311-cp311-musllinux_1_1_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_28_aarch64_f7b178f1": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-manylinux_2_28_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "f7b178f11ed3664fd0e995a47ed2b5ff0a12d893e41dd0494f406d1cf555cab7", + "urls": [ + "https://files.pythonhosted.org/packages/7c/04/2345ca92f7a22f601a9c62961741ef7dd0127c39f7310dffa0041c80f16f/cryptography-43.0.3-cp39-abi3-manylinux_2_28_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_docutils_py3_none_any_dafca5b9": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "docutils-0.21.2-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "docutils==0.21.2", + "sha256": "dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2", + "urls": [ + 
"https://files.pythonhosted.org/packages/8f/d7/9322c609343d929e75e7e5e6255e614fcc67572cfd083959cdef3b7aad79/docutils-0.21.2-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_pywin32_ctypes_py3_none_any_8a151337": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_windows_x86_64" + ], + "filename": "pywin32_ctypes-0.2.3-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pywin32-ctypes==0.2.3", + "sha256": "8a1513379d709975552d202d942d9837758905c8d01eb82b8bcc30918929e7b8", + "urls": [ + "https://files.pythonhosted.org/packages/de/3d/8161f7711c017e01ac9f008dfddd9410dff3674334c233bde66e7ba65bbf/pywin32_ctypes-0.2.3-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_x86_64_36c95d4b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-musllinux_1_2_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "36c95d4b70530b320b365659bb5034341316e6a9b30f0b25fa9c9eff4c27a204", + "urls": [ + "https://files.pythonhosted.org/packages/eb/61/73a007c74c37895fdf66e0edcd881f5eaa17a348ff02f4bb4bc906d61085/nh3-0.2.18-cp37-abi3-musllinux_1_2_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_jeepney_sdist_5efe48d2": { + 
"bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "jeepney-0.8.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jeepney==0.8.0", + "sha256": "5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806", + "urls": [ + "https://files.pythonhosted.org/packages/d6/f4/154cf374c2daf2020e05c3c6a03c91348d59b23c5366e968feb198306fdf/jeepney-0.8.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_28_x86_64_c2e6fc39": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-manylinux_2_28_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "c2e6fc39c4ab499049df3bdf567f768a723a5e8464816e8f009f121a5a9f4405", + "urls": [ + "https://files.pythonhosted.org/packages/ac/25/e715fa0bc24ac2114ed69da33adf451a38abb6f3f24ec207908112e9ba53/cryptography-43.0.3-cp39-abi3-manylinux_2_28_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_rfc3986_py2_none_any_50b1502b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": 
"@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "rfc3986-2.0.0-py2.py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "rfc3986==2.0.0", + "sha256": "50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd", + "urls": [ + "https://files.pythonhosted.org/packages/ff/9a/9afaade874b2fa6c752c36f1548f718b5b83af81ed9b76628329dab81c1b/rfc3986-2.0.0-py2.py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_zipp_sdist_bc9eb26f": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "zipp-3.20.2.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "zipp==3.20.2", + "sha256": "bc9eb26f4506fda01b81bcde0ca78103b6e62f991b381fec825435c836edbc29", + "urls": [ + "https://files.pythonhosted.org/packages/54/bf/5c0000c44ebc80123ecbdddba1f5dcd94a5ada602a9c225d84b5aaa55e86/zipp-3.20.2.tar.gz" + ] + } + }, + "rules_python_publish_deps": { + "bzlFile": "@@rules_python~//python/private/pypi:hub_repository.bzl", + "ruleClassName": "hub_repository", + "attributes": { + "repo_name": "rules_python_publish_deps", + "extra_hub_aliases": {}, + "whl_map": { + "backports_tarfile": 
"[{\"filename\":\"backports.tarfile-1.2.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_backports_tarfile_py3_none_any_77e284d7\",\"version\":\"3.11\"},{\"filename\":\"backports_tarfile-1.2.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_backports_tarfile_sdist_d75e02c2\",\"version\":\"3.11\"}]", + "certifi": "[{\"filename\":\"certifi-2024.8.30-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_certifi_py3_none_any_922820b5\",\"version\":\"3.11\"},{\"filename\":\"certifi-2024.8.30.tar.gz\",\"repo\":\"rules_python_publish_deps_311_certifi_sdist_bec941d2\",\"version\":\"3.11\"}]", + "cffi": "[{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_aarch64_a1ed2dd2\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_ppc64le_46bf4316\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_s390x_a24ed04c\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_x86_64_610faea7\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1-cp311-cp311-musllinux_1_1_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_aarch64_a9b15d49\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1-cp311-cp311-musllinux_1_1_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_x86_64_fc48c783\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1.tar.gz\",\"repo\":\"rules_python_publish_deps_311_cffi_sdist_1c39c601\",\"version\":\"3.11\"}]", + "charset_normalizer": 
"[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_universal2.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_universal2_0d99dd8f\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_x86_64_c57516e5\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_11_0_arm64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_11_0_arm64_6dba5d19\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_aarch64_bf4475b8\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_ppc64le_ce031db0\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_s390x_8ff4e7cd\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_x86_64_3710a975\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_aarch64_47334db7\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_ppc64le.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_ppc64le_f1a2f519\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp31
1-musllinux_1_2_s390x.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_s390x_63bc5c4a\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_x86_64_bcb4f8ea\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-win_amd64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_win_amd64_cee4373f\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_py3_none_any_fe9f97fe\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_sdist_223217c3\",\"version\":\"3.11\"}]", + "cryptography": "[{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_17_aarch64_846da004\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_17_x86_64_0f996e72\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_28_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_28_aarch64_f7b178f1\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_28_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_28_x86_64_c2e6fc39\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3-cp39-abi3-musllinux_1_2_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_cryptography_cp39_abi3_musllinux_1_2_aarch64_e1be4655\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3-cp39-abi3-musllinux_1_2_x86_64.whl\",\"repo\":\"rules_python_publish_de
ps_311_cryptography_cp39_abi3_musllinux_1_2_x86_64_df6b6c6d\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_cryptography_sdist_315b9001\",\"version\":\"3.11\"}]", + "docutils": "[{\"filename\":\"docutils-0.21.2-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_docutils_py3_none_any_dafca5b9\",\"version\":\"3.11\"},{\"filename\":\"docutils-0.21.2.tar.gz\",\"repo\":\"rules_python_publish_deps_311_docutils_sdist_3a6b1873\",\"version\":\"3.11\"}]", + "idna": "[{\"filename\":\"idna-3.10-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_idna_py3_none_any_946d195a\",\"version\":\"3.11\"},{\"filename\":\"idna-3.10.tar.gz\",\"repo\":\"rules_python_publish_deps_311_idna_sdist_12f65c9b\",\"version\":\"3.11\"}]", + "importlib_metadata": "[{\"filename\":\"importlib_metadata-8.5.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_importlib_metadata_py3_none_any_45e54197\",\"version\":\"3.11\"},{\"filename\":\"importlib_metadata-8.5.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_importlib_metadata_sdist_71522656\",\"version\":\"3.11\"}]", + "jaraco_classes": "[{\"filename\":\"jaraco.classes-3.4.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_jaraco_classes_py3_none_any_f662826b\",\"version\":\"3.11\"},{\"filename\":\"jaraco.classes-3.4.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_jaraco_classes_sdist_47a024b5\",\"version\":\"3.11\"}]", + "jaraco_context": "[{\"filename\":\"jaraco.context-6.0.1-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_jaraco_context_py3_none_any_f797fc48\",\"version\":\"3.11\"},{\"filename\":\"jaraco_context-6.0.1.tar.gz\",\"repo\":\"rules_python_publish_deps_311_jaraco_context_sdist_9bae4ea5\",\"version\":\"3.11\"}]", + "jaraco_functools": 
"[{\"filename\":\"jaraco.functools-4.1.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_jaraco_functools_py3_none_any_ad159f13\",\"version\":\"3.11\"},{\"filename\":\"jaraco_functools-4.1.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_jaraco_functools_sdist_70f7e0e2\",\"version\":\"3.11\"}]", + "jeepney": "[{\"filename\":\"jeepney-0.8.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_jeepney_py3_none_any_c0a454ad\",\"version\":\"3.11\"},{\"filename\":\"jeepney-0.8.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_jeepney_sdist_5efe48d2\",\"version\":\"3.11\"}]", + "keyring": "[{\"filename\":\"keyring-25.4.1-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_keyring_py3_none_any_5426f817\",\"version\":\"3.11\"},{\"filename\":\"keyring-25.4.1.tar.gz\",\"repo\":\"rules_python_publish_deps_311_keyring_sdist_b07ebc55\",\"version\":\"3.11\"}]", + "markdown_it_py": "[{\"filename\":\"markdown-it-py-3.0.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_markdown_it_py_sdist_e3f60a94\",\"version\":\"3.11\"},{\"filename\":\"markdown_it_py-3.0.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_markdown_it_py_py3_none_any_35521684\",\"version\":\"3.11\"}]", + "mdurl": "[{\"filename\":\"mdurl-0.1.2-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_mdurl_py3_none_any_84008a41\",\"version\":\"3.11\"},{\"filename\":\"mdurl-0.1.2.tar.gz\",\"repo\":\"rules_python_publish_deps_311_mdurl_sdist_bb413d29\",\"version\":\"3.11\"}]", + "more_itertools": "[{\"filename\":\"more-itertools-10.5.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_more_itertools_sdist_5482bfef\",\"version\":\"3.11\"},{\"filename\":\"more_itertools-10.5.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_more_itertools_py3_none_any_037b0d32\",\"version\":\"3.11\"}]", + "nh3": 
"[{\"filename\":\"nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_14c5a72e\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_7b7c2a3c\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_aarch64_42c64511\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_armv7l.manylinux2014_armv7l.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_armv7l_0411beb0\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64.manylinux2014_ppc64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64_5f36b271\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64le_34c03fa7\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_s390x_19aaba96\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_x86_64_de3ceed6\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_aarch64_f0eca9ca\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_armv7l.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_armv7l_3a157ab1\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_x86_64.whl\",\"repo\":\"rules_python_pu
blish_deps_311_nh3_cp37_abi3_musllinux_1_2_x86_64_36c95d4b\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-win_amd64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_win_amd64_8ce0f819\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18.tar.gz\",\"repo\":\"rules_python_publish_deps_311_nh3_sdist_94a16692\",\"version\":\"3.11\"}]", + "pkginfo": "[{\"filename\":\"pkginfo-1.10.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_pkginfo_py3_none_any_889a6da2\",\"version\":\"3.11\"},{\"filename\":\"pkginfo-1.10.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_pkginfo_sdist_5df73835\",\"version\":\"3.11\"}]", + "pycparser": "[{\"filename\":\"pycparser-2.22-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_pycparser_py3_none_any_c3702b6d\",\"version\":\"3.11\"},{\"filename\":\"pycparser-2.22.tar.gz\",\"repo\":\"rules_python_publish_deps_311_pycparser_sdist_491c8be9\",\"version\":\"3.11\"}]", + "pygments": "[{\"filename\":\"pygments-2.18.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_pygments_py3_none_any_b8e6aca0\",\"version\":\"3.11\"},{\"filename\":\"pygments-2.18.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_pygments_sdist_786ff802\",\"version\":\"3.11\"}]", + "pywin32_ctypes": "[{\"filename\":\"pywin32-ctypes-0.2.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_pywin32_ctypes_sdist_d162dc04\",\"version\":\"3.11\"},{\"filename\":\"pywin32_ctypes-0.2.3-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_pywin32_ctypes_py3_none_any_8a151337\",\"version\":\"3.11\"}]", + "readme_renderer": "[{\"filename\":\"readme_renderer-44.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_readme_renderer_py3_none_any_2fbca89b\",\"version\":\"3.11\"},{\"filename\":\"readme_renderer-44.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_readme_renderer_sdist_8712034e\",\"version\":\"3.11\"}]", + "requests": 
"[{\"filename\":\"requests-2.32.3-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_requests_py3_none_any_70761cfe\",\"version\":\"3.11\"},{\"filename\":\"requests-2.32.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_requests_sdist_55365417\",\"version\":\"3.11\"}]", + "requests_toolbelt": "[{\"filename\":\"requests-toolbelt-1.0.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_requests_toolbelt_sdist_7681a0a3\",\"version\":\"3.11\"},{\"filename\":\"requests_toolbelt-1.0.0-py2.py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_requests_toolbelt_py2_none_any_cccfdd66\",\"version\":\"3.11\"}]", + "rfc3986": "[{\"filename\":\"rfc3986-2.0.0-py2.py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_rfc3986_py2_none_any_50b1502b\",\"version\":\"3.11\"},{\"filename\":\"rfc3986-2.0.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_rfc3986_sdist_97aacf9d\",\"version\":\"3.11\"}]", + "rich": "[{\"filename\":\"rich-13.9.3-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_rich_py3_none_any_9836f509\",\"version\":\"3.11\"},{\"filename\":\"rich-13.9.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_rich_sdist_bc1e01b8\",\"version\":\"3.11\"}]", + "secretstorage": "[{\"filename\":\"SecretStorage-3.3.3-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_secretstorage_py3_none_any_f356e662\",\"version\":\"3.11\"},{\"filename\":\"SecretStorage-3.3.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_secretstorage_sdist_2403533e\",\"version\":\"3.11\"}]", + "twine": "[{\"filename\":\"twine-5.1.1-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_twine_py3_none_any_215dbe7b\",\"version\":\"3.11\"},{\"filename\":\"twine-5.1.1.tar.gz\",\"repo\":\"rules_python_publish_deps_311_twine_sdist_9aa08251\",\"version\":\"3.11\"}]", + "urllib3": 
"[{\"filename\":\"urllib3-2.2.3-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_urllib3_py3_none_any_ca899ca0\",\"version\":\"3.11\"},{\"filename\":\"urllib3-2.2.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_urllib3_sdist_e7d814a8\",\"version\":\"3.11\"}]", + "zipp": "[{\"filename\":\"zipp-3.20.2-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_zipp_py3_none_any_a817ac80\",\"version\":\"3.11\"},{\"filename\":\"zipp-3.20.2.tar.gz\",\"repo\":\"rules_python_publish_deps_311_zipp_sdist_bc9eb26f\",\"version\":\"3.11\"}]" }, - "toolchain_compatible_with": { - "none": [ - "@platforms//:incompatible" - ] - }, - "toolchain_target_settings": {} + "packages": [ + "backports_tarfile", + "certifi", + "charset_normalizer", + "docutils", + "idna", + "importlib_metadata", + "jaraco_classes", + "jaraco_context", + "jaraco_functools", + "keyring", + "markdown_it_py", + "mdurl", + "more_itertools", + "nh3", + "pkginfo", + "pygments", + "readme_renderer", + "requests", + "requests_toolbelt", + "rfc3986", + "rich", + "twine", + "urllib3", + "zipp" + ], + "groups": {} + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_universal2_0d99dd8f": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_universal2.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "0d99dd8ff461990f12d6e42c7347fd9ab2532fb70e9621ba520f9e8637161d7c", + "urls": [ + 
"https://files.pythonhosted.org/packages/9c/61/73589dcc7a719582bf56aae309b6103d2762b526bffe189d635a7fcfd998/charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_universal2.whl" + ] + } + }, + "rules_python_publish_deps_311_jaraco_classes_py3_none_any_f662826b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "jaraco.classes-3.4.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-classes==3.4.0", + "sha256": "f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790", + "urls": [ + "https://files.pythonhosted.org/packages/7f/66/b15ce62552d84bbfcec9a4873ab79d993a1dd4edb922cbfccae192bd5b5f/jaraco.classes-3.4.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_jaraco_context_sdist_9bae4ea5": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "jaraco_context-6.0.1.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-context==6.0.1", + "sha256": "9bae4ea555cf0b14938dc0aee7c9f32ed303aa20a3b73e7dc80111628792d1b3", + 
"urls": [ + "https://files.pythonhosted.org/packages/df/ad/f3777b81bf0b6e7bc7514a1656d3e637b2e8e15fab2ce3235730b3e7a4e6/jaraco_context-6.0.1.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_requests_py3_none_any_70761cfe": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "requests-2.32.3-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "requests==2.32.3", + "sha256": "70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6", + "urls": [ + "https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_readme_renderer_sdist_8712034e": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "readme_renderer-44.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "readme-renderer==44.0", + "sha256": "8712034eabbfa6805cacf1402b4eeb2a73028f72d1166d6f5cb7f9c047c5d1e1", + "urls": [ + 
"https://files.pythonhosted.org/packages/5a/a9/104ec9234c8448c4379768221ea6df01260cd6c2ce13182d4eac531c8342/readme_renderer-44.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_aarch64_a1ed2dd2": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41", + "urls": [ + "https://files.pythonhosted.org/packages/2e/ea/70ce63780f096e16ce8588efe039d3c4f91deb1dc01e9c73a287939c79a6/cffi-1.17.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_s390x_8ff4e7cd": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "8ff4e7cdfdb1ab5698e675ca622e72d58a6fa2a8aa58195de0c0061288e6e3ea", + "urls": [ + 
"https://files.pythonhosted.org/packages/13/bc/87c2c9f2c144bedfa62f894c3007cd4530ba4b5351acb10dc786428a50f0/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl" + ] + } + }, + "rules_python_publish_deps_311_jaraco_functools_py3_none_any_ad159f13": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "jaraco.functools-4.1.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-functools==4.1.0", + "sha256": "ad159f13428bc4acbf5541ad6dec511f91573b90fba04df61dafa2a1231cf649", + "urls": [ + "https://files.pythonhosted.org/packages/9f/4f/24b319316142c44283d7540e76c7b5a6dbd5db623abd86bb7b3491c21018/jaraco.functools-4.1.0-py3-none-any.whl" + ] } } }, "recordedRepoMappingEntries": [ + [ + "bazel_features~", + "bazel_features_globals", + "bazel_features~~version_extension~bazel_features_globals" + ], + [ + "bazel_features~", + "bazel_features_version", + "bazel_features~~version_extension~bazel_features_version" + ], [ "rules_python~", - "platforms", - "platforms" + "bazel_features", + "bazel_features~" + ], + [ + "rules_python~", + "bazel_skylib", + "bazel_skylib~" + ], + [ + "rules_python~", + "bazel_tools", + "bazel_tools" + ], + [ + "rules_python~", + "pypi__build", + "rules_python~~internal_deps~pypi__build" + ], + [ + "rules_python~", + "pypi__click", + "rules_python~~internal_deps~pypi__click" + ], + [ + "rules_python~", + "pypi__colorama", + "rules_python~~internal_deps~pypi__colorama" + ], + [ + "rules_python~", + "pypi__importlib_metadata", + 
"rules_python~~internal_deps~pypi__importlib_metadata" + ], + [ + "rules_python~", + "pypi__installer", + "rules_python~~internal_deps~pypi__installer" + ], + [ + "rules_python~", + "pypi__more_itertools", + "rules_python~~internal_deps~pypi__more_itertools" + ], + [ + "rules_python~", + "pypi__packaging", + "rules_python~~internal_deps~pypi__packaging" + ], + [ + "rules_python~", + "pypi__pep517", + "rules_python~~internal_deps~pypi__pep517" + ], + [ + "rules_python~", + "pypi__pip", + "rules_python~~internal_deps~pypi__pip" + ], + [ + "rules_python~", + "pypi__pip_tools", + "rules_python~~internal_deps~pypi__pip_tools" + ], + [ + "rules_python~", + "pypi__pyproject_hooks", + "rules_python~~internal_deps~pypi__pyproject_hooks" + ], + [ + "rules_python~", + "pypi__setuptools", + "rules_python~~internal_deps~pypi__setuptools" + ], + [ + "rules_python~", + "pypi__tomli", + "rules_python~~internal_deps~pypi__tomli" + ], + [ + "rules_python~", + "pypi__wheel", + "rules_python~~internal_deps~pypi__wheel" + ], + [ + "rules_python~", + "pypi__zipp", + "rules_python~~internal_deps~pypi__zipp" + ], + [ + "rules_python~", + "pythons_hub", + "rules_python~~python~pythons_hub" + ], + [ + "rules_python~~python~pythons_hub", + "python_3_10_host", + "rules_python~~python~python_3_10_host" + ], + [ + "rules_python~~python~pythons_hub", + "python_3_11_host", + "rules_python~~python~python_3_11_host" + ], + [ + "rules_python~~python~pythons_hub", + "python_3_12_host", + "rules_python~~python~python_3_12_host" + ], + [ + "rules_python~~python~pythons_hub", + "python_3_8_host", + "rules_python~~python~python_3_8_host" + ], + [ + "rules_python~~python~pythons_hub", + "python_3_9_host", + "rules_python~~python~python_3_9_host" ] ] } diff --git a/WORKSPACE.bzlmod b/WORKSPACE.bzlmod index 273d85e75..5bf5f4fd9 100644 --- a/WORKSPACE.bzlmod +++ b/WORKSPACE.bzlmod 
@@ -234,10 +234,6 @@ load("//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:source.bzl"
 node_maintainance_operator_deps()
-load("//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:source.bzl", "aws_load_balancer_controller_deps")
-
-aws_load_balancer_controller_deps()
-
 # CI deps
 load("//bazel/toolchains:ci_deps.bzl", "ci_deps")
diff --git a/bazel/ci/BUILD.bazel b/bazel/ci/BUILD.bazel
index 3fdcdcc8b..455b136e5 100644
--- a/bazel/ci/BUILD.bazel
+++ b/bazel/ci/BUILD.bazel
@@ -1,7 +1,7 @@
 load("@buildifier_prebuilt//:rules.bzl", "buildifier", "buildifier_test")
 load("@com_github_ash2k_bazel_tools//multirun:def.bzl", "multirun")
 load("@gazelle//:def.bzl", "gazelle")
-load("//bazel/ci:go_bin_for_host.bzl", "go_bin_for_host")
+load("@io_bazel_rules_go//go/private/rules:go_bin_for_host.bzl", "go_bin_for_host")
 load("//bazel/ci:proto_targets.bzl", "proto_targets")
 load("//bazel/sh:def.bzl", "noop_warn", "repo_command", "sh_template")
@@ -558,7 +558,6 @@ multirun(
 commands = [
 ":terraform_gen",
 "//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:pull_files",
- "//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:pull_files",
 ":go_generate",
 ":proto_generate",
 ],
diff --git a/bazel/ci/go_bin_for_host.bzl b/bazel/ci/go_bin_for_host.bzl
deleted file mode 100644
index 29721b2e2..000000000
--- a/bazel/ci/go_bin_for_host.bzl
+++ /dev/null
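Review bot: The new `load("@io_bazel_rules_go//go/private/rules:go_bin_for_host.bzl", "go_bin_for_host")` in bazel/ci/BUILD.bazel reaches into rules_go's `private` package, which is not a supported public API and can be renamed or change its rule signature on any rules_go upgrade without notice. The local copy `bazel/ci/go_bin_for_host.bzl` that this same change deletes existed to avoid exactly that coupling, so the build now depends on an undocumented internal path. If the private load is kept, a comment next to it recording the rules_go version it is known to work with, e.g. `# Private rules_go path; verified against rules_go <version placeholder>`, would at least make the next breakage diagnosable.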
@@ -1,29 +0,0 @@ -""" -Go toolchain for the host platformS -Inspired by https://github.com/bazel-contrib/rules_go/blob/6e4fdcfeb1a333b54ab39ae3413d4ded46d8958d/go/private/rules/go_bin_for_host.bzl -""" - -load("@local_config_platform//:constraints.bzl", "HOST_CONSTRAINTS") - -GO_TOOLCHAIN = "@io_bazel_rules_go//go:toolchain" - -def _ensure_target_cfg(ctx): - if "-exec" in ctx.bin_dir.path or "/host/" in ctx.bin_dir.path: - fail("exec not found") - -def _go_bin_for_host_impl(ctx): - _ensure_target_cfg(ctx) - sdk = ctx.toolchains[GO_TOOLCHAIN].sdk - sdk_files = ctx.runfiles([sdk.go] + sdk.headers.to_list() + sdk.libs.to_list() + sdk.srcs.to_list() + sdk.tools.to_list()) - return [ - DefaultInfo( - files = depset([sdk.go]), - runfiles = sdk_files, - ), - ] - -go_bin_for_host = rule( - implementation = _go_bin_for_host_impl, - toolchains = [GO_TOOLCHAIN], - exec_compatible_with = HOST_CONSTRAINTS, -) diff --git a/bazel/ci/golicenses.sh.in b/bazel/ci/golicenses.sh.in index 768406c49..2189b511d 100644 --- a/bazel/ci/golicenses.sh.in +++ b/bazel/ci/golicenses.sh.in @@ -63,8 +63,6 @@ license_report() { github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/api) ;; - github.com/edgelesssys/go-tdx-qpl) ;; - *) not_allowed ;; @@ -73,6 +71,8 @@ license_report() { Unknown) case ${pkg} in + github.com/edgelesssys/go-tdx-qpl/*) ;; + *) not_allowed ;; diff --git a/bazel/ci/govulncheck.sh.in b/bazel/ci/govulncheck.sh.in index e73135093..d3cda88be 100644 --- a/bazel/ci/govulncheck.sh.in +++ b/bazel/ci/govulncheck.sh.in 
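Review bot: The added `github.com/edgelesssys/go-tdx-qpl/*) ;;` under the `Unknown)` license branch in bazel/ci/golicenses.sh.in allows every subpackage of that module without a comment on why its license is unresolved or why that is acceptable, whereas the entry removed in the first hunk matched the module root exactly. Note also that a bash `case` glob with a trailing `/*` does not match the bare root `github.com/edgelesssys/go-tdx-qpl`, so if the license report ever lists the module root itself it will fall through to `not_allowed`; whether that can happen depends on how the report names packages, which is not visible here. A one-line `# <reason placeholder>` comment above the pattern would keep the exception reviewable. `license_report` begins before and ends after both hunks.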
@@ -27,16 +27,11 @@ submodules=$(${go} list -f '{{.Dir}}' -m) PATH=$(dirname "${go}"):${PATH} check_module() { - excluded_osvs=( - "GO-2025-3521" # Kubernetes GitRepo Volume Inadvertent Local Repository Access - "GO-2025-3547" # Kubernetes kube-apiserver Vulnerable to Race Condition - ) - # shellcheck disable=SC2016 # The $ sign in the single quoted string is correct. CGO_ENABLED=0 ${govulncheck} -C "$1" -format json "./..." | - "${jq}" --argjson excluded "$(printf '"%s"\n' "${excluded_osvs[@]}" | jq -s)" -sr ' + "${jq}" -sr ' (map(select(.osv) | {"key": .osv.id, "value": .osv.summary}) | from_entries) as $osvs | - map(select( .finding and all($excluded[] != .finding.osv; .) ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) | + map(select( .finding and .finding.osv != "GO-2024-3166" ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) | group_by(.osv) | map( {"osv": .[0].osv, "summary": $osvs[.[0].osv], "traces": [.[] | [.trace[] | .module]]} ) | if length > 0 then halt_error(1) else .[] end' diff --git a/bazel/ci/terraform.sh.in b/bazel/ci/terraform.sh.in index 777049106..456e312c4 100644 --- a/bazel/ci/terraform.sh.in +++ b/bazel/ci/terraform.sh.in @@ -46,6 +46,7 @@ excludeDirs=( excludeLockDirs=( "build" "terraform-provider-constellation" + "terraform/legacy-module" ) excludeCheckDirs=( diff --git a/bazel/proto/rules.bzl b/bazel/proto/rules.bzl index 3807796b2..da73d5f72 100644 --- a/bazel/proto/rules.bzl +++ b/bazel/proto/rules.bzl 
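Review bot: The new jq filter in bazel/ci/govulncheck.sh.in hard-codes `.finding.osv != "GO-2024-3166"` with no comment saying what that advisory is or why it is suppressed, while the `excluded_osvs` array it replaces documented each suppressed ID inline. A silent suppression in a vulnerability gate tends to outlive its justification; at minimum add `# GO-2024-3166 is excluded because: <reason placeholder>` above the `"${jq}" -sr '` line, and preferably keep the array form so every exclusion stays listed with its reason and the jq program does not need editing per ID. The two advisories previously excluded, GO-2025-3521 and GO-2025-3547, are no longer suppressed, so the check will presumably fail on them if the affected modules are still in the dependency graph; confirm that is intended. `check_module` continues past the end of the hunk.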
@@ -5,14 +5,17 @@ based on https://github.com/bazelbuild/rules_go/issues/2111#issuecomment-1355927 """ load("@aspect_bazel_lib//lib:write_source_files.bzl", "write_source_files") -load("@io_bazel_rules_go//go:def.bzl", "GoInfo") +load("@io_bazel_rules_go//go:def.bzl", "GoLibrary", "go_context") load("@io_bazel_rules_go//proto:compiler.bzl", "GoProtoCompiler") def _output_go_library_srcs_impl(ctx): + go = go_context(ctx) + srcs_of_library = [] importpath = "" for src in ctx.attr.deps: - lib = src[GoInfo] + lib = src[GoLibrary] + go_src = go.library_to_source(go, ctx.attr, lib, False) if importpath and lib.importpath != importpath: fail( "importpath of all deps must match, got {} and {}", @@ -20,7 +23,7 @@ def _output_go_library_srcs_impl(ctx): lib.importpath, ) importpath = lib.importpath - srcs_of_library.extend(lib.srcs) + srcs_of_library.extend(go_src.srcs) if len(srcs_of_library) != 1: fail("expected exactly one src for library, got {}", len(srcs_of_library)) @@ -51,7 +54,7 @@ output_go_library_srcs = rule( default = "@io_bazel_rules_go//proto:go_proto", ), "deps": attr.label_list( - providers = [GoInfo], + providers = [GoLibrary], aspects = [], ), "out": attr.output( diff --git a/bazel/release/artifacts/BUILD.bazel b/bazel/release/artifacts/BUILD.bazel index 8861d6dfe..bba7fb0c8 100644 --- a/bazel/release/artifacts/BUILD.bazel +++ b/bazel/release/artifacts/BUILD.bazel @@ -70,5 +70,5 @@ go_test( env = platform_container_sums_paths | platform_clis_paths, # keep x_defs = {"runsUnder": "bazel"}, - deps = ["@io_bazel_rules_go//go/runfiles"], + deps = ["@io_bazel_rules_go//go/runfiles:go_default_library"], ) diff --git a/bazel/sh/BUILD.bazel b/bazel/sh/BUILD.bazel index 7a347a852..cac8fda5a 100644 --- a/bazel/sh/BUILD.bazel +++ b/bazel/sh/BUILD.bazel @@ -1,5 +1,3 @@ -load("@rules_shell//shell:sh_library.bzl", "sh_library") - exports_files([ "repo_command.sh.in", "noop_warn.sh.in", diff --git a/bazel/sh/def.bzl b/bazel/sh/def.bzl index 4ddad1fe0..5f2129017 100644 
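Review bot: The new call `go_src = go.library_to_source(go, ctx.attr, lib, False)` in bazel/proto/rules.bzl passes a bare positional `False` whose meaning is not recoverable from the call site. Naming the parameter if the API permits it, or adding a comment such as `# last arg: <parameter name placeholder> (disabled)`, would make the intent clear to the next maintainer. The function `_output_go_library_srcs_impl` extends beyond the hunk.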
--- a/bazel/sh/def.bzl +++ b/bazel/sh/def.bzl @@ -1,8 +1,6 @@ """Bazel rules for CI and dev tooling""" load("@bazel_skylib//lib:shell.bzl", "shell") -load("@rules_shell//shell:sh_binary.bzl", "sh_binary") -load("@rules_shell//shell:sh_test.bzl", "sh_test") def _sh_template_impl(ctx): out_file = ctx.actions.declare_file(ctx.label.name + ".bash") @@ -68,7 +66,8 @@ def sh_template(name, **kwargs): template = template, toolchains = toolchains, ) - sh_binary( + + native.sh_binary( name = name, srcs = [script_name], data = [script_name] + data, @@ -96,7 +95,8 @@ def sh_test_template(name, **kwargs): substitutions = substitutions, template = template, ) - sh_test( + + native.sh_test( name = name, srcs = [script_name], data = [script_name] + data, diff --git a/bazel/toolchains/ci_deps.bzl b/bazel/toolchains/ci_deps.bzl index f6354e6ca..2215f85a8 100644 --- a/bazel/toolchains/ci_deps.bzl +++ b/bazel/toolchains/ci_deps.bzl 
@@ -97,83 +97,83 @@ def _actionlint_deps(): name = "com_github_rhysd_actionlint_linux_amd64", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757", - "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_amd64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/fc0a6886bbb9a23a39eeec4b176193cadb54ddbe77cdbb19b637933919545395", + "https://github.com/rhysd/actionlint/releases/download/v1.7.4/actionlint_1.7.4_linux_amd64.tar.gz", ], type = "tar.gz", - sha256 = "023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757", + sha256 = "fc0a6886bbb9a23a39eeec4b176193cadb54ddbe77cdbb19b637933919545395", ) http_archive( name = "com_github_rhysd_actionlint_linux_arm64", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0", - "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_arm64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/ede03682dc955381d057dde95bb85ce9ca418122209a8a313b617d4adec56416", + "https://github.com/rhysd/actionlint/releases/download/v1.7.4/actionlint_1.7.4_linux_arm64.tar.gz", ], type = "tar.gz", - sha256 = "401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0", + sha256 = "ede03682dc955381d057dde95bb85ce9ca418122209a8a313b617d4adec56416", ) http_archive( name = "com_github_rhysd_actionlint_darwin_amd64", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5", - 
"https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_amd64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/63a3ba90ee2325afad3ff2e64a4d80688c261e6c68be8e6ab91214637bf936b8", + "https://github.com/rhysd/actionlint/releases/download/v1.7.4/actionlint_1.7.4_darwin_amd64.tar.gz", ], type = "tar.gz", - sha256 = "28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5", + sha256 = "63a3ba90ee2325afad3ff2e64a4d80688c261e6c68be8e6ab91214637bf936b8", ) http_archive( name = "com_github_rhysd_actionlint_darwin_arm64", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db", - "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_arm64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/cbd193bb490f598d77e179261d7b76dfebd049dddede5803ba21cbf6a469aeee", + "https://github.com/rhysd/actionlint/releases/download/v1.7.4/actionlint_1.7.4_darwin_arm64.tar.gz", ], type = "tar.gz", - sha256 = "2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db", + sha256 = "cbd193bb490f598d77e179261d7b76dfebd049dddede5803ba21cbf6a469aeee", ) def _gofumpt_deps(): http_file( name = "com_github_mvdan_gofumpt_linux_amd64", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/11604bbaf7321abcc2fca2c6a37b7e9198bb1e76e5a86f297c07201e8ab1fda9", - "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_linux_amd64", + "https://cdn.confidential.cloud/constellation/cas/sha256/6ff459c1dcae3b0b00844c1a5a4a5b0f547237d8a4f3624aaea8d424aeef24c6", + "https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_linux_amd64", ], executable = True, downloaded_file_path = "gofumpt", - sha256 = "11604bbaf7321abcc2fca2c6a37b7e9198bb1e76e5a86f297c07201e8ab1fda9", + sha256 = 
"6ff459c1dcae3b0b00844c1a5a4a5b0f547237d8a4f3624aaea8d424aeef24c6", ) http_file( name = "com_github_mvdan_gofumpt_linux_arm64", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/787c1d3d4d20e6fe2b0bf06a5a913ac0f50343dbf9a71540724a2b8092a0e6ca", - "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_linux_arm64", + "https://cdn.confidential.cloud/constellation/cas/sha256/00c18c88ef50437629626ba20d677f4648684cb280952814cdd887677d42cbd3", + "https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_linux_arm64", ], executable = True, downloaded_file_path = "gofumpt", - sha256 = "787c1d3d4d20e6fe2b0bf06a5a913ac0f50343dbf9a71540724a2b8092a0e6ca", + sha256 = "00c18c88ef50437629626ba20d677f4648684cb280952814cdd887677d42cbd3", ) http_file( name = "com_github_mvdan_gofumpt_darwin_amd64", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/0dda6600cf263b703a5ad93e792b06180c36afdee9638617a91dd552f2c6fb3e", - "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_darwin_amd64", + "https://cdn.confidential.cloud/constellation/cas/sha256/b7d05e092da45c5ec96344ab635b1d6547c3e27c840ba39bc76989934efd7ce3", + "https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_darwin_amd64", ], executable = True, downloaded_file_path = "gofumpt", - sha256 = "0dda6600cf263b703a5ad93e792b06180c36afdee9638617a91dd552f2c6fb3e", + sha256 = "b7d05e092da45c5ec96344ab635b1d6547c3e27c840ba39bc76989934efd7ce3", ) http_file( name = "com_github_mvdan_gofumpt_darwin_arm64", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/7e66e92b7a67d1d12839ab030fb7ae38e5e2273474af3762e67bc7fe9471fcd9", - "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_darwin_arm64", + "https://cdn.confidential.cloud/constellation/cas/sha256/08f23114760a090b090706d92b8c52b9875b9eb352d76c77aa354d6aa20b045a", + 
"https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_darwin_arm64", ], executable = True, downloaded_file_path = "gofumpt", - sha256 = "7e66e92b7a67d1d12839ab030fb7ae38e5e2273474af3762e67bc7fe9471fcd9", + sha256 = "08f23114760a090b090706d92b8c52b9875b9eb352d76c77aa354d6aa20b045a", ) def _tfsec_deps(): 
@@ -181,41 +181,41 @@ def _tfsec_deps(): name = "com_github_aquasecurity_tfsec_linux_amd64", build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/329ae7f67f2f1813ebe08de498719ea7003c75d3ca24bb0b038369062508008e", - "https://github.com/aquasecurity/tfsec/releases/download/v1.28.14/tfsec_1.28.14_linux_amd64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c", + "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_amd64.tar.gz", ], type = "tar.gz", - sha256 = "329ae7f67f2f1813ebe08de498719ea7003c75d3ca24bb0b038369062508008e", + sha256 = "9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c", ) http_archive( name = "com_github_aquasecurity_tfsec_linux_arm64", build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/13dcbd3602027be49ce6cab7e1c24b0a8e833f0143fe327b0a13b87686541ce0", - "https://github.com/aquasecurity/tfsec/releases/download/v1.28.14/tfsec_1.28.14_linux_arm64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52", + "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_arm64.tar.gz", ], type = "tar.gz", - sha256 = "13dcbd3602027be49ce6cab7e1c24b0a8e833f0143fe327b0a13b87686541ce0", + sha256 = "68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52", ) http_archive( name = "com_github_aquasecurity_tfsec_darwin_amd64", build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/0aeef31f83d6f44ba9ba5b6cbb954304c772dee73ac704e38896940f94af887a", - 
"https://github.com/aquasecurity/tfsec/releases/download/v1.28.14/tfsec_1.28.14_darwin_amd64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001", + "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_amd64.tar.gz", ], type = "tar.gz", - sha256 = "0aeef31f83d6f44ba9ba5b6cbb954304c772dee73ac704e38896940f94af887a", + sha256 = "d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001", ) http_archive( name = "com_github_aquasecurity_tfsec_darwin_arm64", build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/f39d59a3f9be4eeb3d965657653ad62243103a3d921ce52ca8f907cff45896f5", - "https://github.com/aquasecurity/tfsec/releases/download/v1.28.14/tfsec_1.28.14_darwin_arm64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7", + "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_arm64.tar.gz", ], type = "tar.gz", - sha256 = "f39d59a3f9be4eeb3d965657653ad62243103a3d921ce52ca8f907cff45896f5", + sha256 = "14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7", ) def _golangci_lint_deps(): 
@@ -223,45 +223,45 @@ def _golangci_lint_deps(): name = "com_github_golangci_golangci_lint_linux_amd64", build_file = "//bazel/toolchains:BUILD.golangci.bazel", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/e55e0eb515936c0fbd178bce504798a9bd2f0b191e5e357768b18fd5415ee541", - "https://github.com/golangci/golangci-lint/releases/download/v2.1.6/golangci-lint-2.1.6-linux-amd64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/5101292b7925a6a14b49c5c3d845c5021399698ffd2f41bcfab8a111b5669939", + "https://github.com/golangci/golangci-lint/releases/download/v1.62.2/golangci-lint-1.62.2-linux-amd64.tar.gz", ], - strip_prefix = "golangci-lint-2.1.6-linux-amd64", + strip_prefix = "golangci-lint-1.62.2-linux-amd64", type = "tar.gz", - sha256 = "e55e0eb515936c0fbd178bce504798a9bd2f0b191e5e357768b18fd5415ee541", + sha256 = "5101292b7925a6a14b49c5c3d845c5021399698ffd2f41bcfab8a111b5669939", ) http_archive( name = "com_github_golangci_golangci_lint_linux_arm64", build_file = "//bazel/toolchains:BUILD.golangci.bazel", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/582eb73880f4408d7fb89f12b502d577bd7b0b63d8c681da92bb6b9d934d4363", - "https://github.com/golangci/golangci-lint/releases/download/v2.1.6/golangci-lint-2.1.6-linux-arm64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/10b6f5bd8483bd9e85a82f6119ed08f95609f42b86dc344b5dc15703c74d5b85", + "https://github.com/golangci/golangci-lint/releases/download/v1.62.2/golangci-lint-1.62.2-linux-arm64.tar.gz", ], - strip_prefix = "golangci-lint-2.1.6-linux-arm64", + strip_prefix = "golangci-lint-1.62.2-linux-arm64", type = "tar.gz", - sha256 = "582eb73880f4408d7fb89f12b502d577bd7b0b63d8c681da92bb6b9d934d4363", + sha256 = "10b6f5bd8483bd9e85a82f6119ed08f95609f42b86dc344b5dc15703c74d5b85", ) http_archive( name = "com_github_golangci_golangci_lint_darwin_amd64", build_file = "//bazel/toolchains:BUILD.golangci.bazel", urls = [ - 
"https://cdn.confidential.cloud/constellation/cas/sha256/e091107c4ca7e283902343ba3a09d14fb56b86e071effd461ce9d67193ef580e", - "https://github.com/golangci/golangci-lint/releases/download/v2.1.6/golangci-lint-2.1.6-darwin-amd64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/6c9ffd05896f0638d5c37152ac4ae337c2d301ba6c9dadf49c04e6d639f10f91", + "https://github.com/golangci/golangci-lint/releases/download/v1.62.2/golangci-lint-1.62.2-darwin-amd64.tar.gz", ], - strip_prefix = "golangci-lint-2.1.6-darwin-amd64", + strip_prefix = "golangci-lint-1.62.2-darwin-amd64", type = "tar.gz", - sha256 = "e091107c4ca7e283902343ba3a09d14fb56b86e071effd461ce9d67193ef580e", + sha256 = "6c9ffd05896f0638d5c37152ac4ae337c2d301ba6c9dadf49c04e6d639f10f91", ) http_archive( name = "com_github_golangci_golangci_lint_darwin_arm64", build_file = "//bazel/toolchains:BUILD.golangci.bazel", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/90783fa092a0f64a4f7b7d419f3da1f53207e300261773babe962957240e9ea6", - "https://github.com/golangci/golangci-lint/releases/download/v2.1.6/golangci-lint-2.1.6-darwin-arm64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/6c76f54467ba471f7bdcd5df0f27c3fa3dbe530b771a10d384c3d8c7178f5e89", + "https://github.com/golangci/golangci-lint/releases/download/v1.62.2/golangci-lint-1.62.2-darwin-arm64.tar.gz", ], - strip_prefix = "golangci-lint-2.1.6-darwin-arm64", + strip_prefix = "golangci-lint-1.62.2-darwin-arm64", type = "tar.gz", - sha256 = "90783fa092a0f64a4f7b7d419f3da1f53207e300261773babe962957240e9ea6", + sha256 = "6c76f54467ba471f7bdcd5df0f27c3fa3dbe530b771a10d384c3d8c7178f5e89", ) def _buf_deps(): 
@@ -270,44 +270,44 @@ def _buf_deps(): strip_prefix = "buf/bin", build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/fa10faf16973f3861992cc2687b651350d70eafd467aea72cf0994556c2a0927", - "https://github.com/bufbuild/buf/releases/download/v1.54.0/buf-Linux-x86_64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4", + "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-x86_64.tar.gz", ], type = "tar.gz", - sha256 = "fa10faf16973f3861992cc2687b651350d70eafd467aea72cf0994556c2a0927", + sha256 = "deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4", ) http_archive( name = "com_github_bufbuild_buf_linux_arm64", strip_prefix = "buf/bin", build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/f41ef4431858556ece6a77662d6b9317fa4406585998cb3dffb7403b3e86713e", - "https://github.com/bufbuild/buf/releases/download/v1.54.0/buf-Linux-aarch64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d", + "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-aarch64.tar.gz", ], type = "tar.gz", - sha256 = "f41ef4431858556ece6a77662d6b9317fa4406585998cb3dffb7403b3e86713e", + sha256 = "2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d", ) http_archive( name = "com_github_bufbuild_buf_darwin_amd64", strip_prefix = "buf/bin", build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/22c9836a836b867e49e9d0ef223fd934cbf2690e7400facddb9be07b8809f889", - "https://github.com/bufbuild/buf/releases/download/v1.54.0/buf-Darwin-x86_64.tar.gz", + 
"https://cdn.confidential.cloud/constellation/cas/sha256/7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4", + "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-x86_64.tar.gz", ], type = "tar.gz", - sha256 = "22c9836a836b867e49e9d0ef223fd934cbf2690e7400facddb9be07b8809f889", + sha256 = "7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4", ) http_archive( name = "com_github_bufbuild_buf_darwin_arm64", strip_prefix = "buf/bin", build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/f01f32a690efab3ef22a1c821aebc0c4bec7ca63faddbf64408d7d614e9d7f92", - "https://github.com/bufbuild/buf/releases/download/v1.54.0/buf-Darwin-arm64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b", + "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-arm64.tar.gz", ], type = "tar.gz", - sha256 = "f01f32a690efab3ef22a1c821aebc0c4bec7ca63faddbf64408d7d614e9d7f92", + sha256 = "e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b", ) def _talos_docgen_deps(): diff --git a/bazel/toolchains/container_images.bzl b/bazel/toolchains/container_images.bzl index 1c405484f..cd82c6fae 100644 --- a/bazel/toolchains/container_images.bzl +++ b/bazel/toolchains/container_images.bzl @@ -7,7 +7,7 @@ load("@rules_oci//oci:pull.bzl", "oci_pull") def containter_image_deps(): oci_pull( name = "distroless_static", - digest = "sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9", + digest = "sha256:f4a57e8ffd7ba407bdd0eb315bb54ef1f21a2100a7f032e9102e4da34fe7c196", image = "gcr.io/distroless/static", platforms = [ "linux/amd64", 
@@ -16,6 +16,6 @@ def containter_image_deps(): ) oci_pull( name = "libvirtd_base", - digest = "sha256:f23e0f587860c841adde25b1b4f0d99aa4fbce1c92b01b5b46ab5fa35980a135", + digest = "sha256:99dbf3cf69b3f97cb0158bde152c9bc7c2a96458cf462527ee80b75754f572a7", image = "ghcr.io/edgelesssys/constellation/libvirtd-base", ) diff --git a/bazel/toolchains/linux_kernel.bzl b/bazel/toolchains/linux_kernel.bzl index d34d15324..b4aab0fa5 100644 --- a/bazel/toolchains/linux_kernel.bzl +++ b/bazel/toolchains/linux_kernel.bzl 
@@ -9,38 +9,38 @@ def kernel_rpms(): http_file( name = "kernel_lts", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/7834bc4bc7e088c98505956382884bdc670ab9a9283288b7fef04a43df31356e", - "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-6.6.87-100.constellation.fc40.x86_64.rpm", + "https://cdn.confidential.cloud/constellation/cas/sha256/c87995e19c04e2f033e6db5e92bfcb845ac015722e776c09a7af4c82c86cd273", + "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-6.6.30-100.constellation.fc40.x86_64.rpm", ], downloaded_file_path = "kernel-lts.rpm", - sha256 = "7834bc4bc7e088c98505956382884bdc670ab9a9283288b7fef04a43df31356e", + sha256 = "c87995e19c04e2f033e6db5e92bfcb845ac015722e776c09a7af4c82c86cd273", ) http_file( name = "kernel_core_lts", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/2763c699d1e2f9810421ac7af2e9c94c6f98533e83f2938c26f1d824e3559b97", - "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-core-6.6.87-100.constellation.fc40.x86_64.rpm", + "https://cdn.confidential.cloud/constellation/cas/sha256/5692d862b0cc0c442c581e5f3dc9f3c36cabda0c29d3f62e9b6313a6ec88b140", + "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-core-6.6.30-100.constellation.fc40.x86_64.rpm", ], downloaded_file_path = "kernel-core-lts.rpm", - sha256 = "2763c699d1e2f9810421ac7af2e9c94c6f98533e83f2938c26f1d824e3559b97", + sha256 = "5692d862b0cc0c442c581e5f3dc9f3c36cabda0c29d3f62e9b6313a6ec88b140", ) http_file( name = "kernel_modules_lts", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/a7604eec263f190db573d809d20336bbf75e46c51f5977f5db95bb88bfec56d3", - "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-modules-6.6.87-100.constellation.fc40.x86_64.rpm", + 
"https://cdn.confidential.cloud/constellation/cas/sha256/e1b697343b4f8ed8e992cd92860208dc1c28eb8b25a88f42f426326a0bbc307f", + "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-modules-6.6.30-100.constellation.fc40.x86_64.rpm", ], downloaded_file_path = "kernel-modules-lts.rpm", - sha256 = "a7604eec263f190db573d809d20336bbf75e46c51f5977f5db95bb88bfec56d3", + sha256 = "e1b697343b4f8ed8e992cd92860208dc1c28eb8b25a88f42f426326a0bbc307f", ) http_file( name = "kernel_modules_core_lts", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/648fd503d7d54608fbd62ace87c4da098f72abbaac1ab7e343327fc24ccef7f8", - "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-modules-core-6.6.87-100.constellation.fc40.x86_64.rpm", + "https://cdn.confidential.cloud/constellation/cas/sha256/448c6b10d9ed02aed078ff77223f5e495b2041be12d92eb0e5ca5726a08e0626", + "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-modules-core-6.6.30-100.constellation.fc40.x86_64.rpm", ], downloaded_file_path = "kernel-modules-core-lts.rpm", - sha256 = "648fd503d7d54608fbd62ace87c4da098f72abbaac1ab7e343327fc24ccef7f8", + sha256 = "448c6b10d9ed02aed078ff77223f5e495b2041be12d92eb0e5ca5726a08e0626", ) # mainline kernel diff --git a/bazel/toolchains/nixpkgs_deps.bzl b/bazel/toolchains/nixpkgs_deps.bzl index bdf5f0f1c..c28c10cef 100644 --- a/bazel/toolchains/nixpkgs_deps.bzl +++ b/bazel/toolchains/nixpkgs_deps.bzl 
@@ -5,11 +5,11 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 def nixpkgs_deps():
 http_archive(
 name = "io_tweag_rules_nixpkgs",
- sha256 = "30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
- strip_prefix = "rules_nixpkgs-0.13.0",
+ sha256 = "1ce13c13a2f354fd37016d9fb333efeddcb308e89db9b3a8f45eafce57746f49",
+ strip_prefix = "rules_nixpkgs-668609f0b3627751651cb325166d0e95062be3f7",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
- "https://github.com/tweag/rules_nixpkgs/releases/download/v0.13.0/rules_nixpkgs-0.13.0.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/1ce13c13a2f354fd37016d9fb333efeddcb308e89db9b3a8f45eafce57746f49",
+ "https://github.com/tweag/rules_nixpkgs/archive/668609f0b3627751651cb325166d0e95062be3f7.tar.gz",
 ],
 type = "tar.gz",
 )
diff --git a/bazel/toolchains/oci_deps.bzl b/bazel/toolchains/oci_deps.bzl
index f425e9066..8cfbecf3b 100644
--- a/bazel/toolchains/oci_deps.bzl
+++ b/bazel/toolchains/oci_deps.bzl
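Review bot: The fallback URL for `io_tweag_rules_nixpkgs` now points at a GitHub-generated `archive/<commit>.tar.gz` instead of a release asset; those archives are produced on the fly and their bytes have changed in the past, so the pinned `sha256` can start failing on the GitHub mirror without any change on this project's side. The CAS mirror listed first limits the impact, but nothing in the rule records that it is the authoritative copy. A one-line comment above the `urls` list would make that explicit: `# Unreleased commit; the CAS copy is canonical — GitHub archive tarballs are not guaranteed byte-stable.`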
@@ -7,13 +7,14 @@ def oci_deps():
 # Remove this override once https://github.com/bazel-contrib/rules_oci/issues/420 is fixed.
 http_archive(
 name = "rules_oci",
- strip_prefix = "rules_oci-2.2.5",
+ strip_prefix = "rules_oci-2.0.1",
 type = "tar.gz",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
- "https://github.com/bazel-contrib/rules_oci/releases/download/v2.2.5/rules_oci-v2.2.5.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/acbf8f40e062f707f8754e914dcb0013803c6e5e3679d3e05b571a9f5c7e0b43",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/f70f07f9d0d6c275d7ec7d3c7f236d9b552ba3205e8f37df9c1125031cf967cc",
+ "https://github.com/bazel-contrib/rules_oci/releases/download/v2.0.1/rules_oci-v2.0.1.tar.gz",
 ],
- sha256 = "361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
+ sha256 = "acbf8f40e062f707f8754e914dcb0013803c6e5e3679d3e05b571a9f5c7e0b43",
 patches = ["//bazel/toolchains:0001-disable-Windows-support.patch"],
 patch_args = ["-p1"],
 )
diff --git a/bootstrapper/initproto/init.pb.go b/bootstrapper/initproto/init.pb.go
index 5ce2213ae..2d3b04e93 100644
--- a/bootstrapper/initproto/init.pb.go
+++ b/bootstrapper/initproto/init.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// protoc-gen-go v1.36.6
-// protoc v5.29.1
+// protoc-gen-go v1.35.2
+// protoc v5.29.0--rc2
 // source: bootstrapper/initproto/init.proto
 
 package initproto
@@ -16,7 +16,6 @@ import (
 protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 reflect "reflect"
 sync "sync"
- unsafe "unsafe"
 )
 
 const (
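Review bot: The new `urls` list for `rules_oci` carries two CAS entries whose path components differ (`acbf8f40…` and `f70f07f9…`) while `sha256` pins only `acbf8f40…`; if the CAS path component is the content hash, as it is for every other entry in these files, the `f70f07f9…` mirror can never satisfy the checksum and is dead weight at best and a confusing verification failure at worst. Either drop that line, or if it is the hash of a differently packaged copy of the same release, it belongs in its own `http_archive` with its own `sha256`. The first CAS entry plus the release asset already match the two-source pattern used everywhere else in this diff.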
@@ -27,7 +26,10 @@ const ( ) type InitRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + KmsUri string `protobuf:"bytes,1,opt,name=kms_uri,json=kmsUri,proto3" json:"kms_uri,omitempty"` StorageUri string `protobuf:"bytes,2,opt,name=storage_uri,json=storageUri,proto3" json:"storage_uri,omitempty"` MeasurementSalt []byte `protobuf:"bytes,3,opt,name=measurement_salt,json=measurementSalt,proto3" json:"measurement_salt,omitempty"` @@ -38,8 +40,6 @@ type InitRequest struct { ClusterName string `protobuf:"bytes,9,opt,name=cluster_name,json=clusterName,proto3" json:"cluster_name,omitempty"` ApiserverCertSans []string `protobuf:"bytes,10,rep,name=apiserver_cert_sans,json=apiserverCertSans,proto3" json:"apiserver_cert_sans,omitempty"` ServiceCidr string `protobuf:"bytes,11,opt,name=service_cidr,json=serviceCidr,proto3" json:"service_cidr,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache } func (x *InitRequest) Reset() { @@ -143,15 +143,16 @@ func (x *InitRequest) GetServiceCidr() string { } type InitResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - // Types that are valid to be assigned to Kind: + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Kind: // // *InitResponse_InitSuccess // *InitResponse_InitFailure // *InitResponse_Log - Kind isInitResponse_Kind `protobuf_oneof:"kind"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + Kind isInitResponse_Kind `protobuf_oneof:"kind"` } func (x *InitResponse) Reset() { 
@@ -184,36 +185,30 @@ func (*InitResponse) Descriptor() ([]byte, []int) { return file_bootstrapper_initproto_init_proto_rawDescGZIP(), []int{1} } -func (x *InitResponse) GetKind() isInitResponse_Kind { - if x != nil { - return x.Kind +func (m *InitResponse) GetKind() isInitResponse_Kind { + if m != nil { + return m.Kind } return nil } func (x *InitResponse) GetInitSuccess() *InitSuccessResponse { - if x != nil { - if x, ok := x.Kind.(*InitResponse_InitSuccess); ok { - return x.InitSuccess - } + if x, ok := x.GetKind().(*InitResponse_InitSuccess); ok { + return x.InitSuccess } return nil } func (x *InitResponse) GetInitFailure() *InitFailureResponse { - if x != nil { - if x, ok := x.Kind.(*InitResponse_InitFailure); ok { - return x.InitFailure - } + if x, ok := x.GetKind().(*InitResponse_InitFailure); ok { + return x.InitFailure } return nil } func (x *InitResponse) GetLog() *LogResponseType { - if x != nil { - if x, ok := x.Kind.(*InitResponse_Log); ok { - return x.Log - } + if x, ok := x.GetKind().(*InitResponse_Log); ok { + return x.Log } return nil } 
@@ -241,12 +236,13 @@ func (*InitResponse_InitFailure) isInitResponse_Kind() {} func (*InitResponse_Log) isInitResponse_Kind() {} type InitSuccessResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Kubeconfig []byte `protobuf:"bytes,1,opt,name=kubeconfig,proto3" json:"kubeconfig,omitempty"` - OwnerId []byte `protobuf:"bytes,2,opt,name=owner_id,json=ownerId,proto3" json:"owner_id,omitempty"` - ClusterId []byte `protobuf:"bytes,3,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Kubeconfig []byte `protobuf:"bytes,1,opt,name=kubeconfig,proto3" json:"kubeconfig,omitempty"` + OwnerId []byte `protobuf:"bytes,2,opt,name=owner_id,json=ownerId,proto3" json:"owner_id,omitempty"` + ClusterId []byte `protobuf:"bytes,3,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"` } func (x *InitSuccessResponse) Reset() { @@ -301,10 +297,11 @@ func (x *InitSuccessResponse) GetClusterId() []byte { } type InitFailureResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"` } func (x *InitFailureResponse) Reset() { 
@@ -345,10 +342,11 @@ func (x *InitFailureResponse) GetError() string { } type LogResponseType struct { - state protoimpl.MessageState `protogen:"open.v1"` - Log []byte `protobuf:"bytes,1,opt,name=log,proto3" json:"log,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Log []byte `protobuf:"bytes,1,opt,name=log,proto3" json:"log,omitempty"` } func (x *LogResponseType) Reset() { @@ -389,13 +387,14 @@ func (x *LogResponseType) GetLog() []byte { } type KubernetesComponent struct { - state protoimpl.MessageState `protogen:"open.v1"` - Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"` - Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"` - InstallPath string `protobuf:"bytes,3,opt,name=install_path,json=installPath,proto3" json:"install_path,omitempty"` - Extract bool `protobuf:"varint,4,opt,name=extract,proto3" json:"extract,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"` + Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"` + InstallPath string `protobuf:"bytes,3,opt,name=install_path,json=installPath,proto3" json:"install_path,omitempty"` + Extract bool `protobuf:"varint,4,opt,name=extract,proto3" json:"extract,omitempty"` } func (x *KubernetesComponent) Reset() { 
@@ -458,55 +457,92 @@ func (x *KubernetesComponent) GetExtract() bool { var File_bootstrapper_initproto_init_proto protoreflect.FileDescriptor -const file_bootstrapper_initproto_init_proto_rawDesc = "" + - "\n" + - "!bootstrapper/initproto/init.proto\x12\x04init\x1a-internal/versions/components/components.proto\"\xd0\x03\n" + - "\vInitRequest\x12\x17\n" + - "\akms_uri\x18\x01 \x01(\tR\x06kmsUri\x12\x1f\n" + - "\vstorage_uri\x18\x02 \x01(\tR\n" + - "storageUri\x12)\n" + - "\x10measurement_salt\x18\x03 \x01(\fR\x0fmeasurementSalt\x12-\n" + - "\x12kubernetes_version\x18\x05 \x01(\tR\x11kubernetesVersion\x12)\n" + - "\x10conformance_mode\x18\x06 \x01(\bR\x0fconformanceMode\x12J\n" + - "\x15kubernetes_components\x18\a \x03(\v2\x15.components.ComponentR\x14kubernetesComponents\x12\x1f\n" + - "\vinit_secret\x18\b \x01(\fR\n" + - "initSecret\x12!\n" + - "\fcluster_name\x18\t \x01(\tR\vclusterName\x12.\n" + - "\x13apiserver_cert_sans\x18\n" + - " \x03(\tR\x11apiserverCertSans\x12!\n" + - "\fservice_cidr\x18\v \x01(\tR\vserviceCidrJ\x04\b\x04\x10\x05R\x19cloud_service_account_uri\"\xc1\x01\n" + - "\fInitResponse\x12>\n" + - "\finit_success\x18\x01 \x01(\v2\x19.init.InitSuccessResponseH\x00R\vinitSuccess\x12>\n" + - "\finit_failure\x18\x02 \x01(\v2\x19.init.InitFailureResponseH\x00R\vinitFailure\x12)\n" + - "\x03log\x18\x03 \x01(\v2\x15.init.LogResponseTypeH\x00R\x03logB\x06\n" + - "\x04kind\"o\n" + - "\x13InitSuccessResponse\x12\x1e\n" + - "\n" + - "kubeconfig\x18\x01 \x01(\fR\n" + - "kubeconfig\x12\x19\n" + - "\bowner_id\x18\x02 \x01(\fR\aownerId\x12\x1d\n" + - "\n" + - "cluster_id\x18\x03 \x01(\fR\tclusterId\"+\n" + - "\x13InitFailureResponse\x12\x14\n" + - "\x05error\x18\x01 \x01(\tR\x05error\"#\n" + - "\x0fLogResponseType\x12\x10\n" + - "\x03log\x18\x01 \x01(\fR\x03log\"x\n" + - "\x13KubernetesComponent\x12\x10\n" + - "\x03url\x18\x01 \x01(\tR\x03url\x12\x12\n" + - "\x04hash\x18\x02 \x01(\tR\x04hash\x12!\n" + - "\finstall_path\x18\x03 \x01(\tR\vinstallPath\x12\x18\n" + - 
"\aextract\x18\x04 \x01(\bR\aextract26\n" + - "\x03API\x12/\n" + - "\x04Init\x12\x11.init.InitRequest\x1a\x12.init.InitResponse0\x01B@Z>github.com/edgelesssys/constellation/v2/bootstrapper/initprotob\x06proto3" +var file_bootstrapper_initproto_init_proto_rawDesc = []byte{ + 0x0a, 0x21, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x69, + 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x69, 0x6e, 0x69, 0x74, 0x1a, 0x2d, 0x69, 0x6e, 0x74, 0x65, 0x72, + 0x6e, 0x61, 0x6c, 0x2f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x63, 0x6f, 0x6d, + 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, + 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd0, 0x03, 0x0a, 0x0b, 0x49, 0x6e, 0x69, + 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x6d, 0x73, 0x5f, + 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x6d, 0x73, 0x55, 0x72, + 0x69, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x5f, 0x75, 0x72, 0x69, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x55, + 0x72, 0x69, 0x12, 0x29, 0x0a, 0x10, 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x5f, 0x73, 0x61, 0x6c, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x6d, 0x65, + 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x61, 0x6c, 0x74, 0x12, 0x2d, 0x0a, + 0x12, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x76, 0x65, 0x72, 0x73, + 0x69, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x75, 0x62, 0x65, 0x72, + 0x6e, 0x65, 0x74, 0x65, 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x29, 0x0a, 0x10, + 0x63, 0x6f, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x6d, 0x6f, 0x64, 0x65, + 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x63, 
0x6f, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, + 0x6e, 0x63, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x4a, 0x0a, 0x15, 0x6b, 0x75, 0x62, 0x65, 0x72, + 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, + 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, + 0x6e, 0x74, 0x73, 0x2e, 0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x52, 0x14, 0x6b, + 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, + 0x6e, 0x74, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x69, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x72, + 0x65, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x69, 0x6e, 0x69, 0x74, 0x53, 0x65, + 0x63, 0x72, 0x65, 0x74, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, + 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, + 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2e, 0x0a, 0x13, 0x61, 0x70, 0x69, 0x73, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x73, 0x61, 0x6e, 0x73, 0x18, 0x0a, + 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, 0x61, 0x70, 0x69, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, + 0x65, 0x72, 0x74, 0x53, 0x61, 0x6e, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x5f, 0x63, 0x69, 0x64, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, + 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x43, 0x69, 0x64, 0x72, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, + 0x52, 0x19, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, + 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x75, 0x72, 0x69, 0x22, 0xc1, 0x01, 0x0a, 0x0c, + 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3e, 0x0a, 0x0c, + 0x69, 0x6e, 0x69, 0x74, 0x5f, 0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x53, 
0x75, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x48, 0x00, 0x52, + 0x0b, 0x69, 0x6e, 0x69, 0x74, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x3e, 0x0a, 0x0c, + 0x69, 0x6e, 0x69, 0x74, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x46, 0x61, + 0x69, 0x6c, 0x75, 0x72, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x48, 0x00, 0x52, + 0x0b, 0x69, 0x6e, 0x69, 0x74, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x12, 0x29, 0x0a, 0x03, + 0x6c, 0x6f, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x69, 0x6e, 0x69, 0x74, + 0x2e, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, + 0x48, 0x00, 0x52, 0x03, 0x6c, 0x6f, 0x67, 0x42, 0x06, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x22, + 0x6f, 0x0a, 0x13, 0x49, 0x6e, 0x69, 0x74, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, + 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, + 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x5f, + 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x49, + 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, + 0x22, 0x2b, 0x0a, 0x13, 0x49, 0x6e, 0x69, 0x74, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x23, 0x0a, + 0x0f, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, + 0x12, 0x10, 0x0a, 0x03, 0x6c, 
0x6f, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x6c, + 0x6f, 0x67, 0x22, 0x78, 0x0a, 0x13, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, + 0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x12, 0x0a, 0x04, 0x68, + 0x61, 0x73, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x61, 0x73, 0x68, 0x12, + 0x21, 0x0a, 0x0c, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c, 0x50, 0x61, + 0x74, 0x68, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x32, 0x36, 0x0a, 0x03, + 0x41, 0x50, 0x49, 0x12, 0x2f, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69, 0x6e, + 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, + 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x30, 0x01, 0x42, 0x40, 0x5a, 0x3e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, + 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f, + 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, + 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} var ( file_bootstrapper_initproto_init_proto_rawDescOnce sync.Once - file_bootstrapper_initproto_init_proto_rawDescData []byte + file_bootstrapper_initproto_init_proto_rawDescData = file_bootstrapper_initproto_init_proto_rawDesc ) func file_bootstrapper_initproto_init_proto_rawDescGZIP() []byte { file_bootstrapper_initproto_init_proto_rawDescOnce.Do(func() { - 
file_bootstrapper_initproto_init_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_bootstrapper_initproto_init_proto_rawDesc), len(file_bootstrapper_initproto_init_proto_rawDesc))) + file_bootstrapper_initproto_init_proto_rawDescData = protoimpl.X.CompressGZIP(file_bootstrapper_initproto_init_proto_rawDescData) }) return file_bootstrapper_initproto_init_proto_rawDescData } @@ -549,7 +585,7 @@ func file_bootstrapper_initproto_init_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_bootstrapper_initproto_init_proto_rawDesc), len(file_bootstrapper_initproto_init_proto_rawDesc)), + RawDescriptor: file_bootstrapper_initproto_init_proto_rawDesc, NumEnums: 0, NumMessages: 6, NumExtensions: 0, @@ -560,6 +596,7 @@ func file_bootstrapper_initproto_init_proto_init() { MessageInfos: file_bootstrapper_initproto_init_proto_msgTypes, }.Build() File_bootstrapper_initproto_init_proto = out.File + file_bootstrapper_initproto_init_proto_rawDesc = nil file_bootstrapper_initproto_init_proto_goTypes = nil file_bootstrapper_initproto_init_proto_depIdxs = nil } diff --git a/bootstrapper/internal/initserver/BUILD.bazel b/bootstrapper/internal/initserver/BUILD.bazel index f45aad1e6..3ad04343c 100644 --- a/bootstrapper/internal/initserver/BUILD.bazel +++ b/bootstrapper/internal/initserver/BUILD.bazel @@ -11,7 +11,6 @@ go_library( "//bootstrapper/internal/journald", "//internal/atls", "//internal/attestation", - "//internal/constants", "//internal/crypto", "//internal/file", "//internal/grpc/atlscredentials", @@ -27,7 +26,6 @@ go_library( "@org_golang_google_grpc//keepalive", "@org_golang_google_grpc//status", "@org_golang_x_crypto//bcrypt", - "@org_golang_x_crypto//ssh", ], ) diff --git a/bootstrapper/internal/initserver/initserver.go b/bootstrapper/internal/initserver/initserver.go index fad54abda..a65a5f8b7 100644 
--- a/bootstrapper/internal/initserver/initserver.go +++ b/bootstrapper/internal/initserver/initserver.go @@ -20,7 +20,6 @@ package initserver import ( "bufio" "context" - "crypto/ed25519" "errors" "fmt" "io" @@ -34,7 +33,6 @@ import ( "github.com/edgelesssys/constellation/v2/bootstrapper/internal/journald" "github.com/edgelesssys/constellation/v2/internal/atls" "github.com/edgelesssys/constellation/v2/internal/attestation" - "github.com/edgelesssys/constellation/v2/internal/constants" "github.com/edgelesssys/constellation/v2/internal/crypto" "github.com/edgelesssys/constellation/v2/internal/file" "github.com/edgelesssys/constellation/v2/internal/grpc/atlscredentials" @@ -46,7 +44,6 @@ import ( "github.com/edgelesssys/constellation/v2/internal/role" "github.com/edgelesssys/constellation/v2/internal/versions/components" "golang.org/x/crypto/bcrypt" - "golang.org/x/crypto/ssh" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/keepalive" 
@@ -225,28 +222,6 @@ func (s *Server) Init(req *initproto.InitRequest, stream initproto.API_InitServe return err } - // Derive the emergency ssh CA key - key, err := cloudKms.GetDEK(stream.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize) - if err != nil { - if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "retrieving DEK for key derivation: %s", err)); e != nil { - err = errors.Join(err, e) - } - return err - } - ca, err := crypto.GenerateEmergencySSHCAKey(key) - if err != nil { - if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "generating emergency SSH CA key: %s", err)); e != nil { - err = errors.Join(err, e) - } - return err - } - if err := s.fileHandler.Write(constants.SSHCAKeyPath, ssh.MarshalAuthorizedKey(ca.PublicKey()), file.OptMkdirAll); err != nil { - if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "writing ssh CA pubkey: %s", err)); e != nil { - err = errors.Join(err, e) - } - return err - } - clusterName := req.ClusterName if clusterName == "" { clusterName = "constellation" diff --git a/bootstrapper/internal/initserver/initserver_test.go b/bootstrapper/internal/initserver/initserver_test.go index 878a1fe80..0d9f25db4 100644 --- a/bootstrapper/internal/initserver/initserver_test.go +++ b/bootstrapper/internal/initserver/initserver_test.go @@ -67,7 +67,7 @@ func TestNew(t *testing.T) { assert := assert.New(t) server, err := New( - t.Context(), newFakeLock(), &stubClusterInitializer{}, atls.NewFakeIssuer(variant.Dummy{}), + context.TODO(), newFakeLock(), &stubClusterInitializer{}, atls.NewFakeIssuer(variant.Dummy{}), &stubDisk{}, fh, &tc.metadata, logger.NewTest(t), ) if tc.wantErr { 
@@ -352,9 +352,9 @@ func TestSetupDisk(t *testing.T) { masterSecret := uri.MasterSecret{Key: tc.masterKey, Salt: tc.salt} - cloudKms, err := kmssetup.KMS(t.Context(), uri.NoStoreURI, masterSecret.EncodeToURI()) + cloudKms, err := kmssetup.KMS(context.Background(), uri.NoStoreURI, masterSecret.EncodeToURI()) require.NoError(err) - assert.NoError(server.setupDisk(t.Context(), cloudKms)) + assert.NoError(server.setupDisk(context.Background(), cloudKms)) }) } } diff --git a/bootstrapper/internal/joinclient/joinclient.go b/bootstrapper/internal/joinclient/joinclient.go index 536906988..37c9e9b8f 100644 --- a/bootstrapper/internal/joinclient/joinclient.go +++ b/bootstrapper/internal/joinclient/joinclient.go @@ -271,10 +271,6 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse, return fmt.Errorf("writing kubelet key: %w", err) } - if err := c.fileHandler.Write(constants.SSHCAKeyPath, ticket.AuthorizedCaPublicKey, file.OptMkdirAll); err != nil { - return fmt.Errorf("writing ssh ca key: %w", err) - } - state := nodestate.NodeState{ Role: c.role, MeasurementSalt: ticket.MeasurementSalt, diff --git a/bootstrapper/internal/joinclient/joinclient_test.go b/bootstrapper/internal/joinclient/joinclient_test.go index e652c5165..6a0b89f4b 100644 --- a/bootstrapper/internal/joinclient/joinclient_test.go +++ b/bootstrapper/internal/joinclient/joinclient_test.go @@ -50,8 +50,6 @@ func TestClient(t *testing.T) { {Role: role.ControlPlane, Name: "node-4", VPCIP: "192.0.2.2"}, {Role: role.ControlPlane, Name: "node-5", VPCIP: "192.0.2.3"}, } - caDerivationKey := make([]byte, 256) - respCaKey := &joinproto.IssueJoinTicketResponse{AuthorizedCaPublicKey: caDerivationKey} testCases := map[string]struct { role role.Role 
@@ -71,7 +69,7 @@ func TestClient(t *testing.T) { selfAnswer{err: assert.AnError}, selfAnswer{instance: workerSelf}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), @@ -87,7 +85,7 @@ func TestClient(t *testing.T) { selfAnswer{instance: metadata.InstanceMetadata{Name: "node-1"}}, selfAnswer{instance: workerSelf}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), @@ -103,7 +101,7 @@ func TestClient(t *testing.T) { listAnswer{err: assert.AnError}, listAnswer{err: assert.AnError}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), @@ -119,7 +117,7 @@ func TestClient(t *testing.T) { listAnswer{}, listAnswer{}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), @@ -136,7 +134,7 @@ func TestClient(t *testing.T) { listAnswer{instances: peers}, issueJoinTicketAnswer{err: assert.AnError}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), @@ -153,7 +151,7 @@ func TestClient(t *testing.T) { listAnswer{instances: peers}, issueJoinTicketAnswer{err: assert.AnError}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), 
@@ -166,7 +164,7 @@ func TestClient(t *testing.T) { apiAnswers: []any{ selfAnswer{instance: controlSelf}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{numBadCalls: -1, joinClusterErr: assert.AnError}, nodeLock: newFakeLock(), @@ -179,7 +177,7 @@ func TestClient(t *testing.T) { apiAnswers: []any{ selfAnswer{instance: controlSelf}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{numBadCalls: 1, joinClusterErr: assert.AnError}, nodeLock: newFakeLock(), @@ -193,7 +191,7 @@ func TestClient(t *testing.T) { apiAnswers: []any{ selfAnswer{instance: controlSelf}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: lockedLock, diff --git a/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel b/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel index 968a2b011..ef87085bd 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel +++ b/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel @@ -28,7 +28,6 @@ go_library( "@io_k8s_kubelet//config/v1beta1", "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/v1beta3", "@io_k8s_kubernetes//cmd/kubeadm/app/constants", - "@org_golang_x_mod//semver", ], ) diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go index 1ce387aeb..430839a46 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go +++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go 
@@ -12,7 +12,6 @@ import ( "github.com/edgelesssys/constellation/v2/bootstrapper/internal/certificate" "github.com/edgelesssys/constellation/v2/internal/constants" "github.com/edgelesssys/constellation/v2/internal/kubernetes" - "golang.org/x/mod/semver" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" kubeletconf "k8s.io/kubelet/config/v1beta1" @@ -39,7 +38,7 @@ func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, cl cloudProvider = "external" } - initConfig := KubeadmInitYAML{ + return KubeadmInitYAML{ InitConfiguration: kubeadm.InitConfiguration{ TypeMeta: metav1.TypeMeta{ APIVersion: kubeadm.SchemeGroupVersion.String(), @@ -158,11 +157,6 @@ func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, cl TLSPrivateKeyFile: certificate.KeyFilename, }, } - - if semver.Compare(clusterVersion, "v1.31.0") >= 0 { - initConfig.ClusterConfiguration.FeatureGates = map[string]bool{"ControlPlaneKubeletLocalMode": true} - } - return initConfig } // JoinConfiguration returns a new kubeadm join configuration. diff --git a/bootstrapper/internal/kubernetes/kubernetes_test.go b/bootstrapper/internal/kubernetes/kubernetes_test.go index 55d6cf676..bef50253d 100644 --- a/bootstrapper/internal/kubernetes/kubernetes_test.go +++ b/bootstrapper/internal/kubernetes/kubernetes_test.go @@ -201,7 +201,7 @@ func TestInitCluster(t *testing.T) { } _, err := kube.InitCluster( - t.Context(), string(tc.k8sVersion), "kubernetes", + context.Background(), string(tc.k8sVersion), "kubernetes", false, nil, nil, "", ) @@ -384,7 +384,7 @@ func TestJoinCluster(t *testing.T) { log: logger.NewTest(t), } - err := kube.JoinCluster(t.Context(), joinCommand, tc.role, tc.k8sComponents) + err := kube.JoinCluster(context.Background(), joinCommand, tc.role, tc.k8sComponents) if tc.wantErr { assert.Error(err) return 
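Review bot: With the `semver.Compare(clusterVersion, "v1.31.0")` block gone, the only visible use of `clusterVersion` in `InitConfiguration` disappears; the signature is truncated in the hunk header (`…externalCloudProvider bool, cl`), so whether it is still a parameter and is read elsewhere in the body is inferred, not shown. Go does not warn on unused parameters, so if it is now dead it should either be removed from the signature and its callers or carry a comment such as `// clusterVersion: currently unused; kept so callers need not change.` The function body continues outside both hunks of this file.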
diff --git a/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter_test.go b/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter_test.go index 97f2daa15..fe51e2dbb 100644 --- a/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter_test.go +++ b/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter_test.go @@ -39,7 +39,7 @@ func TestCloudKubeAPIWaiter(t *testing.T) { require := require.New(t) waiter := &CloudKubeAPIWaiter{} - ctx, cancel := context.WithTimeout(t.Context(), 0) + ctx, cancel := context.WithTimeout(context.Background(), 0) defer cancel() err := waiter.Wait(ctx, tc.kubeClient) if tc.wantErr { diff --git a/cli/cmd/root.go b/cli/cmd/root.go index cd3f24647..6baaf3f1f 100644 --- a/cli/cmd/root.go +++ b/cli/cmd/root.go @@ -61,7 +61,6 @@ func NewRootCmd() *cobra.Command { rootCmd.AddCommand(cmd.NewIAMCmd()) rootCmd.AddCommand(cmd.NewVersionCmd()) rootCmd.AddCommand(cmd.NewInitCmd()) - rootCmd.AddCommand(cmd.NewSSHCmd()) rootCmd.AddCommand(cmd.NewMaaPatchCmd()) return rootCmd diff --git a/cli/internal/cloudcmd/apply_test.go b/cli/internal/cloudcmd/apply_test.go index 5fa4aa0d2..47217362f 100644 --- a/cli/internal/cloudcmd/apply_test.go +++ b/cli/internal/cloudcmd/apply_test.go @@ -185,14 +185,14 @@ func TestApplier(t *testing.T) { out: &bytes.Buffer{}, } - diff, err := applier.Plan(t.Context(), tc.config) + diff, err := applier.Plan(context.Background(), tc.config) if err != nil { assert.True(tc.wantErr, "unexpected error: %s", err) return } assert.False(diff) - idFile, err := applier.Apply(t.Context(), tc.provider, tc.config.GetAttestationConfig().GetVariant(), true) + idFile, err := applier.Apply(context.Background(), tc.provider, tc.config.GetAttestationConfig().GetVariant(), true) if tc.wantErr { assert.Error(err) 
@@ -303,7 +303,7 @@ func TestPlan(t *testing.T) { cfg := config.Default() cfg.RemoveProviderAndAttestationExcept(cloudprovider.Azure) - diff, err := u.Plan(t.Context(), cfg) + diff, err := u.Plan(context.Background(), cfg) if tc.wantErr { require.Error(err) } else { @@ -352,7 +352,7 @@ func TestApply(t *testing.T) { out: io.Discard, } - _, err := u.Apply(t.Context(), cloudprovider.QEMU, variant.QEMUVTPM{}, WithoutRollbackOnError) + _, err := u.Apply(context.Background(), cloudprovider.QEMU, variant.QEMUVTPM{}, WithoutRollbackOnError) if tc.wantErr { assert.Error(err) } else { diff --git a/cli/internal/cloudcmd/iam.go b/cli/internal/cloudcmd/iam.go index 0046c27e3..e73f2854d 100644 --- a/cli/internal/cloudcmd/iam.go +++ b/cli/internal/cloudcmd/iam.go @@ -91,7 +91,6 @@ type GCPIAMConfig struct { Zone string ProjectID string ServiceAccountID string - NamePrefix string } // AzureIAMConfig holds the necessary values for Azure IAM configuration. @@ -142,7 +141,6 @@ func (c *IAMCreator) createGCP(ctx context.Context, cl tfIAMClient, opts *IAMCon vars := terraform.GCPIAMVariables{ ServiceAccountID: opts.GCP.ServiceAccountID, - NamePrefix: opts.GCP.NamePrefix, Project: opts.GCP.ProjectID, Region: opts.GCP.Region, Zone: opts.GCP.Zone, @@ -160,8 +158,7 @@ func (c *IAMCreator) createGCP(ctx context.Context, cl tfIAMClient, opts *IAMCon return IAMOutput{ CloudProvider: cloudprovider.GCP, GCPOutput: GCPIAMOutput{ - ServiceAccountKey: iamOutput.GCP.SaKey, - IAMServiceAccountVM: iamOutput.GCP.ServiceAccountVMMailAddress, + ServiceAccountKey: iamOutput.GCP.SaKey, }, }, nil } 
@@ -235,8 +232,7 @@ type IAMOutput struct { // GCPIAMOutput contains the output information of a GCP IAM configuration. type GCPIAMOutput struct { - ServiceAccountKey string `json:"serviceAccountID,omitempty"` - IAMServiceAccountVM string `json:"iamServiceAccountVM,omitempty"` + ServiceAccountKey string `json:"serviceAccountID,omitempty"` } // AzureIAMOutput contains the output information of a Microsoft Azure IAM configuration. diff --git a/cli/internal/cloudcmd/iam_test.go b/cli/internal/cloudcmd/iam_test.go index e3c23e54b..ff198c51c 100644 --- a/cli/internal/cloudcmd/iam_test.go +++ b/cli/internal/cloudcmd/iam_test.go @@ -128,7 +128,7 @@ func TestIAMCreator(t *testing.T) { }, } - idFile, err := creator.Create(t.Context(), tc.provider, tc.config) + idFile, err := creator.Create(context.Background(), tc.provider, tc.config) if tc.wantErr { assert.Error(err) @@ -184,7 +184,7 @@ func TestDestroyIAMConfiguration(t *testing.T) { return tc.tfClient, nil }} - err := destroyer.DestroyIAMConfiguration(t.Context(), "", terraform.LogLevelNone) + err := destroyer.DestroyIAMConfiguration(context.Background(), "", terraform.LogLevelNone) if tc.wantErr { assert.Error(err) @@ -278,7 +278,7 @@ func TestGetTfstateServiceAccountKey(t *testing.T) { return tc.cl, nil }} - saKey, err := destroyer.GetTfStateServiceAccountKey(t.Context(), "") + saKey, err := destroyer.GetTfStateServiceAccountKey(context.Background(), "") if tc.wantErr { assert.Error(err) diff --git a/cli/internal/cloudcmd/rollback_test.go b/cli/internal/cloudcmd/rollback_test.go index ec5c23ccf..320dd1745 100644 --- a/cli/internal/cloudcmd/rollback_test.go +++ b/cli/internal/cloudcmd/rollback_test.go @@ -8,6 +8,7 @@ package cloudcmd import ( "bytes" + "context" "errors" "testing" 
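Review bot: The surviving field `ServiceAccountKey string \`json:"serviceAccountID,omitempty"\`` is serialised under a JSON name that says "ID" while, judging by `ServiceAccountKey: iamOutput.GCP.SaKey` in `createGCP` earlier on this page, it carries the service-account key itself; the mismatch makes it easy to miss that this struct holds secret material rather than an identifier. The tag is presumably kept so existing IAM output files still decode, so rather than renaming it I would document the field: `// ServiceAccountKey holds the GCP service account key material; the "serviceAccountID" JSON name is historical and kept for file compatibility.` The struct is complete within the hunk.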
@@ -45,7 +46,7 @@ func TestRollbackTerraform(t *testing.T) { } destroyClusterErrOutput := &bytes.Buffer{} - err := rollbacker.rollback(t.Context(), destroyClusterErrOutput, terraform.LogLevelNone) + err := rollbacker.rollback(context.Background(), destroyClusterErrOutput, terraform.LogLevelNone) if tc.wantCleanupErr { assert.Error(err) if tc.tfClient.cleanUpWorkspaceErr == nil { @@ -106,7 +107,7 @@ func TestRollbackQEMU(t *testing.T) { destroyClusterErrOutput := &bytes.Buffer{} - err := rollbacker.rollback(t.Context(), destroyClusterErrOutput, terraform.LogLevelNone) + err := rollbacker.rollback(context.Background(), destroyClusterErrOutput, terraform.LogLevelNone) if tc.wantErr { assert.Error(err) if tc.tfClient.cleanUpWorkspaceErr == nil { diff --git a/cli/internal/cloudcmd/terminate_test.go b/cli/internal/cloudcmd/terminate_test.go index 30add9909..1d9f0232c 100644 --- a/cli/internal/cloudcmd/terminate_test.go +++ b/cli/internal/cloudcmd/terminate_test.go @@ -63,7 +63,7 @@ func TestTerminator(t *testing.T) { }, } - err := terminator.Terminate(t.Context(), "", terraform.LogLevelNone) + err := terminator.Terminate(context.Background(), "", terraform.LogLevelNone) if tc.wantErr { assert.Error(err) diff --git a/cli/internal/cloudcmd/tfplan_test.go b/cli/internal/cloudcmd/tfplan_test.go index e83b34a9d..3cad299c1 100644 --- a/cli/internal/cloudcmd/tfplan_test.go +++ b/cli/internal/cloudcmd/tfplan_test.go @@ -101,7 +101,7 @@ func TestTFPlan(t *testing.T) { fs := tc.prepareFs(require.New(t)) hasDiff, planErr := plan( - t.Context(), tc.tf, fs, io.Discard, terraform.LogLevelDebug, + context.Background(), tc.tf, fs, io.Discard, terraform.LogLevelDebug, &terraform.QEMUVariables{}, templateDir, existingWorkspace, backupDir, ) diff --git a/cli/internal/cloudcmd/tfvars.go b/cli/internal/cloudcmd/tfvars.go index 98bb7bf55..aab752aca 100644 --- a/cli/internal/cloudcmd/tfvars.go +++ b/cli/internal/cloudcmd/tfvars.go 
@@ -231,7 +231,6 @@ func gcpTerraformVars(conf *config.Config, imageRef string) *terraform.GCPCluste InternalLoadBalancer: conf.InternalLoadBalancer, CCTechnology: ccTech, AdditionalLabels: conf.Tags, - IAMServiceAccountVM: conf.Provider.GCP.IAMServiceAccountVM, } } @@ -241,7 +240,6 @@ func gcpTerraformIAMVars(conf *config.Config, oldVars terraform.GCPIAMVariables) Region: conf.Provider.GCP.Region, Zone: conf.Provider.GCP.Zone, ServiceAccountID: oldVars.ServiceAccountID, - NamePrefix: oldVars.NamePrefix, } } diff --git a/cli/internal/cmd/BUILD.bazel b/cli/internal/cmd/BUILD.bazel index bc6a71a50..828a63d5b 100644 --- a/cli/internal/cmd/BUILD.bazel +++ b/cli/internal/cmd/BUILD.bazel @@ -37,7 +37,6 @@ go_library( "miniup_linux_amd64.go", "recover.go", "spinner.go", - "ssh.go", "status.go", "terminate.go", "upgrade.go", @@ -117,8 +116,6 @@ go_library( "//internal/attestation/azure/tdx", "@com_github_google_go_sev_guest//proto/sevsnp", "@com_github_google_go_tpm_tools//proto/attest", - "@org_golang_x_crypto//ssh", - "//internal/kms/setup", ] + select({ "@io_bazel_rules_go//go/platform:android_amd64": [ "@org_golang_x_sys//unix", @@ -145,7 +142,6 @@ go_test( "maapatch_test.go", "recover_test.go", "spinner_test.go", - "ssh_test.go", "status_test.go", "terminate_test.go", "upgradeapply_test.go", @@ -205,7 +201,6 @@ go_test( "@org_golang_google_grpc//:grpc", "@org_golang_google_grpc//codes", "@org_golang_google_grpc//status", - "@org_golang_x_crypto//ssh", "@org_golang_x_mod//semver", "@org_uber_go_goleak//:goleak", ], diff --git a/cli/internal/cmd/apply.go b/cli/internal/cmd/apply.go index 439bf5708..d4390db21 100644 --- a/cli/internal/cmd/apply.go +++ b/cli/internal/cmd/apply.go @@ -14,6 +14,7 @@ import ( "io" "io/fs" "log/slog" + "net" "os" "path/filepath" "slices" 
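Review bot: Dropping `IAMServiceAccountVM: conf.Provider.GCP.IAMServiceAccountVM` from `gcpTerraformVars` means any `iamServiceAccountVM` value present in a config written by the newer CLI is no longer forwarded, and the config-struct change that removes the field is not in this chunk; if the YAML loader rejects unknown keys those configs will fail to parse, and if it does not, the configured VM service account is silently ignored. Either outcome deserves a visible signal to the operator — a one-line comment on the function such as `// IAMServiceAccountVM is intentionally not forwarded on this branch; legacy values in the config are ignored.` at minimum, or better a validation warning when the key is present. The same silent omission appears for `NamePrefix` in `gcpTerraformIAMVars` in the next hunk and in `writeOutputValuesToConfig` in cli/internal/cmd/iamcreategcp.go.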
@@ -228,7 +229,7 @@ func runApply(cmd *cobra.Command, _ []string) error { } newDialer := func(validator atls.Validator) *dialer.Dialer { - return dialer.New(nil, validator, nil) + return dialer.New(nil, validator, &net.Dialer{}) } upgradeID := generateUpgradeID(upgradeCmdKindApply) @@ -367,7 +368,7 @@ func (a *applyCmd) apply( // Check current Terraform state, if it exists and infrastructure upgrades are not skipped, // and apply migrations if necessary. if !a.flags.skipPhases.contains(skipInfrastructurePhase) { - if err := a.runTerraformApply(cmd, conf, stateFile, upgradeDir, a.flags.yes); err != nil { + if err := a.runTerraformApply(cmd, conf, stateFile, upgradeDir); err != nil { return fmt.Errorf("applying Terraform configuration: %w", err) } } diff --git a/cli/internal/cmd/apply_test.go b/cli/internal/cmd/apply_test.go index 383c51125..17c03f33f 100644 --- a/cli/internal/cmd/apply_test.go +++ b/cli/internal/cmd/apply_test.go @@ -199,7 +199,7 @@ func TestBackupHelmCharts(t *testing.T) { log: logger.NewTest(t), } - err := a.backupHelmCharts(t.Context(), tc.helmApplier, tc.includesUpgrades, "") + err := a.backupHelmCharts(context.Background(), tc.helmApplier, tc.includesUpgrades, "") if tc.wantErr { assert.Error(err) return @@ -256,7 +256,6 @@ func TestValidateInputs(t *testing.T) { ClientX509CertURL: "client_cert", })) cfg.Provider.GCP.ServiceAccountKeyPath = "saKey.json" - cfg.Provider.GCP.IAMServiceAccountVM = "example@example.com" } require.NoError(fh.WriteYAML(constants.ConfigFilename, cfg)) diff --git a/cli/internal/cmd/applyterraform.go b/cli/internal/cmd/applyterraform.go index 327936531..668ad0eed 100644 --- a/cli/internal/cmd/applyterraform.go +++ b/cli/internal/cmd/applyterraform.go 
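Review bot: `dialer.New(nil, validator, &net.Dialer{})` passes a zero-value `net.Dialer`, which carries no `Timeout`, so connection attempts to the cluster are bounded only by whatever deadline the caller's context carries; whether `dialer.New` treated the previous `nil` as an equivalent default is not visible here. If plain defaults are the intent, a comment such as `// zero-value net.Dialer: no dial timeout, rely on ctx deadlines` makes that explicit; if a bound is wanted, `&net.Dialer{Timeout: dialTimeout}` with a named constant (placeholder name) is the one-line fix. The same construction is introduced in `runRecover` (cli/internal/cmd/recover.go) and `runVerify` (cli/internal/cmd/verify.go); verify.go shows no accompanying `"net"` import hunk in this chunk, so presumably the file already imports it. `runApply` continues outside the hunk.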
@@ -22,7 +22,7 @@ import ( ) // runTerraformApply checks if changes to Terraform are required and applies them. -func (a *applyCmd) runTerraformApply(cmd *cobra.Command, conf *config.Config, stateFile *state.State, upgradeDir string, yesFlag bool) error { +func (a *applyCmd) runTerraformApply(cmd *cobra.Command, conf *config.Config, stateFile *state.State, upgradeDir string) error { a.log.Debug("Checking if Terraform migrations are required") terraformClient, removeClient, err := a.newInfraApplier(cmd.Context()) if err != nil { @@ -36,20 +36,6 @@ func (a *applyCmd) runTerraformApply(cmd *cobra.Command, conf *config.Config, st return fmt.Errorf("checking if Terraform workspace is empty: %w", err) } - if !isNewCluster && cloudcmd.UpgradeRequiresIAMMigration(conf.GetProvider()) { - cmd.Println("WARNING: This upgrade requires an IAM migration. Please make sure you have applied the IAM migration using `iam upgrade apply` before continuing.") - if !yesFlag { - yes, err := askToConfirm(cmd, "Did you upgrade the IAM resources?") - if err != nil { - return fmt.Errorf("asking for confirmation: %w", err) - } - if !yes { - cmd.Println("Skipping upgrade.") - return nil - } - } - } - if changesRequired, err := a.planTerraformChanges(cmd, conf, terraformClient); err != nil { return fmt.Errorf("planning Terraform migrations: %w", err) } else if !changesRequired { diff --git a/cli/internal/cmd/iamcreate.go b/cli/internal/cmd/iamcreate.go index c70744cdc..b2e44f4a2 100644 --- a/cli/internal/cmd/iamcreate.go +++ b/cli/internal/cmd/iamcreate.go 
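Review bot: Removing the `UpgradeRequiresIAMMigration` block means `runTerraformApply` now proceeds straight to `planTerraformChanges` on an existing cluster with no warning that IAM resources may be out of step with the cluster Terraform; if `cloudcmd.UpgradeRequiresIAMMigration` still exists after this change it is now dead code and should be removed as well. `isNewCluster` was consumed only by the deleted block as far as this hunk shows; the rest of the function is outside the hunk, so confirm it is still referenced, since Go rejects an unused local. A short comment at the point where the guard used to sit, e.g. `// No IAM-migration check on this branch; Terraform planning decides what changes are applied.`, would document why the flow is unconditional.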
@@ -29,9 +29,6 @@ var ( regionRegex = regexp.MustCompile(`^\w+-\w+[0-9]$`) // Source: https://cloud.google.com/resource-manager/reference/rest/v1/projects. gcpIDRegex = regexp.MustCompile(`^[a-z][-a-z0-9]{4,28}[a-z0-9]$`) - - // We currently append 6 characters to the prefix, therefore we remove 6 characters from the gcpIDRegex. - gcpPrefixRegex = regexp.MustCompile(`^[a-z][-a-z0-9]{4,22}[a-z0-9]$`) ) // newIAMCreateCmd returns a new cobra.Command for the iam create parent command. It needs another verb, and does nothing on its own. diff --git a/cli/internal/cmd/iamcreate_test.go b/cli/internal/cmd/iamcreate_test.go index b7d33c6c7..3a9c83051 100644 --- a/cli/internal/cmd/iamcreate_test.go +++ b/cli/internal/cmd/iamcreate_test.go @@ -456,7 +456,6 @@ func TestIAMCreateGCP(t *testing.T) { creator *stubIAMCreator zoneFlag string serviceAccountIDFlag string - namePrefixFlag string projectIDFlag string yesFlag bool updateConfigFlag bool @@ -467,14 +466,6 @@ func TestIAMCreateGCP(t *testing.T) { wantErr bool }{ "iam create gcp": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - yesFlag: true, - }, - "iam create gcp with deprecated serice account flag": { setupFs: defaultFs, creator: &stubIAMCreator{id: validIAMIDFile}, zoneFlag: "europe-west1-a", 
@@ -483,91 +474,91 @@ func TestIAMCreateGCP(t *testing.T) { yesFlag: true, }, "iam create gcp with existing config": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - yesFlag: true, - existingConfigFiles: []string{constants.ConfigFilename}, + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + yesFlag: true, + existingConfigFiles: []string{constants.ConfigFilename}, }, "iam create gcp --update-config": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - updateConfigFlag: true, - yesFlag: true, - existingConfigFiles: []string{constants.ConfigFilename}, + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + updateConfigFlag: true, + yesFlag: true, + existingConfigFiles: []string{constants.ConfigFilename}, }, "iam create gcp existing terraform dir": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", existingDirs: []string{constants.TerraformIAMWorkingDir}, yesFlag: true, wantErr: true, }, "iam create gcp invalid b64": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: invalidIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - yesFlag: true, - wantErr: true, + setupFs: defaultFs, + creator: &stubIAMCreator{id: invalidIAMIDFile}, + 
zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + yesFlag: true, + wantErr: true, }, "interactive": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - stdin: "yes\n", + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + stdin: "yes\n", }, "interactive update config": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - stdin: "yes\n", - updateConfigFlag: true, - existingConfigFiles: []string{constants.ConfigFilename}, + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + stdin: "yes\n", + updateConfigFlag: true, + existingConfigFiles: []string{constants.ConfigFilename}, }, "interactive abort": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - stdin: "no\n", - wantAbort: true, + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + stdin: "no\n", + wantAbort: true, }, "interactive abort update config": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - stdin: "no\n", - wantAbort: true, - updateConfigFlag: true, - existingConfigFiles: []string{constants.ConfigFilename}, + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + 
serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + stdin: "no\n", + wantAbort: true, + updateConfigFlag: true, + existingConfigFiles: []string{constants.ConfigFilename}, }, "unwritable fs": { - setupFs: readOnlyFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - yesFlag: true, - updateConfigFlag: true, - wantErr: true, + setupFs: readOnlyFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + yesFlag: true, + updateConfigFlag: true, + wantErr: true, }, } @@ -599,7 +590,6 @@ func TestIAMCreateGCP(t *testing.T) { flags: gcpIAMCreateFlags{ zone: tc.zoneFlag, serviceAccountID: tc.serviceAccountIDFlag, - namePrefix: tc.serviceAccountIDFlag, projectID: tc.projectIDFlag, }, }, diff --git a/cli/internal/cmd/iamcreategcp.go b/cli/internal/cmd/iamcreategcp.go index d957f7424..b6c55e5d1 100644 --- a/cli/internal/cmd/iamcreategcp.go +++ b/cli/internal/cmd/iamcreategcp.go 
@@ -31,19 +31,13 @@ func newIAMCreateGCPCmd() *cobra.Command { cmd.Flags().String("zone", "", "GCP zone the cluster will be deployed in (required)\n"+ "Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available") must(cobra.MarkFlagRequired(cmd.Flags(), "zone")) - - cmd.Flags().String("serviceAccountID", "", "[Deprecated use \"--prefix\"]ID for the service account that will be created (required)\n"+ - "Must be 6 to 30 lowercase letters, digits, or hyphens. This flag is mutually exclusive with --prefix.") - cmd.Flags().String("prefix", "", "Prefix for the service account ID and VM ID that will be created (required)\n"+ - "Must be letters, digits, or hyphens.") - + cmd.Flags().String("serviceAccountID", "", "ID for the service account that will be created (required)\n"+ + "Must be 6 to 30 lowercase letters, digits, or hyphens.") + must(cobra.MarkFlagRequired(cmd.Flags(), "serviceAccountID")) cmd.Flags().String("projectID", "", "ID of the GCP project the configuration will be created in (required)\n"+ "Find it on the welcome screen of your project: https://console.cloud.google.com/welcome") must(cobra.MarkFlagRequired(cmd.Flags(), "projectID")) - cmd.MarkFlagsMutuallyExclusive([]string{"prefix", "serviceAccountID"}...) - must(cmd.Flags().MarkDeprecated("serviceAccountID", "use --prefix instead")) - return cmd } @@ -59,7 +53,6 @@ func runIAMCreateGCP(cmd *cobra.Command, _ []string) error { type gcpIAMCreateFlags struct { rootFlags serviceAccountID string - namePrefix string zone string region string projectID string 
@@ -98,18 +91,9 @@ func (f *gcpIAMCreateFlags) parse(flags *pflag.FlagSet) error { if err != nil { return fmt.Errorf("getting 'serviceAccountID' flag: %w", err) } - if f.serviceAccountID != "" && !gcpIDRegex.MatchString(f.serviceAccountID) { + if !gcpIDRegex.MatchString(f.serviceAccountID) { return fmt.Errorf("serviceAccountID %q doesn't match %s", f.serviceAccountID, gcpIDRegex) } - - f.namePrefix, err = flags.GetString("prefix") - if err != nil { - return fmt.Errorf("getting 'prefix' flag: %w", err) - } - if f.namePrefix != "" && !gcpPrefixRegex.MatchString(f.namePrefix) { - return fmt.Errorf("prefix %q doesn't match %s", f.namePrefix, gcpIDRegex) - } - return nil } @@ -125,19 +109,13 @@ func (c *gcpIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions { Region: c.flags.region, ProjectID: c.flags.projectID, ServiceAccountID: c.flags.serviceAccountID, - NamePrefix: c.flags.namePrefix, }, } } func (c *gcpIAMCreator) printConfirmValues(cmd *cobra.Command) { cmd.Printf("Project ID:\t\t%s\n", c.flags.projectID) - if c.flags.namePrefix != "" { - cmd.Printf("Name Prefix:\t\t%s\n", c.flags.namePrefix) - } - if c.flags.serviceAccountID != "" { - cmd.Printf("Service Account ID:\t%s\n", c.flags.serviceAccountID) - } + cmd.Printf("Service Account ID:\t%s\n", c.flags.serviceAccountID) cmd.Printf("Region:\t\t\t%s\n", c.flags.region) cmd.Printf("Zone:\t\t\t%s\n\n", c.flags.zone) } 
@@ -149,12 +127,11 @@ func (c *gcpIAMCreator) printOutputValues(cmd *cobra.Command, _ cloudcmd.IAMOutp cmd.Printf("serviceAccountKeyPath:\t%s\n\n", c.flags.pathPrefixer.PrefixPrintablePath(constants.GCPServiceAccountKeyFilename)) } -func (c *gcpIAMCreator) writeOutputValuesToConfig(conf *config.Config, out cloudcmd.IAMOutput) { +func (c *gcpIAMCreator) writeOutputValuesToConfig(conf *config.Config, _ cloudcmd.IAMOutput) { conf.Provider.GCP.Project = c.flags.projectID conf.Provider.GCP.ServiceAccountKeyPath = constants.GCPServiceAccountKeyFilename // File was created in workspace, so only the filename is needed. conf.Provider.GCP.Region = c.flags.region conf.Provider.GCP.Zone = c.flags.zone - conf.Provider.GCP.IAMServiceAccountVM = out.GCPOutput.IAMServiceAccountVM for groupName, group := range conf.NodeGroups { group.Zone = c.flags.zone conf.NodeGroups[groupName] = group diff --git a/cli/internal/cmd/init_test.go b/cli/internal/cmd/init_test.go index 747e180ec..568c31ff8 100644 --- a/cli/internal/cmd/init_test.go +++ b/cli/internal/cmd/init_test.go @@ -217,7 +217,7 @@ func TestInitialize(t *testing.T) { require.NoError(fileHandler.WriteJSON(serviceAccPath, tc.serviceAccKey, file.OptNone)) } - ctx := t.Context() + ctx := context.Background() ctx, cancel := context.WithTimeout(ctx, 4*time.Second) defer cancel() cmd.SetContext(ctx) 
@@ -539,7 +539,6 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs conf.Provider.GCP.Project = "test-project" conf.Provider.GCP.Zone = "test-zone" conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path" - conf.Provider.GCP.IAMServiceAccountVM = "example@example.com" conf.Attestation.GCPSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength) conf.Attestation.GCPSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength) conf.Attestation.GCPSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength) diff --git a/cli/internal/cmd/recover.go b/cli/internal/cmd/recover.go index e8c9f83a6..17ffa4c32 100644 --- a/cli/internal/cmd/recover.go +++ b/cli/internal/cmd/recover.go @@ -11,6 +11,7 @@ import ( "errors" "fmt" "io" + "net" "sync" "time" @@ -77,7 +78,7 @@ func runRecover(cmd *cobra.Command, _ []string) error { } fileHandler := file.NewHandler(afero.NewOsFs()) newDialer := func(validator atls.Validator) *dialer.Dialer { - return dialer.New(nil, validator, nil) + return dialer.New(nil, validator, &net.Dialer{}) } r := &recoverCmd{log: log, configFetcher: attestationconfigapi.NewFetcher()} if err := r.flags.parse(cmd.Flags()); err != nil { diff --git a/cli/internal/cmd/recover_test.go b/cli/internal/cmd/recover_test.go index 04deddc87..41ca89817 100644 --- a/cli/internal/cmd/recover_test.go +++ b/cli/internal/cmd/recover_test.go @@ -138,7 +138,7 @@ func TestRecover(t *testing.T) { require := require.New(t) cmd := NewRecoverCmd() - cmd.SetContext(t.Context()) + cmd.SetContext(context.Background()) out := &bytes.Buffer{} cmd.SetOut(out) cmd.SetErr(out) @@ -225,7 +225,7 @@ func TestDoRecovery(t *testing.T) { log: r.log, } - err := recoverDoer.Do(t.Context()) + err := recoverDoer.Do(context.Background()) if tc.wantErr { assert.Error(err) } else { 
diff --git a/cli/internal/cmd/ssh.go b/cli/internal/cmd/ssh.go
deleted file mode 100644
index 33ebabfaa..000000000
--- a/cli/internal/cmd/ssh.go
+++ /dev/null
@@ -1,113 +0,0 @@ -/* -Copyright (c) Edgeless Systems GmbH - -SPDX-License-Identifier: AGPL-3.0-only -*/ - -package cmd - -import ( - "crypto/ed25519" - "crypto/rand" - "fmt" - "time" - - "github.com/edgelesssys/constellation/v2/internal/constants" - "github.com/edgelesssys/constellation/v2/internal/crypto" - "github.com/edgelesssys/constellation/v2/internal/file" - "github.com/edgelesssys/constellation/v2/internal/kms/setup" - "github.com/edgelesssys/constellation/v2/internal/kms/uri" - "github.com/spf13/afero" - "github.com/spf13/cobra" - - "golang.org/x/crypto/ssh" -) - -// NewSSHCmd returns a new cobra.Command for the ssh command. -func NewSSHCmd() *cobra.Command { - cmd := &cobra.Command{ - Use: "ssh", - Short: "Generate a certificate for emergency SSH access", - Long: "Generate a certificate for emergency SSH access to your SSH-enabled constellation cluster.", - Args: cobra.ExactArgs(0), - RunE: runSSH, - } - cmd.Flags().String("key", "", "the path to an existing SSH public key") - must(cmd.MarkFlagRequired("key")) - return cmd -} - -func runSSH(cmd *cobra.Command, _ []string) error { - fh := file.NewHandler(afero.NewOsFs()) - debugLogger, err := newDebugFileLogger(cmd, fh) - if err != nil { - return err - } - - keyPath, err := cmd.Flags().GetString("key") - if err != nil { - return fmt.Errorf("retrieving path to public key from flags: %s", err) - } - - return writeCertificateForKey(cmd, keyPath, fh, debugLogger) -} - -func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler, debugLogger debugLog) error { - // NOTE(miampf): Since other KMS aren't fully implemented yet, this commands assumes that the cKMS is used and derives the key accordingly. 
- var mastersecret uri.MasterSecret - if err := fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil { - return fmt.Errorf("reading master secret (does %q exist?): %w", constants.MasterSecretFilename, err) - } - - mastersecretURI := uri.MasterSecret{Key: mastersecret.Key, Salt: mastersecret.Salt} - kms, err := setup.KMS(cmd.Context(), uri.NoStoreURI, mastersecretURI.EncodeToURI()) - if err != nil { - return fmt.Errorf("setting up KMS: %s", err) - } - sshCAKeySeed, err := kms.GetDEK(cmd.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize) - if err != nil { - return fmt.Errorf("retrieving key from KMS: %s", err) - } - - ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed) - if err != nil { - return fmt.Errorf("generating SSH emergency CA key: %s", err) - } - - debugLogger.Debug("SSH CA KEY generated", "public-key", string(ssh.MarshalAuthorizedKey(ca.PublicKey()))) - - keyBuffer, err := fh.Read(keyPath) - if err != nil { - return fmt.Errorf("reading public key %q: %s", keyPath, err) - } - - pub, _, _, _, err := ssh.ParseAuthorizedKey(keyBuffer) - if err != nil { - return fmt.Errorf("parsing public key %q: %s", keyPath, err) - } - - certificate := ssh.Certificate{ - Key: pub, - CertType: ssh.UserCert, - ValidAfter: uint64(time.Now().Unix()), - ValidBefore: uint64(time.Now().Add(24 * time.Hour).Unix()), - ValidPrincipals: []string{"root"}, - Permissions: ssh.Permissions{ - Extensions: map[string]string{ - "permit-port-forwarding": "", - "permit-pty": "", - }, - }, - } - if err := certificate.SignCert(rand.Reader, ca); err != nil { - return fmt.Errorf("signing certificate: %s", err) - } - - debugLogger.Debug("Signed certificate", "certificate", string(ssh.MarshalAuthorizedKey(&certificate))) - if err := fh.Write("constellation_cert.pub", ssh.MarshalAuthorizedKey(&certificate), file.OptOverwrite); err != nil { - return fmt.Errorf("writing certificate: %s", err) - } - cmd.Printf("You can now connect to a node using the 
\"constellation_cert.pub\" certificate.\nLook at the documentation for a how-to guide:\n\n\thttps://docs.edgeless.systems/constellation/workflows/troubleshooting#emergency-ssh-access\n") - - return nil -} diff --git a/cli/internal/cmd/ssh_test.go b/cli/internal/cmd/ssh_test.go deleted file mode 100644 index 1150b1105..000000000 --- a/cli/internal/cmd/ssh_test.go +++ /dev/null 
@@ -1,95 +0,0 @@ -/* -Copyright (c) Edgeless Systems GmbH - -SPDX-License-Identifier: AGPL-3.0-only -*/ - -package cmd - -import ( - "bytes" - "testing" - - "github.com/edgelesssys/constellation/v2/internal/constants" - "github.com/edgelesssys/constellation/v2/internal/file" - "github.com/edgelesssys/constellation/v2/internal/logger" - "github.com/spf13/afero" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - "golang.org/x/crypto/ssh" -) - -func TestSSH(t *testing.T) { - someSSHPubKey := "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDA1yYg1PIJNjAGjyuv66r8AJtpfBDFLdp3u9lVwkgbVKv1AzcaeTF/NEw+nhNJOjuCZ61LTPj12LZ8Wy/oSm0A= motte@lolcatghost" - someSSHPubKeyPath := "some-key.pub" - someMasterSecret := ` - { - "key": "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAK", - "salt": "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAK" - } - ` - testCases := map[string]struct { - fh file.Handler - pubKey string - masterSecret string - wantErr bool - }{ - "everything exists": { - fh: file.NewHandler(afero.NewMemMapFs()), - pubKey: someSSHPubKey, - masterSecret: someMasterSecret, - }, - "no public key": { - fh: file.NewHandler(afero.NewMemMapFs()), - masterSecret: someMasterSecret, - wantErr: true, - }, - "no master secret": { - fh: file.NewHandler(afero.NewMemMapFs()), - pubKey: someSSHPubKey, - wantErr: true, - }, - "malformed public key": { - fh: file.NewHandler(afero.NewMemMapFs()), - pubKey: "asdf", - masterSecret: someMasterSecret, - wantErr: true, - }, - "malformed master secret": { - fh: file.NewHandler(afero.NewMemMapFs()), - masterSecret: "asdf", - pubKey: someSSHPubKey, - wantErr: true, - }, - } - - for name, tc := range testCases { - t.Run(name, func(t *testing.T) { - assert := assert.New(t) - require := require.New(t) - - if tc.pubKey != "" { - require.NoError(tc.fh.Write(someSSHPubKeyPath, []byte(tc.pubKey))) - } - if tc.masterSecret != "" { - require.NoError(tc.fh.Write(constants.MasterSecretFilename, 
[]byte(tc.masterSecret))) - } - - cmd := NewSSHCmd() - cmd.SetOut(&bytes.Buffer{}) - cmd.SetErr(&bytes.Buffer{}) - cmd.SetIn(&bytes.Buffer{}) - - err := writeCertificateForKey(cmd, someSSHPubKeyPath, tc.fh, logger.NewTest(t)) - if tc.wantErr { - assert.Error(err) - } else { - assert.NoError(err) - cert, err := tc.fh.Read("constellation_cert.pub") - require.NoError(err) - _, _, _, _, err = ssh.ParseAuthorizedKey(cert) - require.NoError(err) - } - }) - } -} diff --git a/cli/internal/cmd/upgradecheck_test.go b/cli/internal/cmd/upgradecheck_test.go index 0f1a83d2f..5e6f8329a 100644 --- a/cli/internal/cmd/upgradecheck_test.go +++ b/cli/internal/cmd/upgradecheck_test.go @@ -139,7 +139,7 @@ func TestGetCompatibleImageMeasurements(t *testing.T) { } }) - upgrades, err := getCompatibleImageMeasurements(t.Context(), &bytes.Buffer{}, client, &stubCosignVerifier{}, singleUUIDVerifier(), csp, attestationVariant, versionZero, logger.NewTest(t)) + upgrades, err := getCompatibleImageMeasurements(context.Background(), &bytes.Buffer{}, client, &stubCosignVerifier{}, singleUUIDVerifier(), csp, attestationVariant, versionZero, logger.NewTest(t)) assert.NoError(err) for _, measurement := range upgrades { @@ -344,7 +344,7 @@ func TestNewCLIVersions(t *testing.T) { t.Run(name, func(t *testing.T) { require := require.New(t) - _, err := tc.verCollector.newCLIVersions(t.Context()) + _, err := tc.verCollector.newCLIVersions(context.Background()) if tc.wantErr { require.Error(err) return @@ -385,7 +385,7 @@ func TestFilterCompatibleCLIVersions(t *testing.T) { t.Run(name, func(t *testing.T) { require := require.New(t) - _, err := tc.verCollector.filterCompatibleCLIVersions(t.Context(), tc.cliPatchVersions, consemver.NewFromInt(1, 24, 5, "")) + _, err := tc.verCollector.filterCompatibleCLIVersions(context.Background(), tc.cliPatchVersions, consemver.NewFromInt(1, 24, 5, "")) if tc.wantErr { require.Error(err) return 
diff --git a/cli/internal/cmd/verify.go b/cli/internal/cmd/verify.go index 264e794c2..523920a20 100644 --- a/cli/internal/cmd/verify.go +++ b/cli/internal/cmd/verify.go @@ -108,7 +108,7 @@ func runVerify(cmd *cobra.Command, _ []string) error { fileHandler := file.NewHandler(afero.NewOsFs()) verifyClient := &constellationVerifier{ - dialer: dialer.New(nil, nil, nil), + dialer: dialer.New(nil, nil, &net.Dialer{}), log: log, } diff --git a/cli/internal/cmd/verify_test.go b/cli/internal/cmd/verify_test.go index 6fa326a97..3e161c8c8 100644 --- a/cli/internal/cmd/verify_test.go +++ b/cli/internal/cmd/verify_test.go @@ -235,7 +235,7 @@ func TestFormatDefault(t *testing.T) { for name, tc := range testCases { t.Run(name, func(t *testing.T) { - _, err := formatDefault(t.Context(), tc.doc, tc.attCfg, logger.NewTest(t)) + _, err := formatDefault(context.Background(), tc.doc, tc.attCfg, logger.NewTest(t)) if tc.wantErr { assert.Error(t, err) } else { @@ -313,7 +313,7 @@ func TestVerifyClient(t *testing.T) { Nonce: tc.nonce, } - _, err = verifier.Verify(t.Context(), addr, request, atls.NewFakeValidator(variant.Dummy{})) + _, err = verifier.Verify(context.Background(), addr, request, atls.NewFakeValidator(variant.Dummy{})) if tc.wantErr { assert.Error(err) diff --git a/cli/internal/terraform/terraform.go b/cli/internal/terraform/terraform.go index f12de0fbc..f48d36e02 100644 --- a/cli/internal/terraform/terraform.go +++ b/cli/internal/terraform/terraform.go 
@@ -103,18 +103,9 @@ func (c *Client) ShowIAM(ctx context.Context, provider cloudprovider.Provider) ( if !ok { return IAMOutput{}, errors.New("invalid type in service_account_key output: not a string") } - IAMServiceAccountVMOutputRaw, ok := tfState.Values.Outputs["service_account_mail_vm"] - if !ok { - return IAMOutput{}, errors.New("no service_account_mail_vm output found") - } - IAMServiceAccountVMOutput, ok := IAMServiceAccountVMOutputRaw.Value.(string) - if !ok { - return IAMOutput{}, errors.New("invalid type in service_account_mail_vm output: not a string") - } return IAMOutput{ GCP: GCPIAMOutput{ - SaKey: saKeyOutput, - ServiceAccountVMMailAddress: IAMServiceAccountVMOutput, + SaKey: saKeyOutput, }, }, nil case cloudprovider.Azure: @@ -548,8 +539,7 @@ type IAMOutput struct { // GCPIAMOutput contains the output information of the Terraform IAM operation on GCP. type GCPIAMOutput struct { - SaKey string - ServiceAccountVMMailAddress string + SaKey string } // AzureIAMOutput contains the output information of the Terraform IAM operation on Microsoft Azure. diff --git a/cli/internal/terraform/terraform_test.go b/cli/internal/terraform/terraform_test.go index 8d88036c7..103f0e959 100644 --- a/cli/internal/terraform/terraform_test.go +++ b/cli/internal/terraform/terraform_test.go @@ -120,7 +120,6 @@ func TestPrepareIAM(t *testing.T) { Region: "europe-west1", Zone: "europe-west1-a", ServiceAccountID: "const-test-case", - NamePrefix: "test_iam", } azureVars := &AzureIAMVariables{ Location: "westus", @@ -483,7 +482,7 @@ func TestCreateCluster(t *testing.T) { path := path.Join(tc.pathBase, strings.ToLower(tc.provider.String())) require.NoError(c.PrepareWorkspace(path, tc.vars)) - infraState, err := c.ApplyCluster(t.Context(), tc.provider, LogLevelDebug) + infraState, err := c.ApplyCluster(context.Background(), tc.provider, LogLevelDebug) if tc.wantErr { assert.Error(err) 
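Review bot: `GCPIAMOutput` now has `SaKey` as its only field but the field still carries no comment, and `ShowIAM` returns it straight from the `service_account_key` Terraform output, which presumably is the service-account key JSON, i.e. secret material. Suggest `// SaKey is the GCP service account key read from the Terraform "service_account_key" output; it is secret material and must not be logged.` on the field so callers handle it accordingly. The `IAMOutput` struct above and the rest of `ShowIAM` are outside the hunk, so whether any caller prints the struct cannot be seen from here.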
@@ -510,9 +509,6 @@ func TestCreateIAM(t *testing.T) { "service_account_key": { Value: "12345678_abcdefg", }, - "service_account_mail_vm": { - Value: "test_iam_service_account_vm", - }, "subscription_id": { Value: "test_subscription_id", }, @@ -585,7 +581,7 @@ func TestCreateIAM(t *testing.T) { vars: gcpVars, tf: &stubTerraform{showState: newTestState()}, fs: afero.NewMemMapFs(), - want: IAMOutput{GCP: GCPIAMOutput{SaKey: "12345678_abcdefg", ServiceAccountVMMailAddress: "test_iam_service_account_vm"}}, + want: IAMOutput{GCP: GCPIAMOutput{SaKey: "12345678_abcdefg"}}, }, "gcp init fails": { pathBase: path.Join(constants.TerraformEmbeddedDir, "iam"), @@ -618,25 +614,7 @@ func TestCreateIAM(t *testing.T) { tf: &stubTerraform{ showState: &tfjson.State{ Values: &tfjson.StateValues{ - Outputs: map[string]*tfjson.StateOutput{ - "service_account_mail_vm": {Value: "test_iam_service_account_vm"}, - }, - }, - }, - }, - fs: afero.NewMemMapFs(), - wantErr: true, - }, - "gcp no service_account_mail_vm": { - pathBase: path.Join(constants.TerraformEmbeddedDir, "iam"), - provider: cloudprovider.GCP, - vars: gcpVars, - tf: &stubTerraform{ - showState: &tfjson.State{ - Values: &tfjson.StateValues{ - Outputs: map[string]*tfjson.StateOutput{ - "service_account_key": {Value: "12345678_abcdefg"}, - }, + Outputs: map[string]*tfjson.StateOutput{}, }, }, }, @@ -799,7 +777,7 @@ func TestCreateIAM(t *testing.T) { path := path.Join(tc.pathBase, strings.ToLower(tc.provider.String())) require.NoError(c.PrepareWorkspace(path, tc.vars)) - IAMoutput, err := c.ApplyIAM(t.Context(), tc.provider, LogLevelDebug) + IAMoutput, err := c.ApplyIAM(context.Background(), tc.provider, LogLevelDebug) if tc.wantErr { assert.Error(err) @@ -841,7 +819,7 @@ func TestDestroyInstances(t *testing.T) { tf: tc.tf, } - err := c.Destroy(t.Context(), LogLevelDebug) + err := c.Destroy(context.Background(), LogLevelDebug) if tc.wantErr { assert.Error(err) return 
@@ -1073,7 +1051,7 @@ func TestPlan(t *testing.T) { workingDir: tc.pathBase, } - _, err := c.Plan(t.Context(), LogLevelDebug) + _, err := c.Plan(context.Background(), LogLevelDebug) if tc.wantErr { require.Error(err) } else { @@ -1132,7 +1110,7 @@ func TestShowPlan(t *testing.T) { workingDir: tc.pathBase, } - err := c.ShowPlan(t.Context(), LogLevelDebug, bytes.NewBuffer(nil)) + err := c.ShowPlan(context.Background(), LogLevelDebug, bytes.NewBuffer(nil)) if tc.wantErr { require.Error(err) } else { @@ -1151,8 +1129,7 @@ func TestShowIAM(t *testing.T) { "GCP success": { tf: &stubTerraform{ showState: getTfjsonState(map[string]any{ - "service_account_key": "key", - "service_account_mail_vm": "example@example.com", + "service_account_key": "key", }), }, csp: cloudprovider.GCP, @@ -1160,8 +1137,7 @@ func TestShowIAM(t *testing.T) { "GCP wrong data type": { tf: &stubTerraform{ showState: getTfjsonState(map[string]any{ - "service_account_key": map[string]any{}, - "service_account_mail_vm": "example@example.com", + "service_account_key": map[string]any{}, }), }, csp: cloudprovider.GCP, @@ -1169,9 +1145,7 @@ func TestShowIAM(t *testing.T) { }, "GCP missing key": { tf: &stubTerraform{ - showState: getTfjsonState(map[string]any{ - "service_account_mail_vm": "example@example.com", - }), + showState: getTfjsonState(map[string]any{}), }, csp: cloudprovider.GCP, wantErr: true, @@ -1320,7 +1294,7 @@ func TestShowIAM(t *testing.T) { tf: tc.tf, } - _, err := c.ShowIAM(t.Context(), tc.csp) + _, err := c.ShowIAM(context.Background(), tc.csp) if tc.wantErr { assert.Error(err) return diff --git a/cli/internal/terraform/variables.go b/cli/internal/terraform/variables.go index 4f341f0ab..86af569e0 100644 --- a/cli/internal/terraform/variables.go +++ b/cli/internal/terraform/variables.go 
@@ -141,8 +141,6 @@ type GCPClusterVariables struct { InternalLoadBalancer bool `hcl:"internal_load_balancer" cty:"internal_load_balancer"` // CCTechnology is the confidential computing technology to use on the VMs. (`SEV` or `SEV_SNP`) CCTechnology string `hcl:"cc_technology" cty:"cc_technology"` - // IAMServiceAccountControlPlane is the IAM service account mail address to attach to VMs. - IAMServiceAccountVM string `hcl:"iam_service_account_vm" cty:"iam_service_account_vm"` // AdditionalLables are (optional) additional labels that should be applied to created resources. AdditionalLabels cloudprovider.Tags `hcl:"additional_labels" cty:"additional_labels"` } @@ -184,9 +182,6 @@ type GCPIAMVariables struct { Zone string `hcl:"zone" cty:"zone"` // ServiceAccountID is the ID of the service account to use. ServiceAccountID string `hcl:"service_account_id" cty:"service_account_id"` - // IAMServiceAccountVM is the ID of the service account to attach to VMs. - // TODO(@3u13r): Eventually remove this field after v2.22 has been released. - NamePrefix string `hcl:"name_prefix,optional" cty:"name_prefix"` } // String returns a string representation of the IAM-specific variables, formatted as Terraform variables. diff --git a/cli/internal/terraform/variables_test.go b/cli/internal/terraform/variables_test.go index b39d7a161..02567c314 100644 --- a/cli/internal/terraform/variables_test.go +++ b/cli/internal/terraform/variables_test.go @@ -122,9 +122,8 @@ func TestGCPClusterVariables(t *testing.T) { DiskType: "pd-ssd", }, }, - CustomEndpoint: "example.com", - CCTechnology: "SEV_SNP", - IAMServiceAccountVM: "example@example.com", + CustomEndpoint: "example.com", + CCTechnology: "SEV_SNP", } // test that the variables are correctly rendered 
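Review bot: Dropping `IAMServiceAccountVM` from `GCPClusterVariables` and `NamePrefix` from `GCPIAMVariables` changes the set of HCL inputs that `String()` renders, but the Terraform side of this contract is not in this chunk; if the embedded GCP modules still declare `iam_service_account_vm` or `name_prefix` as inputs without defaults, `terraform plan` will fail on the missing variable. It is also worth confirming which service account the VMs are attached to once the explicit one is gone, since a project's default compute service account is usually broader than a purpose-made one. Both struct headers sit only in the hunk context lines, so the surrounding fields are not visible here.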
@@ -152,11 +151,10 @@ node_groups = { zone = "eu-central-1b" } } -custom_endpoint = "example.com" -internal_load_balancer = false -cc_technology = "SEV_SNP" -iam_service_account_vm = "example@example.com" -additional_labels = null +custom_endpoint = "example.com" +internal_load_balancer = false +cc_technology = "SEV_SNP" +additional_labels = null ` got := vars.String() assert.Equal(t, strings.Fields(want), strings.Fields(got)) // to ignore whitespace differences @@ -175,27 +173,9 @@ func TestGCPIAMVariables(t *testing.T) { region = "eu-central-1" zone = "eu-central-1a" service_account_id = "my-service-account" -name_prefix = "" ` got := vars.String() assert.Equal(t, strings.Fields(want), strings.Fields(got)) // to ignore whitespace differences - - vars = GCPIAMVariables{ - Project: "my-project", - Region: "eu-central-1", - Zone: "eu-central-1a", - NamePrefix: "my-prefix", - } - - // test that the variables are correctly rendered - want = `project_id = "my-project" -region = "eu-central-1" -zone = "eu-central-1a" -service_account_id = "" -name_prefix = "my-prefix" -` - got = vars.String() - assert.Equal(t, strings.Fields(want), strings.Fields(got)) // to ignore whitespace differences } func TestAzureClusterVariables(t *testing.T) { diff --git a/csi/cryptmapper/cryptmapper_test.go b/csi/cryptmapper/cryptmapper_test.go index e4ca49ca7..cef34cd18 100644 --- a/csi/cryptmapper/cryptmapper_test.go +++ b/csi/cryptmapper/cryptmapper_test.go @@ -202,7 +202,7 @@ func TestOpenCryptDevice(t *testing.T) { getDiskFormat: tc.diskInfo, } - out, err := mapper.OpenCryptDevice(t.Context(), tc.source, tc.volumeID, tc.integrity) + out, err := mapper.OpenCryptDevice(context.Background(), tc.source, tc.volumeID, tc.integrity) if tc.wantErr { assert.Error(err) } else { 
@@ -223,7 +223,7 @@ func TestOpenCryptDevice(t *testing.T) { kms: &fakeKMS{}, getDiskFormat: getDiskFormat, } - _, err := mapper.OpenCryptDevice(t.Context(), "/dev/some-device", "volume01", false) + _, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false) assert.NoError(t, err) } @@ -270,7 +270,7 @@ func TestResizeCryptDevice(t *testing.T) { mapper: testMapper(tc.device), } - res, err := mapper.ResizeCryptDevice(t.Context(), tc.volumeID) + res, err := mapper.ResizeCryptDevice(context.Background(), tc.volumeID) if tc.wantErr { assert.Error(err) } else { diff --git a/csi/kms/constellation_test.go b/csi/kms/constellation_test.go index 06427e672..3b82a8c1c 100644 --- a/csi/kms/constellation_test.go +++ b/csi/kms/constellation_test.go @@ -57,7 +57,7 @@ func TestConstellationKMS(t *testing.T) { endpoint: listener.Addr().String(), kms: tc.kms, } - res, err := kms.GetDEK(t.Context(), "data-key", 64) + res, err := kms.GetDEK(context.Background(), "data-key", 64) if tc.wantErr { assert.Error(err) diff --git a/csi/test/BUILD.bazel b/csi/test/BUILD.bazel index c2c5b1071..5a27fdf89 100644 --- a/csi/test/BUILD.bazel +++ b/csi/test/BUILD.bazel @@ -42,14 +42,14 @@ go_test( "//csi/cryptmapper", "@com_github_stretchr_testify//assert", "@com_github_stretchr_testify//require", - "@io_bazel_rules_go//go/runfiles", + "@io_bazel_rules_go//go/runfiles:go_default_library", "@org_uber_go_goleak//:goleak", ], "@io_bazel_rules_go//go/platform:linux": [ "//csi/cryptmapper", "@com_github_stretchr_testify//assert", "@com_github_stretchr_testify//require", - "@io_bazel_rules_go//go/runfiles", + "@io_bazel_rules_go//go/runfiles:go_default_library", "@org_uber_go_goleak//:goleak", ], "//conditions:default": [], diff --git a/csi/test/mount_integration_test.go b/csi/test/mount_integration_test.go index 585677998..36e9f7b15 100644 --- a/csi/test/mount_integration_test.go +++ b/csi/test/mount_integration_test.go 
@@ -105,7 +105,7 @@ func TestOpenAndClose(t *testing.T) { mapper := cryptmapper.New(&fakeKMS{}) - newPath, err := mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, false) + newPath, err := mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, false) require.NoError(err) defer func() { _ = mapper.CloseCryptDevice(deviceName) @@ -119,14 +119,14 @@ func TestOpenAndClose(t *testing.T) { assert.True(os.IsNotExist(err)) // Opening the same device should return the same path and not error - newPath2, err := mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, false) + newPath2, err := mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, false) require.NoError(err) assert.Equal(newPath, newPath2) // Resize the device resize(devicePath) - resizedPath, err := mapper.ResizeCryptDevice(t.Context(), deviceName) + resizedPath, err := mapper.ResizeCryptDevice(context.Background(), deviceName) require.NoError(err) assert.Equal("/dev/mapper/"+deviceName, resizedPath) @@ -137,7 +137,7 @@ func TestOpenAndClose(t *testing.T) { assert.True(os.IsNotExist(err)) // check if we can reopen the device - _, err = mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, true) + _, err = mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, true) assert.NoError(err) assert.NoError(mapper.CloseCryptDevice(deviceName)) } @@ -150,7 +150,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) { mapper := cryptmapper.New(&fakeKMS{}) - newPath, err := mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, true) + newPath, err := mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, true) require.NoError(err) assert.Equal("/dev/mapper/"+deviceName, newPath) 
@@ -162,13 +162,13 @@ func TestOpenAndCloseIntegrity(t *testing.T) { assert.NoError(err) // Opening the same device should return the same path and not error - newPath2, err := mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, true) + newPath2, err := mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, true) require.NoError(err) assert.Equal(newPath, newPath2) // integrity devices do not support resizing resize(devicePath) - _, err = mapper.ResizeCryptDevice(t.Context(), deviceName) + _, err = mapper.ResizeCryptDevice(context.Background(), deviceName) assert.Error(err) assert.NoError(mapper.CloseCryptDevice(deviceName)) @@ -181,7 +181,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) { assert.True(os.IsNotExist(err)) // check if we can reopen the device - _, err = mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, true) + _, err = mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, true) assert.NoError(err) assert.NoError(mapper.CloseCryptDevice(deviceName)) } @@ -194,13 +194,13 @@ func TestDeviceCloning(t *testing.T) { mapper := cryptmapper.New(&dynamicKMS{}) - _, err := mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, false) + _, err := mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, false) assert.NoError(err) require.NoError(cp(devicePath, devicePath+"-copy")) defer teardown(devicePath + "-copy") - _, err = mapper.OpenCryptDevice(t.Context(), devicePath+"-copy", deviceName+"-copy", false) + _, err = mapper.OpenCryptDevice(context.Background(), devicePath+"-copy", deviceName+"-copy", false) assert.NoError(err) assert.NoError(mapper.CloseCryptDevice(deviceName)) 
@@ -220,7 +220,7 @@ func TestConcurrency(t *testing.T) { wg := sync.WaitGroup{} runTest := func(path, name string) { - newPath, err := mapper.OpenCryptDevice(t.Context(), path, name, false) + newPath, err := mapper.OpenCryptDevice(context.Background(), path, name, false) assert.NoError(err) defer func() { _ = mapper.CloseCryptDevice(name) diff --git a/debugd/filebeat/Dockerfile b/debugd/filebeat/Dockerfile index f5badcf9a..2aa6f6b4c 100644 --- a/debugd/filebeat/Dockerfile +++ b/debugd/filebeat/Dockerfile @@ -1,4 +1,4 @@ -FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release +FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS release RUN dnf install -y https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.6.2-x86_64.rpm diff --git a/debugd/internal/debugd/deploy/download_test.go b/debugd/internal/debugd/deploy/download_test.go index 6984f3e87..8477377c5 100644 --- a/debugd/internal/debugd/deploy/download_test.go +++ b/debugd/internal/debugd/deploy/download_test.go @@ -123,7 +123,7 @@ func TestDownloadDeployment(t *testing.T) { serviceManager: serviceMgr, } - err := download.DownloadDeployment(t.Context(), ip) + err := download.DownloadDeployment(context.Background(), ip) if tc.wantErr { assert.Error(err) @@ -194,7 +194,7 @@ func TestDownloadInfo(t *testing.T) { info: &tc.infoSetter, } - err := download.DownloadInfo(t.Context(), ip) + err := download.DownloadInfo(context.Background(), ip) if tc.wantErr { assert.Error(err) diff --git a/debugd/internal/debugd/deploy/service_test.go b/debugd/internal/debugd/deploy/service_test.go index 392809f9e..f0b398333 100644 --- a/debugd/internal/debugd/deploy/service_test.go +++ b/debugd/internal/debugd/deploy/service_test.go 
@@ -108,7 +108,7 @@ func TestSystemdAction(t *testing.T) { fs: fs, systemdUnitFilewriteLock: sync.Mutex{}, } - err := manager.SystemdAction(t.Context(), ServiceManagerRequest{ + err := manager.SystemdAction(context.Background(), ServiceManagerRequest{ Unit: unitName, Action: tc.action, }) @@ -188,7 +188,7 @@ func TestWriteSystemdUnitFile(t *testing.T) { fs: fs, systemdUnitFilewriteLock: sync.Mutex{}, } - err := manager.WriteSystemdUnitFile(t.Context(), tc.unit) + err := manager.WriteSystemdUnitFile(context.Background(), tc.unit) if tc.wantErr { assert.Error(err) @@ -302,7 +302,7 @@ func TestOverrideServiceUnitExecStart(t *testing.T) { fs: fs, systemdUnitFilewriteLock: sync.Mutex{}, } - err := manager.OverrideServiceUnitExecStart(t.Context(), tc.unitName, tc.execStart) + err := manager.OverrideServiceUnitExecStart(context.Background(), tc.unitName, tc.execStart) if tc.wantErr { assert.Error(err) diff --git a/debugd/internal/debugd/logcollector/credentials_test.go b/debugd/internal/debugd/logcollector/credentials_test.go index acbfee99c..19d113c99 100644 --- a/debugd/internal/debugd/logcollector/credentials_test.go +++ b/debugd/internal/debugd/logcollector/credentials_test.go @@ -67,7 +67,7 @@ func TestGetOpensearchCredentialsGCP(t *testing.T) { g := &gcpCloudCredentialGetter{secretsAPI: tc.gcpAPI} - gotCreds, err := g.GetOpensearchCredentials(t.Context()) + gotCreds, err := g.GetOpensearchCredentials(context.Background()) if tc.wantErr { assert.Error(err) @@ -127,7 +127,7 @@ func TestGetOpensearchCredentialsAzure(t *testing.T) { a := &azureCloudCredentialGetter{secretsAPI: tc.azureAPI} - gotCreds, err := a.GetOpensearchCredentials(t.Context()) + gotCreds, err := a.GetOpensearchCredentials(context.Background()) if tc.wantErr { assert.Error(err) 
@@ -184,7 +184,7 @@ func TestGetOpensearchCredentialsAWS(t *testing.T) { a := &awsCloudCredentialGetter{secretmanager: tc.awsAPI} - gotCreds, err := a.GetOpensearchCredentials(t.Context()) + gotCreds, err := a.GetOpensearchCredentials(context.Background()) if tc.wantErr { assert.Error(err) diff --git a/debugd/internal/debugd/metadata/cloudprovider/cloudprovider_test.go b/debugd/internal/debugd/metadata/cloudprovider/cloudprovider_test.go index 2785165b4..e7cbf23e5 100644 --- a/debugd/internal/debugd/metadata/cloudprovider/cloudprovider_test.go +++ b/debugd/internal/debugd/metadata/cloudprovider/cloudprovider_test.go @@ -56,7 +56,7 @@ func TestRole(t *testing.T) { fetcher := Fetcher{tc.meta} - role, err := fetcher.Role(t.Context()) + role, err := fetcher.Role(context.Background()) if tc.wantErr { assert.Error(err) @@ -110,7 +110,7 @@ func TestDiscoverDebugIPs(t *testing.T) { fetcher := Fetcher{ metaAPI: &tc.meta, } - ips, err := fetcher.DiscoverDebugdIPs(t.Context()) + ips, err := fetcher.DiscoverDebugdIPs(context.Background()) if tc.wantErr { assert.Error(err) @@ -149,7 +149,7 @@ func TestDiscoverLoadBalancerIP(t *testing.T) { metaAPI: tc.metaAPI, } - ip, err := fetcher.DiscoverLoadBalancerIP(t.Context()) + ip, err := fetcher.DiscoverLoadBalancerIP(context.Background()) if tc.wantErr { assert.Error(err) diff --git a/debugd/internal/debugd/metadata/fallback/fallback_test.go b/debugd/internal/debugd/metadata/fallback/fallback_test.go index 62755d6e8..9ec2d4e0b 100644 --- a/debugd/internal/debugd/metadata/fallback/fallback_test.go +++ b/debugd/internal/debugd/metadata/fallback/fallback_test.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package fallback import ( + "context" "testing" "github.com/edgelesssys/constellation/v2/internal/role" 
@@ -22,19 +23,19 @@ func TestDiscoverDebugdIPs(t *testing.T) { assert := assert.New(t) fetcher := NewFallbackFetcher() - ips, err := fetcher.DiscoverDebugdIPs(t.Context()) + ips, err := fetcher.DiscoverDebugdIPs(context.Background()) assert.NoError(err) assert.Empty(ips) - rol, err := fetcher.Role(t.Context()) + rol, err := fetcher.Role(context.Background()) assert.NoError(err) assert.Equal(rol, role.Unknown) - uid, err := fetcher.UID(t.Context()) + uid, err := fetcher.UID(context.Background()) assert.NoError(err) assert.Empty(uid) - self, err := fetcher.Self(t.Context()) + self, err := fetcher.Self(context.Background()) assert.NoError(err) assert.Empty(self) } diff --git a/debugd/internal/debugd/metadata/scheduler_test.go b/debugd/internal/debugd/metadata/scheduler_test.go index ad543fb96..13f9d4707 100644 --- a/debugd/internal/debugd/metadata/scheduler_test.go +++ b/debugd/internal/debugd/metadata/scheduler_test.go @@ -91,7 +91,7 @@ func TestSchedulerStart(t *testing.T) { } wg := &sync.WaitGroup{} - scheduler.Start(t.Context(), wg) + scheduler.Start(context.Background(), wg) wg.Wait() assert.Equal(tc.wantDeploymentDownloads, tc.downloader.downloadDeploymentIPs) diff --git a/debugd/internal/debugd/server/server_test.go b/debugd/internal/debugd/server/server_test.go index 0152da7aa..30d2a2c9e 100644 --- a/debugd/internal/debugd/server/server_test.go +++ b/debugd/internal/debugd/server/server_test.go @@ -79,7 +79,7 @@ func TestSetInfo(t *testing.T) { defer conn.Close() client := pb.NewDebugdClient(conn) - setInfoStatus, err := client.SetInfo(t.Context(), &pb.SetInfoRequest{Info: tc.setInfo}) + setInfoStatus, err := client.SetInfo(context.Background(), &pb.SetInfoRequest{Info: tc.setInfo}) grpcServ.GracefulStop() assert.NoError(err) 
@@ -137,7 +137,7 @@ func TestGetInfo(t *testing.T) { defer conn.Close() client := pb.NewDebugdClient(conn) - resp, err := client.GetInfo(t.Context(), &pb.GetInfoRequest{}) + resp, err := client.GetInfo(context.Background(), &pb.GetInfoRequest{}) grpcServ.GracefulStop() if tc.wantErr { @@ -201,7 +201,7 @@ func TestUploadFiles(t *testing.T) { require.NoError(err) defer conn.Close() client := pb.NewDebugdClient(conn) - stream, err := client.UploadFiles(t.Context()) + stream, err := client.UploadFiles(context.Background()) require.NoError(err) resp, err := stream.CloseAndRecv() @@ -245,7 +245,7 @@ func TestDownloadFiles(t *testing.T) { require.NoError(err) defer conn.Close() client := pb.NewDebugdClient(conn) - stream, err := client.DownloadFiles(t.Context(), tc.request) + stream, err := client.DownloadFiles(context.Background(), tc.request) require.NoError(err) _, recvErr := stream.Recv() if tc.wantRecvErr { @@ -324,7 +324,7 @@ func TestUploadSystemServiceUnits(t *testing.T) { require.NoError(err) defer conn.Close() client := pb.NewDebugdClient(conn) - resp, err := client.UploadSystemServiceUnits(t.Context(), tc.request) + resp, err := client.UploadSystemServiceUnits(context.Background(), tc.request) grpcServ.GracefulStop() diff --git a/debugd/logstash/Dockerfile b/debugd/logstash/Dockerfile index 8d538596a..e0db1695a 100644 --- a/debugd/logstash/Dockerfile +++ b/debugd/logstash/Dockerfile 
@@ -1,11 +1,11 @@
-FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS build
+FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS build
ARG LOGSTASH_VER=8.6.1
RUN curl -fsSLO https://artifacts.opensearch.org/logstash/logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz
RUN tar -zxvf logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz
-FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release
+FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS release
COPY --from=build logstash-* /usr/share/logstash
diff --git a/debugd/metricbeat/Dockerfile b/debugd/metricbeat/Dockerfile
index 11694af43..108882355 100644
--- a/debugd/metricbeat/Dockerfile
+++ b/debugd/metricbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release
+FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS release
RUN dnf install -y https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-8.9.2-x86_64.rpm
diff --git a/debugd/service/debugd.pb.go b/debugd/service/debugd.pb.go
index 8414c895f..ac419ec40 100644
--- a/debugd/service/debugd.pb.go
+++ b/debugd/service/debugd.pb.go
@@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 -// protoc v5.29.1 +// protoc-gen-go v1.35.2 +// protoc v5.29.0--rc2 // source: debugd/service/debugd.proto package service
@@ -15,7 +15,6 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" - unsafe "unsafe" ) const (
@@ -173,10 +172,11 @@ func (UploadSystemdServiceUnitsStatus) EnumDescriptor() ([]byte, []int) { } type SetInfoRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - Info []*Info `protobuf:"bytes,1,rep,name=info,proto3" json:"info,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Info []*Info `protobuf:"bytes,1,rep,name=info,proto3" json:"info,omitempty"` } func (x *SetInfoRequest) Reset() { @@ -217,10 +217,11 @@ func (x *SetInfoRequest) GetInfo() []*Info { } type SetInfoResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Status SetInfoStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.SetInfoStatus" json:"status,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Status SetInfoStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.SetInfoStatus" json:"status,omitempty"` } func (x *SetInfoResponse) Reset() { @@ -261,9 +262,9 @@ func (x *SetInfoResponse) GetStatus() SetInfoStatus { } type GetInfoRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields } func (x *GetInfoRequest) Reset() { @@ -297,10 +298,11 @@ func (*GetInfoRequest) Descriptor() ([]byte, []int) { } type GetInfoResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Info []*Info `protobuf:"bytes,1,rep,name=info,proto3" json:"info,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Info []*Info `protobuf:"bytes,1,rep,name=info,proto3" json:"info,omitempty"` } func (x *GetInfoResponse) Reset() { 
@@ -341,11 +343,12 @@ func (x *GetInfoResponse) GetInfo() []*Info { } type Info struct { - state protoimpl.MessageState `protogen:"open.v1"` - Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` - Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` + Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"` } func (x *Info) Reset() { @@ -393,9 +396,9 @@ func (x *Info) GetValue() string { } type DownloadFilesRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields } func (x *DownloadFilesRequest) Reset() { @@ -429,14 +432,15 @@ func (*DownloadFilesRequest) Descriptor() ([]byte, []int) { } type FileTransferMessage struct { - state protoimpl.MessageState `protogen:"open.v1"` - // Types that are valid to be assigned to Kind: + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Kind: // // *FileTransferMessage_Header // *FileTransferMessage_Chunk - Kind isFileTransferMessage_Kind `protobuf_oneof:"kind"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + Kind isFileTransferMessage_Kind `protobuf_oneof:"kind"` } func (x *FileTransferMessage) Reset() { 
@@ -469,27 +473,23 @@ func (*FileTransferMessage) Descriptor() ([]byte, []int) { return file_debugd_service_debugd_proto_rawDescGZIP(), []int{6} } -func (x *FileTransferMessage) GetKind() isFileTransferMessage_Kind { - if x != nil { - return x.Kind +func (m *FileTransferMessage) GetKind() isFileTransferMessage_Kind { + if m != nil { + return m.Kind } return nil } func (x *FileTransferMessage) GetHeader() *FileTransferHeader { - if x != nil { - if x, ok := x.Kind.(*FileTransferMessage_Header); ok { - return x.Header - } + if x, ok := x.GetKind().(*FileTransferMessage_Header); ok { + return x.Header } return nil } func (x *FileTransferMessage) GetChunk() *Chunk { - if x != nil { - if x, ok := x.Kind.(*FileTransferMessage_Chunk); ok { - return x.Chunk - } + if x, ok := x.GetKind().(*FileTransferMessage_Chunk); ok { + return x.Chunk } return nil } @@ -511,12 +511,13 @@ func (*FileTransferMessage_Header) isFileTransferMessage_Kind() {} func (*FileTransferMessage_Chunk) isFileTransferMessage_Kind() {} type FileTransferHeader struct { - state protoimpl.MessageState `protogen:"open.v1"` - TargetPath string `protobuf:"bytes,1,opt,name=targetPath,proto3" json:"targetPath,omitempty"` - Mode uint32 `protobuf:"varint,3,opt,name=mode,proto3" json:"mode,omitempty"` - OverrideServiceUnit *string `protobuf:"bytes,4,opt,name=overrideServiceUnit,proto3,oneof" json:"overrideServiceUnit,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + TargetPath string `protobuf:"bytes,1,opt,name=targetPath,proto3" json:"targetPath,omitempty"` + Mode uint32 `protobuf:"varint,3,opt,name=mode,proto3" json:"mode,omitempty"` + OverrideServiceUnit *string `protobuf:"bytes,4,opt,name=overrideServiceUnit,proto3,oneof" json:"overrideServiceUnit,omitempty"` } func (x *FileTransferHeader) Reset() { 
@@ -571,11 +572,12 @@ func (x *FileTransferHeader) GetOverrideServiceUnit() string { } type Chunk struct { - state protoimpl.MessageState `protogen:"open.v1"` - Content []byte `protobuf:"bytes,1,opt,name=content,proto3" json:"content,omitempty"` - Last bool `protobuf:"varint,2,opt,name=last,proto3" json:"last,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Content []byte `protobuf:"bytes,1,opt,name=content,proto3" json:"content,omitempty"` + Last bool `protobuf:"varint,2,opt,name=last,proto3" json:"last,omitempty"` } func (x *Chunk) Reset() { @@ -623,11 +625,12 @@ func (x *Chunk) GetLast() bool { } type UploadFilesResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Status UploadFilesStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.UploadFilesStatus" json:"status,omitempty"` - Error string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Status UploadFilesStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.UploadFilesStatus" json:"status,omitempty"` + Error string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"` } func (x *UploadFilesResponse) Reset() { 
@@ -675,11 +678,12 @@ func (x *UploadFilesResponse) GetError() string { } type ServiceUnit struct { - state protoimpl.MessageState `protogen:"open.v1"` - Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` - Contents string `protobuf:"bytes,2,opt,name=contents,proto3" json:"contents,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + Contents string `protobuf:"bytes,2,opt,name=contents,proto3" json:"contents,omitempty"` } func (x *ServiceUnit) Reset() { @@ -727,10 +731,11 @@ func (x *ServiceUnit) GetContents() string { } type UploadSystemdServiceUnitsRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - Units []*ServiceUnit `protobuf:"bytes,1,rep,name=units,proto3" json:"units,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Units []*ServiceUnit `protobuf:"bytes,1,rep,name=units,proto3" json:"units,omitempty"` } func (x *UploadSystemdServiceUnitsRequest) Reset() { @@ -771,10 +776,11 @@ func (x *UploadSystemdServiceUnitsRequest) GetUnits() []*ServiceUnit { } type UploadSystemdServiceUnitsResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Status UploadSystemdServiceUnitsStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.UploadSystemdServiceUnitsStatus" json:"status,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Status UploadSystemdServiceUnitsStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.UploadSystemdServiceUnitsStatus" json:"status,omitempty"` } func (x *UploadSystemdServiceUnitsResponse) Reset() { 
@@ -816,71 +822,130 @@ func (x *UploadSystemdServiceUnitsResponse) GetStatus() UploadSystemdServiceUnit var File_debugd_service_debugd_proto protoreflect.FileDescriptor -const file_debugd_service_debugd_proto_rawDesc = "" + - "\n" + - "\x1bdebugd/service/debugd.proto\x12\x06debugd\"2\n" + - "\x0eSetInfoRequest\x12 \n" + - "\x04info\x18\x01 \x03(\v2\f.debugd.InfoR\x04info\"@\n" + - "\x0fSetInfoResponse\x12-\n" + - "\x06status\x18\x01 \x01(\x0e2\x15.debugd.SetInfoStatusR\x06status\"\x10\n" + - "\x0eGetInfoRequest\"3\n" + - "\x0fGetInfoResponse\x12 \n" + - "\x04info\x18\x01 \x03(\v2\f.debugd.InfoR\x04info\".\n" + - "\x04Info\x12\x10\n" + - "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value\"\x16\n" + - "\x14DownloadFilesRequest\"z\n" + - "\x13FileTransferMessage\x124\n" + - "\x06header\x18\x01 \x01(\v2\x1a.debugd.FileTransferHeaderH\x00R\x06header\x12%\n" + - "\x05chunk\x18\x02 \x01(\v2\r.debugd.ChunkH\x00R\x05chunkB\x06\n" + - "\x04kind\"\x97\x01\n" + - "\x12FileTransferHeader\x12\x1e\n" + - "\n" + - "targetPath\x18\x01 \x01(\tR\n" + - "targetPath\x12\x12\n" + - "\x04mode\x18\x03 \x01(\rR\x04mode\x125\n" + - "\x13overrideServiceUnit\x18\x04 \x01(\tH\x00R\x13overrideServiceUnit\x88\x01\x01B\x16\n" + - "\x14_overrideServiceUnit\"5\n" + - "\x05Chunk\x12\x18\n" + - "\acontent\x18\x01 \x01(\fR\acontent\x12\x12\n" + - "\x04last\x18\x02 \x01(\bR\x04last\"^\n" + - "\x13UploadFilesResponse\x121\n" + - "\x06status\x18\x01 \x01(\x0e2\x19.debugd.UploadFilesStatusR\x06status\x12\x14\n" + - "\x05error\x18\x02 \x01(\tR\x05error\"=\n" + - "\vServiceUnit\x12\x12\n" + - "\x04name\x18\x01 \x01(\tR\x04name\x12\x1a\n" + - "\bcontents\x18\x02 \x01(\tR\bcontents\"M\n" + - " UploadSystemdServiceUnitsRequest\x12)\n" + - "\x05units\x18\x01 \x03(\v2\x13.debugd.ServiceUnitR\x05units\"d\n" + - "!UploadSystemdServiceUnitsResponse\x12?\n" + - "\x06status\x18\x01 \x01(\x0e2'.debugd.UploadSystemdServiceUnitsStatusR\x06status*?\n" + - "\rSetInfoStatus\x12\x14\n" + - 
"\x10SET_INFO_SUCCESS\x10\x00\x12\x18\n" + - "\x14SET_INFO_ALREADY_SET\x10\x01*\xb1\x01\n" + - "\x11UploadFilesStatus\x12\x18\n" + - "\x14UPLOAD_FILES_SUCCESS\x10\x00\x12\x1e\n" + - "\x1aUPLOAD_FILES_UPLOAD_FAILED\x10\x01\x12 \n" + - "\x1cUPLOAD_FILES_ALREADY_STARTED\x10\x02\x12!\n" + - "\x1dUPLOAD_FILES_ALREADY_FINISHED\x10\x03\x12\x1d\n" + - "\x19UPLOAD_FILES_START_FAILED\x10\x04*u\n" + - "\x1fUploadSystemdServiceUnitsStatus\x12(\n" + - "$UPLOAD_SYSTEMD_SERVICE_UNITS_SUCCESS\x10\x00\x12(\n" + - "$UPLOAD_SYSTEMD_SERVICE_UNITS_FAILURE\x10\x012\x94\x03\n" + - "\x06Debugd\x12<\n" + - "\aSetInfo\x12\x16.debugd.SetInfoRequest\x1a\x17.debugd.SetInfoResponse\"\x00\x12<\n" + - "\aGetInfo\x12\x16.debugd.GetInfoRequest\x1a\x17.debugd.GetInfoResponse\"\x00\x12K\n" + - "\vUploadFiles\x12\x1b.debugd.FileTransferMessage\x1a\x1b.debugd.UploadFilesResponse\"\x00(\x01\x12N\n" + - "\rDownloadFiles\x12\x1c.debugd.DownloadFilesRequest\x1a\x1b.debugd.FileTransferMessage\"\x000\x01\x12q\n" + - "\x18UploadSystemServiceUnits\x12(.debugd.UploadSystemdServiceUnitsRequest\x1a).debugd.UploadSystemdServiceUnitsResponse\"\x00B8Z6github.com/edgelesssys/constellation/v2/debugd/serviceb\x06proto3" +var file_debugd_service_debugd_proto_rawDesc = []byte{ + 0x0a, 0x1b, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x2f, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06, 0x64, + 0x65, 0x62, 0x75, 0x67, 0x64, 0x22, 0x32, 0x0a, 0x0e, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x20, 0x0a, 0x04, 0x69, 0x6e, 0x66, 0x6f, 0x18, + 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0c, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x49, + 0x6e, 0x66, 0x6f, 0x52, 0x04, 0x69, 0x6e, 0x66, 0x6f, 0x22, 0x40, 0x0a, 0x0f, 0x53, 0x65, 0x74, + 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2d, 0x0a, 0x06, + 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 
0x0e, 0x32, 0x15, 0x2e, 0x64, + 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x10, 0x0a, 0x0e, 0x47, + 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x33, 0x0a, + 0x0f, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x20, 0x0a, 0x04, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0c, + 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x04, 0x69, 0x6e, + 0x66, 0x6f, 0x22, 0x2e, 0x0a, 0x04, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, + 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x22, 0x16, 0x0a, 0x14, 0x44, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, + 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x7a, 0x0a, 0x13, 0x46, 0x69, + 0x6c, 0x65, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, + 0x65, 0x12, 0x34, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1a, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x54, + 0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00, 0x52, + 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x25, 0x0a, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, + 0x43, 0x68, 0x75, 0x6e, 0x6b, 0x48, 0x00, 0x52, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x42, 0x06, + 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x22, 0x97, 0x01, 0x0a, 0x12, 0x46, 0x69, 0x6c, 0x65, 0x54, + 0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x1e, 0x0a, + 0x0a, 
0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x61, 0x74, 0x68, 0x12, 0x12, 0x0a, + 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x6d, 0x6f, 0x64, + 0x65, 0x12, 0x35, 0x0a, 0x13, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x53, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, + 0x52, 0x13, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x55, 0x6e, 0x69, 0x74, 0x88, 0x01, 0x01, 0x42, 0x16, 0x0a, 0x14, 0x5f, 0x6f, 0x76, 0x65, + 0x72, 0x72, 0x69, 0x64, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, + 0x22, 0x35, 0x0a, 0x05, 0x43, 0x68, 0x75, 0x6e, 0x6b, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, + 0x74, 0x65, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, + 0x65, 0x6e, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6c, 0x61, 0x73, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x08, 0x52, 0x04, 0x6c, 0x61, 0x73, 0x74, 0x22, 0x5e, 0x0a, 0x13, 0x55, 0x70, 0x6c, 0x6f, 0x61, + 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x31, + 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x19, + 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, + 0x6c, 0x65, 0x73, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, + 0x73, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x3d, 0x0a, 0x0b, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x63, 0x6f, + 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x73, 0x18, 
0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x63, 0x6f, + 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x4d, 0x0a, 0x20, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, + 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, + 0x69, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x29, 0x0a, 0x05, 0x75, 0x6e, + 0x69, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x64, 0x65, 0x62, 0x75, + 0x67, 0x64, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x52, 0x05, + 0x75, 0x6e, 0x69, 0x74, 0x73, 0x22, 0x64, 0x0a, 0x21, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, + 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, + 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x06, 0x73, 0x74, + 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x62, + 0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, + 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x2a, 0x3f, 0x0a, 0x0d, 0x53, + 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x14, 0x0a, 0x10, + 0x53, 0x45, 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x5f, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53, + 0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x45, 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x5f, 0x41, + 0x4c, 0x52, 0x45, 0x41, 0x44, 0x59, 0x5f, 0x53, 0x45, 0x54, 0x10, 0x01, 0x2a, 0xb1, 0x01, 0x0a, + 0x11, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x53, 0x74, 0x61, 0x74, + 0x75, 0x73, 0x12, 0x18, 0x0a, 0x14, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, + 0x45, 0x53, 0x5f, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53, 0x10, 0x00, 0x12, 0x1e, 0x0a, 0x1a, + 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x53, 0x5f, 
0x55, 0x50, 0x4c, + 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x01, 0x12, 0x20, 0x0a, 0x1c, + 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x53, 0x5f, 0x41, 0x4c, 0x52, + 0x45, 0x41, 0x44, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x52, 0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x21, + 0x0a, 0x1d, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x53, 0x5f, 0x41, + 0x4c, 0x52, 0x45, 0x41, 0x44, 0x59, 0x5f, 0x46, 0x49, 0x4e, 0x49, 0x53, 0x48, 0x45, 0x44, 0x10, + 0x03, 0x12, 0x1d, 0x0a, 0x19, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45, + 0x53, 0x5f, 0x53, 0x54, 0x41, 0x52, 0x54, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x04, + 0x2a, 0x75, 0x0a, 0x1f, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, + 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x12, 0x28, 0x0a, 0x24, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x53, 0x59, + 0x53, 0x54, 0x45, 0x4d, 0x44, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x5f, 0x55, 0x4e, + 0x49, 0x54, 0x53, 0x5f, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53, 0x10, 0x00, 0x12, 0x28, 0x0a, + 0x24, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x53, 0x59, 0x53, 0x54, 0x45, 0x4d, 0x44, 0x5f, + 0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x5f, 0x55, 0x4e, 0x49, 0x54, 0x53, 0x5f, 0x46, 0x41, + 0x49, 0x4c, 0x55, 0x52, 0x45, 0x10, 0x01, 0x32, 0x94, 0x03, 0x0a, 0x06, 0x44, 0x65, 0x62, 0x75, + 0x67, 0x64, 0x12, 0x3c, 0x0a, 0x07, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x16, 0x2e, + 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x53, + 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, + 0x12, 0x3c, 0x0a, 0x07, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x16, 0x2e, 0x64, 0x65, + 0x62, 0x75, 0x67, 
0x64, 0x2e, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x47, 0x65, 0x74, + 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x4b, + 0x0a, 0x0b, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x1b, 0x2e, + 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x54, 0x72, 0x61, 0x6e, 0x73, + 0x66, 0x65, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1b, 0x2e, 0x64, 0x65, 0x62, + 0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x12, 0x4e, 0x0a, 0x0d, 0x44, + 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x1c, 0x2e, 0x64, + 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x44, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, + 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1b, 0x2e, 0x64, 0x65, 0x62, + 0x75, 0x67, 0x64, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, + 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x71, 0x0a, 0x18, 0x55, + 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x12, 0x28, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, + 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x29, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, + 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, + 0x6e, 0x69, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x38, + 0x5a, 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 
0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, + 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, + 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, + 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} var ( file_debugd_service_debugd_proto_rawDescOnce sync.Once - file_debugd_service_debugd_proto_rawDescData []byte + file_debugd_service_debugd_proto_rawDescData = file_debugd_service_debugd_proto_rawDesc ) func file_debugd_service_debugd_proto_rawDescGZIP() []byte { file_debugd_service_debugd_proto_rawDescOnce.Do(func() { - file_debugd_service_debugd_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_debugd_service_debugd_proto_rawDesc), len(file_debugd_service_debugd_proto_rawDesc))) + file_debugd_service_debugd_proto_rawDescData = protoimpl.X.CompressGZIP(file_debugd_service_debugd_proto_rawDescData) }) return file_debugd_service_debugd_proto_rawDescData } @@ -945,7 +1010,7 @@ func file_debugd_service_debugd_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_debugd_service_debugd_proto_rawDesc), len(file_debugd_service_debugd_proto_rawDesc)), + RawDescriptor: file_debugd_service_debugd_proto_rawDesc, NumEnums: 3, NumMessages: 13, NumExtensions: 0, @@ -957,6 +1022,7 @@ func file_debugd_service_debugd_proto_init() { MessageInfos: file_debugd_service_debugd_proto_msgTypes, }.Build() File_debugd_service_debugd_proto = out.File + file_debugd_service_debugd_proto_rawDesc = nil file_debugd_service_debugd_proto_goTypes = nil file_debugd_service_debugd_proto_depIdxs = nil } diff --git a/dev-docs/howto/longhorn.md b/dev-docs/howto/longhorn.md index 61e791a74..6c13c9d6e 100644 --- a/dev-docs/howto/longhorn.md +++ b/dev-docs/howto/longhorn.md 
@@ -1,6 +1,6 @@ # Longhorn on Constellatioin -To build Longhorn compatible images, apply the following changes. Those stem from [their installation guide](https://longhorn.io/docs/1.7.2/deploy/install/#installation-requirements). +To build Longhorn compatible images, apply the following changes. Those stem from [their installation guide](https://longhorn.io/docs/1.5.3/deploy/install/#installation-requirements). ```diff diff --git a/image/mkosi.conf.d/azure.conf b/image/mkosi.conf.d/azure.conf diff --git a/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl b/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl index a4e090c0d..0e0fc1026 100644 --- a/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl +++ b/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl 
@@ -2,62 +2,62 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.29.0" - constraints = "4.29.0" + version = "4.12.0" + constraints = "4.12.0" hashes = [ - "h1:Bde/KCh2xGVCBx/JnixC3I2fmoRTwHXgsapfQ5QG8eg=", - "h1:IyINmgNiLfWx3Istkt5Mz+IJrDhSMhj3/qQeJlC4qS4=", - "h1:KEJAt0mJAACyIKUB5mCk/wqtxKMhivdeW8w6byz5Ll4=", - "h1:Y4gTSs+ZE5YSJVXG2qmsbXmv9Daq5aGM8Ip/GE6nev8=", - "h1:YtcHvTVfVBKbMCp9esoj527R1UK/hU0Zmo3pyQb8YhQ=", - "h1:atJdgnuqk+w3v4Zzhw2B1FZeYYA4su9JfanwNsx+c8o=", - "h1:c9tmtEdVTb9siGa3hVxPrMVl9ij5zijnD02JMHcHjrE=", - "h1:eN0KhMGVepEPpSA+YN5Kaz/v9PFKCafbkqqBzpLJf+g=", - "h1:hNVKlXTx2duXnR6SNKtyQMx7zSIlrxBu66Z0gbyfv3c=", - "h1:jC2GJo4VzTKnKociUDLVv8/+u9Mz+4scZrqbEasV+Y0=", - "h1:m3xYvc9X0pec0Zd1dpn82ALQ+6vwz56RnF/3CbkI2Eg=", - "zh:16590eea68c7c8aedb7af19f690eb34ab6636ef417b3fa9e06ca038fdb4c44b8", - "zh:1c907dfe44d00a54aa63d443004add90188f9a53ef3e919aff8aba92f715f42b", - "zh:258a0ff4198d80cae33c89091cd556d84c1b522c4416458484f23719a0cdf4cc", - "zh:587f5e9b2b33e51b18fb0f372025c961c3f57f2958b388459dd8432412650bda", - "zh:6318ca03bd9dbac272a75bb193688c7d4c4b45c7460289820528f31bcd6c3fe9", - "zh:63e4e8128e26e4c3e0c3b6582ef527245eb35eb5c80ad278dc675ebdf71edeaf", - "zh:845c898a27a84a15ba26e95ee66ac9563f81bc672b5ca216af82d87fe09bd5f8", - "zh:8fa6434fa212d5501185f0adc985d3a3c1e0f449c78f040a4ca640cb1e809cac", - "zh:9b49c0d72ab19aab43b2b48d23c5dddbbe29afae1569a987e6f20ed4c80ddf4c", - "zh:b14cc1ee5e3acf52490de7dd9791cce7953c0ee4bcccf0306aafd256568bd69f", - "zh:cd444836b2579fa42bfca2ae6145d394c41b6438b1ae01078c060bfaf803bb4d", + "h1:2tHjSJI1VW6sUL042kwkTfmOF3rAjZmYzpFucBq0EjQ=", + "h1:3TmHdOUKadLf5mJfYqm2OpsA/jiuqmEvCmR1EnaluF0=", + "h1:81V4UGJgVTzRQgIhYYvDJ1N+WCsQbmBgyCQ0HL/i/ks=", + "h1:9ZTFblaxLkCzg8jvRBk/J7QKV2hjxrwNhVlk96IUr6U=", + "h1:DjLdwL6J0qqUTx02BOMQxfOLHUqlYH+ewRcwFWTiHjY=", + "h1:EDeJjlZGOezaIQ+kiCN8GXRj049Lo42b93rEGlbOscM=", + "h1:U/tpa2Accjlzco7ohA1CEeL3fT/65yqiTf2ydCHhzjE=", + 
"h1:VJfcRLECBhANa1S5yHF3hJtOAzJuqe969XTK8LPbp6U=", + "h1:W6fcPNvsD7ce81J0H3Ib5FBlt5VLq5MlLXQIw+zooPc=", + "h1:tI7FQgfIFIER3wMbZN5mIX24B0mWVNb4r7hi7mUmAw8=", + "h1:wofqhlcgsUPYq6ZrN5hoUE34PDn7jmvK6YlQ0BobjyQ=", + "zh:127709945923a0034ec302c41494b82f0748707ecba15feba9db3af03e2b4709", + "zh:16ce5040984456f332598e1515cfde12b1bba78eae37b7a4b08ec332bbb55d6c", + "zh:1901cf598a048a1f135ed1c723de5e3c501aa7d1399490b7722c44cb61cb566e", + "zh:1b4a1fa65f32de535481ff38bd5869f44582b14b64bd00cc4902439cf2728a8a", + "zh:72ff727353151bd1a41ea1d6b2ecf24157918658ccd02d56acd62a7c4d330a7b", + "zh:78c0e4d7e1701fc5b3227d098807b1ed1c6d80c1ee443c0db89c64aeb317a39f", + "zh:a9964f7d9142cdd6f84673e1e936491f14bf1a44dd51fd55525c42fb05208c83", + "zh:ada1ffdebe10a44fcfa330618376fbd5d5daf7a9faad833496162686a98016d0", + "zh:d02d4d5a1fc4b0cb7975311bf37596456ace782ab195281a48338eb2a0f478c1", + "zh:e0fb626158b0cb7d8c5662a518cee8924b00a87312feff9db40b30e26539aa0f", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa5f683582bc5b12587aa7a78152774f2eaae9cfac0fb61b6de81284abbbea5b", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - 
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:4LlZaEeRPQNeQVS/qkH33e0fw92dZV8bS855mhDZ5GU=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:LFe/7Z6YZvnrBcYhSEQY50DfS3uoDKBakwdqVXcEQkc=", + "h1:N2IQabOiZC5eCEGrfgVS6ChVmRDh1ENtfHgGjnV4QQQ=", + "h1:aP69UhBhTPIVy1laxOTwOVRPB5Gv3WP9wKPyAnYd8DI=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:ph2J8mV6yYVsaN6FIsxhpWv//QuloQESo4tAZU732Uk=", + "h1:swbWBC5hf9ijj1BQcCpwLOI1m1tXH2KNGp8TEqnMiAY=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + 
"zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556",
+ "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0",
 ]
 }
diff --git a/dev-docs/howto/vpn/on-prem-terraform/main.tf b/dev-docs/howto/vpn/on-prem-terraform/main.tf
index b22ed0fd8..b6a021c0e 100644
--- a/dev-docs/howto/vpn/on-prem-terraform/main.tf
+++ b/dev-docs/howto/vpn/on-prem-terraform/main.tf
@@ -2,11 +2,11 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "4.29.0"
+ version = "4.12.0"
 }
 random = {
 source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
 }
 }
 }
diff --git a/dev-docs/miniconstellation/azure-terraform/.terraform.lock.hcl b/dev-docs/miniconstellation/azure-terraform/.terraform.lock.hcl
index 84170c34d..d22432c94 100644
--- a/dev-docs/miniconstellation/azure-terraform/.terraform.lock.hcl
+++ b/dev-docs/miniconstellation/azure-terraform/.terraform.lock.hcl
@@ -2,121 +2,121 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.29.0" - constraints = "4.29.0" + version = "4.12.0" + constraints = "4.12.0" hashes = [ - "h1:Bde/KCh2xGVCBx/JnixC3I2fmoRTwHXgsapfQ5QG8eg=", - "h1:IyINmgNiLfWx3Istkt5Mz+IJrDhSMhj3/qQeJlC4qS4=", - "h1:KEJAt0mJAACyIKUB5mCk/wqtxKMhivdeW8w6byz5Ll4=", - "h1:Y4gTSs+ZE5YSJVXG2qmsbXmv9Daq5aGM8Ip/GE6nev8=", - "h1:YtcHvTVfVBKbMCp9esoj527R1UK/hU0Zmo3pyQb8YhQ=", - "h1:atJdgnuqk+w3v4Zzhw2B1FZeYYA4su9JfanwNsx+c8o=", - "h1:c9tmtEdVTb9siGa3hVxPrMVl9ij5zijnD02JMHcHjrE=", - "h1:eN0KhMGVepEPpSA+YN5Kaz/v9PFKCafbkqqBzpLJf+g=", - "h1:hNVKlXTx2duXnR6SNKtyQMx7zSIlrxBu66Z0gbyfv3c=", - "h1:jC2GJo4VzTKnKociUDLVv8/+u9Mz+4scZrqbEasV+Y0=", - "h1:m3xYvc9X0pec0Zd1dpn82ALQ+6vwz56RnF/3CbkI2Eg=", - "zh:16590eea68c7c8aedb7af19f690eb34ab6636ef417b3fa9e06ca038fdb4c44b8", - "zh:1c907dfe44d00a54aa63d443004add90188f9a53ef3e919aff8aba92f715f42b", - "zh:258a0ff4198d80cae33c89091cd556d84c1b522c4416458484f23719a0cdf4cc", - "zh:587f5e9b2b33e51b18fb0f372025c961c3f57f2958b388459dd8432412650bda", - "zh:6318ca03bd9dbac272a75bb193688c7d4c4b45c7460289820528f31bcd6c3fe9", - "zh:63e4e8128e26e4c3e0c3b6582ef527245eb35eb5c80ad278dc675ebdf71edeaf", - "zh:845c898a27a84a15ba26e95ee66ac9563f81bc672b5ca216af82d87fe09bd5f8", - "zh:8fa6434fa212d5501185f0adc985d3a3c1e0f449c78f040a4ca640cb1e809cac", - "zh:9b49c0d72ab19aab43b2b48d23c5dddbbe29afae1569a987e6f20ed4c80ddf4c", - "zh:b14cc1ee5e3acf52490de7dd9791cce7953c0ee4bcccf0306aafd256568bd69f", - "zh:cd444836b2579fa42bfca2ae6145d394c41b6438b1ae01078c060bfaf803bb4d", + "h1:2tHjSJI1VW6sUL042kwkTfmOF3rAjZmYzpFucBq0EjQ=", + "h1:3TmHdOUKadLf5mJfYqm2OpsA/jiuqmEvCmR1EnaluF0=", + "h1:81V4UGJgVTzRQgIhYYvDJ1N+WCsQbmBgyCQ0HL/i/ks=", + "h1:9ZTFblaxLkCzg8jvRBk/J7QKV2hjxrwNhVlk96IUr6U=", + "h1:DjLdwL6J0qqUTx02BOMQxfOLHUqlYH+ewRcwFWTiHjY=", + "h1:EDeJjlZGOezaIQ+kiCN8GXRj049Lo42b93rEGlbOscM=", + "h1:U/tpa2Accjlzco7ohA1CEeL3fT/65yqiTf2ydCHhzjE=", + 
"h1:VJfcRLECBhANa1S5yHF3hJtOAzJuqe969XTK8LPbp6U=", + "h1:W6fcPNvsD7ce81J0H3Ib5FBlt5VLq5MlLXQIw+zooPc=", + "h1:tI7FQgfIFIER3wMbZN5mIX24B0mWVNb4r7hi7mUmAw8=", + "h1:wofqhlcgsUPYq6ZrN5hoUE34PDn7jmvK6YlQ0BobjyQ=", + "zh:127709945923a0034ec302c41494b82f0748707ecba15feba9db3af03e2b4709", + "zh:16ce5040984456f332598e1515cfde12b1bba78eae37b7a4b08ec332bbb55d6c", + "zh:1901cf598a048a1f135ed1c723de5e3c501aa7d1399490b7722c44cb61cb566e", + "zh:1b4a1fa65f32de535481ff38bd5869f44582b14b64bd00cc4902439cf2728a8a", + "zh:72ff727353151bd1a41ea1d6b2ecf24157918658ccd02d56acd62a7c4d330a7b", + "zh:78c0e4d7e1701fc5b3227d098807b1ed1c6d80c1ee443c0db89c64aeb317a39f", + "zh:a9964f7d9142cdd6f84673e1e936491f14bf1a44dd51fd55525c42fb05208c83", + "zh:ada1ffdebe10a44fcfa330618376fbd5d5daf7a9faad833496162686a98016d0", + "zh:d02d4d5a1fc4b0cb7975311bf37596456ace782ab195281a48338eb2a0f478c1", + "zh:e0fb626158b0cb7d8c5662a518cee8924b00a87312feff9db40b30e26539aa0f", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa5f683582bc5b12587aa7a78152774f2eaae9cfac0fb61b6de81284abbbea5b", ] } provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.7" - constraints = "2.3.7" + version = "2.3.5" + constraints = "2.3.5" hashes = [ - "h1:/hny5kXmhcnuJDD1V+5XCrZOYDIqja2U47VM4DPEnBA=", - "h1:A9COAUjeBJ+fgYAI/PKtDs4Wzs50srFSY+KkfpSVGLw=", - "h1:Lt8lqrdNgZRlkOTwSXZTyuJkiVXnpwTsWAqHQPL6sIY=", - "h1:M9TpQxKAE/hyOwytdX9MUNZw30HoD/OXqYIug5fkqH8=", - "h1:coZHiZww6hWZoOoWw0p+6oeYb/tMh1uTvX1Y2ZzzXqE=", - "h1:dgBaiMxxU61piW30emM6251LMFW66TbKR+p5ylPZvqc=", - "h1:h1Pr6uNwq+iDEGrnQJEHzOTz+yVTW0AJgZrGXuoO4Qs=", - "h1:ht83gEvyri0BD3sata7BDhx31N/KbCECIozG7UM/kC8=", - "h1:iZ27qylcH/2bs685LJTKOKcQ+g7cF3VwN3kHMrzm4Ow=", - "h1:ll35IR++uaXwfwqZFFRWrvS0idO1mX43Y/embsaOe4k=", - "h1:rafNPmTutVTO2Horq45DG9Pjqrs+vx42oc7b/3aVGEc=", - "zh:06f1c54e919425c3139f8aeb8fcf9bceca7e560d48c9f0c1e3bb0a8ad9d9da1e", - "zh:0e1e4cf6fd98b019e764c28586a386dc136129fef50af8c7165a067e7e4a31d5", - 
"zh:1871f4337c7c57287d4d67396f633d224b8938708b772abfc664d1f80bd67edd", - "zh:2b9269d91b742a71b2248439d5e9824f0447e6d261bfb86a8a88528609b136d1", - "zh:3d8ae039af21426072c66d6a59a467d51f2d9189b8198616888c1b7fc42addc7", - "zh:3ef4e2db5bcf3e2d915921adced43929214e0946a6fb11793085d9a48995ae01", - "zh:42ae54381147437c83cbb8790cc68935d71b6357728a154109d3220b1beb4dc9", - "zh:4496b362605ae4cbc9ef7995d102351e2fe311897586ffc7a4a262ccca0c782a", - "zh:652a2401257a12706d32842f66dac05a735693abcb3e6517d6b5e2573729ba13", - "zh:7406c30806f5979eaed5f50c548eced2ea18ea121e01801d2f0d4d87a04f6a14", - "zh:7848429fd5a5bcf35f6fee8487df0fb64b09ec071330f3ff240c0343fe2a5224", + "h1:C//ncldNugV8TpMQaj9ygoPXRVYOqltIxNB8LKrpzgU=", + "h1:HCoabXm6NQwCivl1q24+l9VUufc2mFqNeulsQBA9iFg=", + "h1:NCYXIt7zhG0pRLV9UAlBrKi4Rty/jRhRRHIZFEigUm8=", + "h1:Sf1Lt21oTADbzsnlU38ylpkl8YXP0Beznjcy5F/Yx64=", + "h1:TUljFfEUFn6szDfglwv150tNRUKPgqa5YiCTdF9Tc6c=", + "h1:W+6XNutLOfQxlm8XWg4wKAYvyDt/eoE1roSeFkn/KA4=", + "h1:cKe6NmJzRHiK0n73R5Dzkw8nK5i0nC4SedZhanMbQD0=", + "h1:jPzwR4Um4NU8EE6o5AIx2SoeGZG5bW9aAeFpcbodjHQ=", + "h1:sfaNIqomGVkYy6gGHbaFS2ehzh5CqoeBwR4QYae+cBY=", + "h1:wbw64JlCobcQCAdlzHpxksQ1GabewTW1yxnACBVZh4A=", + "h1:y0qqdBKvRt2MMcga7AVMkUb/vmJSKVBaimHaIHKLucs=", + "zh:17c20574de8eb925b0091c9b6a4d859e9d6e399cd890b44cfbc028f4f312ac7a", + "zh:348664d9a900f7baf7b091cf94d657e4c968b240d31d9e162086724e6afc19d5", + "zh:5a876a468ffabff0299f8348e719cb704daf81a4867f8c6892f3c3c4add2c755", + "zh:6ef97ee4c8c6a69a3d36746ba5c857cf4f4d78f32aa3d0e1ce68f2ece6a5dba5", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8283e5a785e3c518a440f6ac6e7cc4fc07fe266bf34974246f4e2ef05762feda", + "zh:a44eb5077950168b571b7eb65491246c00f45409110f0f172cc3a7605f19dba9", + "zh:aa0806cbff72b49c1b389c0b8e6904586e5259c08dabb7cb5040418568146530", + "zh:bec4613c3beaad9a7be7ca99cdb2852073f782355b272892e6ee97a22856aec1", + "zh:d7fe368577b6c8d1ae44c751ed42246754c10305c7f001cc0109833e95aa107d", + 
"zh:df2409fc6a364b1f0a0f8a9cd8a86e61e80307996979ce3790243c4ce88f2915", + "zh:ed3c263396ff1f4d29639cc43339b655235acf4d06296a7c120a80e4e0fd6409", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:4LlZaEeRPQNeQVS/qkH33e0fw92dZV8bS855mhDZ5GU=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:LFe/7Z6YZvnrBcYhSEQY50DfS3uoDKBakwdqVXcEQkc=", + "h1:N2IQabOiZC5eCEGrfgVS6ChVmRDh1ENtfHgGjnV4QQQ=", + "h1:aP69UhBhTPIVy1laxOTwOVRPB5Gv3WP9wKPyAnYd8DI=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:ph2J8mV6yYVsaN6FIsxhpWv//QuloQESo4tAZU732Uk=", + "h1:swbWBC5hf9ijj1BQcCpwLOI1m1tXH2KNGp8TEqnMiAY=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + 
"zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } provider "registry.terraform.io/hashicorp/tls" { - version = "4.1.0" - constraints = "4.1.0" + version = "4.0.6" + constraints = "4.0.6" hashes = [ - "h1:4gd/jiOS0zJxjTd5Q4o/gOp24RxcuwQ/TxwjTYQNPz4=", - "h1:C0J7AsrVHVqnDT9tICDNaKvA9iH6WTLS2EYzCEegpx0=", - "h1:Ka8mEwRFXBabR33iN/WTIEW6RP0z13vFsDlwn11Pf2I=", - "h1:ReNkTkCM64bktu54eGwQc29rhIejMLQsYA6kYNyBWno=", - "h1:UklaKJOCynnEJbpCVN0zJKIJ3SvO7RQJ00/6grBatnw=", - "h1:ZHcr1WIomuU6ZV+dzEwAG1+52JP0e0d/+l7bo3N5p88=", - "h1:eZa3vbx1pbiwnajuKvGWE7jWK+nHQ8lcLc/mO6Rhf4o=", - "h1:iSgnCUoLGMkt31RlflnL09NyjpAH0DX6bb9QBw5IE9Y=", - "h1:uDtqTpFJOseNUlPDx4TT/lXf6ie3CarsimL7sYCiVH4=", - "h1:y9cHrgcuaZt592In6xQzz1lx7k/B9EeWrAb8K7QqOgU=", - "h1:zEv9tY1KR5vaLSyp2lkrucNJ+Vq3c+sTFK9GyQGLtFs=", - "zh:14c35d89307988c835a7f8e26f1b83ce771e5f9b41e407f86a644c0152089ac2", - 
"zh:2fb9fe7a8b5afdbd3e903acb6776ef1be3f2e587fb236a8c60f11a9fa165faa8", - "zh:35808142ef850c0c60dd93dc06b95c747720ed2c40c89031781165f0c2baa2fc", - "zh:35b5dc95bc75f0b3b9c5ce54d4d7600c1ebc96fbb8dfca174536e8bf103c8cdc", - "zh:38aa27c6a6c98f1712aa5cc30011884dc4b128b4073a4a27883374bfa3ec9fac", - "zh:51fb247e3a2e88f0047cb97bb9df7c228254a3b3021c5534e4563b4007e6f882", - "zh:62b981ce491e38d892ba6364d1d0cdaadcee37cc218590e07b310b1dfa34be2d", - "zh:bc8e47efc611924a79f947ce072a9ad698f311d4a60d0b4dfff6758c912b7298", - "zh:c149508bd131765d1bc085c75a870abb314ff5a6d7f5ac1035a8892d686b6297", - "zh:d38d40783503d278b63858978d40e07ac48123a2925e1a6b47e62179c046f87a", + "h1:/GYlCthGsP6ooHpCFuMkjnuFoBX0xnvCNohf3suVw2A=", + "h1:/sSdjHoiykrPdyBP1JE03V/KDgLXnHZhHcSOYIdDH/A=", + "h1:17Y+vdYNKgphpe1/SU5PBnGuYKEJkJZ7MZCnmAwsAGQ=", + "h1:3hTE3Ifpfh4ogQN60xa3Dw2Cbk2QyK8rJ5Zi2f5cYTo=", + "h1:N7VxdRDiNZoRS9dnXJ+QuKWKn514ahS+U6f9K3cF44s=", + "h1:QAuzEStYipyCgx5On0Rym6EiFfqXnBQOrgUjBY7MIbU=", + "h1:W1r1GqxtFMYVCcqFpN7U8WGjbpvpA/YPcqjZbx5THG8=", + "h1:dYSb3V94K5dDMtrBRLPzBpkMTPn+3cXZ/kIJdtFL+2M=", + "h1:dr3jNQWLXzZ2IJ1XH2XIHScQd4HGKo+7ZoyoEP9hRpY=", + "h1:irxVvxMIETCpSsiJKpu4A3htA0v2ohIkpPNXVt++pio=", + "h1:n3M50qfWfRSpQV9Pwcvuse03pEizqrmYEryxKky4so4=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + 
"zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb",
 "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- "zh:fb07f708e3316615f6d218cec198504984c0ce7000b9f1eebff7516e384f4b54",
 ]
 }
diff --git a/dev-docs/miniconstellation/azure-terraform/main.tf b/dev-docs/miniconstellation/azure-terraform/main.tf
index 9aeeebe21..8e0c2ac1d 100644
--- a/dev-docs/miniconstellation/azure-terraform/main.tf
+++ b/dev-docs/miniconstellation/azure-terraform/main.tf
@@ -2,19 +2,19 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "4.29.0"
+ version = "4.12.0"
 }
 random = {
 source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
 }
 tls = {
 source = "hashicorp/tls"
- version = "4.1.0"
+ version = "4.0.6"
 }
 cloudinit = {
 source = "hashicorp/cloudinit"
- version = "2.3.7"
+ version = "2.3.5"
 }
 }
 }
diff --git a/dev-docs/security-overview.md b/dev-docs/security-overview.md
index 90393c182..a2b03ab0e 100644
--- a/dev-docs/security-overview.md
+++ b/dev-docs/security-overview.md
@@ -79,16 +79,12 @@ Abstractly, a remote-attestation statement `R` from a CVM looks as follows: R = Sig-CPU(, , ) ``` -The field `payload` is controlled by the software running inside the CVM. +The `payload` is controlled by the software running inside the CVM. In the case of a Constellation node, the `payload` is always the public key of the respective Bootstrapper running inside the CVM. Thus, `R` can be seen as a certificate for that public key issued by the CPU. Based on this, nodes establish attested TLS (aTLS) connections. aTLS is used during [cluster creation](#cluster-creation) and when [growing a cluster](#cluster-growth). -The field `auxiliary data` is populated automatically by the CVM platform and, among others, includes information like CPU firmware versions. - -Note that this description of `R` is highly abstract. - ### Measurements In the ideal case, the underlying CVM platform does not inject any of its own software into a CVM. 
@@ -101,26 +97,16 @@ In this case, the launch digest is the only measurement that's required to verif However, currently, all supported CVM platforms (AWS, Azure, and GCP) inject custom firmware into CVMs. Thus, in practice, Constellation relies on conventional [measured boot](https://docs.edgeless.systems/constellation/architecture/images#measured-boot) to reflect the identity and integrity of nodes. -In measured boot, in general, the software components involved in the boot process of a system are "measured" into the 16 platform configuration registers (PCRs) of a Trusted Platform Module (TPM). +In measured boot, in general, the software components involved in the boot process of a system are "measured" into the 16 registers of a Trusted Platform Module (TPM). The values of these registers are also called "runtime measurements". -All supported CVM platforms provide TPMs to CVMs. - -With measured boot, Constellation relies on TPM-based remote attestation for nodes. -TPM-based remote attestation is similar to confidential computing-based remote attestation. Instead of the value `R`, the value `R'` is used. - -``` -R' = Sig-TPM(, ) -``` - -The field `auxiliary data` is populated automatically by the TPM and most notably contains the 16 PCRs. -Constellation uses the field `payload` as usual and sets it to the public key of the respective CVM's Bootstrapper. -When verifying `R'`, Constellation compares the 16 PCRs to those given in the attestation config. - -#### Differences between CVM platforms - -Each supported CVM platform populates the 16 PCRs in different ways. Details can be found in the [Constellation documentation](https://docs.edgeless.systems/constellation/architecture/attestation#runtime-measurements). -Sig-TPM itself is also verified differently for each cloud. +All supported CVM platforms provide TPMs to CVMs. +Constellation nodes use these to measure their boot process. +They include the 16 runtime measurements as `auxiliary data` in `R`. 
+On each CVM platform, runtime measurements are taken differently. +Details on this are given in the [Constellation documentation](https://docs.edgeless.systems/constellation/architecture/attestation#runtime-measurements). +With measured boot, Constellation only checks the 16 runtime measurements during the verification of a node's remote-attestation statement. +The launch digest is not considered, because it only covers the firmware injected by the CVM platform and may change whenever the CVM platform is updated. Currently, on AWS and GCP the TPM implementation resides outside the CVM. On Azure, the TPM implementation is part of the injected firmware and resides inside the CVM. More information can be found in the [Constellation documentation](https://docs.edgeless.systems/constellation/overview/clouds). diff --git a/dev-docs/workflows/attestationconfigapi.md b/dev-docs/workflows/attestationconfigapi.md index 4881497ce..5da8eda35 100644 --- a/dev-docs/workflows/attestationconfigapi.md +++ b/dev-docs/workflows/attestationconfigapi.md 
@@ -8,10 +8,10 @@ This estimate might make manual intervention necessary when a global rollout did ### Manually delete a version ``` -COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY="$(cat $PATH_TO_KEY)" AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY bazel run //internal/api/attestationconfigapi/cli -- delete azure-sev-snp attestation-report 2025-01-18-09-15 +COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY="$(cat $PATH_TO_KEY)" AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY bazel run //internal/api/attestationconfigapi/cli delete -- --version 2023-09-02-12-52 ``` ### Manually upload a version ``` -COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY="$(cat $PATH_TO_KEY)" AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY bazel run //internal/api/attestationconfigapi/cli -- upload azure-sev-snp attestation-report 2025-01-18-09-15 --force +COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY="$(cat $PATH_TO_KEY)" AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY bazel run //internal/api/attestationconfigapi/cli -- --force --version 2023-09-02-12-52 --maa-claims-path "${path}" ``` diff --git a/dev-docs/workflows/bump-go-version.md b/dev-docs/workflows/bump-go-version.md index f2736179b..09b3fad81 100644 --- a/dev-docs/workflows/bump-go-version.md +++ b/dev-docs/workflows/bump-go-version.md @@ -17,7 +17,7 @@ go_sdk.download( ``` -Replace `go-version: "1.xx.x"` with the new version in all GitHub actions/workflows, our go.mod files and Containerfiles. +Replace `go-version: "1.xx.x"` with the new version in all GitHub actions and workflows. You can use the following command to find replace all instances of `go-version: "1.xx.x"` in the `.github` directory: ```bash 
@@ -25,9 +25,7 @@ OLD_VERSION="1.xx.x" NEW_VERSION="1.xx.y" find .github -type f -exec sed -i "s/go-version: \"${OLD_VERSION}\"/go-version: \"${NEW_VERSION}\"/g" {} \; sed -i "s/go ${OLD_VERSION}/go ${NEW_VERSION}/g" go.mod -sed -i "s/go ${OLD_VERSION}/go ${NEW_VERSION}/g" hack/tools/go.mod sed -i "s/${OLD_VERSION}/${NEW_VERSION}/g" go.work -sed -i "s/GO_VER=${OLD_VERSION}/GO_VER=${NEW_VERSION}/g" 3rdparty/gcp-guest-agent/Dockerfile ``` Or manually: diff --git a/dev-docs/workflows/marketplace-publishing.md b/dev-docs/workflows/marketplace-publishing.md deleted file mode 100644 index aa0513b2f..000000000 --- a/dev-docs/workflows/marketplace-publishing.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# Publishing Marketplace Images - -Constellation release images need to be manually published to AWS and Azure marketplaces due to the lack of automation features. -On GCP, marketplace image publishing is automated and takes place on release. - -This document explains how to perform the uploading on AWS and Azure. - -## AWS - -1. Log in to the [AWS marketplace management portal](https://aws.amazon.com/marketplace/management/) with your regular developer AWS account. -2. Select "Products -> Server -> Constellation" in the top menu. -3. Select "Versions" in the main menu and press "Add version". -4. Fill in the form. - 1. Enter the semantic version of the release (i.e. `vX.Y.Z`) as "Version title". - 2. Set the version tag in "Release notes" to the same version. - 3. For the "Amazon Machine Image (AMI) ID", enter the AMI ID of the release (SEV-SNP) image. This can be found in the regular - [AWS console](https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#Images:visibility=owned-by-me;search=:constellation-v;v=3;$case=tags:false%5C,client:false;$regex=tags:false%5C,client:false;sort=desc:creationDate). - 4. For "IAM access role ARN", enter `arn:aws:iam::795746500882:role/constellation-marketplace-ingest`. -5. Leave the other fields as they are and press "Add version". -6. Wait for the [request](https://aws.amazon.com/marketplace/management/requests) to be processed and available before publishing the release. - -## Azure - -1. Log in to the [Microsoft partner center](https://partner.microsoft.com/en-us/dashboard/home) with your regular developer Microsoft account. -2. Select "Marketplace offers -> Constellation -> Constellation Node" in the main menu. -3. Select "Technical configuration" in the sidebar on the left. -4. Select "Add VM Image". - 1. For the "Version number", enter the semantic version of the release without the `v` prefix. If the release version is `vX.Y.Z`, enter `X.Y.Z`. - 2. 
Press "Add a gallery image" and select the corresponding "Constellation_CVM" image version in the menu. - 3. Press "Save VM image". -5. **IMPORTANT**: Hit **Save draft**. Do **NOT** hit "Review and publish" directly. -6. **After** saving the draft, hit "Review and publish". -7. Go back to the [offer's home page](https://partner.microsoft.com/en-us/dashboard/commercial-marketplace/offers/a53ac90b-06f7-4a20-a845-8607ca352e61/overview) and wait for the process to complete before publishing the release. diff --git a/dev-docs/workflows/release.md b/dev-docs/workflows/release.md index 619d28744..be873d563 100644 --- a/dev-docs/workflows/release.md +++ b/dev-docs/workflows/release.md @@ -86,7 +86,15 @@ Releases should be performed using [the automated release pipeline](https://gith 1. Publish the [provider release](https://github.com/edgelesssys/terraform-provider-constellation/releases) 2. Merge the automated post release PR -3. Publish the [AWS and Azure marketplace images](./marketplace-publishing.md). +3. Write an email to STACKIT to inform them of the new release. For this, you require the name and UUID of the release image. You can find the email address in our internal [wiki](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/stackit.md): + + ```shell-session + export OS_CLOUD=stackit + openstack image list | grep constellation + # the output should look similar to this, where the first column is the UUID and the second column is the name + # | 25edf48d-161f-452b-b420-963c3a80abd8 | constellation-stable-v2.16.4-qemu-vtpm | active | + ``` + 4. Close fixed "known issues" 5. Move open issues and PRs from this release's closed milestone to next milestone 6. Reset `UpgradeRequiresIAMMigration` in [`iamupgrade.go`](https://github.com/edgelesssys/constellation/blob/a88a731576184e3c5ee8527741c4a0cdaa4e9b24/cli/internal/cloudcmd/iamupgrade.go#L23). 
diff --git a/disk-mapper/internal/recoveryserver/recoveryserver_test.go b/disk-mapper/internal/recoveryserver/recoveryserver_test.go index 3248c16f5..1a7722bb7 100644 --- a/disk-mapper/internal/recoveryserver/recoveryserver_test.go +++ b/disk-mapper/internal/recoveryserver/recoveryserver_test.go @@ -40,7 +40,7 @@ func TestServe(t *testing.T) { server := New(atls.NewFakeIssuer(variant.Dummy{}), newStubKMS(nil, nil), log) dialer := testdialer.NewBufconnDialer() listener := dialer.GetListener("192.0.2.1:1234") - ctx, cancel := context.WithCancel(t.Context()) + ctx, cancel := context.WithCancel(context.Background()) var wg sync.WaitGroup // Serve method returns when context is canceled @@ -62,7 +62,7 @@ func TestServe(t *testing.T) { wg.Add(1) go func() { defer wg.Done() - _, _, err := server.Serve(t.Context(), listener, uuid) + _, _, err := server.Serve(context.Background(), listener, uuid) assert.NoError(err) }() time.Sleep(100 * time.Millisecond) @@ -70,7 +70,7 @@ func TestServe(t *testing.T) { wg.Wait() // Serve method returns an error when serving is unsuccessful - _, _, err := server.Serve(t.Context(), listener, uuid) + _, _, err := server.Serve(context.Background(), listener, uuid) assert.Error(err) } @@ -104,7 +104,7 @@ func TestRecover(t *testing.T) { assert := assert.New(t) require := require.New(t) - ctx := t.Context() + ctx := context.Background() serverUUID := "uuid" server := New(atls.NewFakeIssuer(variant.Dummy{}), tc.factory, logger.NewTest(t)) netDialer := testdialer.NewBufconnDialer() diff --git a/disk-mapper/internal/rejoinclient/rejoinclient_test.go b/disk-mapper/internal/rejoinclient/rejoinclient_test.go index bd77b3643..18bf15df1 100644 --- a/disk-mapper/internal/rejoinclient/rejoinclient_test.go +++ b/disk-mapper/internal/rejoinclient/rejoinclient_test.go 
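Review bot: Replacing `t.Context()` with a bare `context.Background()` at the -62 and -70 hunks of TestServe hands Serve a context that is never canceled, so the goroutine started in the -62 hunk can only return through whatever Serve does with the listener, and a regression there would hang at `wg.Wait()` with no cancellation as a backstop; with `t.Context()` the context was canceled when the test ended, and the -40 hunk still keeps a cancelable context for exactly that reason per its own comment. If this is a deliberate move back to a toolchain without `testing.T.Context` (the .bazelversion and protoc downgrades elsewhere in this diff suggest a rollback), the same guarantee is available on older Go by creating one context per test and registering its cancel: `ctx, cancel := context.WithCancel(context.Background())` followed by `t.Cleanup(cancel)`, then passing `ctx` at the -62, -70 and -104 call sites instead of a fresh `context.Background()`. The same point applies to the two hunks in rejoinclient_test.go in the next file section. The bodies of TestServe and TestRecover continue outside these hunks.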
@@ -71,7 +71,7 @@ func TestStartCancel(t *testing.T) { go rejoinServer.Serve(listener) defer rejoinServer.GracefulStop() - ctx, cancel := context.WithCancel(t.Context()) + ctx, cancel := context.WithCancel(context.Background()) var wg sync.WaitGroup wg.Add(1) @@ -294,7 +294,7 @@ func TestStart(t *testing.T) { client := New(dialer, tc.nodeInfo, meta, logger.NewTest(t)) - passphrase, secret := client.Start(t.Context(), "uuid") + passphrase, secret := client.Start(context.Background(), "uuid") assert.Equal(diskKey, passphrase) assert.Equal(measurementSecret, secret) }) diff --git a/disk-mapper/internal/test/BUILD.bazel b/disk-mapper/internal/test/BUILD.bazel index 38e3ac89c..8d39f1a03 100644 --- a/disk-mapper/internal/test/BUILD.bazel +++ b/disk-mapper/internal/test/BUILD.bazel @@ -29,7 +29,7 @@ go_test( "@com_github_martinjungblut_go_cryptsetup//:go-cryptsetup", "@com_github_stretchr_testify//assert", "@com_github_stretchr_testify//require", - "@io_bazel_rules_go//go/runfiles", + "@io_bazel_rules_go//go/runfiles:go_default_library", "@org_uber_go_goleak//:goleak", ], "@io_bazel_rules_go//go/platform:linux": [ @@ -39,7 +39,7 @@ go_test( "@com_github_martinjungblut_go_cryptsetup//:go-cryptsetup", "@com_github_stretchr_testify//assert", "@com_github_stretchr_testify//require", - "@io_bazel_rules_go//go/runfiles", + "@io_bazel_rules_go//go/runfiles:go_default_library", "@org_uber_go_goleak//:goleak", ], "//conditions:default": [], diff --git a/disk-mapper/recoverproto/recover.pb.go b/disk-mapper/recoverproto/recover.pb.go index cf62209b3..51fd53b2b 100644 --- a/disk-mapper/recoverproto/recover.pb.go +++ b/disk-mapper/recoverproto/recover.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 -// protoc v5.29.1 +// protoc-gen-go v1.35.2 +// protoc v5.29.0--rc2 // source: disk-mapper/recoverproto/recover.proto package recoverproto 
@@ -15,7 +15,6 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" - unsafe "unsafe" ) const ( @@ -26,11 +25,12 @@ const ( ) type RecoverMessage struct { - state protoimpl.MessageState `protogen:"open.v1"` - KmsUri string `protobuf:"bytes,3,opt,name=kms_uri,json=kmsUri,proto3" json:"kms_uri,omitempty"` - StorageUri string `protobuf:"bytes,4,opt,name=storage_uri,json=storageUri,proto3" json:"storage_uri,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + KmsUri string `protobuf:"bytes,3,opt,name=kms_uri,json=kmsUri,proto3" json:"kms_uri,omitempty"` + StorageUri string `protobuf:"bytes,4,opt,name=storage_uri,json=storageUri,proto3" json:"storage_uri,omitempty"` } func (x *RecoverMessage) Reset() { @@ -78,9 +78,9 @@ func (x *RecoverMessage) GetStorageUri() string { } type RecoverResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields } func (x *RecoverResponse) Reset() { 
@@ -115,25 +115,37 @@ func (*RecoverResponse) Descriptor() ([]byte, []int) { var File_disk_mapper_recoverproto_recover_proto protoreflect.FileDescriptor -const file_disk_mapper_recoverproto_recover_proto_rawDesc = "" + - "\n" + - "&disk-mapper/recoverproto/recover.proto\x12\frecoverproto\"J\n" + - "\x0eRecoverMessage\x12\x17\n" + - "\akms_uri\x18\x03 \x01(\tR\x06kmsUri\x12\x1f\n" + - "\vstorage_uri\x18\x04 \x01(\tR\n" + - "storageUri\"\x11\n" + - "\x0fRecoverResponse2O\n" + - "\x03API\x12H\n" + - "\aRecover\x12\x1c.recoverproto.RecoverMessage\x1a\x1d.recoverproto.RecoverResponse\"\x00BBZ@github.com/edgelesssys/constellation/v2/disk-mapper/recoverprotob\x06proto3" +var file_disk_mapper_recoverproto_recover_proto_rawDesc = []byte{ + 0x0a, 0x26, 0x64, 0x69, 0x73, 0x6b, 0x2d, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x72, 0x65, + 0x63, 0x6f, 0x76, 0x65, 0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x72, 0x65, 0x63, 0x6f, 0x76, + 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0c, 0x72, 0x65, 0x63, 0x6f, 0x76, 0x65, + 0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x4a, 0x0a, 0x0e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, + 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x6d, 0x73, 0x5f, + 0x75, 0x72, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x6d, 0x73, 0x55, 0x72, + 0x69, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x5f, 0x75, 0x72, 0x69, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x55, + 0x72, 0x69, 0x22, 0x11, 0x0a, 0x0f, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0x4f, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x48, 0x0a, 0x07, + 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x12, 0x1c, 0x2e, 0x72, 0x65, 0x63, 0x6f, 0x76, 0x65, + 0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x4d, 0x65, + 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1d, 0x2e, 0x72, 0x65, 0x63, 0x6f, 0x76, 
0x65, 0x72, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x42, 0x5a, 0x40, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, + 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, + 0x32, 0x2f, 0x64, 0x69, 0x73, 0x6b, 0x2d, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x72, 0x65, + 0x63, 0x6f, 0x76, 0x65, 0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, +} var ( file_disk_mapper_recoverproto_recover_proto_rawDescOnce sync.Once - file_disk_mapper_recoverproto_recover_proto_rawDescData []byte + file_disk_mapper_recoverproto_recover_proto_rawDescData = file_disk_mapper_recoverproto_recover_proto_rawDesc ) func file_disk_mapper_recoverproto_recover_proto_rawDescGZIP() []byte { file_disk_mapper_recoverproto_recover_proto_rawDescOnce.Do(func() { - file_disk_mapper_recoverproto_recover_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_disk_mapper_recoverproto_recover_proto_rawDesc), len(file_disk_mapper_recoverproto_recover_proto_rawDesc))) + file_disk_mapper_recoverproto_recover_proto_rawDescData = protoimpl.X.CompressGZIP(file_disk_mapper_recoverproto_recover_proto_rawDescData) }) return file_disk_mapper_recoverproto_recover_proto_rawDescData } @@ -162,7 +174,7 @@ func file_disk_mapper_recoverproto_recover_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_disk_mapper_recoverproto_recover_proto_rawDesc), len(file_disk_mapper_recoverproto_recover_proto_rawDesc)), + RawDescriptor: file_disk_mapper_recoverproto_recover_proto_rawDesc, NumEnums: 0, NumMessages: 2, NumExtensions: 0, 
@@ -173,6 +185,7 @@ func file_disk_mapper_recoverproto_recover_proto_init() { MessageInfos: file_disk_mapper_recoverproto_recover_proto_msgTypes, }.Build() File_disk_mapper_recoverproto_recover_proto = out.File + file_disk_mapper_recoverproto_recover_proto_rawDesc = nil file_disk_mapper_recoverproto_recover_proto_goTypes = nil file_disk_mapper_recoverproto_recover_proto_depIdxs = nil } diff --git a/docs/docs/architecture/versions.md b/docs/docs/architecture/versions.md index 931e4660f..9d5a064e0 100644 --- a/docs/docs/architecture/versions.md +++ b/docs/docs/architecture/versions.md @@ -16,6 +16,6 @@ Subsequent Constellation releases drop support for the oldest (and deprecated) K The following Kubernetes versions are currently supported: -* v1.29.15 -* v1.30.13 -* v1.31.9 +* v1.28.15 +* v1.29.11 +* v1.30.7 diff --git a/docs/docs/getting-started/first-steps.md b/docs/docs/getting-started/first-steps.md index fb8437a06..128ac2849 100644 --- a/docs/docs/getting-started/first-steps.md +++ b/docs/docs/getting-started/first-steps.md 
@@ -102,10 +102,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. @@ -117,12 +117,6 @@ If you encounter any problem with the following steps, make sure to use the [lat * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud)) - :::caution - - `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. - - ::: - diff --git a/docs/docs/getting-started/install.md b/docs/docs/getting-started/install.md index f072407d8..fa481d9b8 100644 --- a/docs/docs/getting-started/install.md +++ b/docs/docs/getting-started/install.md 
@@ -234,9 +234,6 @@ Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/co To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: -* `iam.roles.create` -* `iam.roles.delete` -* `iam.roles.get` * `iam.serviceAccountKeys.create` * `iam.serviceAccountKeys.delete` * `iam.serviceAccountKeys.get` @@ -263,11 +260,6 @@ To [create a Constellation cluster](../workflows/create.md), you need the follow * `compute.firewalls.delete` * `compute.firewalls.get` * `compute.firewalls.update` -* `compute.forwardingRules.create` -* `compute.forwardingRules.delete` -* `compute.forwardingRules.get` -* `compute.forwardingRules.setLabels` -* `compute.forwardingRules.list` * `compute.globalAddresses.create` * `compute.globalAddresses.delete` * `compute.globalAddresses.get` @@ -416,7 +408,7 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3 username: REPLACE_WITH_UAT_USERNAME password: REPLACE_WITH_UAT_PASSWORD - project_id: REPLACE_WITH_OPENSTACK_PROJECT_ID + project_id: REPLACE_WITH_STACKIT_PROJECT_ID project_name: REPLACE_WITH_STACKIT_PROJECT_NAME user_domain_name: portal_mvp project_domain_name: portal_mvp @@ -426,7 +418,7 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se :::caution -`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file. +`project_id` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `clouds.yaml` file. It's of the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. ::: 
diff --git a/docs/docs/reference/cli.md b/docs/docs/reference/cli.md index 7cbc0be8d..99acef520 100644 --- a/docs/docs/reference/cli.md +++ b/docs/docs/reference/cli.md @@ -39,7 +39,6 @@ Commands: * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile * [version](#constellation-version): Display version of this CLI * [init](#constellation-init): Initialize the Constellation cluster -* [ssh](#constellation-ssh): Generate a certificate for emergency SSH access ## constellation config @@ -81,7 +80,7 @@ constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags] ``` -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used -h, --help help for generate - -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.30") + -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.29") -t, --tags strings additional tags for created resources given a list of key=value ``` 
@@ -685,13 +684,13 @@ constellation iam create gcp [flags] ### Options ``` - -h, --help help for gcp - --prefix string Prefix for the service account ID and VM ID that will be created (required) - Must be letters, digits, or hyphens. - --projectID string ID of the GCP project the configuration will be created in (required) - Find it on the welcome screen of your project: https://console.cloud.google.com/welcome - --zone string GCP zone the cluster will be deployed in (required) - Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available + -h, --help help for gcp + --projectID string ID of the GCP project the configuration will be created in (required) + Find it on the welcome screen of your project: https://console.cloud.google.com/welcome + --serviceAccountID string ID for the service account that will be created (required) + Must be 6 to 30 lowercase letters, digits, or hyphens. + --zone string GCP zone the cluster will be deployed in (required) + Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available ``` ### Options inherited from parent commands @@ -843,31 +842,3 @@ constellation init [flags] -C, --workspace string path to the Constellation workspace ``` -## constellation ssh - -Generate a certificate for emergency SSH access - -### Synopsis - -Generate a certificate for emergency SSH access to your SSH-enabled constellation cluster. - -``` -constellation ssh [flags] -``` - -### Options - -``` - -h, --help help for ssh - --key string the path to an existing SSH public key -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - diff --git a/docs/docs/reference/migration.md b/docs/docs/reference/migration.md index eb55d650b..0252c409f 100644 
--- a/docs/docs/reference/migration.md +++ b/docs/docs/reference/migration.md @@ -3,12 +3,6 @@ This document describes breaking changes and migrations between Constellation releases. Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format. -## Migrations to v2.23.0 - -### GCP - -GCP will require the additional permission `compute.forwardingRules.list`. Please update your IAM roles using `constellation iam upgrade apply`. - ## Migrations to v2.19.1 ### Azure @@ -42,13 +36,7 @@ done echo "All specified rules have been deleted." ``` -## Migrating from CLI versions before 2.21.1 - -### AWS - -* AWS clusters that use `LoadBalancer` resources require more IAM permissions. Please upgrade your IAM roles using `constellation iam upgrade apply`. This will show necessary changes and apply them, if desired. - -## Migrating from CLI versions before 2.19.0 +## Migrations to v2.19.0 ### Azure @@ -58,7 +46,7 @@ echo "All specified rules have been deleted." If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them afterward. -## Migrating from CLI versions before 2.18.0 +## Migrating from Azure's service principal authentication to managed identity authentication (during the upgrade to Constellation v2.8.0) * The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed. * To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`. diff --git a/docs/docs/workflows/config.md b/docs/docs/workflows/config.md index 7868ff1be..95f791acd 100644 --- a/docs/docs/workflows/config.md +++ b/docs/docs/workflows/config.md 
@@ -210,10 +210,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -308,11 +308,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/docs/workflows/troubleshooting.md b/docs/docs/workflows/troubleshooting.md
index 903c829e0..195bce1cc 100644
--- a/docs/docs/workflows/troubleshooting.md
+++ b/docs/docs/workflows/troubleshooting.md
@@ -149,52 +149,3 @@ Debugging via a shell on a node is [directly supported by Kubernetes](https://ku ```bash kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj ``` - -### Emergency SSH access - -Emergency SSH access to nodes can be useful to diagnose issues or download important data even if the Kubernetes API isn't reachable anymore. - -1. Enter the `constellation-terraform` directory in your Constellation workspace and enable emergency SSH access to the cluster: - - ```bash - cd constellation-terraform - echo "emergency_ssh = true" >> ./terraform.tfvars - terraform apply - ``` - -2. Sign an existing SSH key with your master secret: - - ```bash - cd ../ # go back to your Constellation workspace - constellation ssh --key your_public_key.pub - ``` - - A certificate is written to `constellation_cert.pub`. - - The certificate is valid for 24 hours and enables you to access your Constellation nodes using - [certificate based authentication](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication). - -3. Now you can connect to any Constellation node using your certificate and your private key. - - ```bash - ssh -o CertificateFile=constellation_cert.pub -i root@ - ``` - - Normally, you don't have access to the Constellation nodes since they reside in a private network. - To access those nodes anyways, you can use your Constellation load balancer as a proxy jump host. - For this, use something along the following SSH client configuration: - - ```text - Host - ProxyJump none - - Host * - IdentityFile - PreferredAuthentications publickey - CertificateFile=constellation_cert.pub - User root - ProxyJump - ``` - - With this configuration you can connect to a Constellation node using `ssh -F `. - You can obtain the private node IP and the domain name of the load balancer using your CSP's web UI.
diff --git a/docs/package-lock.json b/docs/package-lock.json
index 99f36b953..41c393918 100644
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
@@ -9,19 +9,19 @@ "version": "2.0.0", "dependencies": { "@cmfcmf/docusaurus-search-local": "1.2.0", - "@docusaurus/core": "3.7.0", - "@docusaurus/preset-classic": "3.7.0", - "@docusaurus/theme-mermaid": "3.7.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/preset-classic": "3.6.2", + "@docusaurus/theme-mermaid": "3.6.2", "@mdx-js/react": "3.1.0", - "asciinema-player": "3.9.0", + "asciinema-player": "3.8.1", "clsx": "2.1.1", - "prism-react-renderer": "2.4.1", + "prism-react-renderer": "2.4.0", "react": "18.3.1", "react-dom": "18.3.1" }, "devDependencies": { - "@docusaurus/module-type-aliases": "3.7.0", - "@docusaurus/types": "3.7.0" + "@docusaurus/module-type-aliases": "3.6.2", + "@docusaurus/types": "3.6.2" }, "engines": { "node": ">=16.14" 
@@ -120,48 +120,48 @@ } }, "node_modules/@algolia/client-abtesting": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-abtesting/-/client-abtesting-5.19.0.tgz", - "integrity": "sha512-dMHwy2+nBL0SnIsC1iHvkBao64h4z+roGelOz11cxrDBrAdASxLxmfVMop8gmodQ2yZSacX0Rzevtxa+9SqxCw==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-abtesting/-/client-abtesting-5.15.0.tgz", + "integrity": "sha512-FaEM40iuiv1mAipYyiptP4EyxkJ8qHfowCpEeusdHUC4C7spATJYArD2rX3AxkVeREkDIgYEOuXcwKUbDCr7Nw==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-abtesting/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-abtesting/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", + "version": "5.15.0", + "resolved": 
"https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + "integrity": "sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-abtesting/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" 
@@ -201,48 +201,48 @@ } }, "node_modules/@algolia/client-insights": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-insights/-/client-insights-5.19.0.tgz", - "integrity": "sha512-xPOiGjo6I9mfjdJO7Y+p035aWePcbsItizIp+qVyfkfZiGgD+TbNxM12g7QhFAHIkx/mlYaocxPY/TmwPzTe+A==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-insights/-/client-insights-5.15.0.tgz", + "integrity": "sha512-bDDEQGfFidDi0UQUCbxXOCdphbVAgbVmxvaV75cypBTQkJ+ABx/Npw7LkFGw1FsoVrttlrrQbwjvUB6mLVKs/w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-insights/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-insights/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", + "version": "5.15.0", + "resolved": 
"https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + "integrity": "sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-insights/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" 
@@ -260,48 +260,48 @@ } }, "node_modules/@algolia/client-query-suggestions": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-query-suggestions/-/client-query-suggestions-5.19.0.tgz", - "integrity": "sha512-6fcP8d4S8XRDtVogrDvmSM6g5g6DndLc0pEm1GCKe9/ZkAzCmM3ZmW1wFYYPxdjMeifWy1vVEDMJK7sbE4W7MA==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-query-suggestions/-/client-query-suggestions-5.15.0.tgz", + "integrity": "sha512-wu8GVluiZ5+il8WIRsGKu8VxMK9dAlr225h878GGtpTL6VBvwyJvAyLdZsfFIpY0iN++jiNb31q2C1PlPL+n/A==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-query-suggestions/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-query-suggestions/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", + "version": "5.15.0", + "resolved": 
"https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + "integrity": "sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-query-suggestions/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" 
@@ -325,48 +325,48 @@ "license": "MIT" }, "node_modules/@algolia/ingestion": { - "version": "1.19.0", - "resolved": "https://registry.npmjs.org/@algolia/ingestion/-/ingestion-1.19.0.tgz", - "integrity": "sha512-LO7w1MDV+ZLESwfPmXkp+KLeYeFrYEgtbCZG6buWjddhYraPQ9MuQWLhLLiaMlKxZ/sZvFTcZYuyI6Jx4WBhcg==", + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/@algolia/ingestion/-/ingestion-1.15.0.tgz", + "integrity": "sha512-MkqkAxBQxtQ5if/EX2IPqFA7LothghVyvPoRNA/meS2AW2qkHwcxjuiBxv4H6mnAVEPfJlhu9rkdVz9LgCBgJg==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/ingestion/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/ingestion/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + 
"integrity": "sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/ingestion/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" 
@@ -388,48 +388,48 @@ } }, "node_modules/@algolia/monitoring": { - "version": "1.19.0", - "resolved": "https://registry.npmjs.org/@algolia/monitoring/-/monitoring-1.19.0.tgz", - "integrity": "sha512-Mg4uoS0aIKeTpu6iv6O0Hj81s8UHagi5TLm9k2mLIib4vmMtX7WgIAHAcFIaqIZp5D6s5EVy1BaDOoZ7buuJHA==", + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/@algolia/monitoring/-/monitoring-1.15.0.tgz", + "integrity": "sha512-QPrFnnGLMMdRa8t/4bs7XilPYnoUXDY8PMQJ1sf9ZFwhUysYYhQNX34/enoO0LBjpoOY6rLpha39YQEFbzgKyQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/monitoring/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/monitoring/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + "integrity": 
"sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/monitoring/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" 
@@ -470,21 +470,21 @@ "license": "MIT" }, "node_modules/@algolia/requester-fetch": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-fetch/-/requester-fetch-5.19.0.tgz", - "integrity": "sha512-oyTt8ZJ4T4fYvW5avAnuEc6Laedcme9fAFryMD9ndUTIUe/P0kn3BuGcCLFjN3FDmdrETHSFkgPPf1hGy3sLCw==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-fetch/-/requester-fetch-5.15.0.tgz", + "integrity": "sha512-rOZ+c0P7ajmccAvpeeNrUmEKoliYFL8aOR5qGW5pFq3oj3Iept7Y5mEtEsOBYsRt6qLnaXn4zUKf+N8nvJpcIw==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/requester-fetch/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" 
@@ -3450,21 +3450,21 @@ } }, "node_modules/@docsearch/css": { - "version": "3.8.2", - "resolved": "https://registry.npmjs.org/@docsearch/css/-/css-3.8.2.tgz", - "integrity": "sha512-y05ayQFyUmCXze79+56v/4HpycYF3uFqB78pLPrSV5ZKAlDuIAAJNhaRi8tTdRNXh05yxX/TyNnzD6LwSM89vQ==", + "version": "3.8.0", + "resolved": "https://registry.npmjs.org/@docsearch/css/-/css-3.8.0.tgz", + "integrity": "sha512-pieeipSOW4sQ0+bE5UFC51AOZp9NGxg89wAlZ1BAQFaiRAGK1IKUaPQ0UGZeNctJXyqZ1UvBtOQh2HH+U5GtmA==", "license": "MIT" }, "node_modules/@docsearch/react": { - "version": "3.8.2", - "resolved": "https://registry.npmjs.org/@docsearch/react/-/react-3.8.2.tgz", - "integrity": "sha512-xCRrJQlTt8N9GU0DG4ptwHRkfnSnD/YpdeaXe02iKfqs97TkZJv60yE+1eq/tjPcVnTW8dP5qLP7itifFVV5eg==", + "version": "3.8.0", + "resolved": "https://registry.npmjs.org/@docsearch/react/-/react-3.8.0.tgz", + "integrity": "sha512-WnFK720+iwTVt94CxY3u+FgX6exb3BfN5kE9xUY6uuAH/9W/UFboBZFLlrw/zxFRHoHZCOXRtOylsXF+6LHI+Q==", "license": "MIT", "dependencies": { "@algolia/autocomplete-core": "1.17.7", "@algolia/autocomplete-preset-algolia": "1.17.7", - "@docsearch/css": "3.8.2", - "algoliasearch": "^5.14.2" + "@docsearch/css": "3.8.0", + "algoliasearch": "^5.12.0" }, "peerDependencies": { "@types/react": ">= 16.8.0 < 19.0.0", 
@@ -3488,126 +3488,126 @@ } }, "node_modules/@docsearch/react/node_modules/@algolia/client-analytics": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-analytics/-/client-analytics-5.19.0.tgz", - "integrity": "sha512-CDW4RwnCHzU10upPJqS6N6YwDpDHno7w6/qXT9KPbPbt8szIIzCHrva4O9KIfx1OhdsHzfGSI5hMAiOOYl4DEQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-analytics/-/client-analytics-5.15.0.tgz", + "integrity": "sha512-lho0gTFsQDIdCwyUKTtMuf9nCLwq9jOGlLGIeQGKDxXF7HbiAysFIu5QW/iQr1LzMgDyM9NH7K98KY+BiIFriQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/@algolia/client-personalization": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-personalization/-/client-personalization-5.19.0.tgz", - "integrity": "sha512-B9eoce/fk8NLboGje+pMr72pw+PV7c5Z01On477heTZ7jkxoZ4X92dobeGuEQop61cJ93Gaevd1of4mBr4hu2A==", + "version": "5.15.0", + "resolved": 
"https://registry.npmjs.org/@algolia/client-personalization/-/client-personalization-5.15.0.tgz", + "integrity": "sha512-LfaZqLUWxdYFq44QrasCDED5bSYOswpQjSiIL7Q5fYlefAAUO95PzBPKCfUhSwhb4rKxigHfDkd81AvEicIEoA==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/@algolia/client-search": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-5.19.0.tgz", - "integrity": "sha512-Ctg3xXD/1VtcwmkulR5+cKGOMj4r0wC49Y/KZdGQcqpydKn+e86F6l3tb3utLJQVq4lpEJud6kdRykFgcNsp8Q==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-5.15.0.tgz", + "integrity": "sha512-Z32gEMrRRpEta5UqVQA612sLdoqY3AovvUPClDfMxYrbdDAebmGDVPtSogUba1FZ4pP5dx20D3OV3reogLKsRA==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/@algolia/recommend": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/recommend/-/recommend-5.19.0.tgz", - "integrity": "sha512-PbgrMTbUPlmwfJsxjFhal4XqZO2kpBNRjemLVTkUiti4w/+kzcYO4Hg5zaBgVqPwvFDNQ8JS4SS3TBBem88u+g==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/recommend/-/recommend-5.15.0.tgz", + "integrity": 
"sha512-5eupMwSqMLDObgSMF0XG958zR6GJP3f7jHDQ3/WlzCM9/YIJiWIUoJFGsko9GYsA5xbLDHE/PhWtq4chcCdaGQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + "integrity": "sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, 
"node_modules/@docsearch/react/node_modules/algoliasearch": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/algoliasearch/-/algoliasearch-5.19.0.tgz", - "integrity": "sha512-zrLtGhC63z3sVLDDKGW+SlCRN9eJHFTgdEmoAOpsVh6wgGL1GgTTDou7tpCBjevzgIvi3AIyDAQO3Xjbg5eqZg==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/algoliasearch/-/algoliasearch-5.15.0.tgz", + "integrity": "sha512-Yf3Swz1s63hjvBVZ/9f2P1Uu48GjmjCN+Esxb6MAONMGtZB1fRX8/S1AhUTtsuTlcGovbYLxpHgc7wEzstDZBw==", "license": "MIT", "dependencies": { - "@algolia/client-abtesting": "5.19.0", - "@algolia/client-analytics": "5.19.0", - "@algolia/client-common": "5.19.0", - "@algolia/client-insights": "5.19.0", - "@algolia/client-personalization": "5.19.0", - "@algolia/client-query-suggestions": "5.19.0", - "@algolia/client-search": "5.19.0", - "@algolia/ingestion": "1.19.0", - "@algolia/monitoring": "1.19.0", - "@algolia/recommend": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-abtesting": "5.15.0", + "@algolia/client-analytics": "5.15.0", + "@algolia/client-common": "5.15.0", + "@algolia/client-insights": "5.15.0", + "@algolia/client-personalization": "5.15.0", + "@algolia/client-query-suggestions": "5.15.0", + "@algolia/client-search": "5.15.0", + "@algolia/ingestion": "1.15.0", + "@algolia/monitoring": "1.15.0", + "@algolia/recommend": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docusaurus/babel": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/babel/-/babel-3.7.0.tgz", - "integrity": "sha512-0H5uoJLm14S/oKV3Keihxvh8RV+vrid+6Gv+2qhuzbqHanawga8tYnsdpjEyt36ucJjqlby2/Md2ObWjA02UXQ==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/babel/-/babel-3.6.2.tgz", + 
"integrity": "sha512-v8N8TWGXDsb5sxQC3Rcqb1CZr0LlU1OgqqVBUchN6cpIUr7EJuVJs5eHcIu5Ag8mwO/hWN3f7FE9uaHTMapAbg==", "license": "MIT", "dependencies": { "@babel/core": "^7.25.9", @@ -3620,8 +3620,8 @@ "@babel/runtime": "^7.25.9", "@babel/runtime-corejs3": "^7.25.9", "@babel/traverse": "^7.25.9", - "@docusaurus/logger": "3.7.0", - "@docusaurus/utils": "3.7.0", + "@docusaurus/logger": "3.6.2", + "@docusaurus/utils": "3.6.2", "babel-plugin-dynamic-import-node": "^2.3.3", "fs-extra": "^11.1.1", "tslib": "^2.6.0" @@ -3631,17 +3631,17 @@ } }, "node_modules/@docusaurus/bundler": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/bundler/-/bundler-3.7.0.tgz", - "integrity": "sha512-CUUT9VlSGukrCU5ctZucykvgCISivct+cby28wJwCC/fkQFgAHRp/GKv2tx38ZmXb7nacrKzFTcp++f9txUYGg==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/bundler/-/bundler-3.6.2.tgz", + "integrity": "sha512-YkEifEVs4lV931SrHBB4n6WqRowMw+aM/QPH3z8aU+5t1dWa+1p2OPqARS+tSbh3la9ns+L1zIfSbd8RHi2/PQ==", "license": "MIT", "dependencies": { "@babel/core": "^7.25.9", - "@docusaurus/babel": "3.7.0", - "@docusaurus/cssnano-preset": "3.7.0", - "@docusaurus/logger": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils": "3.7.0", + "@docusaurus/babel": "3.6.2", + "@docusaurus/cssnano-preset": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", "babel-loader": "^9.2.1", "clean-css": "^5.3.2", "copy-webpack-plugin": "^11.0.0", 
@@ -3675,18 +3675,18 @@ } }, "node_modules/@docusaurus/core": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/core/-/core-3.7.0.tgz", - "integrity": "sha512-b0fUmaL+JbzDIQaamzpAFpTviiaU4cX3Qz8cuo14+HGBCwa0evEK0UYCBFY3n4cLzL8Op1BueeroUD2LYAIHbQ==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/core/-/core-3.6.2.tgz", + "integrity": "sha512-irMts/mGLZv8dWcy0WUtbY/U6b5qIfHgQd1/kXMyAxUJo99fL0wFSqhMI+tcxjk0HYy427MXerLMqFJj+Arg1w==", "license": "MIT", "dependencies": { - "@docusaurus/babel": "3.7.0", - "@docusaurus/bundler": "3.7.0", - "@docusaurus/logger": "3.7.0", - "@docusaurus/mdx-loader": "3.7.0", - "@docusaurus/utils": "3.7.0", - "@docusaurus/utils-common": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", + "@docusaurus/babel": "3.6.2", + "@docusaurus/bundler": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/mdx-loader": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "boxen": "^6.2.1", "chalk": "^4.1.2", "chokidar": "^3.5.3", @@ -3707,12 +3707,13 @@ "p-map": "^4.0.0", "prompts": "^2.4.2", "react-dev-utils": "^12.0.1", - "react-helmet-async": "npm:@slorber/react-helmet-async@1.3.0", + "react-helmet-async": "^1.3.0", "react-loadable": "npm:@docusaurus/react-loadable@6.0.0", "react-loadable-ssr-addon-v5-slorber": "^1.0.1", "react-router": "^5.3.4", "react-router-config": "^5.1.1", "react-router-dom": "^5.3.4", + "rtl-detect": "^1.0.4", "semver": "^7.5.4", "serve-handler": "^6.1.6", "shelljs": "^0.8.5", 
@@ -3731,14 +3732,14 @@ }, "peerDependencies": { "@mdx-js/react": "^3.0.0", - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/cssnano-preset": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/cssnano-preset/-/cssnano-preset-3.7.0.tgz", - "integrity": "sha512-X9GYgruZBSOozg4w4dzv9uOz8oK/EpPVQXkp0MM6Tsgp/nRIU9hJzJ0Pxg1aRa3xCeEQTOimZHcocQFlLwYajQ==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/cssnano-preset/-/cssnano-preset-3.6.2.tgz", + "integrity": "sha512-mBkVa4QMHRwCFCVLYdBlOZuAT1iVVsS7GGSgliSVAeTOagP/AbtlBsCVrBs+keEuDuRF1w/6QEcqDoZe9fa5pw==", "license": "MIT", "dependencies": { "cssnano-preset-advanced": "^6.1.2", @@ -3751,9 +3752,9 @@ } }, "node_modules/@docusaurus/logger": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/logger/-/logger-3.7.0.tgz", - "integrity": "sha512-z7g62X7bYxCYmeNNuO9jmzxLQG95q9QxINCwpboVcNff3SJiHJbGrarxxOVMVmAh1MsrSfxWkVGv4P41ktnFsA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/logger/-/logger-3.6.2.tgz", + "integrity": "sha512-1p4IQhhgLyIfsey4UAdAIW69aUE1Ei6O91Nsw30ryZeDWSG5dh4o3zaRGOLxfAX69Ac/yDm6YCwJOafUxL6Vxg==", "license": "MIT", "dependencies": { "chalk": "^4.1.2", 
@@ -3764,14 +3765,14 @@ } }, "node_modules/@docusaurus/mdx-loader": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/mdx-loader/-/mdx-loader-3.7.0.tgz", - "integrity": "sha512-OFBG6oMjZzc78/U3WNPSHs2W9ZJ723ewAcvVJaqS0VgyeUfmzUV8f1sv+iUHA0DtwiR5T5FjOxj6nzEE8LY6VA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/mdx-loader/-/mdx-loader-3.6.2.tgz", + "integrity": "sha512-7fbRmNgF3CR96Ja82Ya0/Cdu1OL9UJ/22llNMY8lr5gAbw718Y5ryXMVRIYn0JNLTiSxzgtvW4DIsUWEB8NMpw==", "license": "MIT", "dependencies": { - "@docusaurus/logger": "3.7.0", - "@docusaurus/utils": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", + "@docusaurus/logger": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "@mdx-js/mdx": "^3.0.0", "@slorber/remark-comment": "^1.0.0", "escape-html": "^1.0.3", @@ -3798,22 +3799,22 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/module-type-aliases": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/module-type-aliases/-/module-type-aliases-3.7.0.tgz", - "integrity": "sha512-g7WdPqDNaqA60CmBrr0cORTrsOit77hbsTj7xE2l71YhBn79sxdm7WMK7wfhcaafkbpIh7jv5ef5TOpf1Xv9Lg==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/module-type-aliases/-/module-type-aliases-3.6.2.tgz", + "integrity": "sha512-NrJkL2rLTCjHtWOqUvWzwqvJrsKLj0gVJeV6q5yeKdKKgItietcTf2fTRkM9LHKSUN8CBDXxwHABeQvTahvmXQ==", "license": "MIT", "dependencies": { - "@docusaurus/types": "3.7.0", + "@docusaurus/types": "3.6.2", "@types/history": "^4.7.11", "@types/react": "*", "@types/react-router-config": "*", "@types/react-router-dom": "*", - "react-helmet-async": "npm:@slorber/react-helmet-async@*", + "react-helmet-async": "*", "react-loadable": "npm:@docusaurus/react-loadable@6.0.0" }, "peerDependencies": { 
@@ -3822,19 +3823,19 @@ } }, "node_modules/@docusaurus/plugin-content-blog": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-blog/-/plugin-content-blog-3.7.0.tgz", - "integrity": "sha512-EFLgEz6tGHYWdPU0rK8tSscZwx+AsyuBW/r+tNig2kbccHYGUJmZtYN38GjAa3Fda4NU+6wqUO5kTXQSRBQD3g==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-blog/-/plugin-content-blog-3.6.2.tgz", + "integrity": "sha512-6bJxr6Or4NslEVH3BJuPH30kUWiqUjDRdGPhvxpHmt9W/RY2/6u72WICG3bW3dLFxJ/2uDLBU92lHnatpvo7Ew==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/logger": "3.7.0", - "@docusaurus/mdx-loader": "3.7.0", - "@docusaurus/theme-common": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils": "3.7.0", - "@docusaurus/utils-common": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/mdx-loader": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "cheerio": "1.0.0-rc.12", "feed": "^4.2.2", "fs-extra": "^11.1.1", 
@@ -3851,25 +3852,25 @@ }, "peerDependencies": { "@docusaurus/plugin-content-docs": "*", - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-content-docs": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-docs/-/plugin-content-docs-3.7.0.tgz", - "integrity": "sha512-GXg5V7kC9FZE4FkUZA8oo/NrlRb06UwuICzI6tcbzj0+TVgjq/mpUXXzSgKzMS82YByi4dY2Q808njcBCyy6tQ==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-docs/-/plugin-content-docs-3.6.2.tgz", + "integrity": "sha512-e6WW1g10RIXXLN/rrtqTi/FyJ1Hj3X9Mmgz4V11/0pDCxIGGI8m4ocbAglUlLtgvbLD5viNLefl/NwbOW3JXiQ==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/logger": "3.7.0", - "@docusaurus/mdx-loader": "3.7.0", - "@docusaurus/module-type-aliases": "3.7.0", - "@docusaurus/theme-common": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils": "3.7.0", - "@docusaurus/utils-common": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/mdx-loader": "3.6.2", + "@docusaurus/module-type-aliases": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "@types/react-router-config": "^5.0.7", "combine-promises": "^1.1.0", "fs-extra": "^11.1.1", 
@@ -3883,21 +3884,21 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-content-pages": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-pages/-/plugin-content-pages-3.7.0.tgz", - "integrity": "sha512-YJSU3tjIJf032/Aeao8SZjFOrXJbz/FACMveSMjLyMH4itQyZ2XgUIzt4y+1ISvvk5zrW4DABVT2awTCqBkx0Q==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-pages/-/plugin-content-pages-3.6.2.tgz", + "integrity": "sha512-fo4NyGkw10lYHyHaTxE6TZLYnxNtCfRHeZkNK1N9pBYqe7TT2dBUNAEeVW2U3ed9m6YuB7JKSQsa++GGmcP+6g==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/mdx-loader": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/mdx-loader": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "fs-extra": "^11.1.1", "tslib": "^2.6.0", "webpack": "^5.88.1" 
@@ -3906,19 +3907,19 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-debug": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-debug/-/plugin-debug-3.7.0.tgz", - "integrity": "sha512-Qgg+IjG/z4svtbCNyTocjIwvNTNEwgRjSXXSJkKVG0oWoH0eX/HAPiu+TS1HBwRPQV+tTYPWLrUypYFepfujZA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-debug/-/plugin-debug-3.6.2.tgz", + "integrity": "sha512-T/eS3VvHElpeV5S8uwp7Si4ujEynmgFtJLvA2CSa5pzQuOF1EEghF9nekAIj0cWtDHsqNUDZNr8hK1brivFXSg==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils": "3.7.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", "fs-extra": "^11.1.1", "react-json-view-lite": "^1.2.0", "tslib": "^2.6.0" 
@@ -3927,38 +3928,38 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-google-analytics": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-analytics/-/plugin-google-analytics-3.7.0.tgz", - "integrity": "sha512-otIqiRV/jka6Snjf+AqB360XCeSv7lQC+DKYW+EUZf6XbuE8utz5PeUQ8VuOcD8Bk5zvT1MC4JKcd5zPfDuMWA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-analytics/-/plugin-google-analytics-3.6.2.tgz", + "integrity": "sha512-B7ihrr3wz8e4XqW+dIAtq844u3Z83u5CeiL1xrCqzFH+vDCjUZHTamS3zKXNcgi6YVVe6hUQXPG15ltaqQaVPQ==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "tslib": "^2.6.0" }, "engines": { "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-google-gtag": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-gtag/-/plugin-google-gtag-3.7.0.tgz", - "integrity": "sha512-M3vrMct1tY65ModbyeDaMoA+fNJTSPe5qmchhAbtqhDD/iALri0g9LrEpIOwNaoLmm6lO88sfBUADQrSRSGSWA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-gtag/-/plugin-google-gtag-3.6.2.tgz", + "integrity": "sha512-V8ijI6qddAAkJ0vd8sjZ7S/apRTLJn9dAwvj/rSMd93witGdKINemL+9TyfLkhcXKTxyqRT8zKdu8ewjPXqKHg==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "@types/gtag.js": "^0.0.12", 
"tslib": "^2.6.0" }, 
@@ -3966,41 +3967,41 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-google-tag-manager": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-tag-manager/-/plugin-google-tag-manager-3.7.0.tgz", - "integrity": "sha512-X8U78nb8eiMiPNg3jb9zDIVuuo/rE1LjGDGu+5m5CX4UBZzjMy+klOY2fNya6x8ACyE/L3K2erO1ErheP55W/w==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-tag-manager/-/plugin-google-tag-manager-3.6.2.tgz", + "integrity": "sha512-fnWQ5FdN9f8c8VTgjaQ98208Y+d/JjHhD506rWIIL9rt1cJOf29XElxvOeKpMJadfkgY5KLZSAiHkGt+4qgN4g==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "tslib": "^2.6.0" }, "engines": { "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-sitemap": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-sitemap/-/plugin-sitemap-3.7.0.tgz", - "integrity": "sha512-bTRT9YLZ/8I/wYWKMQke18+PF9MV8Qub34Sku6aw/vlZ/U+kuEuRpQ8bTcNOjaTSfYsWkK4tTwDMHK2p5S86cA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-sitemap/-/plugin-sitemap-3.6.2.tgz", + "integrity": "sha512-qcAQAP1Ot0dZpeRoJ0L/Zck5FVDkll2IleVZQLzxeRVDZIw1P9/TK7/Aw1w2pmH7dmw/Cwk/cLSVRvLAmp9k7A==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/logger": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils": "3.7.0", - "@docusaurus/utils-common": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", + "@docusaurus/core": "3.6.2", + 
"@docusaurus/logger": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "fs-extra": "^11.1.1", "sitemap": "^7.1.1", "tslib": "^2.6.0" 
@@ -4009,81 +4010,57 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" - } - }, - "node_modules/@docusaurus/plugin-svgr": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-svgr/-/plugin-svgr-3.7.0.tgz", - "integrity": "sha512-HByXIZTbc4GV5VAUkZ2DXtXv1Qdlnpk3IpuImwSnEzCDBkUMYcec5282hPjn6skZqB25M1TYCmWS91UbhBGxQg==", - "license": "MIT", - "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", - "@svgr/core": "8.1.0", - "@svgr/webpack": "^8.1.0", - "tslib": "^2.6.0", - "webpack": "^5.88.1" - }, - "engines": { - "node": ">=18.0" - }, - "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/preset-classic": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/preset-classic/-/preset-classic-3.7.0.tgz", - "integrity": "sha512-nPHj8AxDLAaQXs+O6+BwILFuhiWbjfQWrdw2tifOClQoNfuXDjfjogee6zfx6NGHWqshR23LrcN115DmkHC91Q==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/preset-classic/-/preset-classic-3.6.2.tgz", + "integrity": "sha512-r2n5eHdhiNSrJGsrrYcw+WsyStmXxe0ZG3RdA9LVyK5+jBHM8blrUWJEDugnzCNbyhUzhdtcmgCC9fhdAvKuQw==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/plugin-content-blog": "3.7.0", - "@docusaurus/plugin-content-docs": "3.7.0", - "@docusaurus/plugin-content-pages": "3.7.0", - "@docusaurus/plugin-debug": "3.7.0", - "@docusaurus/plugin-google-analytics": "3.7.0", - "@docusaurus/plugin-google-gtag": "3.7.0", - "@docusaurus/plugin-google-tag-manager": "3.7.0", - "@docusaurus/plugin-sitemap": "3.7.0", - "@docusaurus/plugin-svgr": "3.7.0", - "@docusaurus/theme-classic": "3.7.0", - "@docusaurus/theme-common": "3.7.0", - "@docusaurus/theme-search-algolia": "3.7.0", - 
"@docusaurus/types": "3.7.0" + "@docusaurus/core": "3.6.2", + "@docusaurus/plugin-content-blog": "3.6.2", + "@docusaurus/plugin-content-docs": "3.6.2", + "@docusaurus/plugin-content-pages": "3.6.2", + "@docusaurus/plugin-debug": "3.6.2", + "@docusaurus/plugin-google-analytics": "3.6.2", + "@docusaurus/plugin-google-gtag": "3.6.2", + "@docusaurus/plugin-google-tag-manager": "3.6.2", + "@docusaurus/plugin-sitemap": "3.6.2", + "@docusaurus/theme-classic": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/theme-search-algolia": "3.6.2", + "@docusaurus/types": "3.6.2" }, "engines": { "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/theme-classic": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-classic/-/theme-classic-3.7.0.tgz", - "integrity": "sha512-MnLxG39WcvLCl4eUzHr0gNcpHQfWoGqzADCly54aqCofQX6UozOS9Th4RK3ARbM9m7zIRv3qbhggI53dQtx/hQ==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-classic/-/theme-classic-3.6.2.tgz", + "integrity": "sha512-bCdOPqPNezhLx+hgNVO2Cf+8/1AHa9uHDOqTx/CKAx2I0J/jV9G+6JiMtpSRKGNfBoLT1O+56/7+WtkOf54xTw==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/logger": "3.7.0", - "@docusaurus/mdx-loader": "3.7.0", - "@docusaurus/module-type-aliases": "3.7.0", - "@docusaurus/plugin-content-blog": "3.7.0", - "@docusaurus/plugin-content-docs": "3.7.0", - "@docusaurus/plugin-content-pages": "3.7.0", - "@docusaurus/theme-common": "3.7.0", - "@docusaurus/theme-translations": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils": "3.7.0", - "@docusaurus/utils-common": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/mdx-loader": "3.6.2", + "@docusaurus/module-type-aliases": "3.6.2", + 
"@docusaurus/plugin-content-blog": "3.6.2", + "@docusaurus/plugin-content-docs": "3.6.2", + "@docusaurus/plugin-content-pages": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/theme-translations": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "@mdx-js/react": "^3.0.0", "clsx": "^2.0.0", "copy-text-to-clipboard": "^3.2.0", @@ -4102,20 +4079,20 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/theme-common": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-common/-/theme-common-3.7.0.tgz", - "integrity": "sha512-8eJ5X0y+gWDsURZnBfH0WabdNm8XMCXHv8ENy/3Z/oQKwaB/EHt5lP9VsTDTf36lKEp0V6DjzjFyFIB+CetL0A==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-common/-/theme-common-3.6.2.tgz", + "integrity": "sha512-lfgsL064KEHpCkgGUc0OYoUPCpYfzggp6Hof8sz59UuKiLvb/Z7raewE9/NfocrJ2HZI17rLgMX3SQlRDh/5gg==", "license": "MIT", "dependencies": { - "@docusaurus/mdx-loader": "3.7.0", - "@docusaurus/module-type-aliases": "3.7.0", - "@docusaurus/utils": "3.7.0", - "@docusaurus/utils-common": "3.7.0", + "@docusaurus/mdx-loader": "3.6.2", + "@docusaurus/module-type-aliases": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", "@types/history": "^4.7.11", "@types/react": "*", "@types/react-router-config": "*", 
@@ -4130,21 +4107,21 @@ }, "peerDependencies": { "@docusaurus/plugin-content-docs": "*", - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/theme-mermaid": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-mermaid/-/theme-mermaid-3.7.0.tgz", - "integrity": "sha512-7kNDvL7hm+tshjxSxIqYMtsLUPsEBYnkevej/ext6ru9xyLgCed+zkvTfGzTWNeq8rJIEe2YSS8/OV5gCVaPCw==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-mermaid/-/theme-mermaid-3.6.2.tgz", + "integrity": "sha512-Ui+rBtqMPKj3RCOxNlY04i1tEjNg+fZg4URTvkHmYR07hcKaJw+vkw+wlaYjd0HFZk+3Er9vUAcwsCWuea4cVQ==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.7.0", - "@docusaurus/module-type-aliases": "3.7.0", - "@docusaurus/theme-common": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/module-type-aliases": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "mermaid": ">=10.4", "tslib": "^2.6.0" }, 
@@ -4152,26 +4129,26 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/theme-search-algolia": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-search-algolia/-/theme-search-algolia-3.7.0.tgz", - "integrity": "sha512-Al/j5OdzwRU1m3falm+sYy9AaB93S1XF1Lgk9Yc6amp80dNxJVplQdQTR4cYdzkGtuQqbzUA8+kaoYYO0RbK6g==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-search-algolia/-/theme-search-algolia-3.6.2.tgz", + "integrity": "sha512-SFLS+Rq8Cg2yepnHucA9sRpIR97yHvZWlCgMzBLunV3KHbB6hD2h5HPhFV39wYHYCjJUAOH1lX9poJ1qKYuSvg==", "license": "MIT", "dependencies": { - "@docsearch/react": "^3.8.1", - "@docusaurus/core": "3.7.0", - "@docusaurus/logger": "3.7.0", - "@docusaurus/plugin-content-docs": "3.7.0", - "@docusaurus/theme-common": "3.7.0", - "@docusaurus/theme-translations": "3.7.0", - "@docusaurus/utils": "3.7.0", - "@docusaurus/utils-validation": "3.7.0", - "algoliasearch": "^5.17.1", - "algoliasearch-helper": "^3.22.6", + "@docsearch/react": "^3.5.2", + "@docusaurus/core": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/plugin-content-docs": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/theme-translations": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", + "algoliasearch": "^4.18.0", + "algoliasearch-helper": "^3.13.3", "clsx": "^2.0.0", "eta": "^2.2.0", "fs-extra": "^11.1.1", 
@@ -4183,131 +4160,14 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/client-analytics": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-analytics/-/client-analytics-5.19.0.tgz", - "integrity": "sha512-CDW4RwnCHzU10upPJqS6N6YwDpDHno7w6/qXT9KPbPbt8szIIzCHrva4O9KIfx1OhdsHzfGSI5hMAiOOYl4DEQ==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", - "license": "MIT", - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/client-personalization": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-personalization/-/client-personalization-5.19.0.tgz", - "integrity": "sha512-B9eoce/fk8NLboGje+pMr72pw+PV7c5Z01On477heTZ7jkxoZ4X92dobeGuEQop61cJ93Gaevd1of4mBr4hu2A==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/client-search": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-5.19.0.tgz", - "integrity": 
"sha512-Ctg3xXD/1VtcwmkulR5+cKGOMj4r0wC49Y/KZdGQcqpydKn+e86F6l3tb3utLJQVq4lpEJud6kdRykFgcNsp8Q==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/recommend": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/recommend/-/recommend-5.19.0.tgz", - "integrity": "sha512-PbgrMTbUPlmwfJsxjFhal4XqZO2kpBNRjemLVTkUiti4w/+kzcYO4Hg5zaBgVqPwvFDNQ8JS4SS3TBBem88u+g==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/algoliasearch": { - "version": "5.19.0", - "resolved": 
"https://registry.npmjs.org/algoliasearch/-/algoliasearch-5.19.0.tgz", - "integrity": "sha512-zrLtGhC63z3sVLDDKGW+SlCRN9eJHFTgdEmoAOpsVh6wgGL1GgTTDou7tpCBjevzgIvi3AIyDAQO3Xjbg5eqZg==", - "license": "MIT", - "dependencies": { - "@algolia/client-abtesting": "5.19.0", - "@algolia/client-analytics": "5.19.0", - "@algolia/client-common": "5.19.0", - "@algolia/client-insights": "5.19.0", - "@algolia/client-personalization": "5.19.0", - "@algolia/client-query-suggestions": "5.19.0", - "@algolia/client-search": "5.19.0", - "@algolia/ingestion": "1.19.0", - "@algolia/monitoring": "1.19.0", - "@algolia/recommend": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/theme-translations": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-translations/-/theme-translations-3.7.0.tgz", - "integrity": "sha512-Ewq3bEraWDmienM6eaNK7fx+/lHMtGDHQyd1O+4+3EsDxxUmrzPkV7Ct3nBWTuE0MsoZr3yNwQVKjllzCMuU3g==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-translations/-/theme-translations-3.6.2.tgz", + "integrity": "sha512-LIWrYoDUsOTKmb0c7IQzawiPUTAaczBs5IOx6srxOWoTHVUMLzJCkl5Y6whfuRrnul8G05qv2vk238bN5Ko62g==", "license": "MIT", "dependencies": { "fs-extra": "^11.1.1", @@ -4318,9 +4178,9 @@ } }, "node_modules/@docusaurus/types": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/types/-/types-3.7.0.tgz", - "integrity": "sha512-kOmZg5RRqJfH31m+6ZpnwVbkqMJrPOG5t0IOl4i/+3ruXyNfWzZ0lVtVrD0u4ONc/0NOsS9sWYaxxWNkH1LdLQ==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/types/-/types-3.6.2.tgz", + "integrity": "sha512-117Wsk6xXrWEAsCYCXS3TGJv5tkdIZDcd7T/V0UJvKYmY0gyVPPcEQChy8yTdjbIkbB2q4fa7Jpox72Qv86mqQ==", "license": "MIT", "dependencies": { "@mdx-js/mdx": "^3.0.0", 
@@ -4328,14 +4188,14 @@ "@types/react": "*", "commander": "^5.1.0", "joi": "^17.9.2", - "react-helmet-async": "npm:@slorber/react-helmet-async@1.3.0", + "react-helmet-async": "^1.3.0", "utility-types": "^3.10.0", "webpack": "^5.95.0", "webpack-merge": "^5.9.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/types/node_modules/webpack-merge": { @@ -4353,14 +4213,15 @@ } }, "node_modules/@docusaurus/utils": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/utils/-/utils-3.7.0.tgz", - "integrity": "sha512-e7zcB6TPnVzyUaHMJyLSArKa2AG3h9+4CfvKXKKWNx6hRs+p0a+u7HHTJBgo6KW2m+vqDnuIHK4X+bhmoghAFA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/utils/-/utils-3.6.2.tgz", + "integrity": "sha512-oxnpUcFZGE3uPCDoXr8GJriB3VWM9sFjPedFidX3Fsz87l1NZNc1wtbKPfQ7GYFDMYo2IGlAv5+47Me9RkM6lg==", "license": "MIT", "dependencies": { - "@docusaurus/logger": "3.7.0", - "@docusaurus/types": "3.7.0", - "@docusaurus/utils-common": "3.7.0", + "@docusaurus/logger": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@svgr/webpack": "^8.1.0", "escape-string-regexp": "^4.0.0", "file-loader": "^6.2.0", "fs-extra": "^11.1.1", @@ -4384,12 +4245,12 @@ } }, "node_modules/@docusaurus/utils-common": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/utils-common/-/utils-common-3.7.0.tgz", - "integrity": "sha512-IZeyIfCfXy0Mevj6bWNg7DG7B8G+S6o6JVpddikZtWyxJguiQ7JYr0SIZ0qWd8pGNuMyVwriWmbWqMnK7Y5PwA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/utils-common/-/utils-common-3.6.2.tgz", + "integrity": "sha512-dr5wK+OyU2QAWxG7S5siD2bPgS7+ZeqWHfgLNHZ5yalaZf8TbeNNLqydfngukAY56BGZN0NbMkX6jGIr7ZF0sA==", "license": "MIT", "dependencies": { - "@docusaurus/types": "3.7.0", + "@docusaurus/types": "3.6.2", "tslib": "^2.6.0" }, "engines": { 
@@ -4397,14 +4258,14 @@ } }, "node_modules/@docusaurus/utils-validation": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/@docusaurus/utils-validation/-/utils-validation-3.7.0.tgz", - "integrity": "sha512-w8eiKk8mRdN+bNfeZqC4nyFoxNyI1/VExMKAzD9tqpJfLLbsa46Wfn5wcKH761g9WkKh36RtFV49iL9lh1DYBA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/utils-validation/-/utils-validation-3.6.2.tgz", + "integrity": "sha512-Y3EwblDz72KOcobb5t2zlhHSmrfE8EaHusPJ96Kx2JYtNXL2omqCoOb6FpaXWhES75wvjUpkFLYfiNqAqEov8g==", "license": "MIT", "dependencies": { - "@docusaurus/logger": "3.7.0", - "@docusaurus/utils": "3.7.0", - "@docusaurus/utils-common": "3.7.0", + "@docusaurus/logger": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", "fs-extra": "^11.2.0", "joi": "^17.9.2", "js-yaml": "^4.1.0", @@ -6027,9 +5888,9 @@ } }, "node_modules/algoliasearch-helper": { - "version": "3.23.0", - "resolved": "https://registry.npmjs.org/algoliasearch-helper/-/algoliasearch-helper-3.23.0.tgz", - "integrity": "sha512-8CK4Gb/ju4OesAYcS+mjBpNiVA7ILWpg7D2vhBZohh0YkG8QT1KZ9LG+8+EntQBUGoKtPy06OFhiwP4f5zzAQg==", + "version": "3.22.5", + "resolved": "https://registry.npmjs.org/algoliasearch-helper/-/algoliasearch-helper-3.22.5.tgz", + "integrity": "sha512-lWvhdnc+aKOKx8jyA3bsdEgHzm/sglC4cYdMG4xSQyRiPLJVJtH/IVYZG3Hp6PkTEhQqhyVYkeP9z2IlcHJsWw==", "license": "MIT", "dependencies": { "@algolia/events": "^4.0.1" 
@@ -6171,9 +6032,9 @@ } }, "node_modules/asciinema-player": { - "version": "3.9.0", - "resolved": "https://registry.npmjs.org/asciinema-player/-/asciinema-player-3.9.0.tgz", - "integrity": "sha512-SXVFImVzeNr8ZUdNIHABGuzlbnGWTKy245AquAjODsAnv+Lp6vxjYGN0LfA8ns30tnx/ag/bMrTbLq13TpHE6w==", + "version": "3.8.1", + "resolved": "https://registry.npmjs.org/asciinema-player/-/asciinema-player-3.8.1.tgz", + "integrity": "sha512-NkpbFg81Y6iJFpDRndakLCQ0G26XSpvuT3vJTFjMRgHb26lqHgRNY9gun54e5MehZ4fEDNYkMZv+z6MfZ8c2aA==", "license": "Apache-2.0", "dependencies": { "@babel/runtime": "^7.21.0", @@ -16226,9 +16087,9 @@ } }, "node_modules/prism-react-renderer": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/prism-react-renderer/-/prism-react-renderer-2.4.1.tgz", - "integrity": "sha512-ey8Ls/+Di31eqzUxC46h8MksNuGx/n0AAC8uKpwFau4RPDYLuE3EXTp8N8G2vX2N7UC/+IXeNUnlWBGGcAG+Ig==", + "version": "2.4.0", + "resolved": "https://registry.npmjs.org/prism-react-renderer/-/prism-react-renderer-2.4.0.tgz", + "integrity": "sha512-327BsVCD/unU4CNLZTWVHyUHKnsqcvj2qbPlQ8MiBE2eq2rgctjigPA1Gp9HLF83kZ20zNN6jgizHJeEsyFYOw==", "license": "MIT", "dependencies": { "@types/prismjs": "^1.26.0", @@ -17370,6 +17231,12 @@ "points-on-path": "^0.2.1" } }, + "node_modules/rtl-detect": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/rtl-detect/-/rtl-detect-1.1.2.tgz", + "integrity": "sha512-PGMBq03+TTG/p/cRB7HCLKJ1MgDIi07+QU1faSjiYRfmY5UsAttV9Hs08jDAHVwcOwmVLcSJkpwyfXszVjWfIQ==", + "license": "BSD-3-Clause" + }, "node_modules/rtlcss": { "version": "4.3.0", "resolved": "https://registry.npmjs.org/rtlcss/-/rtlcss-4.3.0.tgz", diff --git a/docs/package.json b/docs/package.json index e6ce2f372..5ee770b61 100644 --- a/docs/package.json +++ b/docs/package.json 
@@ -15,23 +15,23 @@
 },
 "dependencies": {
 "@cmfcmf/docusaurus-search-local": "1.2.0",
- "@docusaurus/core": "3.7.0",
- "@docusaurus/preset-classic": "3.7.0",
- "@docusaurus/theme-mermaid": "3.7.0",
+ "@docusaurus/core": "3.6.2",
+ "@docusaurus/preset-classic": "3.6.2",
+ "@docusaurus/theme-mermaid": "3.6.2",
 "@mdx-js/react": "3.1.0",
- "asciinema-player": "3.9.0",
+ "asciinema-player": "3.8.1",
 "clsx": "2.1.1",
- "prism-react-renderer": "2.4.1",
+ "prism-react-renderer": "2.4.0",
 "react": "18.3.1",
 "react-dom": "18.3.1"
 },
 "devDependencies": {
- "@docusaurus/module-type-aliases": "3.7.0",
- "@docusaurus/types": "3.7.0"
+ "@docusaurus/module-type-aliases": "3.6.2",
+ "@docusaurus/types": "3.6.2"
 },
 "overrides": {
 "@cmfcmf/docusaurus-search-local": {
- "@docusaurus/core": "3.7.0",
+ "@docusaurus/core": "3.6.2",
 "cheerio": "1.0.0-rc.12"
 }
 },
diff --git a/docs/screencasts/docker/Dockerfile b/docs/screencasts/docker/Dockerfile
index 404593d4d..0b965f876 100644
--- a/docs/screencasts/docker/Dockerfile
+++ b/docs/screencasts/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:24.04@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233
+FROM ubuntu:22.04@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97
 # Install requirements
 RUN apt-get update && apt-get install -y software-properties-common &&\
diff --git a/docs/versioned_docs/version-2.0/getting-started/first-steps.md b/docs/versioned_docs/version-2.0/getting-started/first-steps.md
index caec42ded..08adfbd12 100644
--- a/docs/versioned_docs/version-2.0/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.0/getting-started/first-steps.md
@@ -137,11 +137,11 @@ The following steps guide you through the process of creating a cluster and depl
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
- * **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+ * **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
- * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+ * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.1/getting-started/first-steps.md b/docs/versioned_docs/version-2.1/getting-started/first-steps.md
index 10cf3d7b9..d729fd0cf 100644
--- a/docs/versioned_docs/version-2.1/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.1/getting-started/first-steps.md
@@ -142,11 +142,11 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
- * **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+ * **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
- * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+ * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.10/getting-started/first-steps.md b/docs/versioned_docs/version-2.10/getting-started/first-steps.md
index 4420eb708..9f6034e6b 100644
--- a/docs/versioned_docs/version-2.10/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.10/getting-started/first-steps.md
@@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat
 ```bash
- constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config
+ constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
 ```
- This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
+ This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
diff --git a/docs/versioned_docs/version-2.10/workflows/config.md b/docs/versioned_docs/version-2.10/workflows/config.md
index edc3c9091..4dab6bd50 100644
--- a/docs/versioned_docs/version-2.10/workflows/config.md
+++ b/docs/versioned_docs/version-2.10/workflows/config.md
@@ -160,10 +160,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 ```bash
-constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test
+constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
 ```
-This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`.
+This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`.
@@ -240,11 +240,11 @@ The following describes the configuration fields and how you obtain the required
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
-* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
-* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.11/getting-started/first-steps.md b/docs/versioned_docs/version-2.11/getting-started/first-steps.md
index 9ebe21701..9811597e6 100644
--- a/docs/versioned_docs/version-2.11/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.11/getting-started/first-steps.md
@@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat
 ```bash
- constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config
+ constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
 ```
- This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
+ This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
diff --git a/docs/versioned_docs/version-2.11/workflows/config.md b/docs/versioned_docs/version-2.11/workflows/config.md
index edc3c9091..4dab6bd50 100644
--- a/docs/versioned_docs/version-2.11/workflows/config.md
+++ b/docs/versioned_docs/version-2.11/workflows/config.md
@@ -160,10 +160,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 ```bash
-constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test
+constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
 ```
-This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`.
+This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`.
@@ -240,11 +240,11 @@ The following describes the configuration fields and how you obtain the required
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
-* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
-* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.12/getting-started/first-steps.md b/docs/versioned_docs/version-2.12/getting-started/first-steps.md
index 9ebe21701..9811597e6 100644
--- a/docs/versioned_docs/version-2.12/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.12/getting-started/first-steps.md
@@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat
 ```bash
- constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config
+ constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
 ```
- This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
+ This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
diff --git a/docs/versioned_docs/version-2.12/workflows/config.md b/docs/versioned_docs/version-2.12/workflows/config.md
index edc3c9091..4dab6bd50 100644
--- a/docs/versioned_docs/version-2.12/workflows/config.md
+++ b/docs/versioned_docs/version-2.12/workflows/config.md
@@ -160,10 +160,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 ```bash
-constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test
+constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
 ```
-This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`.
+This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`.
@@ -240,11 +240,11 @@ The following describes the configuration fields and how you obtain the required
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
-* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
-* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.13/getting-started/first-steps.md b/docs/versioned_docs/version-2.13/getting-started/first-steps.md
index 3ec110064..287e0737a 100644
--- a/docs/versioned_docs/version-2.13/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.13/getting-started/first-steps.md
@@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat
 ```bash
- constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config
+ constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
 ```
- This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
+ This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
diff --git a/docs/versioned_docs/version-2.13/workflows/config.md b/docs/versioned_docs/version-2.13/workflows/config.md
index edc3c9091..4dab6bd50 100644
--- a/docs/versioned_docs/version-2.13/workflows/config.md
+++ b/docs/versioned_docs/version-2.13/workflows/config.md
@@ -160,10 +160,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 ```bash
-constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test
+constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
 ```
-This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`.
+This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`.
@@ -240,11 +240,11 @@ The following describes the configuration fields and how you obtain the required
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
-* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
-* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.13/workflows/terraform-module.md b/docs/versioned_docs/version-2.13/workflows/terraform-module.md
index e38a4cc2c..07525cd27 100644
--- a/docs/versioned_docs/version-2.13/workflows/terraform-module.md
+++ b/docs/versioned_docs/version-2.13/workflows/terraform-module.md
@@ -100,11 +100,11 @@ The files are deleted on `terraform destroy`.
 name = "constell"
 project = "constell-proj" // replace with your project id
 service_account_id = "constid"
- zone = "europe-west3-a"
+ zone = "europe-west2-a"
 node_groups = {
 control_plane_default = {
 role = "control-plane"
- zone = "europe-west3-a"
+ zone = "europe-west2-a"
 instance_type = "n2d-standard-4"
 disk_size = 30
 disk_type = "pd-ssd"
@@ -112,7 +112,7 @@ The files are deleted on `terraform destroy`.
 },
 worker_default = {
 role = "worker"
- zone = "europe-west3-a"
+ zone = "europe-west2-a"
 instance_type = "n2d-standard-4"
 disk_size = 30
 disk_type = "pd-ssd"
diff --git a/docs/versioned_docs/version-2.14/getting-started/first-steps.md b/docs/versioned_docs/version-2.14/getting-started/first-steps.md
index e4e6c8e48..a1f6cba25 100644
--- a/docs/versioned_docs/version-2.14/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.14/getting-started/first-steps.md
@@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat
 ```bash
- constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config
+ constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
 ```
- This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
+ This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
diff --git a/docs/versioned_docs/version-2.14/workflows/config.md b/docs/versioned_docs/version-2.14/workflows/config.md
index 5e938c29c..81d2b49fd 100644
--- a/docs/versioned_docs/version-2.14/workflows/config.md
+++ b/docs/versioned_docs/version-2.14/workflows/config.md
@@ -152,10 +152,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 ```bash
-constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test
+constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
 ```
-This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`.
+This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`.
@@ -232,11 +232,11 @@ The following describes the configuration fields and how you obtain the required
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
-* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
-* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.15/getting-started/first-steps.md b/docs/versioned_docs/version-2.15/getting-started/first-steps.md
index 8618fb843..a6efd758f 100644
--- a/docs/versioned_docs/version-2.15/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.15/getting-started/first-steps.md
@@ -73,10 +73,10 @@ If you encounter any problem with the following steps, make sure to use the [lat
 ```bash
- constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config
+ constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
 ```
- This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
+ This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
diff --git a/docs/versioned_docs/version-2.15/workflows/config.md b/docs/versioned_docs/version-2.15/workflows/config.md
index be9cc6a98..92ff9d040 100644
--- a/docs/versioned_docs/version-2.15/workflows/config.md
+++ b/docs/versioned_docs/version-2.15/workflows/config.md
@@ -157,10 +157,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 ```bash
-constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test
+constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
 ```
-This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`.
+This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`.
@@ -244,11 +244,11 @@ The following describes the configuration fields and how you obtain the required
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
-* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
-* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.16/getting-started/first-steps.md b/docs/versioned_docs/version-2.16/getting-started/first-steps.md
index 738868551..d82d93836 100644
--- a/docs/versioned_docs/version-2.16/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.16/getting-started/first-steps.md
@@ -102,10 +102,10 @@ If you encounter any problem with the following steps, make sure to use the [lat
 ```bash
- constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config
+ constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
 ```
- This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
+ This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
diff --git a/docs/versioned_docs/version-2.16/workflows/config.md b/docs/versioned_docs/version-2.16/workflows/config.md
index 11cf31cbd..120bf8ed7 100644
--- a/docs/versioned_docs/version-2.16/workflows/config.md
+++ b/docs/versioned_docs/version-2.16/workflows/config.md
@@ -210,10 +210,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 ```bash
-constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test
+constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
 ```
-This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`.
+This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`.
@@ -308,11 +308,11 @@ The following describes the configuration fields and how you obtain the required
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
-* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
-* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.17/getting-started/first-steps.md b/docs/versioned_docs/version-2.17/getting-started/first-steps.md
index c31263ed3..9b37efa64 100644
--- a/docs/versioned_docs/version-2.17/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.17/getting-started/first-steps.md
@@ -102,10 +102,10 @@ If you encounter any problem with the following steps, make sure to use the [lat
 ```bash
- constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config
+ constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
 ```
- This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
+ This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
diff --git a/docs/versioned_docs/version-2.17/workflows/config.md b/docs/versioned_docs/version-2.17/workflows/config.md
index 11cf31cbd..120bf8ed7 100644
--- a/docs/versioned_docs/version-2.17/workflows/config.md
+++ b/docs/versioned_docs/version-2.17/workflows/config.md
@@ -210,10 +210,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 ```bash
-constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test
+constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
 ```
-This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`.
+This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`.
@@ -308,11 +308,11 @@ The following describes the configuration fields and how you obtain the required
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
-* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
-* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.18/getting-started/first-steps.md b/docs/versioned_docs/version-2.18/getting-started/first-steps.md
index 18b723565..128ac2849 100644
--- a/docs/versioned_docs/version-2.18/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.18/getting-started/first-steps.md
@@ -102,10 +102,10 @@ If you encounter any problem with the following steps, make sure to use the [lat
 ```bash
- constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config
+ constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
 ```
- This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
+ This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
diff --git a/docs/versioned_docs/version-2.18/workflows/config.md b/docs/versioned_docs/version-2.18/workflows/config.md
index a8a52980e..95f791acd 100644
--- a/docs/versioned_docs/version-2.18/workflows/config.md
+++ b/docs/versioned_docs/version-2.18/workflows/config.md
@@ -210,10 +210,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 ```bash
-constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test
+constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
 ```
-This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`.
+This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`.
@@ -308,11 +308,11 @@ The following describes the configuration fields and how you obtain the required
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
-* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
-* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.19/getting-started/first-steps.md b/docs/versioned_docs/version-2.19/getting-started/first-steps.md
index 2afe95635..128ac2849 100644
--- a/docs/versioned_docs/version-2.19/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.19/getting-started/first-steps.md
@@ -102,10 +102,10 @@ If you encounter any problem with the following steps, make sure to use the [lat
 ```bash
- constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config
+ constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
 ```
- This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
+ This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
@@ -117,12 +117,6 @@ If you encounter any problem with the following steps, make sure to use the [lat
 * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud))
- :::caution
-
- `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`.
-
- :::
-
diff --git a/docs/versioned_docs/version-2.19/getting-started/install.md b/docs/versioned_docs/version-2.19/getting-started/install.md
index 29be1e7f6..bc0a8c959 100644
--- a/docs/versioned_docs/version-2.19/getting-started/install.md
+++ b/docs/versioned_docs/version-2.19/getting-started/install.md
@@ -418,7 +418,7 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se
 :::caution
-`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file.
+`project_id` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `clouds.yaml` file.
 It's of the format "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX".
 :::
diff --git a/docs/versioned_docs/version-2.19/workflows/config.md b/docs/versioned_docs/version-2.19/workflows/config.md
index a8a52980e..95f791acd 100644
--- a/docs/versioned_docs/version-2.19/workflows/config.md
+++ b/docs/versioned_docs/version-2.19/workflows/config.md
@@ -210,10 +210,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 ```bash
-constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test
+constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
 ```
-This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`.
+This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`.
 Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`.
@@ -308,11 +308,11 @@ The following describes the configuration fields and how you obtain the required
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
-* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
-* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.2/getting-started/first-steps.md b/docs/versioned_docs/version-2.2/getting-started/first-steps.md
index ef4861cbe..3dcb4f6c5 100644
--- a/docs/versioned_docs/version-2.2/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.2/getting-started/first-steps.md
@@ -149,11 +149,11 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
- * **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+ * **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
- * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+ * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.20/_media/SLSA-Badge-full-level3.svg b/docs/versioned_docs/version-2.20/_media/SLSA-Badge-full-level3.svg
deleted file mode 100644
index 7154d4a13..000000000
--- a/docs/versioned_docs/version-2.20/_media/SLSA-Badge-full-level3.svg
+++ /dev/null
@@ -1,47 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_bw.png b/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_bw.png
deleted file mode 100644
index a82ebe2d0..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_bw.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_iops.png b/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_iops.png
deleted file mode 100644
index 1723257a8..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_iops.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_bw.png b/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_bw.png
deleted file mode 100644
index 4f0ecc94b..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_bw.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_iops.png b/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_iops.png
deleted file mode 100644
index 571086da2..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_iops.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_azure.png b/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_azure.png
deleted file mode 100644
index 9130349c7..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_azure.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_gcp.png b/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_gcp.png
deleted file mode 100644
index a41557e96..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_gcp.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_azure.png b/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_azure.png
deleted file mode 100644
index d83e17f5a..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_azure.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_gcp.png b/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_gcp.png
deleted file mode 100644
index 55916a1de..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_gcp.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/max_latency.png b/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/max_latency.png
deleted file mode 100644
index 696250181..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/max_latency.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/mean_latency.png b/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/mean_latency.png
deleted file mode 100644
index 3b43298ac..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/mean_latency.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/min_latency.png b/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/min_latency.png
deleted file mode 100644
index 1046df67e..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/min_latency.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/p99_latency.png b/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/p99_latency.png
deleted file mode 100644
index 0190118b2..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/p99_latency.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/concept-constellation.svg b/docs/versioned_docs/version-2.20/_media/concept-constellation.svg
deleted file mode 100644
index 30d32bf6d..000000000
--- a/docs/versioned_docs/version-2.20/_media/concept-constellation.svg
+++ /dev/null
@@ -1,460 +0,0 @@
-
-
diff --git a/docs/versioned_docs/version-2.20/_media/concept-managed.svg b/docs/versioned_docs/version-2.20/_media/concept-managed.svg
deleted file mode 100644
index 5645a608f..000000000
--- a/docs/versioned_docs/version-2.20/_media/concept-managed.svg
+++ /dev/null
@@ -1,591 +0,0 @@
-
-
diff --git a/docs/versioned_docs/version-2.20/_media/constellation_oneline.svg b/docs/versioned_docs/version-2.20/_media/constellation_oneline.svg
deleted file mode 100644
index 4e354958a..000000000
--- a/docs/versioned_docs/version-2.20/_media/constellation_oneline.svg
+++ /dev/null
@@ -1,52 +0,0 @@
-
-
-
-
-
-
-
-
diff --git a/docs/versioned_docs/version-2.20/_media/example-emojivoto.jpg b/docs/versioned_docs/version-2.20/_media/example-emojivoto.jpg
deleted file mode 100644
index 4be0d5b26..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/example-emojivoto.jpg and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/example-online-boutique.jpg b/docs/versioned_docs/version-2.20/_media/example-online-boutique.jpg
deleted file mode 100644
index 026f0d865..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/example-online-boutique.jpg and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/recovery-gcp-serial-console-link.png b/docs/versioned_docs/version-2.20/_media/recovery-gcp-serial-console-link.png
deleted file mode 100644
index eb67f0e99..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/recovery-gcp-serial-console-link.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/tcb.svg b/docs/versioned_docs/version-2.20/_media/tcb.svg
deleted file mode 100644
index e5bcb5b95..000000000
--- a/docs/versioned_docs/version-2.20/_media/tcb.svg
+++ /dev/null
@@ -1,535 +0,0 @@
-
-
diff --git a/docs/versioned_docs/version-2.20/architecture/attestation.md b/docs/versioned_docs/version-2.20/architecture/attestation.md
deleted file mode 100644
index 9bd157460..000000000
--- a/docs/versioned_docs/version-2.20/architecture/attestation.md
+++ /dev/null
@@ -1,409 +0,0 @@
-# Attestation
-
-This page explains Constellation's attestation process and highlights the cornerstones of its trust model.
-
-## Terms
-
-The following lists terms and concepts that help to understand the attestation concept of Constellation.
-
-### Trusted Platform Module (TPM)
-
-A TPM chip is a dedicated tamper-resistant crypto-processor.
-It can securely store artifacts such as passwords, certificates, encryption keys, or *runtime measurements* (more on this below).
-When a TPM is implemented in software, it's typically called a *virtual* TPM (vTPM).
-
-### Runtime measurement
-
-A runtime measurement is a cryptographic hash of the memory pages of a so called *runtime component*. Runtime components of interest typically include a system's bootloader or OS kernel.
-
-### Platform Configuration Register (PCR)
-
-A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties.
-To store a new value in a PCR, the existing value is extended with a new value as follows:
-
-```
-PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend )
-```
-
-The PCRs are typically used to store runtime measurements.
-The new value of a PCR is always an extension of the existing value.
-Thus, storing the measurements of multiple components into the same PCR irreversibly links them together.
-
-### Measured boot
-
-Measured boot builds on the concept of chained runtime measurements.
-Each component in the boot chain loads and measures the next component into the PCR before executing it.
-By comparing the resulting PCR values against trusted reference values, the integrity of the entire boot chain and thereby the running system can be ensured.
-
-### Remote attestation (RA)
-
-Remote attestation is the process of verifying certain properties of an application or platform, such as integrity and confidentiality, from a remote location.
-In the case of a measured boot, the goal is to obtain a signed attestation statement on the PCR values of the boot measurements.
-The statement can then be verified and compared to a set of trusted reference values.
-This way, the integrity of the platform can be ensured before sharing secrets with it.
-
-### Confidential virtual machine (CVM)
-
-Confidential computing (CC) is the protection of data in-use with hardware-based trusted execution environments (TEEs).
-With CVMs, TEEs encapsulate entire virtual machines and isolate them against the hypervisor, other VMs, and direct memory access.
-After loading the initial VM image into encrypted memory, the hypervisor calls for a secure processor to measure these initial memory pages.
-The secure processor locks these pages and generates an attestation report on the initial page measurements.
-CVM memory pages are encrypted with a key that resides inside the secure processor, which makes sure only the guest VM can access them.
-The attestation report is signed by the secure processor and can be verified using remote attestation via the certificate authority of the hardware vendor.
-Such an attestation statement guarantees the confidentiality and integrity of a CVM.
-
-### Attested TLS (aTLS)
-
-In a CC environment, attested TLS (aTLS) can be used to establish secure connections between two parties using the remote attestation features of the CC components.
-
-aTLS modifies the TLS handshake by embedding an attestation statement into the TLS certificate.
-Instead of relying on a certificate authority, aTLS uses this attestation statement to establish trust in the certificate.
-
-The protocol can be used by clients to verify a server certificate, by a server to verify a client certificate, or for mutual verification (mutual aTLS).
-
-## Overview
-
-The challenge for Constellation is to lift a CVM's attestation statement to the Kubernetes software layer and make it end-to-end verifiable.
-From there, Constellation needs to expand the attestation from a single CVM to the entire cluster.
-
-The [*JoinService*](microservices.md#joinservice) and [*VerificationService*](microservices.md#verificationservice) are where all runs together.
-Internally, the *JoinService* uses remote attestation to securely join CVM nodes to the cluster.
-Externally, the *VerificationService* provides an attestation statement for the cluster's CVMs and configuration.
-
-The following explains the details of both steps.
-
-## Node attestation
-
-The idea is that Constellation nodes should have verifiable integrity from the CVM hardware measurement up to the Kubernetes software layer.
-The solution is a verifiable boot chain and an integrity-protected runtime environment.
-
-Constellation uses measured boot within CVMs, measuring each component in the boot process before executing it.
-Outside of CC, this is usually implemented via TPMs.
-CVM technologies differ in how they implement runtime measurements, but the general concepts are similar to those of a TPM.
-For simplicity, TPM terminology like *PCR* is used in the following.
-
-When a Constellation node image boots inside a CVM, measured boot is used for all stages and components of the boot chain.
-This process goes up to the root filesystem.
-The root filesystem is mounted read-only with integrity protection.
-For the details on the image and boot stages see the [image architecture](../architecture/images.md) documentation.
-Any changes to the image will inevitably also change the corresponding PCR values.
-To create a node attestation statement, the Constellation image obtains a CVM attestation statement from the hardware.
-This includes the runtime measurements and thereby binds the measured boot results to the CVM hardware measurement.
-
-In addition to the image measurements, Constellation extends a PCR during the [initialization phase](../workflows/create.md) that irrevocably marks the node as initialized.
-The measurement is created using the [*clusterID*](../architecture/keys.md#cluster-identity), tying all future attestation statements to this ID.
-Thereby, an attestation statement is unique for every cluster and a node can be identified unambiguously as being initialized.
-
-To verify an attestation, the hardware's signature and a statement are verified first to establish trust in the contained runtime measurements.
-If successful, the measurements are verified against the trusted values of the particular Constellation release version.
-Finally, the measurement of the *clusterID* can be compared by calculating it with the [master secret](keys.md#master-secret).
-
-### Runtime measurements
-
-Constellation uses runtime measurements to implement the measured boot approach.
-As stated above, the underlying hardware technology and guest firmware differ in their implementations of runtime measurements.
-The following gives a detailed description of the available measurements in the different cloud environments.
-
-The runtime measurements consist of two types of values:
-
-* **Measurements produced by the cloud infrastructure and firmware of the CVM**:
-These are measurements of closed-source firmware and other values controlled by the cloud provider.
-While not being reproducible for the user, some of them can be compared against previously observed values.
-Others may change frequently and aren't suitable for verification.
-The [signed image measurements](#chain-of-trust) include measurements that are known, previously observed values.
-
-* **Measurements produced by the Constellation bootloader and boot chain**:
-The Constellation Bootloader takes over from the CVM firmware and [measures the rest of the boot chain](images.md).
-The Constellation [Bootstrapper](microservices.md#bootstrapper) is the first user mode component that runs in a Constellation image.
-It extends PCR registers with the [IDs](keys.md#cluster-identity) of the cluster marking a node as initialized.
-
-Constellation allows to specify in the config which measurements should be enforced during the attestation process.
-Enforcing non-reproducible measurements controlled by the cloud provider means that changes in these values require manual updates to the cluster's config.
-By default, Constellation only enforces measurements that are stable values produced by the infrastructure or by Constellation directly.
-
-
-
-
-Constellation uses the [vTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) (NitroTPM) feature of the [AWS Nitro System](http://aws.amazon.com/ec2/nitro/) on AWS for runtime measurements.
-
-The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification.
-The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot).
-
-The following table lists all PCR values of the vTPM and the measured components.
-It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable.
-The latter means that the value can be generated offline and compared to the one in the vTPM.
-
-| PCR | Components | Measured by | Reproducible and verifiable |
-| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- |
-| 0 | Firmware | AWS | No |
-| 1 | Firmware | AWS | No |
-| 2 | Firmware | AWS | No |
-| 3 | Firmware | AWS | No |
-| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | AWS, Constellation Bootloader | Yes |
-| 5 | Firmware | AWS | No |
-| 6 | Firmware | AWS | No |
-| 7 | Secure Boot Policy | AWS, Constellation Bootloader | No |
-| 8 | - | - | - |
-| 9 | initramfs, Kernel command line | Linux Kernel | Yes |
-| 10 | User space | Linux IMA | No[^1] |
-| 11 | Unified Kernel Image components | Constellation Bootloader | Yes |
-| 12 | Reserved | (User space, Constellation Bootloader) | Yes |
-| 13 | Reserved | (Constellation Bootloader) | Yes |
-| 14 | Secure Boot State | Constellation Bootloader | No |
-| 15 | ClusterID | Constellation Bootstrapper | Yes |
-| 16–23 | Unused | - | - |
-
-
-
-
-Constellation uses the [vTPM](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm) feature of Azure CVMs for runtime measurements.
-This vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification.
-It provides a [measured boot](https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation#measured-boot) verification that's based on the trusted launch feature of [Trusted Launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch).
-
-The following table lists all PCR values of the vTPM and the measured components.
-It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable.
-The latter means that the value can be generated offline and compared to the one in the vTPM.
-
-| PCR | Components | Measured by | Reproducible and verifiable |
-| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- |
-| 0 | Firmware | Azure | No |
-| 1 | Firmware | Azure | No |
-| 2 | Firmware | Azure | No |
-| 3 | Firmware | Azure | No |
-| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | Azure, Constellation Bootloader | Yes |
-| 5 | Reserved | Azure | No |
-| 6 | VM Unique ID | Azure | No |
-| 7 | Secure Boot State | Azure, Constellation Bootloader | No |
-| 8 | - | - | - |
-| 9 | initramfs, Kernel command line | Linux Kernel | Yes |
-| 10 | User space | Linux IMA | No[^1] |
-| 11 | Unified Kernel Image components | Constellation Bootloader | Yes |
-| 12 | Reserved | (User space, Constellation Bootloader) | Yes |
-| 13 | Reserved | (Constellation Bootloader) | Yes |
-| 14 | Secure Boot State | Constellation Bootloader | No |
-| 15 | ClusterID | Constellation Bootstrapper | Yes |
-| 16–23 | Unused | - | - |
-
-
-
-
-Constellation uses the [vTPM](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) feature of CVMs on GCP for runtime measurements.
-Note that this vTPM doesn't run inside the hardware-protected CVM context, but is emulated by the hypervisor.
-
-The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification.
-It provides a [launch attestation report](https://cloud.google.com/compute/confidential-vm/docs/monitoring#about_launch_attestation_report_events) that's based on the measured boot feature of [Shielded VMs](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#measured-boot).
-
-The following table lists all PCR values of the vTPM and the measured components.
-It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable.
-The latter means that the value can be generated offline and compared to the one in the vTPM.
-
-| PCR | Components | Measured by | Reproducible and verifiable |
-| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- |
-| 0 | CVM version and technology | GCP | No |
-| 1 | Firmware | GCP | No |
-| 2 | Firmware | GCP | No |
-| 3 | Firmware | GCP | No |
-| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | GCP, Constellation Bootloader | Yes |
-| 5 | Disk GUID partition table | GCP | No |
-| 6 | Disk GUID partition table | GCP | No |
-| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No |
-| 8 | - | - | - |
-| 9 | initramfs, Kernel command line | Linux Kernel | Yes |
-| 10 | User space | Linux IMA | No[^1] |
-| 11 | Unified Kernel Image components | Constellation Bootloader | Yes |
-| 12 | Reserved | (User space, Constellation Bootloader) | Yes |
-| 13 | Reserved | (Constellation Bootloader) | Yes |
-| 14 | Secure Boot State | Constellation Bootloader | No |
-| 15 | ClusterID | Constellation Bootstrapper | Yes |
-| 16–23 | Unused | - | - |
-
-
-
-
-Constellation uses a hypervisor-based vTPM for runtime measurements.
-
-The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification.
-The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot).
-
-The following table lists all PCR values of the vTPM and the measured components.
-It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable.
-The latter means that the value can be generated offline and compared to the one in the vTPM.
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | STACKIT | No | -| 1 | Firmware | STACKIT | No | -| 2 | Firmware | STACKIT | No | -| 3 | Firmware | STACKIT | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | STACKIT, Constellation Bootloader | Yes | -| 5 | Firmware | STACKIT | No | -| 6 | Firmware | STACKIT | No | -| 7 | Secure Boot Policy | STACKIT, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -### CVM verification - -To verify the integrity of the received attestation statement, a chain of trust from the CVM technology to the interface providing the statement has to be established. -For verification of the CVM technology, Constellation may expose additional options in its config file. - - - - -On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. 
- -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On Azure, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the vTPM running inside the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* Firmware Signer - - This config option allows you to specify how the firmware signer should be verified. - More explicitly, it controls the verification of the `IDKeyDigest` value in the SEV-SNP attestation report. - You can provide a list of accepted key digests and specify a policy on how this list is compared against the reported `IDKeyDigest`. - - - - -On GCP, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. 
- Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs. -The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements). -There is no additional configuration available for STACKIT. - - - - -## Cluster attestation - -Cluster-facing, Constellation's [*JoinService*](microservices.md#joinservice) verifies each node joining the cluster given the configured ground truth runtime measurements. -User-facing, the [*VerificationService*](microservices.md#verificationservice) provides an interface to verify a node using remote attestation. -By verifying the first node during the [initialization](microservices.md#bootstrapper) and configuring the ground truth measurements that are subsequently enforced by the *JoinService*, the whole cluster is verified in a transitive way. - -### Cluster-facing attestation - -The *JoinService* is provided with the runtime measurements of the whitelisted Constellation image version as the ground truth. -During the initialization and the cluster bootstrapping, each node connects to the *JoinService* using [aTLS](#attested-tls-atls). -During the handshake, the node transmits an attestation statement including its runtime measurements. -The *JoinService* verifies that statement and compares the measurements against the ground truth. -For details of the initialization process check the [microservice descriptions](microservices.md). 
- -After the initialization, every node updates its runtime measurements with the *clusterID* value, marking it irreversibly as initialized. -When an initialized node tries to join another cluster, its measurements inevitably mismatch the measurements of an uninitialized node and it will be declined. - -### User-facing attestation - -The [*VerificationService*](microservices.md#verificationservice) provides an endpoint for obtaining its hardware-based remote attestation statement, which includes the runtime measurements. -A user can [verify](../workflows/verify-cluster.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy. - -## Putting it all together - -This section puts the aforementioned concepts together and illustrate how trust into a Constellation cluster is established and maintained. - -### CLI and node images - -It all starts with the CLI executable. The CLI is signed by Edgeless Systems. To ensure non-repudiability for CLI releases, Edgeless Systems publishes corresponding signatures to the public ledger of the [sigstore project](https://www.sigstore.dev/). There's a [step-by-step guide](../workflows/verify-cli.md) on how to verify CLI signatures based on sigstore. - -The CLI contains the latest runtime measurements of the Constellation node image for all supported cloud platforms. In case a different version of the node image is to be used, the corresponding runtime measurements can be fetched using the CLI's [fetch-measurements command](../reference/cli.md#constellation-config-fetch-measurements). This command downloads the runtime measurements and the corresponding signature from cdn.confidential.cloud. 
See for example the following files corresponding to node image v2.16.3: - -* [Measurements](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json) -* [Signature](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json.sig) - -The CLI contains the long-term public key of Edgeless Systems to verify the signature of downloaded runtime measurements. - -### Cluster creation - -When a cluster is [created](../workflows/create.md), the CLI automatically verifies the runtime measurements of the *first node* using remote attestation. Based on this, the CLI and the first node set up a temporary TLS connection. This [aTLS](#attested-tls-atls) connection is used for two things: - -1. The CLI sends the [master secret](../architecture/keys.md#master-secret) of the to-be-created cluster to the CLI. The master secret is generated by the first node. -2. The first node sends a [kubeconfig file](https://www.redhat.com/sysadmin/kubeconfig) with Kubernetes credentials to the CLI. - -After this, the aTLS connection is closed and the first node bootstraps the Kubernetes cluster. All subsequent interactions between the CLI and the cluster go via the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/) server running inside the cluster. The CLI (and other tools like kubectl) use the credentials referenced by the kubeconfig file to authenticate themselves towards the Kubernetes API server and to establish a mTLS connection. - -The CLI connects to the Kubernetes API to write the runtime measurements for the applicable node image to etcd. The JoinService uses these runtime measurements to verify all nodes that join the cluster subsequently. - -### Chain of trust - -In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the cluster via the CLI. This is illustrated in the following diagram. 
- -```mermaid -flowchart LR - A[User]-- "verifies" -->B[CLI] - B[CLI]-- "verifies" -->C([Runtime measurements]) - D[Edgeless Systems]-- "signs" -->B[CLI] - D[Edgeless Systems]-- "signs" -->C([Runtime measurements]) - B[CLI]-- "verifies (remote attestation)" -->E[First node] - E[First node]-- "verifies (remote attestation)" -->F[Other nodes] - C([Runtime measurements]) -.-> E[First node] - C([Runtime measurements]) -.-> F[Other nodes] -``` - -### Upgrades - -Whenever a cluster is [upgraded](../workflows/upgrade.md) to a new version of the node image, the CLI sends the corresponding runtime measurements via the Kubernetes API server. The new runtime measurements are stored in etcd within the cluster and replace any previous runtime measurements. The new runtime measurements are then used automatically by the JoinService for the verification of new nodes. - -## References - -[^1]: Linux IMA produces runtime measurements of user-space binaries. -However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value. -Instead, a policy engine must be used to verify the TPM event log against a policy. diff --git a/docs/versioned_docs/version-2.20/architecture/encrypted-storage.md b/docs/versioned_docs/version-2.20/architecture/encrypted-storage.md deleted file mode 100644 index f047fa4a9..000000000 --- a/docs/versioned_docs/version-2.20/architecture/encrypted-storage.md +++ /dev/null 
@@ -1,62 +0,0 @@ -# Encrypted persistent storage - -Confidential VMs provide runtime memory encryption to protect data in use. -In the context of Kubernetes, this is sufficient for the confidentiality and integrity of stateless services. -Consider a front-end web server, for example, that keeps all connection information cached in main memory. -No sensitive data is ever written to an insecure medium. -However, many real-world applications need some form of state or data-lake service that's connected to a persistent storage device and requires encryption at rest. -As described in [Use persistent storage](../workflows/storage.md), cloud service providers (CSPs) use the container storage interface (CSI) to make their storage solutions available to Kubernetes workloads. -These CSI storage solutions often support some sort of encryption. -For example, Google Cloud [encrypts data at rest by default](https://cloud.google.com/security/encryption/default-encryption), without any action required by the customer. - -## Cloud provider-managed encryption - -CSP-managed storage solutions encrypt the data in the cloud backend before writing it physically to disk. -In the context of confidential computing and Constellation, the CSP and its managed services aren't trusted. -Hence, cloud provider-managed encryption protects your data from offline hardware access to physical storage devices. -It doesn't protect it from anyone with infrastructure-level access to the storage backend or a malicious insider in the cloud platform. -Even with "bring your own key" or similar concepts, the CSP performs the encryption process with access to the keys and plaintext data. - -In the security model of Constellation, securing persistent storage and thereby data at rest requires that all cryptographic operations are performed inside a trusted execution environment. -Consequently, using CSP-managed encryption of persistent storage usually isn't an option. 
- -## Constellation-managed encryption - -Constellation provides CSI drivers for storage solutions in all major clouds with built-in encryption support. -Block storage provisioned by the CSP is [mapped](https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html) using the [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html), and optionally the [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html), kernel modules, before it's formatted and accessed by the Kubernetes workloads. -All cryptographic operations happen inside the trusted environment of the confidential Constellation node. - -Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported. - -By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](microservices.md#keyservice). -The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret). -This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator. - -Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs. - -Refer to [keys and cryptography](keys.md) for more details on key management in Constellation. - -Once deployed and configured, the CSI driver ensures transparent encryption and integrity of all persistent volumes provisioned via its storage class. -Data at rest is secured without any additional actions required by the developer. - -## Cryptographic algorithms - -This section gives an overview of the libraries, cryptographic algorithms, and their configurations, used in Constellation's CSI drivers. 
- -### dm-crypt - -To interact with the dm-crypt kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/). -New devices are formatted as [LUKS2](https://gitlab.com/cryptsetup/LUKS2-docs/-/tree/master) partitions with a sector size of 4096 bytes. -The used key derivation function is [Argon2id](https://datatracker.ietf.org/doc/html/rfc9106) with the [recommended parameters for memory-constrained environments](https://datatracker.ietf.org/doc/html/rfc9106#section-7.4) of 3 iterations and 64 MiB of memory, utilizing 4 parallel threads. -For encryption Constellation uses AES in XTS-Plain64. The key size is 512 bit. - -### dm-integrity - -To interact with the dm-integrity kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/). -When enabled, the used data integrity algorithm is [HMAC](https://datatracker.ietf.org/doc/html/rfc2104) with SHA256 as the hash function. -The tag size is 32 Bytes. - -## Encrypted S3 object storage - -Constellation comes with a service that you can use to transparently retrofit client-side encryption to existing applications that use S3 (AWS or compatible) for storage. -To learn more, check out the [s3proxy documentation](../workflows/s3proxy.md). diff --git a/docs/versioned_docs/version-2.20/architecture/images.md b/docs/versioned_docs/version-2.20/architecture/images.md deleted file mode 100644 index 8a9c51d36..000000000 --- a/docs/versioned_docs/version-2.20/architecture/images.md +++ /dev/null 
@@ -1,49 +0,0 @@ -# Constellation images - -Constellation uses a minimal version of Fedora as the operating system running inside confidential VMs. This Linux distribution is optimized for containers and designed to be stateless. -The Constellation images provide measured boot and an immutable filesystem. - -## Measured boot - -```mermaid -flowchart LR - Firmware --> Bootloader - Bootloader --> uki - subgraph uki[Unified Kernel Image] - Kernel[Kernel] - initramfs[Initramfs] - cmdline[Kernel Command Line] - end - uki --> rootfs[Root Filesystem] -``` - -Measured boot uses a Trusted Platform Module (TPM) to measure every part of the boot process. This allows for verification of the integrity of a running system at any point in time. To ensure correct measurements of every stage, each stage is responsible to measure the next stage before transitioning. - -### Firmware - -With confidential VMs, the firmware is the root of trust and is measured automatically at boot. After initialization, the firmware will load and measure the bootloader before executing it. - -### Bootloader - -The bootloader is the first modifiable part of the boot chain. The bootloader is tasked with loading the kernel, initramfs and setting the kernel command line. The Constellation bootloader measures these components before starting the kernel. - -### initramfs - -The initramfs is a small filesystem loaded to prepare the actual root filesystem. The Constellation initramfs maps the block device containing the root filesystem with [dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html). The initramfs then mounts the root filesystem from the mapped block device. - -dm-verity provides integrity checking using a cryptographic hash tree. When a block is read, its integrity is checked by verifying the tree against a trusted root hash. The initramfs reads this root hash from the previously measured kernel command line. 
Thus, if any block of the root filesystem's device is modified on disk, trying to read the modified block will result in a kernel panic at runtime. - -After mounting the root filesystem, the initramfs will switch over and start the `init` process of the integrity-protected root filesystem. - -## State disk - -In addition to the read-only root filesystem, each Constellation node has a disk for storing state data. -This disk is mounted readable and writable by the initramfs and contains data that should persist across reboots. -Such data can contain sensitive information and, therefore, must be stored securely. -To that end, the state disk is protected by authenticated encryption. -See the section on [keys and encryption](keys.md#storage-encryption) for more information on the cryptographic primitives in use. - -## Kubernetes components - -During initialization, the [*Bootstrapper*](microservices.md#bootstrapper) downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) as configured by the user. -They're stored on the state partition and can be updated once new releases need to be installed. diff --git a/docs/versioned_docs/version-2.20/architecture/keys.md b/docs/versioned_docs/version-2.20/architecture/keys.md deleted file mode 100644 index 49821cd0b..000000000 --- a/docs/versioned_docs/version-2.20/architecture/keys.md +++ /dev/null 
@@ -1,130 +0,0 @@ -# Key management and cryptographic primitives - -Constellation protects and isolates your cluster and workloads. -To that end, cryptography is the foundation that ensures the confidentiality and integrity of all components. -Evaluating the security and compliance of Constellation requires a precise understanding of the cryptographic primitives and keys used. -The following gives an overview of the architecture and explains the technical details. - -## Confidential VMs - -Confidential VM (CVM) technology comes with hardware and software components for memory encryption, isolation, and remote attestation. -For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories. - -## Master secret - -The master secret is the cryptographic material used for deriving the [*clusterID*](#cluster-identity) and the *key encryption key (KEK)* for [storage encryption](#storage-encryption). -It's generated during the bootstrapping of a Constellation cluster. -It can either be managed by [Constellation](#constellation-managed-key-management) or an [external key management system](#user-managed-key-management). -In case of [recovery](#recovery-and-migration), the master secret allows to decrypt the state and recover a Constellation cluster. - -## Cluster identity - -The identity of a Constellation cluster is represented by cryptographic [measurements](attestation.md#runtime-measurements): - -The **base measurements** represent the identity of a valid, uninitialized Constellation node. -They depend on the node image, but are otherwise the same for every Constellation cluster. -On node boot, they're determined using the CVM's attestation mechanism and [measured boot up to the read-only root filesystem](images.md). - -The **clusterID** represents the identity of a single initialized Constellation cluster. 
-It's derived from the master secret and a cryptographically random salt and unique for every Constellation cluster. -The [Bootstrapper](microservices.md#bootstrapper) measures the *clusterID* into its own PCR before executing any code not measured as part of the *base measurements*. -See [Node attestation](attestation.md#node-attestation) for details. - -The remote attestation statement of a Constellation cluster combines the *base measurements* and the *clusterID* for a verifiable, unspoofable, unique identity. - -## Network encryption - -Constellation encrypts all cluster network communication using the [container network interface (CNI)](https://github.com/containernetworking/cni). -See [network encryption](networking.md) for more details. - -The Cilium agent running on each node establishes a secure [WireGuard](https://www.wireguard.com/) tunnel between it and all other known nodes in the cluster. -Each node creates its own [Curve25519](http://cr.yp.to/ecdh.html) encryption key pair and distributes its public key via Kubernetes. -A node uses another node's public key to decrypt and encrypt traffic from and to Cilium-managed endpoints running on that node. -Connections are always encrypted peer-to-peer using [ChaCha20](http://cr.yp.to/chacha.html) with [Poly1305](http://cr.yp.to/mac.html). -WireGuard implements [forward secrecy with key rotation every 2 minutes](https://lists.zx2c4.com/pipermail/wireguard/2017-December/002141.html). - -## Storage encryption - -Constellation supports transparent encryption of persistent storage. -The Linux kernel's device mapper-based encryption features are used to encrypt the data on the block storage level. 
-Currently, the following primitives are used for block storage encryption: - -* [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html) -* [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html) - -Adding primitives for integrity protection in the CVM attacker model are under active development and will be available in a future version of Constellation. -See [encrypted storage](encrypted-storage.md) for more details. - -As a cluster administrator, when creating a cluster, you can use the Constellation [installation program](orchestration.md) to select one of the following methods for key management: - -* Constellation-managed key management -* User-managed key management - -### Constellation-managed key management - -#### Key material and key derivation - -During the creation of a Constellation cluster, the cluster's master secret is used to derive a KEK. -This means creating two clusters with the same master secret will yield the same KEK. -Any data encryption key (DEK) is derived from the KEK via HKDF. -Note that the master secret is recommended to be unique for every cluster and shouldn't be reused (except in case of [recovering](../workflows/recovery.md) a cluster). - -#### State and storage - -The KEK is derived from the master secret during the initialization. -Subsequently, all other key material is derived from the KEK. -Given the same KEK, any DEK can be derived deterministically from a given identifier. -Hence, there is no need to store DEKs. They can be derived on demand. -After the KEK was derived, it's stored in memory only and never leaves the CVM context. - -#### Availability - -Constellation-managed key management has the same availability as the underlying Kubernetes cluster. 
-Therefore, the KEK is stored in the [distributed Kubernetes etcd storage](https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/) to allow for unexpected but non-fatal (control-plane) node failure. -The etcd storage is backed by the encrypted and integrity protected [state disk](images.md#state-disk) of the nodes. - -#### Recovery - -Constellation clusters can be recovered in the event of a disaster, even when all node machines have been stopped and need to be rebooted. -For details on the process see the [recovery workflow](../workflows/recovery.md). - -### User-managed key management - -User-managed key management is under active development and will be available soon. -In scenarios where constellation-managed key management isn't an option, this mode allows you to keep full control of your keys. -For example, compliance requirements may force you to keep your KEKs in an on-prem key management system (KMS). - -During the creation of a Constellation cluster, you specify a KEK present in a remote KMS. -This follows the common scheme of "bring your own key" (BYOK). -Constellation will support several KMSs for managing the storage and access of your KEK. -Initially, it will support the following KMSs: - -* [AWS KMS](https://aws.amazon.com/kms/) -* [GCP KMS](https://cloud.google.com/security-key-management) -* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) -* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip) - -Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM). -In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available. -Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering. - -KMIP support allows you to use your KMIP-compatible on-prem KMS and keep full control over your keys. 
-This follows the common scheme of "hold your own key" (HYOK). - -The KEK is used to encrypt per-data "data encryption keys" (DEKs). -DEKs are generated to encrypt your data before storing it on persistent storage. -After being encrypted by the KEK, the DEKs are stored on dedicated cloud storage for persistence. -Currently, Constellation supports the following cloud storage options: - -* [AWS S3](https://aws.amazon.com/s3/) -* [GCP Cloud Storage](https://cloud.google.com/storage) -* [Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/blobs/#overview) - -The DEKs are only present in plaintext form in the encrypted main memory of the CVMs. -Similarly, the cryptographic operations for encrypting data before writing it to persistent storage are performed in the context of the CVMs. - -#### Recovery and migration - -In the case of a disaster, the KEK can be used to decrypt the DEKs locally and subsequently use them to decrypt and retrieve the data. -In case of migration, configuring the same KEK will provide seamless migration of data. -Thus, only the DEK storage needs to be transferred to the new cluster alongside the encrypted data for seamless migration. diff --git a/docs/versioned_docs/version-2.20/architecture/microservices.md b/docs/versioned_docs/version-2.20/architecture/microservices.md deleted file mode 100644 index 90bae783b..000000000 --- a/docs/versioned_docs/version-2.20/architecture/microservices.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Microservices - -Constellation takes care of bootstrapping and initializing a Confidential Kubernetes cluster. -During the lifetime of the cluster, it handles day 2 operations such as key management, remote attestation, and updates. -These features are provided by several microservices: - -* The [Bootstrapper](microservices.md#bootstrapper) initializes a Constellation node and bootstraps the cluster -* The [JoinService](microservices.md#joinservice) joins new nodes to an existing cluster -* The [VerificationService](microservices.md#verificationservice) provides remote attestation functionality -* The [KeyService](microservices.md#keyservice) manages Constellation-internal keys - -The relations between microservices are shown in the following diagram: - -```mermaid -flowchart LR - subgraph admin [Admin's machine] - A[Constellation CLI] - end - subgraph img [Constellation OS image] - B[Constellation OS] - C[Bootstrapper] - end - subgraph Kubernetes - D[JoinService] - E[KeyService] - F[VerificationService] - end - A -- deploys --> - B -- starts --> C - C -- deploys --> D - C -- deploys --> E - C -- deploys --> F -``` - -## Bootstrapper - -The *Bootstrapper* is the first microservice launched after booting a Constellation node image. -It sets up that machine as a Kubernetes node and integrates that node into the Kubernetes cluster. -To this end, the *Bootstrapper* first downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) at the configured versions. -The *Bootstrapper* tries to find an existing cluster and if successful, communicates with the [JoinService](microservices.md#joinservice) to join the node. -Otherwise, it waits for an initialization request to create a new Kubernetes cluster. - -## JoinService - -The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node. 
-New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls). -The *JoinService* verifies the new node's certificate and attestation statement. -If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](microservices.md#keyservice) for its state disk, and a Kubernetes bootstrap token. - - -```mermaid -sequenceDiagram - participant New node - participant JoinService - New node->>JoinService: aTLS handshake (server side verification) - JoinService-->>New node: # - New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane) - JoinService->>+KeyService: GetDataKey(DiskUUID) - KeyService-->>-JoinService: DiskEncryptionKey - JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ... -``` - -## VerificationService - -The *VerificationService* runs as DaemonSet on each node. -It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation). -Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side. - -## KeyService - -The *KeyService* runs as DaemonSet on each control-plane node. -It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes. -Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively. 
diff --git a/docs/versioned_docs/version-2.20/architecture/networking.md b/docs/versioned_docs/version-2.20/architecture/networking.md deleted file mode 100644 index e9cbdf029..000000000 --- a/docs/versioned_docs/version-2.20/architecture/networking.md +++ /dev/null 
@@ -1,22 +0,0 @@
-# Network encryption
-
-Constellation encrypts all pod communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-To that end, Constellation deploys, configures, and operates the [Cilium](https://cilium.io/) CNI plugin.
-Cilium provides [transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption) for all cluster traffic using either IPSec or [WireGuard](https://www.wireguard.com/).
-Currently, Constellation only supports WireGuard as the encryption engine.
-You can read more about the cryptographic soundness of WireGuard [in their white paper](https://www.wireguard.com/papers/wireguard.pdf).
-
-Cilium is actively working on implementing a feature called [`host-to-host`](https://github.com/cilium/cilium/pull/19401) encryption mode for WireGuard.
-With `host-to-host`, all traffic between nodes will be tunneled via WireGuard (host-to-host, host-to-pod, pod-to-host, pod-to-pod).
-Until the `host-to-host` feature is released, Constellation enables `pod-to-pod` encryption.
-This mode encrypts all traffic between Kubernetes pods using WireGuard tunnels.
-
-When using Cilium in the default setup but with encryption enabled, there is a [known issue](https://docs.cilium.io/en/v1.12/gettingstarted/encryption/#egress-traffic-to-not-yet-discovered-remote-endpoints-may-be-unencrypted)
-that can cause pod-to-pod traffic to be unencrypted.
-To mitigate this issue, Constellation adds a *strict* mode to Cilium's `pod-to-pod` encryption.
-This mode changes the default behavior of traffic that's destined for an unknown endpoint to not be send out in plaintext, but instead being dropped.
-The strict mode distinguishes between traffic that's send to a pod from traffic that's destined for a cluster-external endpoint by considering the pod's CIDR range.
-
-Traffic originating from hosts isn't encrypted yet.
-This mainly includes health checks from Kubernetes API server.
-Also, traffic proxied over the API server via e.g. `kubectl port-forward` isn't encrypted.
diff --git a/docs/versioned_docs/version-2.20/architecture/observability.md b/docs/versioned_docs/version-2.20/architecture/observability.md
deleted file mode 100644
index 0f4daffd4..000000000
--- a/docs/versioned_docs/version-2.20/architecture/observability.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# Observability
-
-In Kubernetes, observability is the ability to gain insight into the behavior and performance of applications.
-It helps identify and resolve issues more effectively, ensuring stability and performance of Kubernetes workloads, reducing downtime and outages, and improving efficiency.
-The "three pillars of observability" are logs, metrics, and traces.
-
-In the context of Confidential Computing, observability is a delicate subject and needs to be applied such that it doesn't leak any sensitive information.
-The following gives an overview of where and how you can apply standard observability tools in Constellation.
-
-## Cloud resource monitoring
-
-While inaccessible, Constellation's nodes are still visible as black box VMs to the hypervisor.
-Resource consumption, such as memory and CPU utilization, can be monitored from the outside and observed via the cloud platforms directly.
-Similarly, other resources, such as storage and network and their respective metrics, are visible via the cloud platform.
-
-## Metrics
-
-Metrics are numeric representations of data measured over intervals of time. They're essential for understanding system health and gaining insights using telemetry signals.
-
-By default, Constellation exposes the [metrics for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/) inside the cluster.
-Similarly, the [etcd metrics](https://etcd.io/docs/v3.5/metrics/) endpoints are exposed inside the cluster.
-These [metrics endpoints can be disabled](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/#disabling-metrics).
-
-You can collect these cluster-internal metrics via tools such as [Prometheus](https://prometheus.io/) or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-Constellation's CNI Cilium also supports [metrics via Prometheus endpoints](https://docs.cilium.io/en/latest/observability/metrics/).
-However, in Constellation, they're disabled by default and must be enabled first.
-
-## Logs
-
-Logs represent discrete events that usually describe what's happening with your service.
-The payload is an actual message emitted from your system along with a metadata section containing a timestamp, labels, and tracking identifiers.
-
-### System logs
-
-Detailed system-level logs are accessible via `/var/log` and [journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) on the nodes directly.
-They can be collected from there, for example, via [Filebeat and Logstash](https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html), which are tools of the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-In case of an error during the initialization, the CLI automatically collects the [Bootstrapper](./microservices.md#bootstrapper) logs and returns these as a file for [troubleshooting](../workflows/troubleshooting.md). Here is an example of such an event:
-
-```shell-session
-Cluster initialization failed. This error is not recoverable.
-Terminate your cluster and try again.
-Fetched bootstrapper logs are stored in "constellation-cluster.log"
-```
-
-### Kubernetes logs
-
-Constellation supports the [Kubernetes logging architecture](https://kubernetes.io/docs/concepts/cluster-administration/logging/).
-By default, logs are written to the nodes' encrypted state disks.
-These include the Pod and container logs and the [system component logs](https://kubernetes.io/docs/concepts/cluster-administration/logging/#system-component-logs).
-
-[Constellation services](microservices.md) run as Pods inside the `kube-system` namespace and use the standard container logging mechanism.
-The same applies for the [Cilium Pods](https://docs.cilium.io/en/latest/operations/troubleshooting/#logs).
-
-You can collect logs from within the cluster via tools such as [Fluentd](https://github.com/fluent/fluentd), [Loki](https://github.com/grafana/loki), or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-## Traces
-
-Modern systems are implemented as interconnected complex and distributed microservices. Understanding request flows and system communications is challenging, mainly because all systems in a chain need to be modified to propagate tracing information. Distributed tracing is a new approach to increasing observability and understanding performance bottlenecks. A trace represents consecutive events that reflect an end-to-end request path in a distributed system.
-
-Constellation supports [traces for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-traces/).
-By default, they're disabled and need to be enabled first.
-
-Similarly, Cilium can be enabled to [export traces](https://cilium.io/use-cases/metrics-export/).
-
-You can collect these traces via tools such as [Jaeger](https://www.jaegertracing.io/) or [Zipkin](https://zipkin.io/).
-
-## Integrations
-
-Platforms and SaaS solutions such as Datadog, logz.io, Dynatrace, or New Relic facilitate the observability challenge for Kubernetes and provide all-in-one SaaS solutions.
-They install agents into the cluster that collect metrics, logs, and tracing information and upload them into the data lake of the platform.
-Technically, the agent-based approach is compatible with Constellation, and attaching these platforms is straightforward.
-However, you need to evaluate if the exported data might violate Constellation's compliance and privacy guarantees by uploading them to a third-party platform.
diff --git a/docs/versioned_docs/version-2.20/architecture/orchestration.md b/docs/versioned_docs/version-2.20/architecture/orchestration.md
deleted file mode 100644
index 3c8d529e7..000000000
--- a/docs/versioned_docs/version-2.20/architecture/orchestration.md
+++ /dev/null
@@ -1,83 +0,0 @@
-# Orchestrating Constellation clusters
-
-You can use the CLI to create a cluster on the supported cloud platforms.
-The CLI provisions the resources in your cloud environment and initiates the initialization of your cluster.
-It uses a set of parameters and an optional configuration file to manage your cluster installation.
-The CLI is also used for updating your cluster.
-
-## Workspaces
-
-Each Constellation cluster has an associated *workspace*.
-The workspace is where data such as the Constellation state and config files are stored.
-Each workspace is associated with a single cluster and configuration.
-The CLI stores state in the local filesystem making the current directory the active workspace.
-Multiple clusters require multiple workspaces, hence, multiple directories.
-Note that every operation on a cluster always has to be performed from the directory associated with its workspace.
-
-You may copy files from the workspace to other locations,
-but you shouldn't move or delete them while the cluster is still being used.
-The Constellation CLI takes care of managing the workspace.
-Only when a cluster was terminated, and you are sure the files aren't needed anymore, should you remove a workspace.
-
-## Cluster creation process
-
-To allow for fine-grained configuration of your cluster and cloud environment, Constellation supports an extensive configuration file with strong defaults. [Generating the configuration file](../workflows/config.md) is typically the first thing you do in the workspace.
-
-Altogether, the following files are generated during the creation of a Constellation cluster and stored in the current workspace:
-
-* a configuration file
-* a state file
-* a Base64-encoded master secret
-* [Terraform artifacts](../reference/terraform.md), stored in subdirectories
-* a Kubernetes `kubeconfig` file.
-
-After the initialization of your cluster, the CLI will provide you with a Kubernetes `kubeconfig` file.
-This file grants you access to your Kubernetes cluster and configures the [kubectl](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) tool.
-In addition, the cluster's [identifier](orchestration.md#post-installation-configuration) is returned and stored in the state file.
-
-### Creation process details
-
-1. The CLI `apply` command first creates the confidential VM (CVM) resources in your cloud environment and configures the network
-2. Each CVM boots the Constellation node image and measures every component in the boot chain
-3. The first microservice launched in each node is the [*Bootstrapper*](microservices.md#bootstrapper)
-4. The *Bootstrapper* waits until it either receives an initialization request or discovers an initialized cluster
-5. The CLI then connects to the *Bootstrapper* of a selected node, sends the configuration, and initiates the initialization of the cluster
-6. The *Bootstrapper* of **that** node [initializes the Kubernetes cluster](microservices.md#bootstrapper) and deploys the other Constellation [microservices](microservices.md) including the [*JoinService*](microservices.md#joinservice)
-7. Subsequently, the *Bootstrappers* of the other nodes discover the initialized cluster and send join requests to the *JoinService*
-8. As part of the join request each node includes an attestation statement of its boot measurements as authentication
-9. The *JoinService* verifies the attestation statements and joins the nodes to the Kubernetes cluster
-10. This process is repeated for every node joining the cluster later (e.g., through autoscaling)
-
-## Post-installation configuration
-
-Post-installation the CLI provides a configuration for [accessing the cluster using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/).
-The `kubeconfig` file provides the credentials and configuration for connecting and authenticating to the API server.
-Once configured, orchestrate the Kubernetes cluster via `kubectl`.
-
-After the initialization, the CLI will present you with a couple of tokens:
-
-* The [*master secret*](keys.md#master-secret) (stored in the `constellation-mastersecret.json` file by default)
-* The [*clusterID*](keys.md#cluster-identity) of your cluster in Base64 encoding
-
-You can read more about these values and their meaning in the guide on [cluster identity](keys.md#cluster-identity).
-
-The *master secret* must be kept secret and can be used to [recover your cluster](../workflows/recovery.md).
-Instead of managing this secret manually, you can [use your key management solution of choice](keys.md#user-managed-key-management) with Constellation.
-
-The *clusterID* uniquely identifies a cluster and can be used to [verify your cluster](../workflows/verify-cluster.md).
-
-## Upgrades
-
-Constellation images and microservices may need to be upgraded to new versions during the lifetime of a cluster.
-Constellation implements a rolling update mechanism ensuring no downtime of the control or data plane.
-You can upgrade a Constellation cluster with a single operation by using the CLI.
-For step-by-step instructions on how to do this, refer to [Upgrade your cluster](../workflows/upgrade.md).
-
-### Attestation of upgrades
-
-With every new image, corresponding measurements are released.
-During an update procedure, the CLI provides new measurements to the [JoinService](microservices.md#joinservice) securely.
-New measurements for an updated image are automatically pulled and verified by the CLI following the [supply chain security concept](attestation.md#chain-of-trust) of Constellation.
-The [attestation section](attestation.md#cluster-facing-attestation) describes in detail how these measurements are then used by the JoinService for the attestation of nodes.
-
-
diff --git a/docs/versioned_docs/version-2.20/architecture/overview.md b/docs/versioned_docs/version-2.20/architecture/overview.md
deleted file mode 100644
index 386f93b2f..000000000
--- a/docs/versioned_docs/version-2.20/architecture/overview.md
+++ /dev/null
@@ -1,30 +0,0 @@
-# Overview
-
-Constellation is a cloud-based confidential orchestration platform.
-The foundation of Constellation is Kubernetes and therefore shares the same technology stack and architecture principles.
-To learn more about Constellation and Kubernetes, see [product overview](../overview/product.md).
-
-## About orchestration and updates
-
-As a cluster administrator, you can use the [Constellation CLI](orchestration.md) to install and deploy a cluster.
-Updates are provided in accordance with the [support policy](versions.md).
-
-## About microservices and attestation
-
-Constellation manages the nodes and network in your cluster. All nodes are bootstrapped by the [*Bootstrapper*](microservices.md#bootstrapper). They're verified and authenticated by the [*JoinService*](microservices.md#joinservice) before being added to the cluster and the network. Finally, the entire cluster can be verified via the [*VerificationService*](microservices.md#verificationservice) using [remote attestation](attestation.md).
-
-## About node images and verified boot
-
-Constellation comes with operating system images for Kubernetes control-plane and worker nodes.
-They're highly optimized for running containerized workloads and specifically prepared for running inside confidential VMs.
-You can learn more about [the images](images.md) and how verified boot ensures their integrity during boot and beyond.
-
-## About key management and cryptographic primitives
-
-Encryption of data at-rest, in-transit, and in-use is the fundamental building block for confidential computing and Constellation. Learn more about the [keys and cryptographic primitives](keys.md) used in Constellation, [encrypted persistent storage](encrypted-storage.md), and [network encryption](networking.md).
-
-## About observability
-
-Observability in Kubernetes refers to the capability to troubleshoot issues using telemetry signals such as logs, metrics, and traces.
-In the realm of Confidential Computing, it's crucial that observability aligns with confidentiality, necessitating careful implementation.
-Learn more about the [observability capabilities in Constellation](./observability.md).
diff --git a/docs/versioned_docs/version-2.20/architecture/versions.md b/docs/versioned_docs/version-2.20/architecture/versions.md
deleted file mode 100644
index 9d5a064e0..000000000
--- a/docs/versioned_docs/version-2.20/architecture/versions.md
+++ /dev/null
@@ -1,21 +0,0 @@
-# Versions and support policy
-
-All components of Constellation use a three-digit version number of the form `v..`.
-The components are released in lock step, usually on the first Tuesday of every month. This release primarily introduces new features, but may also include security or performance improvements. The `MINOR` version will be incremented as part of this release.
-
-Additional `PATCH` releases may be created on demand, to fix security issues or bugs before the next `MINOR` release window.
-
-New releases are published on [GitHub](https://github.com/edgelesssys/constellation/releases).
-
-## Kubernetes support policy
-
-Constellation is aligned to the [version support policy of Kubernetes](https://kubernetes.io/releases/version-skew-policy/#supported-versions), and therefore usually supports the most recent three minor versions.
-When a new minor version of Kubernetes is released, support is added to the next Constellation release, and that version then supports four Kubernetes versions.
-Subsequent Constellation releases drop support for the oldest (and deprecated) Kubernetes version.
-
-The following Kubernetes versions are currently supported:
-
-
-* v1.28.15
-* v1.29.11
-* v1.30.7
diff --git a/docs/versioned_docs/version-2.20/getting-started/examples.md b/docs/versioned_docs/version-2.20/getting-started/examples.md
deleted file mode 100644
index fded84980..000000000
--- a/docs/versioned_docs/version-2.20/getting-started/examples.md
+++ /dev/null
@@ -1,6 +0,0 @@ -# Examples - -After you [installed the CLI](install.md) and [created your first cluster](first-steps.md), you're ready to deploy applications. Why not start with one of the following examples? -* [Emojivoto](examples/emojivoto.md): a simple but fun web application -* [Online Boutique](examples/online-boutique.md): an e-commerce demo application by Google consisting of 11 separate microservices -* [Horizontal Pod Autoscaling](examples/horizontal-scaling.md): an example demonstrating Constellation's autoscaling capabilities diff --git a/docs/versioned_docs/version-2.20/getting-started/examples/emojivoto.md b/docs/versioned_docs/version-2.20/getting-started/examples/emojivoto.md deleted file mode 100644 index 2bbe27917..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/examples/emojivoto.md +++ /dev/null @@ -1,22 +0,0 @@ -# Emojivoto -[Emojivoto](https://github.com/BuoyantIO/emojivoto) is a simple and fun application that's well suited to test the basic functionality of your cluster. - - - -emojivoto - Web UI - - - -1. Deploy the application: - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` -2. Wait until it becomes available: - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - ``` -3. Forward the web service to your machine: - ```bash - kubectl -n emojivoto port-forward svc/web-svc 8080:80 - ``` -4. Visit [http://localhost:8080](http://localhost:8080) diff --git a/docs/versioned_docs/version-2.20/getting-started/examples/filestash-s3proxy.md b/docs/versioned_docs/version-2.20/getting-started/examples/filestash-s3proxy.md deleted file mode 100644 index b9a394256..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/examples/filestash-s3proxy.md +++ /dev/null 
@@ -1,107 +0,0 @@ - -# Deploying Filestash - -Filestash is a web frontend for different storage backends, including S3. -It's a useful application to showcase s3proxy in action. - -1. Deploy s3proxy as described in [Deployment](../../workflows/s3proxy.md#deployment). -2. Create a deployment file for Filestash with one pod: - -```sh -cat << EOF > "deployment-filestash.yaml" -apiVersion: apps/v1 -kind: Deployment -metadata: - name: filestash -spec: - replicas: 1 - selector: - matchLabels: - app: filestash - template: - metadata: - labels: - app: filestash - spec: - hostAliases: - - ip: $(kubectl get svc s3proxy-service -o=jsonpath='{.spec.clusterIP}') - hostnames: - - "s3.us-east-1.amazonaws.com" - - "s3.us-east-2.amazonaws.com" - - "s3.us-west-1.amazonaws.com" - - "s3.us-west-2.amazonaws.com" - - "s3.eu-north-1.amazonaws.com" - - "s3.eu-south-1.amazonaws.com" - - "s3.eu-south-2.amazonaws.com" - - "s3.eu-west-1.amazonaws.com" - - "s3.eu-west-2.amazonaws.com" - - "s3.eu-west-3.amazonaws.com" - - "s3.eu-central-1.amazonaws.com" - - "s3.eu-central-2.amazonaws.com" - - "s3.ap-northeast-1.amazonaws.com" - - "s3.ap-northeast-2.amazonaws.com" - - "s3.ap-northeast-3.amazonaws.com" - - "s3.ap-east-1.amazonaws.com" - - "s3.ap-southeast-1.amazonaws.com" - - "s3.ap-southeast-2.amazonaws.com" - - "s3.ap-southeast-3.amazonaws.com" - - "s3.ap-southeast-4.amazonaws.com" - - "s3.ap-south-1.amazonaws.com" - - "s3.ap-south-2.amazonaws.com" - - "s3.me-south-1.amazonaws.com" - - "s3.me-central-1.amazonaws.com" - - "s3.il-central-1.amazonaws.com" - - "s3.af-south-1.amazonaws.com" - - "s3.ca-central-1.amazonaws.com" - - "s3.sa-east-1.amazonaws.com" - containers: - - name: filestash - image: machines/filestash:latest - ports: - - containerPort: 8334 - volumeMounts: - - name: ca-cert - mountPath: /etc/ssl/certs/kube-ca.crt - subPath: kube-ca.crt - volumes: - - name: ca-cert - secret: - secretName: s3proxy-tls - items: - - key: ca.crt - path: kube-ca.crt -EOF -``` - -The pod spec includes the 
`hostAliases` key, which adds an entry to the pod's `/etc/hosts`. -The entry forwards all requests for any of the currently defined AWS regions to the Kubernetes service `s3proxy-service`. -If you followed the s3proxy [Deployment](../../workflows/s3proxy.md#deployment) guide, this service points to a s3proxy pod. - -The deployment specifies all regions explicitly to prevent accidental data leaks. -If one of your buckets were located in a region that's not part of the `hostAliases` key, traffic towards those buckets would not be redirected to s3proxy. -Similarly, if you want to exclude data for specific regions from going through s3proxy you can remove those regions from the deployment. - -The spec also includes a volume mount for the TLS certificate and adds it to the pod's certificate trust store. -The volume is called `ca-cert`. -The key `ca.crt` of that volume is mounted to `/etc/ssl/certs/kube-ca.crt`, which is the default certificate trust store location for that container's OpenSSL library. -Not adding the CA certificate will result in TLS authentication errors. - -3. Apply the file: `kubectl apply -f deployment-filestash.yaml` - -Afterward, you can use a port forward to access the Filestash pod: -`kubectl port-forward pod/$(kubectl get pod --selector='app=filestash' -o=jsonpath='{.items[*].metadata.name}') 8334:8334` - -4. After browsing to `localhost:8443`, Filestash will ask you to set an administrator password. -After setting it, you can directly leave the admin area by clicking the blue cloud symbol in the top left corner. -Subsequently, you can select S3 as storage backend and enter your credentials. -This will bring you to an overview of your buckets. -If you want to deploy Filestash in production, take a look at its [documentation](https://www.filestash.app/docs/). - -5. 
To see the logs of s3proxy intercepting requests made to S3, run: `kubectl logs -f pod/$(kubectl get pod --selector='app=s3proxy' -o=jsonpath='{.items[*].metadata.name}')` -Look out for log messages labeled `intercepting`. -There is one such log message for each message that's encrypted, decrypted, or blocked. - -6. Once you have uploaded a file with Filestash, you should be able to view the file in Filestash. -However, if you go to the AWS S3 [Web UI](https://s3.console.aws.amazon.com/s3/home) and download the file you just uploaded in Filestash, you won't be able to read it. -Another way to spot encrypted files without downloading them is to click on a file, scroll to the Metadata section, and look for the header named `x-amz-meta-constellation-encryption`. -This header holds the encrypted data encryption key of the object and is only present on objects that are encrypted by s3proxy. diff --git a/docs/versioned_docs/version-2.20/getting-started/examples/horizontal-scaling.md b/docs/versioned_docs/version-2.20/getting-started/examples/horizontal-scaling.md deleted file mode 100644 index dfaf9e742..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/examples/horizontal-scaling.md +++ /dev/null 
@@ -1,98 +0,0 @@ -# Horizontal Pod Autoscaling -This example demonstrates Constellation's autoscaling capabilities. It's based on the Kubernetes [HorizontalPodAutoscaler Walkthrough](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/). During the following steps, Constellation will spawn new VMs on demand, verify them, add them to the cluster, and delete them again when the load has settled down. - -## Requirements -The cluster needs to be initialized with Kubernetes 1.23 or later. In addition, [autoscaling must be enabled](../../workflows/scale.md) to enable Constellation to assign new nodes dynamically. - -Just for this example specifically, the cluster should have as few worker nodes in the beginning as possible. Start with a small cluster with only *one* low-powered node for the control-plane node and *one* low-powered worker node. - -:::info -We tested the example using instances of types `Standard_DC4as_v5` on Azure and `n2d-standard-4` on GCP. -::: - -## Setup - -1. Install the Kubernetes Metrics Server: - ```bash - kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - ``` - -2. Deploy the HPA example server that's supposed to be scaled under load. - - This manifest is similar to the one from the Kubernetes HPA walkthrough, but with increased CPU limits and requests to facilitate the triggering of node scaling events. - ```bash - cat < - -Online Boutique - Web UI - - - -1. Create a namespace: - ```bash - kubectl create ns boutique - ``` -2. Deploy the application: - ```bash - kubectl apply -n boutique -f https://github.com/GoogleCloudPlatform/microservices-demo/raw/main/release/kubernetes-manifests.yaml - ``` -3. Wait for all services to become available: - ```bash - kubectl wait --for=condition=available --timeout=300s -n boutique --all deployments - ``` -4. 
Get the frontend's external IP address: - ```shell-session - $ kubectl get service frontend-external -n boutique | awk '{print $4}' - EXTERNAL-IP - - ``` - (`` is a placeholder for the IP assigned by your CSP.) -5. Enter the IP from the result in your browser to browse the online shop. diff --git a/docs/versioned_docs/version-2.20/getting-started/first-steps-local.md b/docs/versioned_docs/version-2.20/getting-started/first-steps-local.md deleted file mode 100644 index 98f0302de..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/first-steps-local.md +++ /dev/null 
@@ -1,277 +0,0 @@ -# First steps with a local cluster - -A local cluster lets you deploy and test Constellation without a cloud subscription. -You have two options: - -* Use MiniConstellation to automatically deploy a two-node cluster. -* For more fine-grained control, create the cluster using the QEMU provider. - -Both options use virtualization to create a local cluster with control-plane nodes and worker nodes. They **don't** require hardware with Confidential VM (CVM) support. For attestation, they currently use a software-based vTPM provided by KVM/QEMU. - -You need an x64 machine with a Linux OS. -You can use a VM, but it needs nested virtualization. - -## Prerequisites - -* Machine requirements: - * An x86-64 CPU with at least 4 cores (6 cores are recommended) - * At least 4 GB RAM (6 GB are recommended) - * 20 GB of free disk space - * Hardware virtualization enabled in the BIOS/UEFI (often referred to as Intel VT-x or AMD-V/SVM) / nested-virtualization support when using a VM -* Software requirements: - * Linux OS with [KVM kernel module](https://www.linux-kvm.org/page/Main_Page) - * Recommended: Ubuntu 22.04 LTS - * [Docker](https://docs.docker.com/engine/install/) - * [xsltproc](https://gitlab.gnome.org/GNOME/libxslt/-/wikis/home) - * (Optional) [virsh](https://www.libvirt.org/manpages/virsh.html) to observe and access your nodes - -### Software installation on Ubuntu - -```bash -# install Docker -curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null -sudo apt update -sudo apt install docker-ce -# install other dependencies -sudo apt install xsltproc -sudo snap install kubectl --classic -# install Constellation CLI -curl -LO 
https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -sudo install constellation-linux-amd64 /usr/local/bin/constellation -# do not drop forwarded packages -sudo iptables -P FORWARD ACCEPT -``` - -## Create a cluster - - - - - -With the `constellation mini` command, you can deploy and test Constellation locally. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/). - - -:::caution - -MiniConstellation has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since MiniConstellation runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -The following creates your MiniConstellation cluster (may take up to 10 minutes to complete): - -```bash -constellation mini up -``` - -This will configure your current directory as the [workspace](../architecture/orchestration.md#workspaces) for this cluster. -All `constellation` commands concerning this cluster need to be issued from this directory. - - - - -With the QEMU provider, you can create a local Constellation cluster as if it were in the cloud. The provider uses [QEMU](https://www.qemu.org/) to create multiple VMs for the cluster nodes, which interact with each other. - -:::caution - -Constellation on QEMU has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since Constellation on QEMU runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -1. 
To set up your local cluster, you need to create a configuration file for Constellation first. - - ```bash - constellation config generate qemu - ``` - - This creates a [configuration file](../workflows/config.md) for QEMU called `constellation-conf.yaml`. After that, your current folder also becomes your [workspace](../architecture/orchestration.md#workspaces). All `constellation` commands for your cluster need to be executed from this directory. - -2. Now you can create your cluster and its nodes. `constellation apply` uses the options set in `constellation-conf.yaml`. - - ```bash - constellation apply -y - ``` - - The Output should look like the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type 2-vCPUs will be created. - 1 worker node of type 2-vCPUs will be created. - Creating - Cloud infrastructure created successfully. - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your setup, `constellation apply` may take 10+ minutes to complete. - - ::: - -3. 
Configure kubectl - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - - - -## Connect to the cluster - -Your cluster initially consists of a single control-plane node: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 66s v1.24.6 -``` - -Additional nodes will request to join the cluster shortly. Before each additional node is allowed to join the cluster, its state is verified using remote attestation by the [JoinService](../architecture/microservices.md#joinservice). -If verification passes successfully, the new node receives keys and certificates to join the cluster. - -You can follow this process by viewing the logs of the JoinService: - -```shell-session -$ kubectl logs -n kube-system daemonsets/join-service -f -{"level":"INFO","ts":"2022-10-14T09:32:20Z","caller":"cmd/main.go:48","msg":"Constellation Node Join Service","version":"2.1.0","cloudProvider":"qemu"} -{"level":"INFO","ts":"2022-10-14T09:32:20Z","logger":"validator","caller":"watcher/validator.go:96","msg":"Updating expected measurements"} -... -``` - -Once all nodes have joined your cluster, it may take a couple of minutes for all resources to become available. -You can check on the state of your cluster by running the following: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 2m59s v1.24.6 -worker-0 Ready 32s v1.24.6 -``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation mini down -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -## Troubleshooting - -Make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### VMs have no internet access / CLI remains in "Initializing cluster" state - -`iptables` rules may prevent your VMs from accessing the internet. -Make sure your rules aren't dropping forwarded packages. 
- -List your rules: - -```bash -sudo iptables -S -``` - -The output may look similar to the following: - -```shell-session --P INPUT ACCEPT --P FORWARD DROP --P OUTPUT ACCEPT --N DOCKER --N DOCKER-ISOLATION-STAGE-1 --N DOCKER-ISOLATION-STAGE-2 --N DOCKER-USER -``` - -If your `FORWARD` chain is set to `DROP`, you need to update your rules: - -```bash -sudo iptables -P FORWARD ACCEPT -``` diff --git a/docs/versioned_docs/version-2.20/getting-started/first-steps.md b/docs/versioned_docs/version-2.20/getting-started/first-steps.md deleted file mode 100644 index 2afe95635..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/first-steps.md +++ /dev/null 
@@ -1,235 +0,0 @@ -# First steps with Constellation - -The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully [installed and set up Constellation](install.md), -and have access to a cloud subscription. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -:::note -If you encounter any problem with the following steps, make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). -::: - -## Create a cluster - -1. Create the [configuration file](../workflows/config.md) and state file for your cloud provider. If you are following the steps of this guide, there is no need to edit the file. - - - - - ```bash - constellation config generate aws - ``` - - - - - ```bash - constellation config generate azure - ``` - - - - - ```bash - constellation config generate gcp - ``` - - - - - ```bash - constellation config generate stackit - ``` - - - - -2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration). - - - - - ```bash - constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config - ``` - - This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Depending on the attestation variant selected on config generation, different regions are available. 
- AMD SEV-SNP machines (requires the default attestation variant `awsSEVSNP`) are currently available in the following regions: - * `eu-west-1` - * `us-east-2` - - You can find a list of regions that support AMD SEV-SNP in [AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). - - NitroTPM machines (requires the attestation variant `awsNitroTPM`) are available in all regions. - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - - - - - ```bash - constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config - ``` - - This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - - - - - ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config - ``` - - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. - - - - - To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md). - After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`: - - * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud)) - - :::caution - - `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. - - ::: - - - - - :::tip - To learn about all options you have for managing IAM resources and Constellation configuration, see the [Configuration workflow](../workflows/config.md). - ::: - - - -3. Create the cluster. `constellation apply` uses options set in `constellation-conf.yaml`. 
- If you want to manually manage your cloud resources, for example by using [Terraform](../reference/terraform.md), follow the corresponding instructions in the [Create workflow](../workflows/create.md). - - :::tip - - On Azure, you may need to wait 15+ minutes at this point for role assignments to propagate. - - ::: - - ```bash - constellation apply -y - ``` - - This should look similar to the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type n2d-standard-4 will be created. - 1 worker node of type n2d-standard-4 will be created. - Creating - Cloud infrastructure created successfully - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your CSP and region, `constellation apply` may take 10+ minutes to complete. - - ::: - -4. Configure kubectl. - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - -Use the CLI to terminate your cluster. If you manually used [Terraform](../reference/terraform.md) to manage your cloud resources, follow the corresponding instructions in the [Terminate workflow](../workflows/terminate.md). - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -Optionally, you can also [delete your IAM resources](../workflows/config.md#deleting-an-iam-configuration). diff --git a/docs/versioned_docs/version-2.20/getting-started/install.md b/docs/versioned_docs/version-2.20/getting-started/install.md deleted file mode 100644 index 29be1e7f6..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/install.md +++ /dev/null 
@@ -1,439 +0,0 @@ -# Installation and setup - -Constellation runs entirely in your cloud environment and can be controlled via a dedicated [command-line interface (CLI)](../reference/cli.md) or a [Terraform provider](../workflows/terraform-provider.md). - -## Prerequisites - -Make sure the following requirements are met: - -* Your machine is running Linux, macOS, or Windows -* You have admin rights on your machine -* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT - -## Install the Constellation CLI - -:::tip - -If you prefer to use Terraform, you can alternatively use the [Terraform provider](../workflows/terraform-provider.md) to manage the cluster's lifecycle. - -::: - -The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases). -Install it with the following commands: - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-amd64 /usr/local/bin/constellation -``` - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-arm64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-arm64 /usr/local/bin/constellation -``` - - - - - -1. 
Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-amd64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -Invoke-WebRequest -OutFile ./constellation.exe -Uri 'https://github.com/edgelesssys/constellation/releases/latest/download/constellation-windows-amd64.exe' -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI under `C:\Program Files\Constellation\bin\constellation.exe` - -3. Add the CLI to your PATH: - - 1. Open `Advanced system settings` by searching for the App in the Windows search - 2. Go to the `Advanced` tab - 3. Click `Environment Variables…` - 4. Click variable called `Path` and click `Edit…` - 5. Click `New` - 6. Enter the path to the folder containing the binary you want on your PATH: `C:\Program Files\Constellation\bin` - - - - -:::tip -The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps. -::: - -## Set up cloud credentials - -Constellation makes authenticated calls to the CSP API. Therefore, you need to set up Constellation with the credentials for your CSP. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -### Required permissions - - - - -To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "iam:AddRoleToInstanceProfile", - "iam:AttachRolePolicy", - "iam:CreateInstanceProfile", - "iam:CreatePolicy", - "iam:CreateRole", - "iam:DeleteInstanceProfile", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DetachRolePolicy", - "iam:GetInstanceProfile", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfilesForRole", - "iam:ListPolicyVersions", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:RemoveRoleFromInstanceProfile", - "sts:GetCallerIdentity" - ], - "Resource": "*" - } - ] -} -``` - -The built-in `AdministratorAccess` policy is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf). - -The built-in `PowerUserAccess` policy is a superset of these permissions. - -Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). - - - - -The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription: - -* `Microsoft.Attestation` -* `Microsoft.Compute` -* `Microsoft.Insights` -* `Microsoft.ManagedIdentity` -* `Microsoft.Network` - -By default, Constellation tries to register these automatically if they haven't been registered before. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `*/register/action` \[1] -* `Microsoft.Authorization/roleAssignments/*` -* `Microsoft.Authorization/roleDefinitions/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Resources/subscriptions/resourcegroups/*` - -The built-in `Owner` role is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `Microsoft.Attestation/attestationProviders/*` -* `Microsoft.Compute/virtualMachineScaleSets/*` -* `Microsoft.Insights/components/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Network/loadBalancers/*` -* `Microsoft.Network/loadBalancers/backendAddressPools/*` -* `Microsoft.Network/networkSecurityGroups/*` -* `Microsoft.Network/publicIPAddresses/*` -* `Microsoft.Network/virtualNetworks/*` -* `Microsoft.Network/virtualNetworks/subnets/*` -* `Microsoft.Network/natGateways/*` - -The built-in `Contributor` role is a superset of these permissions. - -Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions) and [assigning roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments). - -1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration. - - - - -Create a new project for Constellation or use an existing one. -Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `iam.serviceAccountKeys.create` -* `iam.serviceAccountKeys.delete` -* `iam.serviceAccountKeys.get` -* `iam.serviceAccounts.create` -* `iam.serviceAccounts.delete` -* `iam.serviceAccounts.get` -* `resourcemanager.projects.getIamPolicy` -* `resourcemanager.projects.setIamPolicy` - -Together, the built-in roles `roles/editor` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `compute.addresses.createInternal` -* `compute.addresses.deleteInternal` -* `compute.addresses.get` -* `compute.addresses.useInternal` -* `compute.backendServices.create` -* `compute.backendServices.delete` -* `compute.backendServices.get` -* `compute.backendServices.use` -* `compute.disks.create` -* `compute.firewalls.create` -* `compute.firewalls.delete` -* `compute.firewalls.get` -* `compute.firewalls.update` -* `compute.globalAddresses.create` -* `compute.globalAddresses.delete` -* `compute.globalAddresses.get` -* `compute.globalAddresses.use` -* `compute.globalForwardingRules.create` -* `compute.globalForwardingRules.delete` -* `compute.globalForwardingRules.get` -* `compute.globalForwardingRules.setLabels` -* `compute.globalOperations.get` -* `compute.healthChecks.create` -* `compute.healthChecks.delete` -* `compute.healthChecks.get` -* `compute.healthChecks.useReadOnly` -* `compute.instanceGroupManagers.create` -* `compute.instanceGroupManagers.delete` -* `compute.instanceGroupManagers.get` -* `compute.instanceGroupManagers.update` -* `compute.instanceGroups.create` -* `compute.instanceGroups.delete` -* `compute.instanceGroups.get` -* `compute.instanceGroups.update` -* `compute.instanceGroups.use` -* `compute.instances.create` -* `compute.instances.setLabels` -* `compute.instances.setMetadata` -* 
`compute.instances.setTags` -* `compute.instanceTemplates.create` -* `compute.instanceTemplates.delete` -* `compute.instanceTemplates.get` -* `compute.instanceTemplates.useReadOnly` -* `compute.networks.create` -* `compute.networks.delete` -* `compute.networks.get` -* `compute.networks.updatePolicy` -* `compute.routers.create` -* `compute.routers.delete` -* `compute.routers.get` -* `compute.routers.update` -* `compute.subnetworks.create` -* `compute.subnetworks.delete` -* `compute.subnetworks.get` -* `compute.subnetworks.use` -* `compute.targetTcpProxies.create` -* `compute.targetTcpProxies.delete` -* `compute.targetTcpProxies.get` -* `compute.targetTcpProxies.use` -* `iam.serviceAccounts.actAs` - -Together, the built-in roles `roles/editor`, `roles/compute.instanceAdmin` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access). - - - - -Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account. -The UAT already has all required permissions by default. -The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers. -Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role. - - - - -### Authentication - -You need to authenticate with your CSP. The following lists the required steps for *testing* and *production* environments. - -:::note -The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps. -::: - - - - -**Testing** - -You can use the [AWS CloudShell](https://console.aws.amazon.com/cloudshell/home). 
Make sure you are [authorized to use it](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html). - -**Production** - -Use the latest version of the [AWS CLI](https://aws.amazon.com/cli/) on a trusted machine: - -```bash -aws configure -``` - -Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html). - - - - -**Testing** - -Simply open the [Azure Cloud Shell](https://docs.microsoft.com/en-us/azure/cloud-shell/overview). - -**Production** - -Use the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) on a trusted machine: - -```bash -az login -``` - -Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli). - - - - -**Testing** - -You can use the [Google Cloud Shell](https://cloud.google.com/shell). Make sure your [session is authorized](https://cloud.google.com/shell/docs/auth). For example, execute `gsutil` and accept the authorization prompt. - -**Production** - -Use one of the following options on a trusted machine: - -* Use the [`gcloud` CLI](https://cloud.google.com/sdk/gcloud) - - ```bash - gcloud auth application-default login - ``` - - This will ask you to log-in to your Google account and create your credentials. - The Constellation CLI will automatically load these credentials when needed. - -* Set up a service account and pass the credentials manually - - Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials. - - - - -You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API). - -1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API -2. 
Create a configuration file with the credentials from the User Access Token under: - * Linux: `~/.config/openstack/clouds.yaml` - * macOS: `/Users//Library/Application Support/openstack/clouds.yaml` or `/etc/openstack/clouds.yaml` - * Windows: `%AppData%\openstack\clouds.yaml` - - - ```yaml - clouds: - stackit: - auth: - auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3 - username: REPLACE_WITH_UAT_USERNAME - password: REPLACE_WITH_UAT_PASSWORD - project_id: REPLACE_WITH_STACKIT_PROJECT_ID - project_name: REPLACE_WITH_STACKIT_PROJECT_NAME - user_domain_name: portal_mvp - project_domain_name: portal_mvp - region_name: RegionOne - identity_api_version: 3 - ``` - -:::caution - -`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file. - -::: - -3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token -4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) -5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows) - - ```json - {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"} - ``` - - - - - -## Next steps - -You are now ready to [deploy your first confidential Kubernetes cluster and application](first-steps.md). diff --git a/docs/versioned_docs/version-2.20/getting-started/marketplaces.md b/docs/versioned_docs/version-2.20/getting-started/marketplaces.md deleted file mode 100644 index a6763a42a..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/marketplaces.md +++ /dev/null 
@@ -1,56 +0,0 @@
-# Using Constellation via Cloud Marketplaces
-
-Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
-
-This document explains how to run Constellation with the dynamically billed cloud marketplace images.
-
-
-
-
-To use Constellation's marketplace images, ensure that you are subscribed to the [marketplace offering](https://aws.amazon.com/marketplace/pp/prodview-2mbn65nv57oys) through the web portal.
-
-Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
-
-```bash
-yq eval -i ".provider.aws.useMarketplaceImage = true" constellation-conf.yaml
-```
-
-
-
-
-Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) to gain access.
-
-To use a marketplace image, you need to accept the marketplace image's terms once for your subscription with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest):
-
-```bash
-az vm image terms accept --publisher edgelesssystems --offer constellation --plan constellation
-```
-
-Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
-
-```bash
-yq eval -i ".provider.azure.useMarketplaceImage = true" constellation-conf.yaml
-```
-
-
-
-
-To use a marketplace image, ensure that the account is entitled to use marketplace images by Edgeless Systems by accepting the terms through the [web portal](https://console.cloud.google.com/marketplace/vm/config/edgeless-systems-public/constellation).
-
-Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
-
-```bash
-yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml
-```
-
-
-
-
-On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal.
-
-
-
-
-Ensure that the cluster uses an official release image version (i.e., `.image=vX.Y.Z` in the `constellation-conf.yaml` file).
-
-From there, you can proceed with the [cluster creation](../workflows/create.md) as usual.
diff --git a/docs/versioned_docs/version-2.20/intro.md b/docs/versioned_docs/version-2.20/intro.md
deleted file mode 100644
index 0bfe86da9..000000000
--- a/docs/versioned_docs/version-2.20/intro.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-slug: /
-id: intro
----
-# Introduction
-
-Welcome to the documentation of Constellation! Constellation is a Kubernetes engine that aims to provide the best possible data security.
-
-![Constellation concept](/img/concept.svg)
-
- Constellation shields your entire Kubernetes cluster from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages a technology called *confidential computing* and more specifically Confidential VMs.
-
-:::tip
-See the 📄[whitepaper](https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf) for more information on confidential computing.
-:::
-
-## Goals
-
-From a security perspective, Constellation is designed to keep all data always encrypted and to prevent any access from the underlying (cloud) infrastructure. This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure. Such attackers could be malicious co-tenants escalating their privileges or hackers who managed to compromise a cloud server.
-
-From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern Kubernetes engine.
-
-## Use cases
-
-Constellation provides unique security [features](overview/confidential-kubernetes.md) and [benefits](overview/security-benefits.md). The core use cases are:
-
-* Increasing the overall security of your clusters
-* Increasing the trustworthiness of your SaaS offerings
-* Moving sensitive workloads from on-prem to the cloud
-* Meeting regulatory requirements
-
-## Next steps
-
-You can learn more about the concept of Confidential Kubernetes, features, security benefits, and performance of Constellation in the *Basics* section. To jump right into the action head to *Getting started*.
diff --git a/docs/versioned_docs/version-2.20/overview/clouds.md b/docs/versioned_docs/version-2.20/overview/clouds.md
deleted file mode 100644
index b2695d28e..000000000
--- a/docs/versioned_docs/version-2.20/overview/clouds.md
+++ /dev/null
@@ -1,66 +0,0 @@
-# Feature status of clouds
-
-What works on which cloud? Currently, Confidential VMs (CVMs) are available in varying quality on the different clouds and software stacks.
-
-For Constellation, the ideal environment provides the following:
-
-1. Ability to run arbitrary software and images inside CVMs
-2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or Intel TDX (available in Xeon CPUs since the Sapphire Rapids generation)
-3. Ability for CVM guests to obtain raw hardware attestation statements
-4. Reviewable, open-source firmware inside CVMs
-5. Capability of the firmware to attest the integrity of the code it passes control to, e.g., with an embedded virtual TPM (vTPM)
-
-(1) is a functional must-have. (2)--(5) are required for remote attestation that fully keeps the infrastructure/cloud out. Constellation can work without them or with approximations, but won't protect against certain privileged attackers anymore.
-
-The following table summarizes the state of features for different infrastructures.
-
-| **Feature** | **AWS** | **Azure** | **GCP** | **STACKIT** | **OpenStack (Yoga)** |
-|-----------------------------------|---------|-----------|---------|--------------|----------------------|
-| **1. Custom images** | Yes | Yes | Yes | Yes | Yes |
-| **2. SEV-SNP or TDX** | Yes | Yes | Yes | No | Depends on kernel/HV |
-| **3. Raw guest attestation** | Yes | Yes | Yes | No | Depends on kernel/HV |
-| **4. Reviewable firmware** | Yes | No* | No | No | Depends on kernel/HV |
-| **5. Confidential measured boot** | No | Yes | No | No | Depends on kernel/HV |
-
-## Amazon Web Services (AWS)
-
-Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/).
-Regarding (3), AWS provides direct access to attestation statements.
-However, regarding (5), attestation is partially based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by the Nitro hypervisor.
-Hence, the hypervisor is currently part of Constellation's TCB.
-Regarding (4), the [firmware is open source](https://github.com/aws/uefi) and can be reproducibly built.
-
-## Microsoft Azure
-
-With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation.
-Regarding (3), Azure provides direct access to attestation statements.
-The firmware runs in an isolated domain inside the CVM and exposes a vTPM (5), but it's closed source (4).
-On SEV-SNP, Azure uses VM Privilege Level (VMPL) isolation for the separation of firmware and the rest of the VM; on TDX, they use TD partitioning.
-This firmware is signed by Azure.
-The signature is reflected in the attestation statements of CVMs.
-Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
-
-\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
-
-## Google Cloud Platform (GCP)
-
-The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP.
-Regarding (3), with their SEV-SNP offering Google provides direct access to attestation statements.
-However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor.
-Hence, the hypervisor is currently part of Constellation's TCB.
-Regarding (4), the CVMs still include closed-source firmware.
-
-[TDX on Google](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense) is in public preview.
-With it, Constellation would have a similar TCB and attestation flow as with the current SEV-SNP offering.
-
-## STACKIT
-
-[STACKIT Compute Engine](https://www.stackit.de/en/product/stackit-compute-engine/) supports AMD SEV-ES. A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
-
-## OpenStack
-
-OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation.
-
-## Conclusion
-
-The different clouds and software like the Linux kernel and OpenStack are in the process of building out their support for state-of-the-art CVMs. Azure has already most features in place. For Constellation, the status quo means that the TCB has different shapes on different infrastructures. With broad SEV-SNP support coming to the Linux kernel, we soon expect a normalization of features across infrastructures.
diff --git a/docs/versioned_docs/version-2.20/overview/confidential-kubernetes.md b/docs/versioned_docs/version-2.20/overview/confidential-kubernetes.md
deleted file mode 100644
index bff8c3322..000000000
--- a/docs/versioned_docs/version-2.20/overview/confidential-kubernetes.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# Confidential Kubernetes
-
-We use the term *Confidential Kubernetes* to refer to the concept of using confidential-computing technology to shield entire Kubernetes clusters from the infrastructure. The three defining properties of this concept are:
-
-1. **Workload shielding**: the confidentiality and integrity of all workload-related data and code are enforced.
-2. **Control plane shielding**: the confidentiality and integrity of the cluster's control plane, state, and workload configuration are enforced.
-3. **Attestation and verifiability**: the two properties above can be verified remotely based on hardware-rooted cryptographic certificates.
-
-Each of the above properties is equally important. Only with all three in conjunction, an entire cluster can be shielded without gaps.
-
-## Constellation security features
-
-Constellation implements the Confidential Kubernetes concept with the following security features.
-
-* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster.
-* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
-* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs.
-* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster.
-* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.)
-* **"Whole cluster" attestation**: Towards the DevOps engineer, Constellation provides a single hardware-rooted certificate from which all of the above can be verified.
-
-With the above, Constellation wraps an entire cluster into one coherent and verifiable *confidential context*. The concept is depicted in the following.
-
-![Confidential Kubernetes](../_media/concept-constellation.svg)
-
-## Comparison: Managed Kubernetes with CVMs
-
-In comparison, managed Kubernetes with CVMs, as it's for example offered in [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) and [GKE](https://cloud.google.com/kubernetes-engine), only provides runtime encryption for certain worker nodes. Here, each worker node is a separate (and typically unverified) confidential context. This only provides limited security benefits as it only prevents direct access to a worker node's memory. The large majority of potential attacks through the infrastructure remain unaffected. This includes attacks through the control plane, access to external key management, and the corruption of worker node images. This leaves many problems unsolved. For instance, *Node A* has no means to verify if *Node B* is "good" and if it's OK to share data with it. Consequently, this approach leaves a large attack surface, as is depicted in the following.
-
-![Concept: Managed Kubernetes plus CVMs](../_media/concept-managed.svg)
-
-The following table highlights the key differences in terms of features.
-
-| | Managed Kubernetes with CVMs | Confidential Kubernetes (Constellation✨) |
-|-------------------------------------|------------------------------|--------------------------------------------|
-| Runtime encryption | Partial (data plane only)| **Yes** |
-| Node image verification | No | **Yes** |
-| Full cluster attestation | No | **Yes** |
-| Transparent network encryption | No | **Yes** |
-| Transparent storage encryption | No | **Yes** |
-| Confidential key management | No | **Yes** |
-| Cloud agnostic / multi-cloud | No | **Yes** |
diff --git a/docs/versioned_docs/version-2.20/overview/license.md b/docs/versioned_docs/version-2.20/overview/license.md
deleted file mode 100644
index 34122c025..000000000
--- a/docs/versioned_docs/version-2.20/overview/license.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# License
-
-## Source code
-
-Constellation's source code is available on [GitHub](https://github.com/edgelesssys/constellation) under the [GNU Affero General Public License v3.0](https://github.com/edgelesssys/constellation/blob/main/LICENSE).
-
-## Binaries
-
-Edgeless Systems provides ready-to-use and [signed](../architecture/attestation.md#chain-of-trust) binaries of Constellation. This includes the CLI and the [node images](../architecture/images.md).
-
-These binaries may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems.
-
-The Constellation CLI displays relevant license information when you initialize your cluster. You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability.
-
-## Terraform provider
-
-Edgeless Systems provides a [Terraform provider](https://github.com/edgelesssys/terraform-provider-constellation/releases), which may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems.
-
-You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability.
-
-## Community License
-
-You are free to use the Constellation binaries provided by Edgeless Systems to create services for internal consumption, evaluation purposes, or non-commercial use. You must not use the Constellation binaries to provide commercial hosted services to third parties. Edgeless Systems gives no warranties and offers no support.
-
-## Enterprise License
-
-Enterprise Licenses don't have the above limitations and come with support and additional features.
Find out more at the [product website](https://www.edgeless.systems/products/constellation/).
-
-Once you have received your Enterprise License file, place it in your [Constellation workspace](../architecture/orchestration.md#workspaces) in a file named `constellation.license`.
-
-## CSP Marketplaces
-
-Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
diff --git a/docs/versioned_docs/version-2.20/overview/performance/application.md b/docs/versioned_docs/version-2.20/overview/performance/application.md
deleted file mode 100644
index c67d59644..000000000
--- a/docs/versioned_docs/version-2.20/overview/performance/application.md
+++ /dev/null
@@ -1,102 +0,0 @@
-# Application benchmarks
-
-## HashiCorp Vault
-
-[HashiCorp Vault](https://www.vaultproject.io/) is a distributed secrets management software that can be deployed to Kubernetes.
-HashiCorp maintains a benchmarking tool for vault, [vault-benchmark](https://github.com/hashicorp/vault-benchmark/).
-Vault-benchmark generates load on a Vault deployment and measures response times.
-
-This article describes the results from running vault-benchmark on Constellation, AKS, and GKE.
-You can find the setup for producing the data discussed in this article in the [vault-benchmarks](https://github.com/edgelesssys/vault-benchmarks) repository.
-
-The Vault API used during benchmarking is the [transits secret engine](https://developer.hashicorp.com/vault/docs/secrets/transit).
-This allows services to send data to Vault for encryption, decryption, signing, and verification.
-
-## Results
-
-On each run, vault-benchmark sends requests and measures the latencies.
-The measured latencies are aggregated through various statistical features.
-After running the benchmark n times, the arithmetic mean over a subset of the reported statistics is calculated.
-The selected features are arithmetic mean, 99th percentile, minimum, and maximum.
-
-Arithmetic mean gives a general sense of the latency on each target.
-The 99th percentile shows performance in (most likely) erroneous states.
-Minimum and maximum mark the range within which latency varies each run.
-
-The benchmark was configured with 1300 workers and 10 seconds per run.
-Those numbers were chosen empirically.
-The latency was stabilizing at 10 seconds runtime, not changing with further increase.
-Increasing the number of workers beyond 1300 leads to request failures, marking the limit Vault was able to handle in this setup.
-All results are based on 100 runs.
-
-The following data was generated while running five replicas, one primary, and four standby nodes.
-All numbers are in seconds if not indicated otherwise.
-```
-========== Results AKS ==========
-Mean: mean: 1.632200, variance: 0.002057
-P99: mean: 5.480679, variance: 2.263700
-Max: mean: 6.651001, variance: 2.808401
-Min: mean: 0.011415, variance: 0.000133
-========== Results GKE ==========
-Mean: mean: 1.656435, variance: 0.003615
-P99: mean: 6.030807, variance: 3.955051
-Max: mean: 7.164843, variance: 3.300004
-Min: mean: 0.010233, variance: 0.000111
-========== Results C11n ==========
-Mean: mean: 1.651549, variance: 0.001610
-P99: mean: 5.780422, variance: 3.016106
-Max: mean: 6.942997, variance: 3.075796
-Min: mean: 0.013774, variance: 0.000228
-========== AKS vs C11n ==========
-Mean: +1.171577 % (AKS is faster)
-P99: +5.185495 % (AKS is faster)
-Max: +4.205618 % (AKS is faster)
-Min: +17.128781 % (AKS is faster)
-========== GKE vs C11n ==========
-Mean: -0.295851 % (GKE is slower)
-P99: -4.331603 % (GKE is slower)
-Max: -3.195248 % (GKE is slower)
-Min: +25.710886 % (GKE is faster)
-```
-
-**Interpretation**: Latencies are all within ~5% of each other.
-AKS performs slightly better than GKE and Constellation (C11n) in all cases except minimum latency.
-Minimum latency is the lowest for GKE.
-Compared to GKE, Constellation had slightly lower peak latencies (99th percentile and maximum), indicating that Constellation could have handled slightly more concurrent accesses than GKE.
-Overall, performance is at comparable levels across all three distributions.
-Based on these numbers, you can use a similarly sized Constellation cluster to run your existing Vault deployment.
-
-### Visualization
-
-The following plots visualize the data presented above as [box plots](https://en.wikipedia.org/wiki/Box_plot).
-The whiskers denote the minimum and maximum.
-The box stretches from the 25th to the 75th percentile, with the dividing bar marking the 50th percentile.
-The circles outside the whiskers denote outliers.
-
-
-Mean Latency
-
-![Mean Latency](../../_media/benchmark_vault/5replicas/mean_latency.png)
-
-
-
-
-99th Percentile Latency
-
-![99th Percentile Latency](../../_media/benchmark_vault/5replicas/p99_latency.png)
-
-
-
-
-Maximum Latency
-
-![Maximum Latency](../../_media/benchmark_vault/5replicas/max_latency.png)
-
-
-
-
-Minimum Latency
-
-![Minimum Latency](../../_media/benchmark_vault/5replicas/min_latency.png)
-
-
diff --git a/docs/versioned_docs/version-2.20/overview/performance/compute.md b/docs/versioned_docs/version-2.20/overview/performance/compute.md
deleted file mode 100644
index 88dd4b1b2..000000000
--- a/docs/versioned_docs/version-2.20/overview/performance/compute.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Impact of runtime encryption on compute performance
-
-All nodes in a Constellation cluster are executed inside Confidential VMs (CVMs). Consequently, the performance of Constellation is inherently linked to the performance of these CVMs.
-
-## AMD and Azure benchmarking
-
-AMD and Azure have collectively released a [performance benchmark](https://community.amd.com/t5/business/microsoft-azure-confidential-computing-powered-by-3rd-gen-epyc/ba-p/497796) for CVMs that utilize 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. This benchmark, which included a variety of mostly compute-intensive tests such as SPEC CPU 2017 and CoreMark, demonstrated that CVMs experience only minor performance degradation (ranging from 2% to 8%) when compared to standard VMs. Such results are indicative of the performance that can be expected from compute-intensive workloads running with Constellation on Azure.
-
-## AMD and Google benchmarking
-
-Similarly, AMD and Google have jointly released a [performance benchmark](https://www.amd.com/system/files/documents/3rd-gen-epyc-gcp-c2d-conf-compute-perf-brief.pdf) for CVMs employing 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. With high-performance computing workloads such as WRF, NAMD, Ansys CFS, and Ansys LS_DYNA, they observed analogous findings, with only minor performance degradation (between 2% and 4%) compared to standard VMs. These outcomes are reflective of the performance that can be expected for compute-intensive workloads running with Constellation on GCP.
diff --git a/docs/versioned_docs/version-2.20/overview/performance/io.md b/docs/versioned_docs/version-2.20/overview/performance/io.md
deleted file mode 100644
index 3ae796f8a..000000000
--- a/docs/versioned_docs/version-2.20/overview/performance/io.md
+++ /dev/null
@@ -1,204 +0,0 @@
-# I/O performance benchmarks
-
-To assess the overall performance of Constellation, this benchmark evaluates Constellation v2.6.0 in terms of storage I/O using [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) and network performance using the [Kubernetes Network Benchmark](https://github.com/InfraBuilder/k8s-bench-suite#knb--kubernetes-network-be).
-
-This benchmark tested Constellation on Azure and GCP and compared the results against the managed Kubernetes offerings AKS and GKE.
-
-## Configurations
-
-### Constellation
-
-The benchmark was conducted with Constellation v2.6.0, Kubernetes v1.25.7, and Cilium v1.12.
-It ran on the following infrastructure configurations.
-
-Constellation on Azure:
-
-- Nodes: 3 (1 Control-plane, 2 Worker)
-- Machines: `DC4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory
-- CVM: `true`
-- Region: `West US`
-- Zone: `2`
-
-Constellation on GCP:
-
-- Nodes: 3 (1 Control-plane, 2 Worker)
-- Machines: `n2d-standard-4`: 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory
-- CVM: `true`
-- Zone: `europe-west3-b`
-
-### AKS
-
-On AKS, the benchmark used Kubernetes `v1.24.9` and nodes with version `AKSUbuntu-1804gen2containerd-2023.02.15`.
-AKS ran with the [`kubenet`](https://learn.microsoft.com/en-us/azure/aks/concepts-network#kubenet-basic-networking) CNI and the [default CSI driver](https://learn.microsoft.com/en-us/azure/aks/azure-disk-csi) for Azure Disk.
-
-The following infrastructure configurations was used:
-
-- Nodes: 2 (2 Worker)
-- Machines: `D4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory
-- CVM: `false`
-- Region: `West US`
-- Zone: `2`
-
-### GKE
-
-On GKE, the benchmark used Kubernetes `v1.24.9` and nodes with version `1.24.9-gke.3200`.
-GKE ran with the [`kubenet`](https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview) CNI and the [default CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver) for Compute Engine persistent disk.
-
-The following infrastructure configurations was used:
-
-- Nodes: 2 (2 Worker)
-- Machines: `n2d-standard-4` 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory
-- CVM: `false`
-- Zone: `europe-west3-b`
-
-## Results
-
-### Network
-
-This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
-The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
-
-GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
-AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
-The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
-Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
-
-Constellation on Azure and AKS used an MTU of 1500.
-Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450.
-
-The difference in network bandwidth can largely be attributed to two factors.
-
-- Constellation's [network encryption](../../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit.
-- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O.
-
-#### Pod-to-Pod
-
-In this scenario, the client Pod connects directly to the server pod via its IP address.
-
-```mermaid
-flowchart LR
- subgraph Node A
- Client[Client]
- end
- subgraph Node B
- Server[Server]
- end
- Client ==>|traffic| Server
-```
-
-The results for "Pod-to-Pod" on Azure are as follows:
-
-![Network Pod2Pod Azure benchmark graph](../../_media/benchmark_net_p2p_azure.png)
-
-The results for "Pod-to-Pod" on GCP are as follows:
-
-![Network Pod2Pod GCP benchmark graph](../../_media/benchmark_net_p2p_gcp.png)
-
-#### Pod-to-Service
-
-In this scenario, the client Pod connects to the server Pod via a ClusterIP service. This is more relevant to real-world use cases.
-
-```mermaid
-flowchart LR
- subgraph Node A
- Client[Client] ==>|traffic| Service[Service]
- end
- subgraph Node B
- Server[Server]
- end
- Service ==>|traffic| Server
-```
-
-The results for "Pod-to-Pod" on Azure are as follows:
-
-![Network Pod2SVC Azure benchmark graph](../../_media/benchmark_net_p2svc_azure.png)
-
-The results for "Pod-to-Pod" on GCP are as follows:
-
-![Network Pod2SVC GCP benchmark graph](../../_media/benchmark_net_p2svc_gcp.png)
-
-In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU.
-
-Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth.
-
-### Storage I/O
-
-Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC).
-Upon requesting persistent storage through a PVC, GKE and AKS will provision a PV as defined by a default [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/).
-Constellation provides persistent storage on Azure and GCP [that's encrypted on the CSI layer](../../architecture/encrypted-storage.md).
-Similarly, upon a PVC request, Constellation will provision a PV via a default storage class.
-
-For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size.
-The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance:
-
-- 6400 (20000 burst) IOPS
-- 144 MB/s (600 MB/s burst) throughput
-
-However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes):
-
-- 500 (600 burst) IOPS
-- 60 MB/s (150 MB/s burst) throughput
-
-For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size.
-The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms):
-
-- 3,000 read IOPS
-- 15,000 write IOPS
-- 240 MB/s read throughput
-- 240 MB/s write throughput
-
-However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size:
-
-- 2400 read IOPS
-- 2400 write IOPS
-- 112 MB/s read throughput
-- 112 MB/s write throughput
-
-The [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) benchmark consists of several tests.
-The benchmark used [`Kubestr`](https://github.com/kastenhq/kubestr) to run `fio` in Kubernetes.
-The default test performs randomized access patterns that accurately depict worst-case I/O scenarios for most applications.
-
-The following `fio` settings were used:
-
-- No Cloud caching
-- No OS caching
-- Single CPU
-- 60 seconds runtime
-- 10 seconds ramp-up time
-- 10 GiB file
-- IOPS: 4 KB blocks and 128 iodepth
-- Bandwidth: 1024 KB blocks and 128 iodepth
-
-For more details, see the [`fio` test configuration](https://github.com/edgelesssys/constellation/blob/main/.github/actions/e2e_benchmark/fio.ini).
-
-The results for IOPS on Azure are as follows:
-
-![I/O IOPS Azure benchmark graph](../../_media/benchmark_fio_azure_iops.png)
-
-The results for IOPS on GCP are as follows:
-
-![I/O IOPS GCP benchmark graph](../../_media/benchmark_fio_gcp_iops.png)
-
-The results for bandwidth on Azure are as follows:
-
-![I/O bandwidth Azure benchmark graph](../../_media/benchmark_fio_azure_bw.png)
-
-The results for bandwidth on GCP are as follows:
-
-![I/O bandwidth GCP benchmark graph](../../_media/benchmark_fio_gcp_bw.png)
-
-On GCP, the results exceed the maximum performance guarantees of the chosen disk type. There are two possible explanations for this. The first is that there may be cloud caching in place that isn't configurable. Alternatively, the underlying provisioned disk size may be larger than what was requested, resulting in higher performance boundaries.
-
-When comparing Constellation on GCP with GKE, Constellation has similar bandwidth but about 10% less IOPS performance. On Azure, Constellation has similar IOPS performance compared to AKS, where both likely hit the maximum storage performance. However, Constellation has approximately 15% less read and write bandwidth.
-
-## Conclusion
-
-Despite the added [security benefits](../security-benefits.md) that Constellation provides, it only incurs a slight performance overhead when compared to managed Kubernetes offerings such as AKS and GKE. In most compute benchmarks, Constellation is on par with it's alternatives.
-While it may be slightly slower in certain I/O scenarios due to network and storage encryption, there is ongoing work to reduce this overhead to single digits.
-
-For instance, storage encryption only adds between 10% to 15% overhead in terms of bandwidth and IOPS.
-Meanwhile, the biggest performance impact that Constellation currently faces is network encryption, which can incur up to 58% overhead on a 10 Gbps network.
-However, the Cilium team has conducted [benchmarks with Cilium using WireGuard encryption](https://docs.cilium.io/en/latest/operations/performance/benchmark/#encryption-wireguard-ipsec) on a 100 Gbps network that yielded over 15 Gbps.
-We're confident that Constellation will provide a similar level of performance with an upcoming release.
-
-Overall, Constellation strikes a great balance between security and performance, and we're continuously working to improve its performance capabilities while maintaining its high level of security.
diff --git a/docs/versioned_docs/version-2.20/overview/performance/performance.md b/docs/versioned_docs/version-2.20/overview/performance/performance.md
deleted file mode 100644
index 59bf86602..000000000
--- a/docs/versioned_docs/version-2.20/overview/performance/performance.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Performance analysis of Constellation
-
-This section provides a comprehensive examination of the performance characteristics of Constellation.
-
-## Runtime encryption
-
-Runtime encryption affects compute performance. [Benchmarks by Azure and Google](compute.md) show that the performance degradation of Confidential VMs (CVMs) is small, ranging from 2% to 8% for compute-intensive workloads.
-
-## I/O performance benchmarks
-
-We evaluated the [I/O performance](io.md) of Constellation, utilizing a collection of synthetic benchmarks targeting networking and storage.
-We further compared this performance to native managed Kubernetes offerings from various cloud providers, to better understand how Constellation stands in relation to standard practices.
-
-## Application benchmarking
-
-To gauge Constellation's applicability to well-known applications, we performed a [benchmark of HashiCorp Vault](application.md) running on Constellation.
-The results were then compared to deployments on the managed Kubernetes offerings from different cloud providers, providing a tangible perspective on Constellation's performance in actual deployment scenarios.
diff --git a/docs/versioned_docs/version-2.20/overview/product.md b/docs/versioned_docs/version-2.20/overview/product.md
deleted file mode 100644
index 4b5d90706..000000000
--- a/docs/versioned_docs/version-2.20/overview/product.md
+++ /dev/null
@@ -1,12 +0,0 @@
-# Product features
-
-Constellation is a Kubernetes engine that aims to provide the best possible data security in combination with enterprise-grade scalability and reliability features---and a smooth user experience.
-
-From a security perspective, Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and corresponding security features, which shield your entire cluster from the underlying infrastructure.
-
-From an operational perspective, Constellation provides the following key features:
-
-* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
-* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
-* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
-* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
diff --git a/docs/versioned_docs/version-2.20/overview/security-benefits.md b/docs/versioned_docs/version-2.20/overview/security-benefits.md
deleted file mode 100644
index 51a8b64f5..000000000
--- a/docs/versioned_docs/version-2.20/overview/security-benefits.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Security benefits and threat model
-
-Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and shields entire Kubernetes deployments from the infrastructure. More concretely, Constellation decreases the size of the trusted computing base (TCB) of a Kubernetes deployment. The TCB is the totality of elements in a computing environment that must be trusted not to be compromised. A smaller TCB results in a smaller attack surface. The following diagram shows how Constellation removes the *cloud & datacenter infrastructure* and the *physical hosts*, including the hypervisor, the host OS, and other components, from the TCB (red). Inside the confidential context (green), Kubernetes remains part of the TCB, but its integrity is attested and can be [verified](../workflows/verify-cluster.md).
-
-![TCB comparison](../_media/tcb.svg)
-
-Given this background, the following describes the concrete threat classes that Constellation addresses.
-
-## Insider access
-
-Employees and third-party contractors of cloud service providers (CSPs) have access to different layers of the cloud infrastructure.
-This opens up a large attack surface where workloads and data can be read, copied, or manipulated. With Constellation, Kubernetes deployments are shielded from the infrastructure and thus such accesses are prevented.
-
-## Infrastructure-based attacks
-
-Malicious cloud users ("hackers") may break out of their tenancy and access other tenants' data. Advanced attackers may even be able to establish a permanent foothold within the infrastructure and access data over a longer period. Analogously to the *insider access* scenario, Constellation also prevents access to a deployment's data in this scenario.
-
-## Supply chain attacks
-
-Supply chain security is receiving lots of attention recently due to an [increasing number of recorded attacks](https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks). For instance, a malicious actor could attempt to tamper Constellation node images (including Kubernetes and other software) before they're loaded in the confidential VMs of a cluster. Constellation uses [remote attestation](../architecture/attestation.md) in conjunction with public [transparency logs](../workflows/verify-cli.md) to prevent this.
-
-In the future, Constellation will extend this feature to customer workloads. This will enable cluster owners to create auditable policies that precisely define which containers can run in a given deployment.
diff --git a/docs/versioned_docs/version-2.20/reference/cli.md b/docs/versioned_docs/version-2.20/reference/cli.md
deleted file mode 100644
index 99acef520..000000000
--- a/docs/versioned_docs/version-2.20/reference/cli.md
+++ /dev/null
@@ -1,844 +0,0 @@ -# CLI reference - - - -Use the Constellation CLI to create and manage your clusters. - -Usage: - -``` -constellation [command] -``` -Commands: - -* [config](#constellation-config): Work with the Constellation configuration file - * [generate](#constellation-config-generate): Generate a default configuration and state file - * [fetch-measurements](#constellation-config-fetch-measurements): Fetch measurements for configured cloud provider and image - * [instance-types](#constellation-config-instance-types): Print the supported instance types for all cloud providers - * [kubernetes-versions](#constellation-config-kubernetes-versions): Print the Kubernetes versions supported by this CLI - * [migrate](#constellation-config-migrate): Migrate a configuration file to a new version -* [create](#constellation-create): Create instances on a cloud platform for your Constellation cluster -* [apply](#constellation-apply): Apply a configuration to a Constellation cluster -* [mini](#constellation-mini): Manage MiniConstellation clusters - * [up](#constellation-mini-up): Create and initialize a new MiniConstellation cluster - * [down](#constellation-mini-down): Destroy a MiniConstellation cluster -* [status](#constellation-status): Show status of a Constellation cluster -* [verify](#constellation-verify): Verify the confidential properties of a Constellation cluster -* [upgrade](#constellation-upgrade): Find and apply upgrades to your Constellation cluster - * [check](#constellation-upgrade-check): Check for possible upgrades - * [apply](#constellation-upgrade-apply): Apply an upgrade to a Constellation cluster -* [recover](#constellation-recover): Recover a completely stopped Constellation cluster -* [terminate](#constellation-terminate): Terminate a Constellation cluster -* [iam](#constellation-iam): Work with the IAM configuration on your cloud provider - * [create](#constellation-iam-create): Create IAM configuration on a cloud platform for your Constellation 
cluster - * [aws](#constellation-iam-create-aws): Create IAM configuration on AWS for your Constellation cluster - * [azure](#constellation-iam-create-azure): Create IAM configuration on Microsoft Azure for your Constellation cluster - * [gcp](#constellation-iam-create-gcp): Create IAM configuration on GCP for your Constellation cluster - * [destroy](#constellation-iam-destroy): Destroy an IAM configuration and delete local Terraform files - * [upgrade](#constellation-iam-upgrade): Find and apply upgrades to your IAM profile - * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile -* [version](#constellation-version): Display version of this CLI -* [init](#constellation-init): Initialize the Constellation cluster - -## constellation config - -Work with the Constellation configuration file - -### Synopsis - -Work with the Constellation configuration file. - -### Options - -``` - -h, --help help for config -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config generate - -Generate a default configuration and state file - -### Synopsis - -Generate a default configuration and state file for your selected cloud provider. - -``` -constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags] -``` - -### Options - -``` - -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. 
If not specified, the default for the cloud provider is used - -h, --help help for generate - -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.29") - -t, --tags strings additional tags for created resources given a list of key=value -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config fetch-measurements - -Fetch measurements for configured cloud provider and image - -### Synopsis - -Fetch measurements for configured cloud provider and image. - -A config needs to be generated first. - -``` -constellation config fetch-measurements [flags] -``` - -### Options - -``` - -h, --help help for fetch-measurements - -s, --signature-url string alternative URL to fetch measurements' signature from - -u, --url string alternative URL to fetch measurements from -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config instance-types - -Print the supported instance types for all cloud providers - -### Synopsis - -Print the supported instance types for all cloud providers. 
- -``` -constellation config instance-types [flags] -``` - -### Options - -``` - -h, --help help for instance-types -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config kubernetes-versions - -Print the Kubernetes versions supported by this CLI - -### Synopsis - -Print the Kubernetes versions supported by this CLI. - -``` -constellation config kubernetes-versions [flags] -``` - -### Options - -``` - -h, --help help for kubernetes-versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config migrate - -Migrate a configuration file to a new version - -### Synopsis - -Migrate a configuration file to a new version. - -``` -constellation config migrate [flags] -``` - -### Options - -``` - -h, --help help for migrate -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation create - -Create instances on a cloud platform for your Constellation cluster - -### Synopsis - -Create instances on a cloud platform for your Constellation cluster. 
- -``` -constellation create [flags] -``` - -### Options - -``` - -h, --help help for create - -y, --yes create the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation apply - -Apply a configuration to a Constellation cluster - -### Synopsis - -Apply a configuration to a Constellation cluster to initialize or upgrade the cluster. - -``` -constellation apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | init | attestationconfig | certsans | helm | image | k8s } - -y, --yes run command without further confirmation - WARNING: the command might delete or update existing resources without additional checks. Please read the docs. - -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini - -Manage MiniConstellation clusters - -### Synopsis - -Manage MiniConstellation clusters. 
- -### Options - -``` - -h, --help help for mini -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini up - -Create and initialize a new MiniConstellation cluster - -### Synopsis - -Create and initialize a new MiniConstellation cluster. - -A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM. - -``` -constellation mini up [flags] -``` - -### Options - -``` - -h, --help help for up - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true) -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini down - -Destroy a MiniConstellation cluster - -### Synopsis - -Destroy a MiniConstellation cluster. - -``` -constellation mini down [flags] -``` - -### Options - -``` - -h, --help help for down - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation status - -Show status of a Constellation cluster - -### Synopsis - -Show the status of a constellation cluster. - -Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades. 
- -``` -constellation status [flags] -``` - -### Options - -``` - -h, --help help for status -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation verify - -Verify the confidential properties of a Constellation cluster - -### Synopsis - -Verify the confidential properties of a Constellation cluster. -If arguments aren't specified, values are read from `constellation-state.yaml`. - -``` -constellation verify [flags] -``` - -### Options - -``` - --cluster-id string expected cluster identifier - -h, --help help for verify - -e, --node-endpoint string endpoint of the node to verify, passed as HOST[:PORT] - -o, --output string print the attestation document in the output format {json|raw} -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade - -Find and apply upgrades to your Constellation cluster - -### Synopsis - -Find and apply upgrades to your Constellation cluster. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade check - -Check for possible upgrades - -### Synopsis - -Check which upgrades can be applied to your Constellation Cluster. 
- -``` -constellation upgrade check [flags] -``` - -### Options - -``` - -h, --help help for check - --ref string the reference to use for querying new versions (default "-") - --stream string the stream to use for querying new versions (default "stable") - -u, --update-config update the specified config file with the suggested versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade apply - -Apply an upgrade to a Constellation cluster - -### Synopsis - -Apply an upgrade to a Constellation cluster by applying the chosen configuration. - -``` -constellation upgrade apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | helm | image | k8s } - -y, --yes run upgrades without further confirmation - WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs. - WARNING: might unintentionally overwrite measurements in the running cluster. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation recover - -Recover a completely stopped Constellation cluster - -### Synopsis - -Recover a Constellation cluster by sending a recovery key to an instance in the boot stage. 
- -This is only required if instances restart without other instances available for bootstrapping. - -``` -constellation recover [flags] -``` - -### Options - -``` - -e, --endpoint string endpoint of the instance, passed as HOST[:PORT] - -h, --help help for recover -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation terminate - -Terminate a Constellation cluster - -### Synopsis - -Terminate a Constellation cluster. - -The cluster can't be started again, and all persistent storage will be lost. - -``` -constellation terminate [flags] -``` - -### Options - -``` - -h, --help help for terminate - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam - -Work with the IAM configuration on your cloud provider - -### Synopsis - -Work with the IAM configuration on your cloud provider. - -### Options - -``` - -h, --help help for iam -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create - -Create IAM configuration on a cloud platform for your Constellation cluster - -### Synopsis - -Create IAM configuration on a cloud platform for your Constellation cluster. 
- -### Options - -``` - -h, --help help for create - --update-config update the config file with the specific IAM information - -y, --yes create the IAM configuration without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create aws - -Create IAM configuration on AWS for your Constellation cluster - -### Synopsis - -Create IAM configuration on AWS for your Constellation cluster. - -``` -constellation iam create aws [flags] -``` - -### Options - -``` - -h, --help help for aws - --prefix string name prefix for all resources (required) - --zone string AWS availability zone the resources will be created in, e.g., us-east-2a (required) - See the Constellation docs for a list of currently supported regions. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create azure - -Create IAM configuration on Microsoft Azure for your Constellation cluster - -### Synopsis - -Create IAM configuration on Microsoft Azure for your Constellation cluster. 
- -``` -constellation iam create azure [flags] -``` - -### Options - -``` - -h, --help help for azure - --region string region the resources will be created in, e.g., westus (required) - --resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required) - --servicePrincipal string name of the service principal that will be created (required) - --subscriptionID string subscription ID of the Azure account. Required if the 'ARM_SUBSCRIPTION_ID' environment variable is not set -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create gcp - -Create IAM configuration on GCP for your Constellation cluster - -### Synopsis - -Create IAM configuration on GCP for your Constellation cluster. - -``` -constellation iam create gcp [flags] -``` - -### Options - -``` - -h, --help help for gcp - --projectID string ID of the GCP project the configuration will be created in (required) - Find it on the welcome screen of your project: https://console.cloud.google.com/welcome - --serviceAccountID string ID for the service account that will be created (required) - Must be 6 to 30 lowercase letters, digits, or hyphens. 
- --zone string GCP zone the cluster will be deployed in (required) - Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam destroy - -Destroy an IAM configuration and delete local Terraform files - -### Synopsis - -Destroy an IAM configuration and delete local Terraform files. - -``` -constellation iam destroy [flags] -``` - -### Options - -``` - -h, --help help for destroy - -y, --yes destroy the IAM configuration without asking for confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade - -Find and apply upgrades to your IAM profile - -### Synopsis - -Find and apply upgrades to your IAM profile. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade apply - -Apply an upgrade to an IAM profile - -### Synopsis - -Apply an upgrade to an IAM profile. 
- -``` -constellation iam upgrade apply [flags] -``` - -### Options - -``` - -h, --help help for apply - -y, --yes run upgrades without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation version - -Display version of this CLI - -### Synopsis - -Display version of this CLI. - -``` -constellation version [flags] -``` - -### Options - -``` - -h, --help help for version -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation init - -Initialize the Constellation cluster - -### Synopsis - -Initialize the Constellation cluster. - -Start your confidential Kubernetes. - -``` -constellation init [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for init - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - diff --git a/docs/versioned_docs/version-2.20/reference/migration.md b/docs/versioned_docs/version-2.20/reference/migration.md deleted file mode 100644 index 0252c409f..000000000 --- a/docs/versioned_docs/version-2.20/reference/migration.md +++ /dev/null 
@@ -1,128 +0,0 @@ -# Migrations - -This document describes breaking changes and migrations between Constellation releases. -Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format. - -## Migrations to v2.19.1 - -### Azure - -* During the upgrade, security rules are migrated and the old ones need to be cleaned up manually by the user. The below script shows how to delete them through the Azure CLI: - -```bash -#!/usr/bin/env bash -name="" # the name provided in the config -uid="" # the cluster id can be retrieved via `yq '.infrastructure.uid' constellation-state.yaml` -resource_group="" # the RG can be retrieved via `yq '.provider.azure.resourceGroup' constellation-conf.yaml` - -rules=( - "kubernetes" - "bootstrapper" - "verify" - "recovery" - "join" - "debugd" - "konnectivity" -) - -for rule in "${rules[@]}"; do - echo "Deleting rule: ${rule}" - az network nsg rule delete \ - --resource-group "${resource_group}" \ - --nsg-name "${name}-${uid}" \ - --name "${rule}" -done - -echo "All specified rules have been deleted." -``` - -## Migrations to v2.19.0 - -### Azure - -* To allow seamless upgrades on Azure when Kubernetes services of type `LoadBalancer` are deployed, the target - load balancer in which the `cloud-controller-manager` creates load balancing rules was changed. Instead of using the load balancer - created and maintained by the CLI's Terraform code, the `cloud-controller-manager` now creates its own load balancer in Azure. - If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them - afterward. - -## Migrating from Azure's service principal authentication to managed identity authentication (during the upgrade to Constellation v2.8.0) - -* The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed. 
-* To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`. -* Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-an-iam-configuration) and use the created UAMI. -* To migrate the authentication for an existing cluster on Azure to an UAMI with the necessary permissions: - 1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret. - 2. Set `useManagedIdentityExtension` to `true` and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`. - 3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods. - -## Migrating from CLI versions before 2.10 - -* AWS cluster upgrades require additional IAM permissions for the newly introduced `aws-load-balancer-controller`. Please upgrade your IAM roles using `iam upgrade apply`. This will show necessary changes and apply them, if desired. -* The global `nodeGroups` field was added. -* The fields `instanceType`, `stateDiskSizeGB`, and `stateDiskType` for each cloud provider are now part of the configuration of individual node groups. -* The `constellation create` command no longer uses the flags `--control-plane-count` and `--worker-count`. Instead, the initial node count is configured per node group in the `nodeGroups` field. - -## Migrating from CLI versions before 2.9 - -* The `provider.azure.appClientID` and `provider.azure.clientSecretValue` fields were removed to enforce migration to managed identity authentication - -## Migrating from CLI versions before 2.8 - -* The `measurements` field for each cloud service provider was replaced with a global `attestation` field. -* The `confidentialVM`, `idKeyDigest`, and `enforceIdKeyDigest` fields for the Azure cloud service provider were removed in favor of using the global `attestation` field. 
-* The optional global field `attestationVariant` was replaced by the now required `attestation` field. - -## Migrating from CLI versions before 2.3 - -* The `sshUsers` field was deprecated in v2.2 and has been removed from the configuration in v2.3. - As an alternative for SSH, check the workflow section [Connect to nodes](../workflows/troubleshooting.md#node-shell-access). -* The `image` field for each cloud service provider has been replaced with a global `image` field. Use the following mapping to migrate your configuration: -
- Show all - - | CSP | old image | new image | - | ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | - | AWS | `ami-06b8cbf4837a0a57c` | `v2.2.2` | - | AWS | `ami-02e96dc04a9e438cd` | `v2.2.2` | - | AWS | `ami-028ead928a9034b2f` | `v2.2.2` | - | AWS | `ami-032ac10dd8d8266e3` | `v2.2.1` | - | AWS | `ami-032e0d57cc4395088` | `v2.2.1` | - | AWS | `ami-053c3e49e19b96bdd` | `v2.2.1` | - | AWS | `ami-0e27ebcefc38f648b` | `v2.2.0` | - | AWS | `ami-098cd37f66523b7c3` | `v2.2.0` | - | AWS | `ami-04a87d302e2509aad` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | 
`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.0.0` | `v2.0.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.0.0` | `v2.0.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-2` | `v2.2.2` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-1` | `v2.2.1` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-0` | `v2.2.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-1-0` | `v2.1.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-0-0` | `v2.0.0` | - -
-* The `enforcedMeasurements` field has been removed and merged with the `measurements` field. - * To migrate your config containing a new image (`v2.3` or greater), remove the old `measurements` and `enforcedMeasurements` entries from your config and run `constellation fetch-measurements` - * To migrate your config containing an image older than `v2.3`, remove the `enforcedMeasurements` entry and replace the entries in `measurements` as shown in the example below: - - ```diff - measurements: - - 0: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + 0: - + expected: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + warnOnly: true - - 8: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + 8: - + expected: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + warnOnly: false - -enforcedMeasurements: - - - 8 - ```
diff --git a/docs/versioned_docs/version-2.20/reference/slsa.md b/docs/versioned_docs/version-2.20/reference/slsa.md
deleted file mode 100644
index 21f4e713c..000000000
--- a/docs/versioned_docs/version-2.20/reference/slsa.md
+++ /dev/null 
@@ -1,73 +0,0 @@ -# Supply chain levels for software artifacts (SLSA) adoption - -[Supply chain Levels for Software Artifacts, or SLSA (salsa)](https://slsa.dev/) is a framework for improving and grading a project's build system and engineering processes. SLSA focuses on security improvements for source code storage as well as build system definition, execution, and observation. SLSA is structured in [four levels](https://slsa.dev/spec/v0.1/levels). This page describes the adoption of SLSA for Constellation. - -:::info -SLSA is still in alpha status. The presented levels and their requirements might change in the future. We will adopt any changes into our engineering processes, as they get defined. -::: - -## Level 1 - Adopted - -**[Build - Scripted](https://slsa.dev/spec/v0.1/requirements#scripted-build)** - -All build steps are automated via [Bazel](https://github.com/edgelesssys/constellation/tree/main/bazel/ci) and [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Available](https://slsa.dev/spec/v0.1/requirements#available)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). - -## Level 2 - Adopted - -**[Source - Version Controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled)** - -Constellation is hosted on GitHub using git. - -**[Build - Build Service](https://slsa.dev/spec/v0.1/requirements#build-service)** - -All builds are carried out by [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated)** - -Provenance for the CLI is signed using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). Learn [how to verify the CLI](../workflows/verify-cli.md) using the signed provenance, before using it for the first time. 
- -**[Provenance - Service Generated](https://slsa.dev/spec/v0.1/requirements#service-generated)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) in GitHub Actions. - -## Level 3 - Adopted - -**[Source - Verified History](https://slsa.dev/spec/v0.1/requirements#verified-history)** - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization [requires two-factor authentication](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) for all members. - -**[Source - Retained Indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely)** - -Since we use GitHub to host the repository, an external person can't modify or delete the history. Before a pull request can be merged, an explicit approval from an [Edgeless Systems](https://github.com/edgelesssys) team member is required. - -The same holds true for changes proposed by team members. Each change to `main` needs to be proposed via a pull request and requires at least one approval. - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization admins control these settings and are able to make changes to the repository's history should legal requirements necessitate it. These changes require two-party approval following the obliterate policy. - -**[Build - Build as Code](https://slsa.dev/spec/v0.1/requirements#build-as-code)** - -All build files for Constellation are stored in [the same repository](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Build - Ephemeral Environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment)** - -All GitHub Action workflows are executed on [GitHub-hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners). 
These runners are only available during workflow. - -We currently don't use [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). - -**[Build - Isolated](https://slsa.dev/spec/v0.1/requirements#isolated)** - -As outlined in the previous section, we use GitHub-hosted runners, which provide a new, isolated and ephemeral environment for each build. - -Additionally, the [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator#generation-of-provenance) itself is run in an isolated workflow with the artifact hash as defined inputs. - -**[Provenance - Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable)** - -As outlined by [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator) it already fulfills the non-falsifiable requirements for SLSA Level 3. The generated provenance is signed using [sigstore](https://sigstore.dev/) with an OIDC based proof of identity. - -## Level 4 - In Progress - -We strive to adopt certain aspect of SLSA Level 4 that support our engineering process. At the same time, SLSA is still in alpha status and the biggest changes to SLSA are expected to be around Level 4.
diff --git a/docs/versioned_docs/version-2.20/reference/terraform.md b/docs/versioned_docs/version-2.20/reference/terraform.md
deleted file mode 100644
index 9825a8bb8..000000000
--- a/docs/versioned_docs/version-2.20/reference/terraform.md
+++ /dev/null 
@@ -1,37 +0,0 @@ -# Terraform usage - -[Terraform](https://www.terraform.io/) is an Infrastructure as Code (IaC) framework to manage cloud resources. This page explains how Constellation uses it internally and how advanced users may manually use it to have more control over the resource creation. - -:::info -Information on this page is intended for users who are familiar with Terraform. -It's not required for common usage of Constellation. -See the [Terraform documentation](https://developer.hashicorp.com/terraform/docs) if you want to learn more about it. -::: - -## Terraform state files - -Constellation keeps Terraform state files in subdirectories of the workspace together with the corresponding Terraform configuration files and metadata. -The subdirectories are created on the first Constellation CLI action that uses Terraform internally. - -Currently, these subdirectories are: - -* `constellation-terraform` - Terraform state files for the resources of the Constellation cluster -* `constellation-iam-terraform` - Terraform state files for IAM configuration - -As with all commands, commands that work with these files (e.g., `apply`, `terminate`, `iam`) have to be executed from the root of the cluster's [workspace directory](../architecture/orchestration.md#workspaces). You usually don't need and shouldn't manipulate or delete the subdirectories manually. - -## Interacting with Terraform manually - -Manual interaction with Terraform state created by Constellation (i.e., via the Terraform CLI) should only be performed by experienced users. It may lead to unrecoverable loss of cloud resources. For the majority of users and use cases, the interaction done by the [Constellation CLI](cli.md) is sufficient. - -## Terraform debugging - -To debug Terraform issues, the Constellation CLI offers the `tf-log` flag. 
You can set it to any of [Terraform's log levels](https://developer.hashicorp.com/terraform/internals/debugging): -* `JSON` (JSON-formatted logs at `TRACE` level) -* `TRACE` -* `DEBUG` -* `INFO` -* `WARN` -* `ERROR` - -The log output is written to the `terraform.log` file in the workspace directory. The output is appended to the file on each run.
diff --git a/docs/versioned_docs/version-2.20/workflows/cert-manager.md b/docs/versioned_docs/version-2.20/workflows/cert-manager.md
deleted file mode 100644
index 1d847e8bf..000000000
--- a/docs/versioned_docs/version-2.20/workflows/cert-manager.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Install cert-manager - -:::caution -If you want to use cert-manager with Constellation, pay attention to the following to avoid potential pitfalls. -::: - -Constellation ships with cert-manager preinstalled. -The default installation is part of the `kube-system` namespace, as all other Constellation-managed microservices. -You are free to install more instances of cert-manager into other namespaces. -However, be aware that any new installation needs to use the same version as the one installed with Constellation or rely on the same CRD versions. -Also remember to set the `installCRDs` value to `false` when installing new cert-manager instances. -It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs. -CRDs are cluster-wide resources and cert-manager depends on specific versions of those CRDs for each release.
diff --git a/docs/versioned_docs/version-2.20/workflows/config.md b/docs/versioned_docs/version-2.20/workflows/config.md
deleted file mode 100644
index a8a52980e..000000000
--- a/docs/versioned_docs/version-2.20/workflows/config.md
+++ /dev/null 
@@ -1,353 +0,0 @@ -# Configure your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Before you can create your cluster, you need to configure the identity and access management (IAM) for your cloud service provider (CSP) and choose machine types for the nodes. - -## Creating the configuration file - -You can generate a configuration file for your CSP by using the following CLI command: - - - - -```bash -constellation config generate aws -``` - - - - -```bash -constellation config generate azure -``` - - - - -```bash -constellation config generate gcp -``` - - - - -```bash -constellation config generate stackit -``` - - - - -This creates the file `constellation-conf.yaml` in the current directory. - -## Choosing a VM type - -Constellation supports the following VM types: - - - -By default, Constellation uses `m6a.xlarge` VMs (4 vCPUs, 16 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. -If you are using the default attestation variant `awsSEVSNP`, you can use the instance types described in [AWS's AMD SEV-SNP docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). -Please mind the region restrictions mentioned in the [Getting started](../getting-started/first-steps.md#create-a-cluster) section. - -If you are using the attestation variant `awsNitroTPM`, you can choose any of the [nitroTPM-enabled instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -By default, Constellation uses `Standard_DC4as_v5` CVMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. 
For CVMs, any VM type with a minimum of 4 vCPUs from the [DCasv5 & DCadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series) or [ECasv5 & ECadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/ecasv5-ecadsv5-series) families is supported. - -You can also run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `n2d-standard-4` VMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. Supported are all machines with a minimum of 4 vCPUs from the [C2D](https://cloud.google.com/compute/docs/compute-optimized-machines#c2d_machine_types) or [N2D](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) family. You can run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `m1a.4cd` VMs (4 vCPUs, 30 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. - -The following instance types are known to be supported: - -| name | vCPUs | GB RAM | -|----------|-------|--------| -| m1a.4cd | 4 | 30 | -| m1a.8cd | 8 | 60 | -| m1a.16cd | 16 | 120 | -| m1a.30cd | 30 | 230 | - -You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -Fill the desired VM type into the `instanceType` fields in the `constellation-conf.yml` file. - -## Creating additional node groups - -By default, Constellation creates the node groups `control_plane_default` and `worker_default` for control-plane nodes and workers, respectively. 
-If you require additional control-plane or worker groups with different instance types, zone placements, or disk sizes, you can add additional node groups to the `constellation-conf.yml` file. -Each node group can be scaled individually. - -Consider the following example for AWS: - -```yaml -nodeGroups: - control_plane_default: - role: control-plane - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 3 - worker_default: - role: worker - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 2 - high_cpu: - role: worker - instanceType: c6a.24xlarge - stateDiskSizeGB: 128 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 1 -``` - -This configuration creates an additional node group `high_cpu` with a larger instance type and disk. - -You can use the field `zone` to specify what availability zone nodes of the group are placed in. -On Azure, this field is empty by default and nodes are automatically spread across availability zones. -STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones. -Consult the documentation of your cloud provider for more information: - -* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) -* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones) -* [GCP](https://cloud.google.com/compute/docs/regions-zones) -* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html) - -## Choosing a Kubernetes version - -To learn which Kubernetes versions can be installed with your current CLI, you can run `constellation config kubernetes-versions`. -See also Constellation's [Kubernetes support policy](../architecture/versions.md#kubernetes-support-policy). - -## Creating an IAM configuration - -You can create an IAM configuration for your cluster automatically using the `constellation iam create` command. 
-If you already have a Constellation configuration file, you can add the `--update-config` flag to the command. This writes the needed IAM fields into your configuration. Furthermore, the flag updates the zone/region of the configuration if it hasn't been set yet. - - - - -You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create aws --zone=us-east-2a --prefix=constellTest -``` - -This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. - -Constellation OS images are currently replicated to the following regions: - -* `eu-central-1` -* `eu-west-1` -* `eu-west-3` -* `us-east-2` -* `ap-south-1` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - -You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest -``` - -This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. 
- -CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - -* `germanywestcentral` -* `westus` -* `eastus` -* `northeurope` -* `westeurope` -* `southeastasia` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). - -You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test -``` - -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. - -Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - - -
-Alternatively, you can manually create the IAM configuration on your CSP. - -The following describes the configuration fields and how you obtain the required information or create the required resources. - - - - -* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`. - - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -* **zone**: The name of your chosen AWS data center availability zone, e.g., `us-east-2a`. - - Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones). - -* **iamProfileControlPlane**: The name of an IAM instance profile attached to all control-plane nodes. - - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`. - -* **iamProfileWorkerNodes**: The name of an IAM instance profile attached to all worker nodes. 
- - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`. - - - - -* **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`. - - You can view your subscription UUID via `az account show` and read the `id` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription). - -* **tenant**: The UUID of your Azure tenant, e.g., `3400e5a2-8fe2-492a-886c-38cb66170f25`. - - You can view your tenant UUID via `az account show` and read the `tenant` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant). - -* **location**: The Azure datacenter location you want to deploy your cluster in, e.g., `westus`. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -* **resourceGroup**: [Create a new resource group in Azure](https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal) for your Constellation cluster. Set this configuration field to the name of the created resource group. - -* **userAssignedIdentity**: [Create a new managed identity in Azure](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination. - - Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor`, and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group. - - Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity. - - The user-assigned identity is used by instances of the cluster to access other cloud resources. - For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). - - - - -* **project**: The ID of your GCP project, e.g., `constellation-129857`. - - You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). 
- -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. - - You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. - - You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **serviceAccountKeyPath**: To configure this, you need to create a GCP [service account](https://cloud.google.com/iam/docs/service-accounts) with the following permissions: - - * `Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)` - * `Compute Network Admin (roles/compute.networkAdmin)` - * `Compute Security Admin (roles/compute.securityAdmin)` - * `Compute Storage Admin (roles/compute.storageAdmin)` - * `Service Account User (roles/iam.serviceAccountUser)` - - Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - -
- -Now that you've configured your CSP, you can [create your cluster](./create.md). - -## Deleting an IAM configuration - -You can keep a created IAM configuration and reuse it for new clusters. Alternatively, you can also delete it if you don't want to use it anymore. - -Delete the IAM configuration by executing the following command in the same directory where you executed `constellation iam create` (the directory that contains [`constellation-iam-terraform`](../reference/terraform.md) as a subdirectory): - -```bash -constellation iam destroy -``` - -:::caution -For Azure, deleting the IAM configuration by executing `constellation iam destroy` will delete the whole resource group created by `constellation iam create`. -This also includes any additional resources in the resource group that weren't created by Constellation. -:::
diff --git a/docs/versioned_docs/version-2.20/workflows/create.md b/docs/versioned_docs/version-2.20/workflows/create.md
deleted file mode 100644
index 6074ebb16..000000000
--- a/docs/versioned_docs/version-2.20/workflows/create.md
+++ /dev/null 
@@ -1,93 +0,0 @@ -# Create your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Creating your cluster happens through multiple phases. -The most significant ones are: - -1. Creating the necessary resources in your cloud environment -2. Bootstrapping the Constellation cluster and setting up a connection -3. Installing the necessary Kubernetes components - -`constellation apply` handles all this in a single command. -You can use the `--skip-phases` flag to skip specific phases of the process. -For example, if you created the infrastructure manually, you can skip the cloud resource creation phase. - -See the [architecture](../architecture/orchestration.md) section for details on the inner workings of this process. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -Before you create the cluster, make sure to have a [valid configuration file](./config.md). - - - - -```bash -constellation apply -``` - -`apply` stores the state of your cluster's cloud resources in a [`constellation-terraform`](../architecture/orchestration.md#cluster-creation-process) directory in your workspace. - - - - -Self-managed infrastructure allows for more flexibility in the setup, by separating the infrastructure setup from the Constellation cluster management. -This provides flexibility in DevOps and can meet potential regulatory requirements. -It's recommended to use Terraform for infrastructure management, but you can use any tool of your choice. - -:::info - - When using Terraform, you can use the [Constellation Terraform provider](./terraform-provider.md) to manage the entire Constellation cluster lifecycle. 
- -::: - -You can refer to the Terraform files for the selected CSP from the [Constellation GitHub repository](https://github.com/edgelesssys/constellation/tree/main/terraform/infrastructure) for a minimum Constellation cluster configuration. From this base, you can now add, edit, or substitute resources per your own requirements with the infrastructure -management tooling of your choice. You need to keep the essential functionality of the base configuration in order for your cluster to function correctly. - - - -:::info - - On Azure, a manual update to the MAA provider's policy is necessary. - You can apply the update with the following command after creating the infrastructure, with `` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration). - - ```bash - constellation maa-patch - ``` - -::: - - - -Make sure all necessary resources are created, e.g., through checking your CSP's portal and retrieve the necessary values, aligned with the outputs (specified in `outputs.tf`) of the base configuration. - -Fill these outputs into the corresponding fields of the `Infrastructure` block inside the `constellation-state.yaml` file. For example, fill the IP or DNS name your cluster can be reached at into the `.Infrastructure.ClusterEndpoint` field. - -With the required cloud resources set up, continue with initializing your cluster. - -```bash -constellation apply --skip-phases=infrastructure -``` - - - - -Finally, configure `kubectl` for your cluster: - -```bash -export KUBECONFIG="$PWD/constellation-admin.conf" -``` - -🏁 That's it. You've successfully created a Constellation cluster. - -### Troubleshooting - -In case `apply` fails, the CLI collects logs from the bootstrapping instance and stores them inside `constellation-cluster.log`. 
diff --git a/docs/versioned_docs/version-2.20/workflows/lb.md b/docs/versioned_docs/version-2.20/workflows/lb.md deleted file mode 100644 index 868e61076..000000000 --- a/docs/versioned_docs/version-2.20/workflows/lb.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Expose a service - -Constellation integrates the native load balancers of each CSP. Therefore, to expose a service simply [create a service of type `LoadBalancer`](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). - -## Internet-facing LB service on AWS - -To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS. - -Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/). - -For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html). - -:::caution -Before terminating the cluster, all LB backed services should be deleted, so that the controller can cleanup the related resources. -::: - -## Ingress on AWS - -The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`. -AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type). -The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation. -If a service can be exposed on a `NodePort`, the target type `instance` can be used. - -See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information. 
- -:::caution -Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they shouldn't be handling sensitive traffic! -::: diff --git a/docs/versioned_docs/version-2.20/workflows/recovery.md b/docs/versioned_docs/version-2.20/workflows/recovery.md deleted file mode 100644 index 592ae247b..000000000 --- a/docs/versioned_docs/version-2.20/workflows/recovery.md +++ /dev/null 
@@ -1,179 +0,0 @@ -# Recover your cluster - -Recovery of a Constellation cluster means getting it back into a healthy state after too many concurrent node failures in the control plane. -Reasons for an unhealthy cluster can vary from a power outage, or planned reboot, to migration of nodes and regions. -Recovery events are rare, because Constellation is built for high availability and automatically and securely replaces failed nodes. When a node is replaced, Constellation's control plane first verifies the new node before it sends the node the cryptographic keys required to decrypt its [state disk](../architecture/images.md#state-disk). - -Constellation provides a recovery mechanism for cases where the control plane has failed and is unable to replace nodes. -The `constellation recover` command securely connects to all nodes in need of recovery using [attested TLS](../architecture/attestation.md#attested-tls-atls) and provides them with the keys to decrypt their state disks and continue booting. - -## Identify unhealthy clusters - -The first step to recovery is identifying when a cluster becomes unhealthy. -Usually, this can be first observed when the Kubernetes API server becomes unresponsive. - -You can check the health status of the nodes via the cloud service provider (CSP). -Constellation provides logging information on the boot process and status via serial console output. -In the following, you'll find detailed descriptions for identifying clusters stuck in recovery for each CSP. - - - - -First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `--control-plane` and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -In the Azure portal, find the cluster's resource group. -Inside the resource group, open the control plane *Virtual machine scale set* `constellation-scale-set-controlplanes-`. -On the left, go to **Settings** > **Instances** and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. -In the scale set's *Instances* view, open the details page of the desired instance. -On the left, go to **Support + troubleshooting** > **Serial console**. - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T09:56:41Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"azure"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["10.9.0.5:30090","10.9.0.6:30090"]} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.5:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.5:30090: i/o timeout\"","endpoint":"10.9.0.5:30090"} -{"level":"INFO","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.6:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.6:30090: i/o timeout\"","endpoint":"10.9.0.6:30090"} -{"level":"ERROR","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, check that the control plane *Instance Group* has enough members in a *Ready* state. -In the GCP Console, go to **Instance Groups** and check the group for the cluster's control plane `-control-plane-`. - -Second, check the status of the *VM Instances*. -Go to **VM Instances** and open the details of the desired instance. 
-Check the serial console output of that instance by opening the **Logs** > **Serial port 1 (console)** page: - -![GCP portal serial console link](../_media/recovery-gcp-serial-console-link.png) - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} -{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `--control-plane--` and check that enough members are in a *Running* state. - -Second, check the boot logs of these servers. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -## Recover a cluster - -Recovering a cluster requires the following parameters: - -* The `constellation-state.yaml` file in your working directory or the cluster's endpoint -* The master secret of the cluster - -A cluster can be recovered like this: - -```bash -$ constellation recover -Pushed recovery key. -Pushed recovery key. -Pushed recovery key. -Recovered 3 control-plane nodes. -``` - -In the serial console output of the node you'll see a similar output to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:93","msg":"Received recover call"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:125","msg":"Received state disk key and measurement secret, shutting down server"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer.gRPC","caller":"zap/server_interceptors.go:61","msg":"finished streaming call with code OK","grpc.start_time":"2022-09-08T10:26:59Z","system":"grpc","span.kind":"server","grpc.service":"recoverproto.API","grpc.method":"Recover","peer.address":"192.0.2.3:41752","grpc.code":"OK","grpc.time_ms":15.701} -{"level":"INFO","ts":"2022-09-08T10:27:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:87","msg":"RejoinClient stopped"} -``` 
diff --git a/docs/versioned_docs/version-2.20/workflows/reproducible-builds.md b/docs/versioned_docs/version-2.20/workflows/reproducible-builds.md deleted file mode 100644 index e3bc46095..000000000 --- a/docs/versioned_docs/version-2.20/workflows/reproducible-builds.md +++ /dev/null 
@@ -1,63 +0,0 @@ -# Reproduce released artifacts - -Constellation has first-class support for [reproducible builds](https://reproducible-builds.org). -Reproducing the released artifacts is an alternative to [signature verification](verify-cli.md) that doesn't require trusting Edgeless Systems' release process. -The following sections describe how to rebuild an artifact and how Constellation ensures that the rebuild reproduces the artifacts bit-by-bit. - -## Build environment prerequisites - -The build systems used by Constellation - [Bazel](https://bazel.build/) and [Nix](https://nixos.org) - are designed for deterministic, reproducible builds. -These two dependencies should be the only prerequisites for a successful build. -However, it can't be ruled out completely that peculiarities of the host affect the build result. -Thus, we recommend the following host setup for best results: - -1. A Linux operating system not older than v5.4. -2. The GNU C library not older than v2.31 (avoid `musl`). -3. GNU `coreutils` not older than v8.30 (avoid `busybox`). -4. An `ext4` filesystem for building. -5. AppArmor turned off. - -This is given, for example, on an Ubuntu 22.04 system, which is also used for reproducibility tests. - -:::note - -To avoid any backwards-compatibility issues, the host software versions should also not be much newer than the Constellation release. - -::: - -## Run the build - -The following instructions outline qualitatively how to reproduce a build. -Constellation implements these instructions in the [Reproducible Builds workflow](https://github.com/edgelesssys/constellation/actions/workflows/reproducible-builds.yml), which continuously tests for reproducibility. -The workflow is a good place to look up specific version numbers and build steps. - -1. Check out the Constellation repository at the tag corresponding to the release. 
-
- ```bash
- git clone https://github.com/edgelesssys/constellation.git
- cd constellation
- git checkout v2.20.0
- ```
-
-2. [Install the Bazel release](https://bazel.build/install) specified in `.bazelversion`.
-3. [Install Nix](https://nixos.org/download/) (any recent version should do).
-4. Run the build with `bazel build $target` for one of the following targets of interest:
-
- ```data
- //cli:cli_enterprise_darwin_amd64
- //cli:cli_enterprise_darwin_arm64
- //cli:cli_enterprise_linux_amd64
- //cli:cli_enterprise_linux_arm64
- //cli:cli_enterprise_windows_amd64
- ```
-
-5. Compare the build result with the downloaded release artifact.
-
-
-
-## Feedback
-
-Reproduction failures often indicate a bug in the build system or in the build definitions.
-Therefore, we're interested in any reproducibility issues you might encounter.
-[Start a bug report](https://github.com/edgelesssys/constellation/issues/new/choose) and describe the details of your build environment.
-Make sure to include your result binary or a [`diffoscope`](https://diffoscope.org/) report, if possible.
diff --git a/docs/versioned_docs/version-2.20/workflows/s3proxy.md b/docs/versioned_docs/version-2.20/workflows/s3proxy.md
deleted file mode 100644
index 121e8a461..000000000
--- a/docs/versioned_docs/version-2.20/workflows/s3proxy.md
+++ /dev/null
@@ -1,58 +0,0 @@
-# Install s3proxy
-
-Constellation includes a transparent client-side encryption proxy for [AWS S3](https://aws.amazon.com/de/s3/) and compatible stores.
-s3proxy encrypts objects before sending them to S3 and automatically decrypts them on retrieval, without requiring changes to your application.
-With s3proxy, you can use S3 for storage in a confidential way without having to trust the storage provider.
-
-## Limitations
-
-Currently, s3proxy has the following limitations:
-- Only `PutObject` and `GetObject` requests are encrypted/decrypted by s3proxy.
-By default, s3proxy will block requests that may expose unencrypted data to S3 (e.g. UploadPart).
-The `allow-multipart` flag disables request blocking for evaluation purposes.
-- Using the [Range](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html#API_GetObject_RequestSyntax) header on `GetObject` is currently not supported and will result in an error.
-
-These limitations will be removed with future iterations of s3proxy.
-If you want to use s3proxy but these limitations stop you from doing so, consider [opening an issue](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&projects=&template=feature_request.yml).
-
-## Deployment
-
-You can add the s3proxy to your Constellation cluster as follows:
-1. Add the Edgeless Systems chart repository:
- ```bash
- helm repo add edgeless https://helm.edgeless.systems/stable
- helm repo update
- ```
-2. Set ACCESS_KEY and ACCESS_SECRET to valid credentials you want s3proxy to use to interact with S3.
-3. Deploy s3proxy:
- ```bash
- helm install s3proxy edgeless/s3proxy --set awsAccessKeyID="$ACCESS_KEY" --set awsSecretAccessKey="$ACCESS_SECRET"
- ```
-
-If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example.
-
-
-## Technical details
-
-### Encryption
-
-s3proxy relies on Google's [Tink Cryptographic Library](https://developers.google.com/tink) to implement cryptographic operations securely.
-The used cryptographic primitives are [NIST SP 800 38f](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf) for key wrapping and [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)-[GCM](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Galois/counter_(GCM)) with 256 bit keys for data encryption.
-
-s3proxy uses [envelope encryption](https://cloud.google.com/kms/docs/envelope-encryption) to encrypt objects.
-This means s3proxy uses a key encryption key (KEK) issued by the [KeyService](../architecture/microservices.md#keyservice) to encrypt data encryption keys (DEKs).
-Each S3 object is encrypted with its own DEK.
-The encrypted DEK is then saved as metadata of the encrypted object.
-This enables key rotation of the KEK without re-encrypting the data in S3.
-The approach also allows access to objects from different locations, as long as each location has access to the KEK.
-
-### Traffic interception
-
-To use s3proxy, you have to redirect your outbound S3 traffic to s3proxy.
-This can either be done by modifying your client application or by changing the deployment of your application.
-
-The necessary deployment modifications are to add DNS redirection and a trusted TLS certificate to the client's trust store.
-DNS redirection can be defined for each pod, allowing you to use s3proxy for one application without changing other applications in the same cluster.
-Adding a trusted TLS certificate is necessary as clients communicate with s3proxy via HTTPS.
-To have your client application trust s3proxy's TLS certificate, the certificate has to be added to the client's certificate trust store.
-The [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example shows how to do this.
diff --git a/docs/versioned_docs/version-2.20/workflows/sbom.md b/docs/versioned_docs/version-2.20/workflows/sbom.md
deleted file mode 100644
index 6c1702dee..000000000
--- a/docs/versioned_docs/version-2.20/workflows/sbom.md
+++ /dev/null
@@ -1,93 +0,0 @@
-# Consume software bill of materials (SBOMs)
-
-
-
----
-
-Constellation builds produce a [software bill of materials (SBOM)](https://www.ntia.gov/SBOM) for each generated [artifact](../architecture/microservices.md).
-You can use SBOMs to make informed decisions about dependencies and vulnerabilities in a given application. Enterprises rely on SBOMs to maintain an inventory of used applications, which allows them to take data-driven approaches to managing risks related to vulnerabilities.
-
-SBOMs for Constellation are generated using [Syft](https://github.com/anchore/syft), signed using [Cosign](https://github.com/sigstore/cosign), and stored with the produced artifact.
-
-:::note
-The public key for Edgeless Systems' long-term code-signing key is:
-
-```
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT
-JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==
------END PUBLIC KEY-----
-```
-
-The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems).
-
-Make sure the key is available in a file named `cosign.pub` to execute the following examples.
-:::
-
-## Verify and download SBOMs
-
-The following sections detail how to work with each type of artifact to verify and extract the SBOM.
-
-### Constellation CLI
-
-The SBOM for Constellation CLI is made available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). The SBOM (`constellation.spdx.sbom`) and corresponding signature (`constellation.spdx.sbom.sig`) are valid for each Constellation CLI for a given version, regardless of architecture and operating system.
- -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom.sig -cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig constellation.spdx.sbom -``` - -### Container Images - -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/cosign/signing/other_types/#sboms-software-bill-of-materials) and uploaded to the same registry. - -As a consumer, use cosign to download and verify the SBOM: - -```bash -# Verify and download the attestation statement -cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.att.json -# Extract SBOM from attestation statement -jq -r .payload verification-service.att.json | base64 -d > verification-service.cyclonedx.sbom -``` - -A successful verification should result in similar output: - -```shell-session -$ cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.sbom - -Verification for ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 -- -The following checks were performed on each of these signatures: - - The cosign claims were validated - - The signatures were verified against the specified public key -$ jq -r .payload verification-service.sbom | base64 -d > verification-service.cyclonedx.sbom -``` - -:::note - -This example considers only the `verification-service`. The same approach works for all containers in the [Constellation container registry](https://github.com/orgs/edgelesssys/packages?repo_name=constellation). - -::: - - - -## Vulnerability scanning - -You can use a plethora of tools to consume SBOMs. 
This section provides suggestions for tools that are popular and known to produce reliable results, but any tool that consumes [SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) files should work.
-
-Syft is able to [convert between the two formats](https://github.com/anchore/syft#format-conversion-experimental) in case you require a specific type.
-
-### Grype
-
-[Grype](https://github.com/anchore/grype) is a CLI tool that lends itself well for integration into CI/CD systems or local developer machines. It's also able to consume the signed attestation statement directly and does the verification in one go.
-
-```bash
-grype att:verification-service.sbom --key cosign.pub --add-cpes-if-none -q
-```
-
-### Dependency Track
-
-[Dependency Track](https://dependencytrack.org/) is one of the oldest and most mature solutions when it comes to managing software inventory and vulnerabilities. Once imported, it continuously scans SBOMs for new vulnerabilities. It supports the CycloneDX format and provides direct guidance on how to comply with [U.S. Executive Order 14028](https://docs.dependencytrack.org/usage/executive-order-14028/).
diff --git a/docs/versioned_docs/version-2.20/workflows/scale.md b/docs/versioned_docs/version-2.20/workflows/scale.md
deleted file mode 100644
index 28f19e3f1..000000000
--- a/docs/versioned_docs/version-2.20/workflows/scale.md
+++ /dev/null
@@ -1,122 +0,0 @@
-# Scale your cluster
-
-Constellation provides all features of a Kubernetes cluster including scaling and autoscaling.
-
-## Worker node scaling
-
-### Autoscaling
-
-Constellation comes with autoscaling disabled by default. To enable autoscaling, find the scaling group of
-worker nodes:
-
-```bash
-kubectl get scalinggroups -o json | yq '.items | .[] | select(.spec.role == "Worker") | [{"name": .metadata.name, "nodeGoupName": .spec.nodeGroupName}]'
-```
-
-This will output a list of scaling groups with the corresponding cloud provider name (`name`) and the cloud provider agnostic name of the node group (`nodeGroupName`).
-
-Then, patch the `autoscaling` field of the scaling group resource with the desired `name` to `true`:
-
-```bash
-# Replace with the name of the scaling group you want to enable autoscaling for
-worker_group=
-kubectl patch scalinggroups $worker_group --patch '{"spec":{"autoscaling": true}}' --type='merge'
-kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P
-```
-
-The cluster autoscaler now automatically provisions additional worker nodes so that all pods have a place to run.
-You can configure the minimum and maximum number of worker nodes in the scaling group by patching the `min` or
-`max` fields of the scaling group resource:
-
-```bash
-kubectl patch scalinggroups $worker_group --patch '{"spec":{"max": 5}}' --type='merge'
-kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P
-```
-
-The cluster autoscaler will now never provision more than 5 worker nodes.
-
-If you want to see the autoscaling in action, try to add a deployment with a lot of replicas, like the
-following Nginx deployment. The number of replicas needed to trigger the autoscaling depends on the size of
-and count of your worker nodes.
Wait for the rollout of the deployment to finish and compare the number of
-worker nodes before and after the deployment:
-
-```bash
-kubectl create deployment nginx --image=nginx --replicas 150
-kubectl -n kube-system get nodes
-kubectl rollout status deployment nginx
-kubectl -n kube-system get nodes
-```
-
-### Manual scaling
-
-Alternatively, you can manually scale your cluster up or down:
-
-
-
-
-1. Go to Auto Scaling Groups and select the worker ASG to scale up.
-2. Click **Edit**
-3. Set the new (increased) **Desired capacity** and **Update**.
-
-
-
-
-1. Find your Constellation resource group.
-2. Select the `scale-set-workers`.
-3. Go to **settings** and **scaling**.
-4. Set the new **instance count** and **save**.
-
-
-
-
-1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/).
-2. **Edit** the **worker** instance group.
-3. Set the new **number of instances** and **save**.
-
-
-
-
-Dynamic cluster scaling isn't yet supported for STACKIT.
-Support will be introduced in one of the upcoming releases.
-
-
-
-
-## Control-plane node scaling
-
-Control-plane nodes can **only be scaled manually and only scaled up**!
-
-To increase the number of control-plane nodes, follow these steps:
-
-
-
-
-1. Go to Auto Scaling Groups and select the control-plane ASG to scale up.
-2. Click **Edit**
-3. Set the new (increased) **Desired capacity** and **Update**.
-
-
-
-
-1. Find your Constellation resource group.
-2. Select the `scale-set-controlplanes`.
-3. Go to **settings** and **scaling**.
-4. Set the new (increased) **instance count** and **save**.
-
-
-
-
-1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/).
-2. **Edit** the **control-plane** instance group.
-3. Set the new (increased) **number of instances** and **save**.
-
-
-
-
-Dynamic cluster scaling isn't yet supported for STACKIT.
-Support will be introduced in one of the upcoming releases.
-
-
-
-
-If you scale down the number of control-planes nodes, the removed nodes won't be able to exit the `etcd` cluster correctly. This will endanger the quorum that's required to run a stable Kubernetes control plane.
diff --git a/docs/versioned_docs/version-2.20/workflows/storage.md b/docs/versioned_docs/version-2.20/workflows/storage.md
deleted file mode 100644
index a5c52be90..000000000
--- a/docs/versioned_docs/version-2.20/workflows/storage.md
+++ /dev/null
@@ -1,281 +0,0 @@
-# Use persistent storage
-
-Persistent storage in Kubernetes requires cloud-specific configuration.
-For abstraction of container storage, Kubernetes offers [volumes](https://kubernetes.io/docs/concepts/storage/volumes/),
-allowing users to mount storage solutions directly into containers.
-The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes.
-Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage.
-
-## Confidential storage
-
-Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek).
-Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT.
-However, their encryption takes place in the storage backend and is managed by the CSP.
-Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data.
-
-To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage.
-
-For more details see [encrypted persistent storage](../architecture/encrypted-storage.md).
-
-## CSI drivers
-
-Constellation supports the following drivers, which offer node-level encryption and optional integrity protection.
-
-
-
-
-**Constellation CSI driver for AWS Elastic Block Store**
-Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster.
-Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information. - - - - -**Constellation CSI driver for Azure Disk**: -Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster. -See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information. -Since Azure Disks are mounted as `ReadWriteOnce`, they're only available to a single pod. - - - - -**Constellation CSI driver for GCP Persistent Disk**: -Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for more information. - - - - -**Constellation CSI driver for STACKIT / OpenStack Cinder** -Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information. - - - - -Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [AWS EFS](https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html), [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction), or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. 
Constellation is just not providing transparent encryption on the node level for these storage types yet. - -## Installation - -The Constellation CLI automatically installs Constellation's CSI driver for the selected CSP in your cluster. -If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file. - - - - -AWS comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -Azure comes with two storage classes by default. 
- -* `encrypted-rwo` - * Uses [Standard SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [Premium SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#premium-ssds) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -GCP comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [standard persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [performance (SSD) persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. 
-If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -STACKIT comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -1. 
Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) - - A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. - It can refer to a storage class. - The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class: - - ```bash - cat < - ---- - -You can terminate your cluster using the CLI. For this, you need the Terraform state directory named [`constellation-terraform`](../reference/terraform.md) in the current directory. - -:::danger - -All ephemeral storage and state of your cluster will be lost. Make sure any data is safely stored in persistent storage. Constellation can recreate your cluster and the associated encryption keys, but won't backup your application data automatically. - -::: - - - -Terminate the cluster by running: - -```bash -constellation terminate -``` - -Or without confirmation (e.g., for automation purposes): - -```bash -constellation terminate --yes -``` - -This deletes all resources created by Constellation in your cloud environment. -All local files created by the `apply` command are deleted as well, except for `constellation-mastersecret.json` and the configuration file. - -:::caution - -Termination can fail if additional resources have been created that depend on the ones managed by Constellation. In this case, you need to delete these additional -resources manually. Just run the `terminate` command again afterward to continue the termination process of the cluster. - -::: - - - -Terminate the cluster by running: - -```bash -terraform destroy -``` - -Delete all files that are no longer needed: - -```bash -rm constellation-state.yaml constellation-admin.conf -``` - -Only the `constellation-mastersecret.json` and the configuration file remain. - - - 
diff --git a/docs/versioned_docs/version-2.20/workflows/terraform-provider.md b/docs/versioned_docs/version-2.20/workflows/terraform-provider.md
deleted file mode 100644
index c7a795d3f..000000000
--- a/docs/versioned_docs/version-2.20/workflows/terraform-provider.md
+++ /dev/null
@@ -1,140 +0,0 @@ -# Use the Terraform provider - -The Constellation Terraform provider allows to manage the full lifecycle of a Constellation cluster (namely creation, upgrades, and deletion) via Terraform. -The provider is available through the [Terraform registry](https://registry.terraform.io/providers/edgelesssys/constellation/latest) and is released in lock-step with Constellation releases. - -## Prerequisites - -- a Linux / Mac operating system (ARM64/AMD64) -- a Terraform installation of version `v1.4.4` or above - -## Quick setup - -This example shows how to set up a Constellation cluster with the reference IAM and infrastructure setup. This setup is also used when creating a Constellation cluster through the Constellation CLI. You can either consume the IAM / infrastructure modules through a remote source (recommended) or local files. The latter requires downloading the infrastructure and IAM modules for the corresponding CSP from `terraform-modules.zip` on the [Constellation release page](https://github.com/edgelesssys/constellation/releases/latest) and placing them in the Terraform workspace directory. - -1. Create a directory (workspace) for your Constellation cluster. - - ```bash - mkdir constellation-workspace - cd constellation-workspace - ``` - -2. Use one of the [example configurations for using the Constellation Terraform provider](https://github.com/edgelesssys/constellation/tree/main/terraform-provider-constellation/examples/full) or create a `main.tf` file and fill it with the resources you want to create. The [Constellation Terraform provider documentation](https://registry.terraform.io/providers/edgelesssys/constellation/latest) offers thorough documentation on the resources and their attributes. -3. Initialize and apply the Terraform configuration. - - - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -:::info -On SEV-SNP, you need to manually patch the policy of the MAA provider before creating the Constellation cluster, as this feature isn't available in Azure's Terraform provider yet. The Constellation CLI provides a utility for patching, but you can also do it manually. - - ```bash - terraform init - terraform apply -target module.azure_iam # adjust resource path if not using the example configuration - terraform apply -target module.azure_infrastructure # adjust resource path if not using the example configuration - constellation maa-patch $(terraform output -raw maa_url) # adjust output path / input if not using the example configuration or manually patch the resource - terraform apply -target constellation_cluster.azure_example # adjust resource path if not using the example configuration - ``` - - Use the following policy if manually performing the patch. - - ``` - version= 1.0; - authorizationrules - { - [type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny(); - [type=="x-ms-azurevm-debuggersdisabled", value==false] => deny(); - // The line below was edited to use the MAA provider within Constellation. Do not edit manually. - //[type=="secureboot", value==false] => deny(); - [type=="x-ms-azurevm-signingdisabled", value==false] => deny(); - [type=="x-ms-azurevm-dbvalidated", value==false] => deny(); - [type=="x-ms-azurevm-dbxvalidated", value==false] => deny(); - => permit(); - }; - issuancerules - { - }; - ``` - -::: - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -4. Connect to the cluster. - - ```bash - terraform output -raw kubeconfig > constellation-admin.conf - export KUBECONFIG=$(realpath constellation-admin.conf) - ``` - -## Bringing your own infrastructure - -Instead of using the example infrastructure used in the [quick setup](#quick-setup), you can also provide your own infrastructure. -If you need a starting point for a custom infrastructure setup, you can download the infrastructure / IAM Terraform modules for the respective CSP from the Constellation [GitHub releases](https://github.com/edgelesssys/constellation/releases). You can modify and extend the modules per your requirements, while keeping the basic functionality intact. 
-The module contains: - -- `{csp}`: cloud resources the cluster runs on -- `iam/{csp}`: IAM resources used within the cluster - -When upgrading your cluster, make sure to check the Constellation release notes for potential breaking changes in the reference infrastructure / IAM modules that need to be considered. - -## Cluster upgrades - -:::tip -Also see the [general documentation on cluster upgrades](./upgrade.md). -::: - -The steps for applying the upgrade are as follows: - -1. Update the version constraint of the Constellation Terraform provider in the `required_providers` block in your Terraform configuration. -2. If you explicitly set any of the version attributes of the provider's resources and data sources (e.g. `image_version` or `constellation_microservice_version`), make sure to update them too. Refer to Constellation's [version support policy](https://github.com/edgelesssys/constellation/blob/main/dev-docs/workflows/versions-support.md) for more information on how each Constellation version and its dependencies are supported. -3. Update the IAM / infrastructure configuration. - - For [remote addresses as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#fetching-archives-over-http), update the version number inside the address of the `source` field of the infrastructure / IAM module to the target version. - - For [local paths as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#local-paths) or when [providing your own infrastructure](#bringing-your-own-infrastructure), see the changes made in the reference modules since the upgrade's origin version and adjust your infrastructure / IAM configuration accordingly. -4. Upgrade the Terraform module and provider dependencies and apply the targeted configuration. - -```bash - terraform init -upgrade - terraform apply -``` 
diff --git a/docs/versioned_docs/version-2.20/workflows/troubleshooting.md b/docs/versioned_docs/version-2.20/workflows/troubleshooting.md
deleted file mode 100644
index 195bce1cc..000000000
--- a/docs/versioned_docs/version-2.20/workflows/troubleshooting.md
+++ /dev/null
@@ -1,151 +0,0 @@
-# Troubleshooting
-
-This section aids you in finding problems when working with Constellation.
-
-## Common issues
-
-### Issues with creating new clusters
-
-When you create a new cluster, you should always use the [latest release](https://github.com/edgelesssys/constellation/releases/latest).
-If something doesn't work, check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22).
-
-### Azure: Resource Providers can't be registered
-
-On Azure, you may receive the following error when running `apply` or `terminate` with limited IAM permissions:
-
-```shell-session
-Error: Error ensuring Resource Providers are registered.
-
-Terraform automatically attempts to register the Resource Providers it supports to
-ensure it's able to provision resources.
-
-If you don't have permission to register Resource Providers you may wish to use the
-"skip_provider_registration" flag in the Provider block to disable this functionality.
-
-[...]
-```
-
-To continue, please ensure that the [required resource providers](../getting-started/install.md#required-permissions) have been registered in your subscription by your administrator.
-
-Afterward, set `ARM_SKIP_PROVIDER_REGISTRATION=true` as an environment variable and either run `apply` or `terminate` again.
-For example: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation apply -``` - -Or alternatively, for `terminate`: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate -``` - -### Azure: Can't update attestation policy - -On Azure, you may receive the following error when running `apply` from within an Azure environment, e.g., an Azure VM: - -```shell-session -An error occurred: patching policies: updating attestation policy: unexpected status code: 403 Forbidden -``` - -The problem occurs because the Azure SDK we use internally attempts to [authenticate towards the Azure API with the managed identity of your current environment instead of the Azure CLI token](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential). - -We decided not to deviate from this behavior and comply with the ordering of credentials. - -A solution is to add the [required permissions](../getting-started/install.md#required-permissions) to the managed identity of your environment. For example, the managed identity of your Azure VM, instead of the account that you've authenticated with in the Azure CLI. - -If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior. - - - -### Nodes fail to join with error `untrusted measurement value` - -This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice). -This may for example happen if the cloud provider updates the VM's firmware such that it influences the [runtime measurements](../architecture/attestation.md#runtime-measurements) in an unforeseen way. -A failed upgrade due to an erroneous attestation config can also cause this error. -You can change the expected measurements to resolve the failure. 
- -:::caution - -Attestation and trusted measurements are crucial for the security of your cluster. -Be extra careful when manually changing these settings. -When in doubt, check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -:::tip - -During an upgrade with modified attestation config, a backup of the current configuration is stored in the `join-config` config map in the `kube-system` namespace under the `attestationConfig_backup` key. To restore the old attestation config after a failed upgrade, replace the value of `attestationConfig` with the value from `attestationConfig_backup`: - -```bash -kubectl patch configmaps -n kube-system join-config -p "{\"data\":{\"attestationConfig\":\"$(kubectl get configmaps -n kube-system join-config -o "jsonpath={.data.attestationConfig_backup}")\"}}" -``` - -::: - -You can use the `apply` command to change measurements of a running cluster: - -1. Modify the `measurements` key in your local `constellation-conf.yaml` to the expected values. -2. Run `constellation apply`. - -Keep in mind that running `apply` also applies any version changes from your config to the cluster. - -You can run these commands to learn about the versions currently configured in the cluster: - -- Kubernetes API server version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.kubernetesClusterVersion` -- image version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.imageVersion` -- microservices versions: `helm list --filter 'constellation-services' -n kube-system` - -### Upgrading Kubernetes resources fails - -Constellation manages its Kubernetes resources using Helm. 
-When applying an upgrade, the charts that are about to be installed, and a values override file `overrides.yaml`, -are saved to disk in your current workspace under `constellation-upgrade/upgrade-/helm-charts/`. -If upgrading the charts using the Constellation CLI fails, you can review these charts and try to manually apply the upgrade. - -:::caution - -Changing and manually applying the charts may destroy cluster resources and can lead to broken Constellation deployments. -Proceed with caution and when in doubt, -check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -## Diagnosing issues - -### Logs - -To get started on diagnosing issues with Constellation, it's often helpful to collect logs from nodes, pods, or other resources in the cluster. Most logs are available through Kubernetes' standard -[logging interfaces](https://kubernetes.io/docs/concepts/cluster-administration/logging/). - -To debug issues occurring at boot time of the nodes, you can use the serial console interface of the CSP while the machine boots to get a read-only view of the boot logs. - -Apart from that, Constellation also offers further [observability integrations](../architecture/observability.md). - -### Node shell access - -Debugging via a shell on a node is [directly supported by Kubernetes](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#node-shell-session). - -1. Figure out which node to connect to: - - ```bash - kubectl get nodes - # or to see more information, such as IPs: - kubectl get nodes -o wide - ``` - -2. Connect to the node: - - ```bash - kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox - ``` - - You will be presented with a prompt. - - The nodes file system is mounted at `/host`. - -3. 
Once finished, clean up the debug pod:
-
- ```bash
- kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj
- ```
diff --git a/docs/versioned_docs/version-2.20/workflows/trusted-launch.md b/docs/versioned_docs/version-2.20/workflows/trusted-launch.md
deleted file mode 100644
index d6d01d8eb..000000000
--- a/docs/versioned_docs/version-2.20/workflows/trusted-launch.md
+++ /dev/null
@@ -1,54 +0,0 @@ -# Use Azure trusted launch VMs - -Constellation also supports [trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch) on Microsoft Azure. Trusted launch VMs don't offer the same level of security as Confidential VMs, but are available in more regions and in larger quantities. The main difference between trusted launch VMs and normal VMs is that the former offer vTPM-based remote attestation. When used with trusted launch VMs, Constellation relies on vTPM-based remote attestation to verify nodes. - -:::caution - -Trusted launch VMs don't provide runtime encryption and don't keep the cloud service provider (CSP) out of your trusted computing base. - -::: - -Constellation supports trusted launch VMs with instance types `Standard_D*_v4` and `Standard_E*_v4`. Run `constellation config instance-types` for a list of all supported instance types. - -## VM images - -Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription. - -The latest image is available at `https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img`. Simply adjust the version number to download a newer version. - -After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image. -You can use a script to do this: - -```bash -wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh -chmod +x importAzure.sh -AZURE_IMAGE_VERSION=2.2.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./constellation.img ./importAzure.sh -``` - -The script creates the following resources: - -1. A new image gallery with the default name `constellation-import` -2. A new image definition with the default name `constellation` -3. 
The actual image with the provided version. In this case `2.2.0` - -Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`. - -Fetch the image measurements: - -```bash -IMAGE_VERSION=2.2.0 -URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//communitygalleries/constellationcvm-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/$IMAGE_VERSION/measurements.yaml -constellation config fetch-measurements -u$URL -s$URL.sig -``` - -:::info - -The [`constellation apply`](create.md) command will issue a warning because manually imported images aren't recognized as production grade images: - -```shell-session -Configured image doesn't look like a released production image. Double check image before deploying to production. -``` - -Please ignore this warning. - -::: diff --git a/docs/versioned_docs/version-2.20/workflows/upgrade.md b/docs/versioned_docs/version-2.20/workflows/upgrade.md deleted file mode 100644 index 3db2ecad6..000000000 --- a/docs/versioned_docs/version-2.20/workflows/upgrade.md +++ /dev/null 
@@ -1,110 +0,0 @@ -# Upgrade your cluster - -Constellation provides an easy way to upgrade all components of your cluster, without disrupting its availability. -Specifically, you can upgrade the Kubernetes version, the nodes' image, and the Constellation microservices. -You configure the desired versions in your local Constellation configuration and trigger upgrades with the `apply` command. -To learn about available versions you use the `upgrade check` command. -Which versions are available depends on the CLI version you are using. - -## Update the CLI - -Each CLI comes with a set of supported microservice and Kubernetes versions. -Most importantly, a given CLI version can only upgrade a cluster of the previous minor version, but not older ones. -This means that you have to upgrade your CLI and cluster one minor version at a time. - -For example, if you are currently on CLI version v2.6 and the latest version is v2.8, you should - -* upgrade the CLI to v2.7, -* upgrade the cluster to v2.7, -* and only then continue upgrading the CLI (and the cluster) to v2.8 after. - -Also note that if your current Kubernetes version isn't supported by the next CLI version, use your current CLI to upgrade to a newer Kubernetes version first. - -To learn which Kubernetes versions are supported by a particular CLI, run [constellation config kubernetes-versions](../reference/cli.md#constellation-config-kubernetes-versions). - -## Migrate the configuration - -The Constellation configuration file is located in the file `constellation-conf.yaml` in your workspace. -Refer to the [migration reference](../reference/migration.md) to check if you need to update fields in your configuration file. -Use [`constellation config migrate`](../reference/cli.md#constellation-config-migrate) to automatically update an old config file to a new format. 
- -## Check for upgrades - -To learn which versions the current CLI can upgrade to and what's installed in your cluster, run: - -```bash -# Show possible upgrades -constellation upgrade check - -# Show possible upgrades and write them to config file -constellation upgrade check --update-config -``` - -You can either enter the reported target versions into your config manually or run the above command with the `--update-config` flag. -When using this flag, the `kubernetesVersion`, `image`, `microserviceVersion`, and `attestation` fields are overwritten with the smallest available upgrade. - -## Apply the upgrade - -Once you updated your config with the desired versions, you can trigger the upgrade with this command: - -```bash -constellation apply -``` - -Microservice upgrades will be finished within a few minutes, depending on the cluster size. -If you are interested, you can monitor pods restarting in the `kube-system` namespace with your tool of choice. - -Image and Kubernetes upgrades take longer. -For each node in your cluster, a new node has to be created and joined. -The process usually takes up to ten minutes per node. - -When applying an upgrade, the Helm charts for the upgrade as well as backup files of Constellation-managed Custom Resource Definitions, Custom Resources, and Terraform state are created. -You can use the Terraform state backup to restore previous resources in case an upgrade misconfigured or erroneously deleted a resource. -You can use the Custom Resource (Definition) backup files to restore Custom Resources and Definitions manually (e.g., via `kubectl apply`) if the automatic migration of those resources fails. -You can use the Helm charts to manually apply upgrades to the Kubernetes resources, should an upgrade fail. - -:::note - -For advanced users: the upgrade consists of several phases that can be individually skipped through the `--skip-phases` flag. 
-The phases are `infrastracture` for the cloud resource management through Terraform, `helm` for the chart management of the microservices, `image` for OS image upgrades, and `k8s` for Kubernetes version upgrades. - -::: - -## Check the status - -Upgrades are asynchronous operations. -After you run `apply`, it will take a while until the upgrade has completed. -To understand if an upgrade is finished, you can run: - -```bash -constellation status -``` - -This command displays the following information: - -* The installed services and their versions -* The image and Kubernetes version the cluster is expecting on each node -* How many nodes are up to date - -Here's an example output: - -```shell-session -Target versions: - Image: v2.6.0 - Kubernetes: v1.25.8 -Service versions: - Cilium: v1.12.1 - cert-manager: v1.10.0 - constellation-operators: v2.6.0 - constellation-services: v2.6.0 -Cluster status: Some node versions are out of date - Image: 23/25 - Kubernetes: 25/25 -``` - -This output indicates that the cluster is running Kubernetes version `1.25.8`, and all nodes have the appropriate binaries installed. -23 out of 25 nodes have already upgraded to the targeted image version of `2.6.0`, while two are still in progress. - -## Apply further upgrades - -After the upgrade is finished, you can run `constellation upgrade check` again to see if there are more upgrades available. If so, repeat the process. diff --git a/docs/versioned_docs/version-2.20/workflows/verify-cli.md b/docs/versioned_docs/version-2.20/workflows/verify-cli.md deleted file mode 100644 index e33569d37..000000000 --- a/docs/versioned_docs/version-2.20/workflows/verify-cli.md +++ /dev/null 
@@ -1,129 +0,0 @@ -# Verify the CLI - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/cosign/signing/overview/), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at `https://rekor.sigstore.dev`. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). -::: - -The Rekor transparency log is a public append-only ledger that verifies and records signatures and associated metadata. The Rekor transparency log enables everyone to observe the sequence of (software) signatures issued by Edgeless Systems and many other parties. The transparency log allows for the public identification of dubious or malicious signatures. - -You should always ensure that (1) your CLI executable was signed with the private key corresponding to the above public key and that (2) there is a corresponding entry in the Rekor transparency log. Both can be done as described in the following. - -:::info -You don't need to verify the Constellation node images. This is done automatically by your CLI and the rest of Constellation. 
-::: - -## Verify the signature - -:::info -This guide assumes Linux on an amd64 processor. The exact steps for other platforms differ slightly. -::: - -First, [install the Cosign CLI](https://docs.sigstore.dev/cosign/system_config/installation/). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: - -```shell-session -$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -Verified OK -``` - -The above performs an offline verification of the provided public key, signature, and executable. To also verify that a corresponding entry exists in the public Rekor transparency log, add the variable `COSIGN_EXPERIMENTAL=1`: - -```shell-session -$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -tlog entry verified with uuid: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 index: 3477047 -Verified OK -``` - -🏁 You now know that your CLI executable was officially released and signed by Edgeless Systems. - -### Optional: Manually inspect the transparency log - -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) 
- -```shell-session -$ rekor-cli search --artifact constellation-linux-amd64 - -Found matching entries (listed by UUID): -362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -``` - -With this UUID you can get the full entry from the transparency log: - -```shell-session -$ rekor-cli get --uuid=362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 - -LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d -Index: 3477047 -IntegratedTime: 2022-09-12T22:28:16Z -UUID: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -Body: { - "HashedRekordObj": { - "data": { - "hash": { - "algorithm": "sha256", - "value": "40e137b9b9b8204d672642fd1e181c6d5ccb50cfc5cc7fcbb06a8c2c78f44aff" - } - }, - "signature": { - "content": "MEUCIQCSER3mGj+j5Pr2kOXTlCIHQC3gT30I7qkLr9Awt6eUUQIgcLUKRIlY50UN8JGwVeNgkBZyYD8HMxwC/LFRWoMn180=", - "publicKey": { - "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZjhGMWhwbXdFK1lDRlh6akd0YVFjckw2WFpWVApKbUVlNWlTTHZHMVN5UVNBZXc3V2RNS0Y2bzl0OGUyVEZ1Q2t6bE9oaGx3czJPSFdiaUZabkZXQ0Z3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" - } - } - } -} -``` - -The field `publicKey` should contain Edgeless Systems' public key in Base64 encoding. - -You can get an exhaustive list of artifact signatures issued by Edgeless Systems via the following command: - -```bash -rekor-cli search --public-key https://edgeless.systems/es.pub --pki-format x509 -``` - -Edgeless Systems monitors this list to detect potential unauthorized use of its private key. - -## Verify the provenance - -Provenance attests that a software artifact was produced by a specific repository and build system invocation. For more information on provenance visit [slsa.dev](https://slsa.dev/provenance/v0.2) and learn about the [adoption of SLSA for Constellation](../reference/slsa.md). 
- -Just as checking its signature proves that the CLI hasn't been manipulated, checking the provenance proves that the artifact was produced by the expected build process and hasn't been tampered with. - -To verify the provenance, first install the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Then make sure you have the provenance file (`constellation.intoto.jsonl`) and Constellation CLI downloaded. Both are available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). - -:::info -The same provenance file is valid for all Constellation CLI executables of a given version independent of the target platform. -::: - -Use the verifier to perform the check: - -```shell-session -$ slsa-verifier verify-artifact constellation-linux-amd64 \ - --provenance-path constellation.intoto.jsonl \ - --source-uri github.com/edgelesssys/constellation - -Verified signature against tlog entry index 7771317 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77af2c04c8b4ae0d5bc5... -Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2 at commit 18e9924b416323c37b9cdfd6cc728de8a947424a -PASSED: Verified SLSA provenance -``` diff --git a/docs/versioned_docs/version-2.20/workflows/verify-cluster.md b/docs/versioned_docs/version-2.20/workflows/verify-cluster.md deleted file mode 100644 index b6595ebf2..000000000 --- a/docs/versioned_docs/version-2.20/workflows/verify-cluster.md +++ /dev/null 
@@ -1,97 +0,0 @@ -# Verify your cluster - -Constellation's [attestation feature](../architecture/attestation.md) allows you, or a third party, to verify the integrity and confidentiality of your Constellation cluster. - -## Fetch measurements - -To verify the integrity of Constellation you need trusted measurements to verify against. For each node image released by Edgeless Systems, there are signed measurements, which you can download using the CLI: - -```bash -constellation config fetch-measurements -``` - -This command performs the following steps: - -1. Download the signed measurements for the configured image. By default, this will use Edgeless Systems' public measurement registry. -2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub). -3. Write measurements into configuration file. - -The configuration file then contains a list of `measurements` similar to the following: - -```yaml -# ... -measurements: - 0: - expected: "0f35c214608d93c7a6e68ae7359b4a8be5a0e99eea9107ece427c4dea4e439cf" - warnOnly: false - 4: - expected: "02c7a67c01ec70ffaf23d73a12f749ab150a8ac6dc529bda2fe1096a98bf42ea" - warnOnly: false - 5: - expected: "e6949026b72e5045706cd1318889b3874480f7a3f7c5c590912391a2d15e6975" - warnOnly: true - 8: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 9: - expected: "f0a6e8601b00e2fdc57195686cd4ef45eb43a556ac1209b8e25d993213d68384" - warnOnly: false - 11: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 12: - expected: "da99eb6cf7c7fbb692067c87fd5ca0b7117dc293578e4fea41f95d3d3d6af5e2" - warnOnly: false - 13: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 14: - expected: "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" - warnOnly: true - 15: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - 
warnOnly: false -# ... -``` - -Each entry specifies the expected value of the Constellation node, and whether the measurement should be enforced (`warnOnly: false`), or only a warning should be logged (`warnOnly: true`). -By default, the subset of the [available measurements](../architecture/attestation.md#runtime-measurements) that can be locally reproduced and verified is enforced. - -During attestation, the validating side (CLI or [join service](../architecture/microservices.md#joinservice)) compares each measurement reported by the issuing side (first node or joining node) individually. -For mismatching measurements that have set `warnOnly` to `true` only a warning is emitted. -For mismatching measurements that have set `warnOnly` to `false` an error is emitted and attestation fails. -If attestation fails for a new node, it isn't permitted to join the cluster. - -## The *verify* command - -:::note -The steps below are purely optional. They're automatically executed by `constellation apply` when you initialize your cluster. The `constellation verify` command mostly has an illustrative purpose. -::: - -The `verify` command obtains and verifies an attestation statement from a running Constellation cluster. - -```bash -constellation verify [--cluster-id ...] -``` - -From the attestation statement, the command verifies the following properties: - -* The cluster is using the correct Confidential VM (CVM) type. -* Inside the CVMs, the correct node images are running. The node images are identified through the measurements obtained in the previous step. -* The unique ID of the cluster matches the one from your `constellation-state.yaml` file or passed in via `--cluster-id`. - -Once the above properties are verified, you know that you are talking to the right Constellation cluster and it's in a good and trustworthy shape. - -### Custom arguments - -The `verify` command also allows you to verify any Constellation deployment that you have network access to. 
For this you need the following: - -* The IP address of a running Constellation cluster's [VerificationService](../architecture/microservices.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`. -* The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details. -* A `constellation-conf.yaml` file with the expected measurements of the cluster in your working directory. - -For example: - -```shell-session -constellation verify -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ= -``` diff --git a/docs/versioned_docs/version-2.21/_media/SLSA-Badge-full-level3.svg b/docs/versioned_docs/version-2.21/_media/SLSA-Badge-full-level3.svg deleted file mode 100644 index 7154d4a13..000000000 --- a/docs/versioned_docs/version-2.21/_media/SLSA-Badge-full-level3.svg +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_bw.png b/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_bw.png deleted file mode 100644 index a82ebe2d0..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_bw.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_iops.png b/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_iops.png deleted file mode 100644 index 1723257a8..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_iops.png and /dev/null differ 
diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_bw.png b/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_bw.png deleted file mode 100644 index 4f0ecc94b..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_bw.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_iops.png b/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_iops.png deleted file mode 100644 index 571086da2..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_iops.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_azure.png b/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_azure.png deleted file mode 100644 index 9130349c7..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_azure.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_gcp.png b/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_gcp.png deleted file mode 100644 index a41557e96..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_gcp.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_azure.png b/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_azure.png deleted file mode 100644 index d83e17f5a..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_azure.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_gcp.png b/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_gcp.png deleted file mode 100644 index 55916a1de..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_gcp.png and /dev/null differ 
diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/max_latency.png b/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/max_latency.png deleted file mode 100644 index 696250181..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/max_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/mean_latency.png b/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/mean_latency.png deleted file mode 100644 index 3b43298ac..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/mean_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/min_latency.png b/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/min_latency.png deleted file mode 100644 index 1046df67e..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/min_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/p99_latency.png b/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/p99_latency.png deleted file mode 100644 index 0190118b2..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/p99_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/concept-constellation.svg b/docs/versioned_docs/version-2.21/_media/concept-constellation.svg deleted file mode 100644 index 30d32bf6d..000000000 --- a/docs/versioned_docs/version-2.21/_media/concept-constellation.svg +++ /dev/null @@ -1,460 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.21/_media/concept-managed.svg b/docs/versioned_docs/version-2.21/_media/concept-managed.svg deleted file mode 100644 index 5645a608f..000000000 --- a/docs/versioned_docs/version-2.21/_media/concept-managed.svg +++ /dev/null @@ -1,591 +0,0 @@ - - 
diff --git a/docs/versioned_docs/version-2.21/_media/constellation_oneline.svg b/docs/versioned_docs/version-2.21/_media/constellation_oneline.svg deleted file mode 100644 index 4e354958a..000000000 --- a/docs/versioned_docs/version-2.21/_media/constellation_oneline.svg +++ /dev/null @@ -1,52 +0,0 @@ - - - - - - - - diff --git a/docs/versioned_docs/version-2.21/_media/example-emojivoto.jpg b/docs/versioned_docs/version-2.21/_media/example-emojivoto.jpg deleted file mode 100644 index 4be0d5b26..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/example-emojivoto.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/example-online-boutique.jpg b/docs/versioned_docs/version-2.21/_media/example-online-boutique.jpg deleted file mode 100644 index 026f0d865..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/example-online-boutique.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/recovery-gcp-serial-console-link.png b/docs/versioned_docs/version-2.21/_media/recovery-gcp-serial-console-link.png deleted file mode 100644 index eb67f0e99..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/recovery-gcp-serial-console-link.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/tcb.svg b/docs/versioned_docs/version-2.21/_media/tcb.svg deleted file mode 100644 index e5bcb5b95..000000000 --- a/docs/versioned_docs/version-2.21/_media/tcb.svg +++ /dev/null @@ -1,535 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.21/architecture/attestation.md b/docs/versioned_docs/version-2.21/architecture/attestation.md deleted file mode 100644 index 9bd157460..000000000 --- a/docs/versioned_docs/version-2.21/architecture/attestation.md +++ /dev/null 
@@ -1,409 +0,0 @@ -# Attestation - -This page explains Constellation's attestation process and highlights the cornerstones of its trust model. - -## Terms - -The following lists terms and concepts that help to understand the attestation concept of Constellation. - -### Trusted Platform Module (TPM) - -A TPM chip is a dedicated tamper-resistant crypto-processor. -It can securely store artifacts such as passwords, certificates, encryption keys, or *runtime measurements* (more on this below). -When a TPM is implemented in software, it's typically called a *virtual* TPM (vTPM). - -### Runtime measurement - -A runtime measurement is a cryptographic hash of the memory pages of a so called *runtime component*. Runtime components of interest typically include a system's bootloader or OS kernel. - -### Platform Configuration Register (PCR) - -A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. -To store a new value in a PCR, the existing value is extended with a new value as follows: - -``` -PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend ) -``` - -The PCRs are typically used to store runtime measurements. -The new value of a PCR is always an extension of the existing value. -Thus, storing the measurements of multiple components into the same PCR irreversibly links them together. - -### Measured boot - -Measured boot builds on the concept of chained runtime measurements. -Each component in the boot chain loads and measures the next component into the PCR before executing it. -By comparing the resulting PCR values against trusted reference values, the integrity of the entire boot chain and thereby the running system can be ensured. - -### Remote attestation (RA) - -Remote attestation is the process of verifying certain properties of an application or platform, such as integrity and confidentiality, from a remote location. 
-In the case of a measured boot, the goal is to obtain a signed attestation statement on the PCR values of the boot measurements. -The statement can then be verified and compared to a set of trusted reference values. -This way, the integrity of the platform can be ensured before sharing secrets with it. - -### Confidential virtual machine (CVM) - -Confidential computing (CC) is the protection of data in-use with hardware-based trusted execution environments (TEEs). -With CVMs, TEEs encapsulate entire virtual machines and isolate them against the hypervisor, other VMs, and direct memory access. -After loading the initial VM image into encrypted memory, the hypervisor calls for a secure processor to measure these initial memory pages. -The secure processor locks these pages and generates an attestation report on the initial page measurements. -CVM memory pages are encrypted with a key that resides inside the secure processor, which makes sure only the guest VM can access them. -The attestation report is signed by the secure processor and can be verified using remote attestation via the certificate authority of the hardware vendor. -Such an attestation statement guarantees the confidentiality and integrity of a CVM. - -### Attested TLS (aTLS) - -In a CC environment, attested TLS (aTLS) can be used to establish secure connections between two parties using the remote attestation features of the CC components. - -aTLS modifies the TLS handshake by embedding an attestation statement into the TLS certificate. -Instead of relying on a certificate authority, aTLS uses this attestation statement to establish trust in the certificate. - -The protocol can be used by clients to verify a server certificate, by a server to verify a client certificate, or for mutual verification (mutual aTLS). - -## Overview - -The challenge for Constellation is to lift a CVM's attestation statement to the Kubernetes software layer and make it end-to-end verifiable. 
-From there, Constellation needs to expand the attestation from a single CVM to the entire cluster. - -The [*JoinService*](microservices.md#joinservice) and [*VerificationService*](microservices.md#verificationservice) are where all runs together. -Internally, the *JoinService* uses remote attestation to securely join CVM nodes to the cluster. -Externally, the *VerificationService* provides an attestation statement for the cluster's CVMs and configuration. - -The following explains the details of both steps. - -## Node attestation - -The idea is that Constellation nodes should have verifiable integrity from the CVM hardware measurement up to the Kubernetes software layer. -The solution is a verifiable boot chain and an integrity-protected runtime environment. - -Constellation uses measured boot within CVMs, measuring each component in the boot process before executing it. -Outside of CC, this is usually implemented via TPMs. -CVM technologies differ in how they implement runtime measurements, but the general concepts are similar to those of a TPM. -For simplicity, TPM terminology like *PCR* is used in the following. - -When a Constellation node image boots inside a CVM, measured boot is used for all stages and components of the boot chain. -This process goes up to the root filesystem. -The root filesystem is mounted read-only with integrity protection. -For the details on the image and boot stages see the [image architecture](../architecture/images.md) documentation. -Any changes to the image will inevitably also change the corresponding PCR values. -To create a node attestation statement, the Constellation image obtains a CVM attestation statement from the hardware. -This includes the runtime measurements and thereby binds the measured boot results to the CVM hardware measurement. - -In addition to the image measurements, Constellation extends a PCR during the [initialization phase](../workflows/create.md) that irrevocably marks the node as initialized. 
-The measurement is created using the [*clusterID*](../architecture/keys.md#cluster-identity), tying all future attestation statements to this ID. -Thereby, an attestation statement is unique for every cluster and a node can be identified unambiguously as being initialized. - -To verify an attestation, the hardware's signature and a statement are verified first to establish trust in the contained runtime measurements. -If successful, the measurements are verified against the trusted values of the particular Constellation release version. -Finally, the measurement of the *clusterID* can be compared by calculating it with the [master secret](keys.md#master-secret). - -### Runtime measurements - -Constellation uses runtime measurements to implement the measured boot approach. -As stated above, the underlying hardware technology and guest firmware differ in their implementations of runtime measurements. -The following gives a detailed description of the available measurements in the different cloud environments. - -The runtime measurements consist of two types of values: - -* **Measurements produced by the cloud infrastructure and firmware of the CVM**: -These are measurements of closed-source firmware and other values controlled by the cloud provider. -While not being reproducible for the user, some of them can be compared against previously observed values. -Others may change frequently and aren't suitable for verification. -The [signed image measurements](#chain-of-trust) include measurements that are known, previously observed values. - -* **Measurements produced by the Constellation bootloader and boot chain**: -The Constellation Bootloader takes over from the CVM firmware and [measures the rest of the boot chain](images.md). -The Constellation [Bootstrapper](microservices.md#bootstrapper) is the first user mode component that runs in a Constellation image. 
-It extends PCR registers with the [IDs](keys.md#cluster-identity) of the cluster marking a node as initialized. - -Constellation allows to specify in the config which measurements should be enforced during the attestation process. -Enforcing non-reproducible measurements controlled by the cloud provider means that changes in these values require manual updates to the cluster's config. -By default, Constellation only enforces measurements that are stable values produced by the infrastructure or by Constellation directly. - - - - -Constellation uses the [vTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) (NitroTPM) feature of the [AWS Nitro System](http://aws.amazon.com/ec2/nitro/) on AWS for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | AWS | No | -| 1 | Firmware | AWS | No | -| 2 | Firmware | AWS | No | -| 3 | Firmware | AWS | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | AWS, Constellation Bootloader | Yes | -| 5 | Firmware | AWS | No | -| 6 | Firmware | AWS | No | -| 7 | Secure Boot Policy | AWS, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm) feature of Azure CVMs for runtime measurements. -This vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [measured boot](https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation#measured-boot) verification that's based on the trusted launch feature of [Trusted Launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | Azure | No | -| 1 | Firmware | Azure | No | -| 2 | Firmware | Azure | No | -| 3 | Firmware | Azure | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | Azure, Constellation Bootloader | Yes | -| 5 | Reserved | Azure | No | -| 6 | VM Unique ID | Azure | No | -| 7 | Secure Boot State | Azure, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) feature of CVMs on GCP for runtime measurements. -Note that this vTPM doesn't run inside the hardware-protected CVM context, but is emulated by the hypervisor. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [launch attestation report](https://cloud.google.com/compute/confidential-vm/docs/monitoring#about_launch_attestation_report_events) that's based on the measured boot feature of [Shielded VMs](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#measured-boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. 
-The latter means that the value can be generated offline and compared to the one in the vTPM. - -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | CVM version and technology | GCP | No | -| 1 | Firmware | GCP | No | -| 2 | Firmware | GCP | No | -| 3 | Firmware | GCP | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | GCP, Constellation Bootloader | Yes | -| 5 | Disk GUID partition table | GCP | No | -| 6 | Disk GUID partition table | GCP | No | -| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses a hypervisor-based vTPM for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | STACKIT | No | -| 1 | Firmware | STACKIT | No | -| 2 | Firmware | STACKIT | No | -| 3 | Firmware | STACKIT | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | STACKIT, Constellation Bootloader | Yes | -| 5 | Firmware | STACKIT | No | -| 6 | Firmware | STACKIT | No | -| 7 | Secure Boot Policy | STACKIT, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -### CVM verification - -To verify the integrity of the received attestation statement, a chain of trust from the CVM technology to the interface providing the statement has to be established. -For verification of the CVM technology, Constellation may expose additional options in its config file. - - - - -On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. 
- -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On Azure, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the vTPM running inside the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* Firmware Signer - - This config option allows you to specify how the firmware signer should be verified. - More explicitly, it controls the verification of the `IDKeyDigest` value in the SEV-SNP attestation report. - You can provide a list of accepted key digests and specify a policy on how this list is compared against the reported `IDKeyDigest`. - - - - -On GCP, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. 
- Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs. -The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements). -There is no additional configuration available for STACKIT. - - - - -## Cluster attestation - -Cluster-facing, Constellation's [*JoinService*](microservices.md#joinservice) verifies each node joining the cluster given the configured ground truth runtime measurements. -User-facing, the [*VerificationService*](microservices.md#verificationservice) provides an interface to verify a node using remote attestation. -By verifying the first node during the [initialization](microservices.md#bootstrapper) and configuring the ground truth measurements that are subsequently enforced by the *JoinService*, the whole cluster is verified in a transitive way. - -### Cluster-facing attestation - -The *JoinService* is provided with the runtime measurements of the whitelisted Constellation image version as the ground truth. -During the initialization and the cluster bootstrapping, each node connects to the *JoinService* using [aTLS](#attested-tls-atls). -During the handshake, the node transmits an attestation statement including its runtime measurements. -The *JoinService* verifies that statement and compares the measurements against the ground truth. -For details of the initialization process check the [microservice descriptions](microservices.md). 
- -After the initialization, every node updates its runtime measurements with the *clusterID* value, marking it irreversibly as initialized. -When an initialized node tries to join another cluster, its measurements inevitably mismatch the measurements of an uninitialized node and it will be declined. - -### User-facing attestation - -The [*VerificationService*](microservices.md#verificationservice) provides an endpoint for obtaining its hardware-based remote attestation statement, which includes the runtime measurements. -A user can [verify](../workflows/verify-cluster.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy. - -## Putting it all together - -This section puts the aforementioned concepts together and illustrate how trust into a Constellation cluster is established and maintained. - -### CLI and node images - -It all starts with the CLI executable. The CLI is signed by Edgeless Systems. To ensure non-repudiability for CLI releases, Edgeless Systems publishes corresponding signatures to the public ledger of the [sigstore project](https://www.sigstore.dev/). There's a [step-by-step guide](../workflows/verify-cli.md) on how to verify CLI signatures based on sigstore. - -The CLI contains the latest runtime measurements of the Constellation node image for all supported cloud platforms. In case a different version of the node image is to be used, the corresponding runtime measurements can be fetched using the CLI's [fetch-measurements command](../reference/cli.md#constellation-config-fetch-measurements). This command downloads the runtime measurements and the corresponding signature from cdn.confidential.cloud. 
See for example the following files corresponding to node image v2.16.3: - -* [Measurements](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json) -* [Signature](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json.sig) - -The CLI contains the long-term public key of Edgeless Systems to verify the signature of downloaded runtime measurements. - -### Cluster creation - -When a cluster is [created](../workflows/create.md), the CLI automatically verifies the runtime measurements of the *first node* using remote attestation. Based on this, the CLI and the first node set up a temporary TLS connection. This [aTLS](#attested-tls-atls) connection is used for two things: - -1. The CLI sends the [master secret](../architecture/keys.md#master-secret) of the to-be-created cluster to the CLI. The master secret is generated by the first node. -2. The first node sends a [kubeconfig file](https://www.redhat.com/sysadmin/kubeconfig) with Kubernetes credentials to the CLI. - -After this, the aTLS connection is closed and the first node bootstraps the Kubernetes cluster. All subsequent interactions between the CLI and the cluster go via the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/) server running inside the cluster. The CLI (and other tools like kubectl) use the credentials referenced by the kubeconfig file to authenticate themselves towards the Kubernetes API server and to establish a mTLS connection. - -The CLI connects to the Kubernetes API to write the runtime measurements for the applicable node image to etcd. The JoinService uses these runtime measurements to verify all nodes that join the cluster subsequently. - -### Chain of trust - -In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the cluster via the CLI. This is illustrated in the following diagram. 
- -```mermaid -flowchart LR - A[User]-- "verifies" -->B[CLI] - B[CLI]-- "verifies" -->C([Runtime measurements]) - D[Edgeless Systems]-- "signs" -->B[CLI] - D[Edgeless Systems]-- "signs" -->C([Runtime measurements]) - B[CLI]-- "verifies (remote attestation)" -->E[First node] - E[First node]-- "verifies (remote attestation)" -->F[Other nodes] - C([Runtime measurements]) -.-> E[First node] - C([Runtime measurements]) -.-> F[Other nodes] -``` - -### Upgrades - -Whenever a cluster is [upgraded](../workflows/upgrade.md) to a new version of the node image, the CLI sends the corresponding runtime measurements via the Kubernetes API server. The new runtime measurements are stored in etcd within the cluster and replace any previous runtime measurements. The new runtime measurements are then used automatically by the JoinService for the verification of new nodes. - -## References - -[^1]: Linux IMA produces runtime measurements of user-space binaries. -However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value. -Instead, a policy engine must be used to verify the TPM event log against a policy. diff --git a/docs/versioned_docs/version-2.21/architecture/encrypted-storage.md b/docs/versioned_docs/version-2.21/architecture/encrypted-storage.md deleted file mode 100644 index f047fa4a9..000000000 --- a/docs/versioned_docs/version-2.21/architecture/encrypted-storage.md +++ /dev/null 
@@ -1,62 +0,0 @@ -# Encrypted persistent storage - -Confidential VMs provide runtime memory encryption to protect data in use. -In the context of Kubernetes, this is sufficient for the confidentiality and integrity of stateless services. -Consider a front-end web server, for example, that keeps all connection information cached in main memory. -No sensitive data is ever written to an insecure medium. -However, many real-world applications need some form of state or data-lake service that's connected to a persistent storage device and requires encryption at rest. -As described in [Use persistent storage](../workflows/storage.md), cloud service providers (CSPs) use the container storage interface (CSI) to make their storage solutions available to Kubernetes workloads. -These CSI storage solutions often support some sort of encryption. -For example, Google Cloud [encrypts data at rest by default](https://cloud.google.com/security/encryption/default-encryption), without any action required by the customer. - -## Cloud provider-managed encryption - -CSP-managed storage solutions encrypt the data in the cloud backend before writing it physically to disk. -In the context of confidential computing and Constellation, the CSP and its managed services aren't trusted. -Hence, cloud provider-managed encryption protects your data from offline hardware access to physical storage devices. -It doesn't protect it from anyone with infrastructure-level access to the storage backend or a malicious insider in the cloud platform. -Even with "bring your own key" or similar concepts, the CSP performs the encryption process with access to the keys and plaintext data. - -In the security model of Constellation, securing persistent storage and thereby data at rest requires that all cryptographic operations are performed inside a trusted execution environment. -Consequently, using CSP-managed encryption of persistent storage usually isn't an option. 
- -## Constellation-managed encryption - -Constellation provides CSI drivers for storage solutions in all major clouds with built-in encryption support. -Block storage provisioned by the CSP is [mapped](https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html) using the [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html), and optionally the [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html), kernel modules, before it's formatted and accessed by the Kubernetes workloads. -All cryptographic operations happen inside the trusted environment of the confidential Constellation node. - -Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported. - -By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](microservices.md#keyservice). -The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret). -This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator. - -Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs. - -Refer to [keys and cryptography](keys.md) for more details on key management in Constellation. - -Once deployed and configured, the CSI driver ensures transparent encryption and integrity of all persistent volumes provisioned via its storage class. -Data at rest is secured without any additional actions required by the developer. - -## Cryptographic algorithms - -This section gives an overview of the libraries, cryptographic algorithms, and their configurations, used in Constellation's CSI drivers. 
- -### dm-crypt - -To interact with the dm-crypt kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/). -New devices are formatted as [LUKS2](https://gitlab.com/cryptsetup/LUKS2-docs/-/tree/master) partitions with a sector size of 4096 bytes. -The used key derivation function is [Argon2id](https://datatracker.ietf.org/doc/html/rfc9106) with the [recommended parameters for memory-constrained environments](https://datatracker.ietf.org/doc/html/rfc9106#section-7.4) of 3 iterations and 64 MiB of memory, utilizing 4 parallel threads. -For encryption Constellation uses AES in XTS-Plain64. The key size is 512 bit. - -### dm-integrity - -To interact with the dm-integrity kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/). -When enabled, the used data integrity algorithm is [HMAC](https://datatracker.ietf.org/doc/html/rfc2104) with SHA256 as the hash function. -The tag size is 32 Bytes. - -## Encrypted S3 object storage - -Constellation comes with a service that you can use to transparently retrofit client-side encryption to existing applications that use S3 (AWS or compatible) for storage. -To learn more, check out the [s3proxy documentation](../workflows/s3proxy.md). diff --git a/docs/versioned_docs/version-2.21/architecture/images.md b/docs/versioned_docs/version-2.21/architecture/images.md deleted file mode 100644 index 8a9c51d36..000000000 --- a/docs/versioned_docs/version-2.21/architecture/images.md +++ /dev/null 
@@ -1,49 +0,0 @@
-# Constellation images
-
-Constellation uses a minimal version of Fedora as the operating system running inside confidential VMs. This Linux distribution is optimized for containers and designed to be stateless.
-The Constellation images provide measured boot and an immutable filesystem.
-
-## Measured boot
-
-```mermaid
-flowchart LR
- Firmware --> Bootloader
- Bootloader --> uki
- subgraph uki[Unified Kernel Image]
- Kernel[Kernel]
- initramfs[Initramfs]
- cmdline[Kernel Command Line]
- end
- uki --> rootfs[Root Filesystem]
-```
-
-Measured boot uses a Trusted Platform Module (TPM) to measure every part of the boot process. This allows for verification of the integrity of a running system at any point in time. To ensure correct measurements of every stage, each stage is responsible to measure the next stage before transitioning.
-
-### Firmware
-
-With confidential VMs, the firmware is the root of trust and is measured automatically at boot. After initialization, the firmware will load and measure the bootloader before executing it.
-
-### Bootloader
-
-The bootloader is the first modifiable part of the boot chain. The bootloader is tasked with loading the kernel, initramfs and setting the kernel command line. The Constellation bootloader measures these components before starting the kernel.
-
-### initramfs
-
-The initramfs is a small filesystem loaded to prepare the actual root filesystem. The Constellation initramfs maps the block device containing the root filesystem with [dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html). The initramfs then mounts the root filesystem from the mapped block device.
-
-dm-verity provides integrity checking using a cryptographic hash tree. When a block is read, its integrity is checked by verifying the tree against a trusted root hash. The initramfs reads this root hash from the previously measured kernel command line.
Thus, if any block of the root filesystem's device is modified on disk, trying to read the modified block will result in a kernel panic at runtime.
-
-After mounting the root filesystem, the initramfs will switch over and start the `init` process of the integrity-protected root filesystem.
-
-## State disk
-
-In addition to the read-only root filesystem, each Constellation node has a disk for storing state data.
-This disk is mounted readable and writable by the initramfs and contains data that should persist across reboots.
-Such data can contain sensitive information and, therefore, must be stored securely.
-To that end, the state disk is protected by authenticated encryption.
-See the section on [keys and encryption](keys.md#storage-encryption) for more information on the cryptographic primitives in use.
-
-## Kubernetes components
-
-During initialization, the [*Bootstrapper*](microservices.md#bootstrapper) downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) as configured by the user.
-They're stored on the state partition and can be updated once new releases need to be installed.
diff --git a/docs/versioned_docs/version-2.21/architecture/keys.md b/docs/versioned_docs/version-2.21/architecture/keys.md
deleted file mode 100644
index 49821cd0b..000000000
--- a/docs/versioned_docs/version-2.21/architecture/keys.md
+++ /dev/null
@@ -1,130 +0,0 @@
-# Key management and cryptographic primitives
-
-Constellation protects and isolates your cluster and workloads.
-To that end, cryptography is the foundation that ensures the confidentiality and integrity of all components.
-Evaluating the security and compliance of Constellation requires a precise understanding of the cryptographic primitives and keys used.
-The following gives an overview of the architecture and explains the technical details.
-
-## Confidential VMs
-
-Confidential VM (CVM) technology comes with hardware and software components for memory encryption, isolation, and remote attestation.
-For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories.
-
-## Master secret
-
-The master secret is the cryptographic material used for deriving the [*clusterID*](#cluster-identity) and the *key encryption key (KEK)* for [storage encryption](#storage-encryption).
-It's generated during the bootstrapping of a Constellation cluster.
-It can either be managed by [Constellation](#constellation-managed-key-management) or an [external key management system](#user-managed-key-management).
-In case of [recovery](#recovery-and-migration), the master secret allows to decrypt the state and recover a Constellation cluster.
-
-## Cluster identity
-
-The identity of a Constellation cluster is represented by cryptographic [measurements](attestation.md#runtime-measurements):
-
-The **base measurements** represent the identity of a valid, uninitialized Constellation node.
-They depend on the node image, but are otherwise the same for every Constellation cluster.
-On node boot, they're determined using the CVM's attestation mechanism and [measured boot up to the read-only root filesystem](images.md).
-
-The **clusterID** represents the identity of a single initialized Constellation cluster.
-It's derived from the master secret and a cryptographically random salt and unique for every Constellation cluster.
-The [Bootstrapper](microservices.md#bootstrapper) measures the *clusterID* into its own PCR before executing any code not measured as part of the *base measurements*.
-See [Node attestation](attestation.md#node-attestation) for details.
-
-The remote attestation statement of a Constellation cluster combines the *base measurements* and the *clusterID* for a verifiable, unspoofable, unique identity.
-
-## Network encryption
-
-Constellation encrypts all cluster network communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-See [network encryption](networking.md) for more details.
-
-The Cilium agent running on each node establishes a secure [WireGuard](https://www.wireguard.com/) tunnel between it and all other known nodes in the cluster.
-Each node creates its own [Curve25519](http://cr.yp.to/ecdh.html) encryption key pair and distributes its public key via Kubernetes.
-A node uses another node's public key to decrypt and encrypt traffic from and to Cilium-managed endpoints running on that node.
-Connections are always encrypted peer-to-peer using [ChaCha20](http://cr.yp.to/chacha.html) with [Poly1305](http://cr.yp.to/mac.html).
-WireGuard implements [forward secrecy with key rotation every 2 minutes](https://lists.zx2c4.com/pipermail/wireguard/2017-December/002141.html).
-
-## Storage encryption
-
-Constellation supports transparent encryption of persistent storage.
-The Linux kernel's device mapper-based encryption features are used to encrypt the data on the block storage level.
-Currently, the following primitives are used for block storage encryption:
-
-* [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html)
-* [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html)
-
-Adding primitives for integrity protection in the CVM attacker model are under active development and will be available in a future version of Constellation.
-See [encrypted storage](encrypted-storage.md) for more details.
-
-As a cluster administrator, when creating a cluster, you can use the Constellation [installation program](orchestration.md) to select one of the following methods for key management:
-
-* Constellation-managed key management
-* User-managed key management
-
-### Constellation-managed key management
-
-#### Key material and key derivation
-
-During the creation of a Constellation cluster, the cluster's master secret is used to derive a KEK.
-This means creating two clusters with the same master secret will yield the same KEK.
-Any data encryption key (DEK) is derived from the KEK via HKDF.
-Note that the master secret is recommended to be unique for every cluster and shouldn't be reused (except in case of [recovering](../workflows/recovery.md) a cluster).
-
-#### State and storage
-
-The KEK is derived from the master secret during the initialization.
-Subsequently, all other key material is derived from the KEK.
-Given the same KEK, any DEK can be derived deterministically from a given identifier.
-Hence, there is no need to store DEKs. They can be derived on demand.
-After the KEK was derived, it's stored in memory only and never leaves the CVM context.
-
-#### Availability
-
-Constellation-managed key management has the same availability as the underlying Kubernetes cluster.
-Therefore, the KEK is stored in the [distributed Kubernetes etcd storage](https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/) to allow for unexpected but non-fatal (control-plane) node failure.
-The etcd storage is backed by the encrypted and integrity protected [state disk](images.md#state-disk) of the nodes.
-
-#### Recovery
-
-Constellation clusters can be recovered in the event of a disaster, even when all node machines have been stopped and need to be rebooted.
-For details on the process see the [recovery workflow](../workflows/recovery.md).
-
-### User-managed key management
-
-User-managed key management is under active development and will be available soon.
-In scenarios where constellation-managed key management isn't an option, this mode allows you to keep full control of your keys.
-For example, compliance requirements may force you to keep your KEKs in an on-prem key management system (KMS).
-
-During the creation of a Constellation cluster, you specify a KEK present in a remote KMS.
-This follows the common scheme of "bring your own key" (BYOK).
-Constellation will support several KMSs for managing the storage and access of your KEK.
-Initially, it will support the following KMSs:
-
-* [AWS KMS](https://aws.amazon.com/kms/)
-* [GCP KMS](https://cloud.google.com/security-key-management)
-* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
-* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
-
-Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
-In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
-Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
-
-KMIP support allows you to use your KMIP-compatible on-prem KMS and keep full control over your keys.
-This follows the common scheme of "hold your own key" (HYOK).
-
-The KEK is used to encrypt per-data "data encryption keys" (DEKs).
-DEKs are generated to encrypt your data before storing it on persistent storage.
-After being encrypted by the KEK, the DEKs are stored on dedicated cloud storage for persistence.
-Currently, Constellation supports the following cloud storage options:
-
-* [AWS S3](https://aws.amazon.com/s3/)
-* [GCP Cloud Storage](https://cloud.google.com/storage)
-* [Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/blobs/#overview)
-
-The DEKs are only present in plaintext form in the encrypted main memory of the CVMs.
-Similarly, the cryptographic operations for encrypting data before writing it to persistent storage are performed in the context of the CVMs.
-
-#### Recovery and migration
-
-In the case of a disaster, the KEK can be used to decrypt the DEKs locally and subsequently use them to decrypt and retrieve the data.
-In case of migration, configuring the same KEK will provide seamless migration of data.
-Thus, only the DEK storage needs to be transferred to the new cluster alongside the encrypted data for seamless migration.
diff --git a/docs/versioned_docs/version-2.21/architecture/microservices.md b/docs/versioned_docs/version-2.21/architecture/microservices.md
deleted file mode 100644
index 90bae783b..000000000
--- a/docs/versioned_docs/version-2.21/architecture/microservices.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# Microservices
-
-Constellation takes care of bootstrapping and initializing a Confidential Kubernetes cluster.
-During the lifetime of the cluster, it handles day 2 operations such as key management, remote attestation, and updates.
-These features are provided by several microservices:
-
-* The [Bootstrapper](microservices.md#bootstrapper) initializes a Constellation node and bootstraps the cluster
-* The [JoinService](microservices.md#joinservice) joins new nodes to an existing cluster
-* The [VerificationService](microservices.md#verificationservice) provides remote attestation functionality
-* The [KeyService](microservices.md#keyservice) manages Constellation-internal keys
-
-The relations between microservices are shown in the following diagram:
-
-```mermaid
-flowchart LR
- subgraph admin [Admin's machine]
- A[Constellation CLI]
- end
- subgraph img [Constellation OS image]
- B[Constellation OS]
- C[Bootstrapper]
- end
- subgraph Kubernetes
- D[JoinService]
- E[KeyService]
- F[VerificationService]
- end
- A -- deploys -->
- B -- starts --> C
- C -- deploys --> D
- C -- deploys --> E
- C -- deploys --> F
-```
-
-## Bootstrapper
-
-The *Bootstrapper* is the first microservice launched after booting a Constellation node image.
-It sets up that machine as a Kubernetes node and integrates that node into the Kubernetes cluster.
-To this end, the *Bootstrapper* first downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) at the configured versions.
-The *Bootstrapper* tries to find an existing cluster and if successful, communicates with the [JoinService](microservices.md#joinservice) to join the node.
-Otherwise, it waits for an initialization request to create a new Kubernetes cluster.
-
-## JoinService
-
-The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node.
-New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls).
-The *JoinService* verifies the new node's certificate and attestation statement.
-If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](microservices.md#keyservice) for its state disk, and a Kubernetes bootstrap token.
-
-
-```mermaid
-sequenceDiagram
- participant New node
- participant JoinService
- New node->>JoinService: aTLS handshake (server side verification)
- JoinService-->>New node: #
- New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
- JoinService->>+KeyService: GetDataKey(DiskUUID)
- KeyService-->>-JoinService: DiskEncryptionKey
- JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ...
-```
-
-## VerificationService
-
-The *VerificationService* runs as DaemonSet on each node.
-It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation).
-Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side.
-
-## KeyService
-
-The *KeyService* runs as DaemonSet on each control-plane node.
-It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes.
-Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively.
diff --git a/docs/versioned_docs/version-2.21/architecture/networking.md b/docs/versioned_docs/version-2.21/architecture/networking.md
deleted file mode 100644
index e9cbdf029..000000000
--- a/docs/versioned_docs/version-2.21/architecture/networking.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Network encryption
-
-Constellation encrypts all pod communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-To that end, Constellation deploys, configures, and operates the [Cilium](https://cilium.io/) CNI plugin.
-Cilium provides [transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption) for all cluster traffic using either IPSec or [WireGuard](https://www.wireguard.com/).
-Currently, Constellation only supports WireGuard as the encryption engine.
-You can read more about the cryptographic soundness of WireGuard [in their white paper](https://www.wireguard.com/papers/wireguard.pdf).
-
-Cilium is actively working on implementing a feature called [`host-to-host`](https://github.com/cilium/cilium/pull/19401) encryption mode for WireGuard.
-With `host-to-host`, all traffic between nodes will be tunneled via WireGuard (host-to-host, host-to-pod, pod-to-host, pod-to-pod).
-Until the `host-to-host` feature is released, Constellation enables `pod-to-pod` encryption.
-This mode encrypts all traffic between Kubernetes pods using WireGuard tunnels.
-
-When using Cilium in the default setup but with encryption enabled, there is a [known issue](https://docs.cilium.io/en/v1.12/gettingstarted/encryption/#egress-traffic-to-not-yet-discovered-remote-endpoints-may-be-unencrypted)
-that can cause pod-to-pod traffic to be unencrypted.
-To mitigate this issue, Constellation adds a *strict* mode to Cilium's `pod-to-pod` encryption.
-This mode changes the default behavior of traffic that's destined for an unknown endpoint to not be send out in plaintext, but instead being dropped.
-The strict mode distinguishes between traffic that's send to a pod from traffic that's destined for a cluster-external endpoint by considering the pod's CIDR range.
-
-Traffic originating from hosts isn't encrypted yet.
-This mainly includes health checks from Kubernetes API server.
-Also, traffic proxied over the API server via e.g. `kubectl port-forward` isn't encrypted.
diff --git a/docs/versioned_docs/version-2.21/architecture/observability.md b/docs/versioned_docs/version-2.21/architecture/observability.md
deleted file mode 100644
index 0f4daffd4..000000000
--- a/docs/versioned_docs/version-2.21/architecture/observability.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# Observability
-
-In Kubernetes, observability is the ability to gain insight into the behavior and performance of applications.
-It helps identify and resolve issues more effectively, ensuring stability and performance of Kubernetes workloads, reducing downtime and outages, and improving efficiency.
-The "three pillars of observability" are logs, metrics, and traces.
-
-In the context of Confidential Computing, observability is a delicate subject and needs to be applied such that it doesn't leak any sensitive information.
-The following gives an overview of where and how you can apply standard observability tools in Constellation.
-
-## Cloud resource monitoring
-
-While inaccessible, Constellation's nodes are still visible as black box VMs to the hypervisor.
-Resource consumption, such as memory and CPU utilization, can be monitored from the outside and observed via the cloud platforms directly.
-Similarly, other resources, such as storage and network and their respective metrics, are visible via the cloud platform.
-
-## Metrics
-
-Metrics are numeric representations of data measured over intervals of time. They're essential for understanding system health and gaining insights using telemetry signals.
-
-By default, Constellation exposes the [metrics for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/) inside the cluster.
-Similarly, the [etcd metrics](https://etcd.io/docs/v3.5/metrics/) endpoints are exposed inside the cluster.
-These [metrics endpoints can be disabled](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/#disabling-metrics).
-
-You can collect these cluster-internal metrics via tools such as [Prometheus](https://prometheus.io/) or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-Constellation's CNI Cilium also supports [metrics via Prometheus endpoints](https://docs.cilium.io/en/latest/observability/metrics/).
-However, in Constellation, they're disabled by default and must be enabled first.
-
-## Logs
-
-Logs represent discrete events that usually describe what's happening with your service.
-The payload is an actual message emitted from your system along with a metadata section containing a timestamp, labels, and tracking identifiers.
-
-### System logs
-
-Detailed system-level logs are accessible via `/var/log` and [journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) on the nodes directly.
-They can be collected from there, for example, via [Filebeat and Logstash](https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html), which are tools of the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-In case of an error during the initialization, the CLI automatically collects the [Bootstrapper](./microservices.md#bootstrapper) logs and returns these as a file for [troubleshooting](../workflows/troubleshooting.md). Here is an example of such an event:
-
-```shell-session
-Cluster initialization failed. This error is not recoverable.
-Terminate your cluster and try again.
-Fetched bootstrapper logs are stored in "constellation-cluster.log"
-```
-
-### Kubernetes logs
-
-Constellation supports the [Kubernetes logging architecture](https://kubernetes.io/docs/concepts/cluster-administration/logging/).
-By default, logs are written to the nodes' encrypted state disks.
-These include the Pod and container logs and the [system component logs](https://kubernetes.io/docs/concepts/cluster-administration/logging/#system-component-logs).
-
-[Constellation services](microservices.md) run as Pods inside the `kube-system` namespace and use the standard container logging mechanism.
-The same applies for the [Cilium Pods](https://docs.cilium.io/en/latest/operations/troubleshooting/#logs).
-
-You can collect logs from within the cluster via tools such as [Fluentd](https://github.com/fluent/fluentd), [Loki](https://github.com/grafana/loki), or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-## Traces
-
-Modern systems are implemented as interconnected complex and distributed microservices. Understanding request flows and system communications is challenging, mainly because all systems in a chain need to be modified to propagate tracing information. Distributed tracing is a new approach to increasing observability and understanding performance bottlenecks. A trace represents consecutive events that reflect an end-to-end request path in a distributed system.
-
-Constellation supports [traces for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-traces/).
-By default, they're disabled and need to be enabled first.
-
-Similarly, Cilium can be enabled to [export traces](https://cilium.io/use-cases/metrics-export/).
-
-You can collect these traces via tools such as [Jaeger](https://www.jaegertracing.io/) or [Zipkin](https://zipkin.io/).
-
-## Integrations
-
-Platforms and SaaS solutions such as Datadog, logz.io, Dynatrace, or New Relic facilitate the observability challenge for Kubernetes and provide all-in-one SaaS solutions.
-They install agents into the cluster that collect metrics, logs, and tracing information and upload them into the data lake of the platform.
-Technically, the agent-based approach is compatible with Constellation, and attaching these platforms is straightforward.
-However, you need to evaluate if the exported data might violate Constellation's compliance and privacy guarantees by uploading them to a third-party platform.
diff --git a/docs/versioned_docs/version-2.21/architecture/orchestration.md b/docs/versioned_docs/version-2.21/architecture/orchestration.md
deleted file mode 100644
index 3c8d529e7..000000000
--- a/docs/versioned_docs/version-2.21/architecture/orchestration.md
+++ /dev/null
@@ -1,83 +0,0 @@
-# Orchestrating Constellation clusters
-
-You can use the CLI to create a cluster on the supported cloud platforms.
-The CLI provisions the resources in your cloud environment and initiates the initialization of your cluster.
-It uses a set of parameters and an optional configuration file to manage your cluster installation.
-The CLI is also used for updating your cluster.
-
-## Workspaces
-
-Each Constellation cluster has an associated *workspace*.
-The workspace is where data such as the Constellation state and config files are stored.
-Each workspace is associated with a single cluster and configuration.
-The CLI stores state in the local filesystem making the current directory the active workspace.
-Multiple clusters require multiple workspaces, hence, multiple directories.
-Note that every operation on a cluster always has to be performed from the directory associated with its workspace.
-
-You may copy files from the workspace to other locations,
-but you shouldn't move or delete them while the cluster is still being used.
-The Constellation CLI takes care of managing the workspace.
-Only when a cluster was terminated, and you are sure the files aren't needed anymore, should you remove a workspace.
-
-## Cluster creation process
-
-To allow for fine-grained configuration of your cluster and cloud environment, Constellation supports an extensive configuration file with strong defaults. [Generating the configuration file](../workflows/config.md) is typically the first thing you do in the workspace.
-
-Altogether, the following files are generated during the creation of a Constellation cluster and stored in the current workspace:
-
-* a configuration file
-* a state file
-* a Base64-encoded master secret
-* [Terraform artifacts](../reference/terraform.md), stored in subdirectories
-* a Kubernetes `kubeconfig` file.
-
-After the initialization of your cluster, the CLI will provide you with a Kubernetes `kubeconfig` file.
-This file grants you access to your Kubernetes cluster and configures the [kubectl](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) tool.
-In addition, the cluster's [identifier](orchestration.md#post-installation-configuration) is returned and stored in the state file.
-
-### Creation process details
-
-1. The CLI `apply` command first creates the confidential VM (CVM) resources in your cloud environment and configures the network
-2. Each CVM boots the Constellation node image and measures every component in the boot chain
-3. The first microservice launched in each node is the [*Bootstrapper*](microservices.md#bootstrapper)
-4. The *Bootstrapper* waits until it either receives an initialization request or discovers an initialized cluster
-5. The CLI then connects to the *Bootstrapper* of a selected node, sends the configuration, and initiates the initialization of the cluster
-6. The *Bootstrapper* of **that** node [initializes the Kubernetes cluster](microservices.md#bootstrapper) and deploys the other Constellation [microservices](microservices.md) including the [*JoinService*](microservices.md#joinservice)
-7. Subsequently, the *Bootstrappers* of the other nodes discover the initialized cluster and send join requests to the *JoinService*
-8. As part of the join request each node includes an attestation statement of its boot measurements as authentication
-9. The *JoinService* verifies the attestation statements and joins the nodes to the Kubernetes cluster
-10. This process is repeated for every node joining the cluster later (e.g., through autoscaling)
-
-## Post-installation configuration
-
-Post-installation the CLI provides a configuration for [accessing the cluster using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/).
-The `kubeconfig` file provides the credentials and configuration for connecting and authenticating to the API server.
-Once configured, orchestrate the Kubernetes cluster via `kubectl`.
-
-After the initialization, the CLI will present you with a couple of tokens:
-
-* The [*master secret*](keys.md#master-secret) (stored in the `constellation-mastersecret.json` file by default)
-* The [*clusterID*](keys.md#cluster-identity) of your cluster in Base64 encoding
-
-You can read more about these values and their meaning in the guide on [cluster identity](keys.md#cluster-identity).
-
-The *master secret* must be kept secret and can be used to [recover your cluster](../workflows/recovery.md).
-Instead of managing this secret manually, you can [use your key management solution of choice](keys.md#user-managed-key-management) with Constellation.
-
-The *clusterID* uniquely identifies a cluster and can be used to [verify your cluster](../workflows/verify-cluster.md).
-
-## Upgrades
-
-Constellation images and microservices may need to be upgraded to new versions during the lifetime of a cluster.
-Constellation implements a rolling update mechanism ensuring no downtime of the control or data plane.
-You can upgrade a Constellation cluster with a single operation by using the CLI.
-For step-by-step instructions on how to do this, refer to [Upgrade your cluster](../workflows/upgrade.md).
-
-### Attestation of upgrades
-
-With every new image, corresponding measurements are released.
-During an update procedure, the CLI provides new measurements to the [JoinService](microservices.md#joinservice) securely.
-New measurements for an updated image are automatically pulled and verified by the CLI following the [supply chain security concept](attestation.md#chain-of-trust) of Constellation.
-The [attestation section](attestation.md#cluster-facing-attestation) describes in detail how these measurements are then used by the JoinService for the attestation of nodes.
-
-
diff --git a/docs/versioned_docs/version-2.21/architecture/overview.md b/docs/versioned_docs/version-2.21/architecture/overview.md
deleted file mode 100644
index 386f93b2f..000000000
--- a/docs/versioned_docs/version-2.21/architecture/overview.md
+++ /dev/null
@@ -1,30 +0,0 @@ -# Overview - -Constellation is a cloud-based confidential orchestration platform. -The foundation of Constellation is Kubernetes and therefore shares the same technology stack and architecture principles. -To learn more about Constellation and Kubernetes, see [product overview](../overview/product.md). - -## About orchestration and updates - -As a cluster administrator, you can use the [Constellation CLI](orchestration.md) to install and deploy a cluster. -Updates are provided in accordance with the [support policy](versions.md). - -## About microservices and attestation - -Constellation manages the nodes and network in your cluster. All nodes are bootstrapped by the [*Bootstrapper*](microservices.md#bootstrapper). They're verified and authenticated by the [*JoinService*](microservices.md#joinservice) before being added to the cluster and the network. Finally, the entire cluster can be verified via the [*VerificationService*](microservices.md#verificationservice) using [remote attestation](attestation.md). - -## About node images and verified boot - -Constellation comes with operating system images for Kubernetes control-plane and worker nodes. -They're highly optimized for running containerized workloads and specifically prepared for running inside confidential VMs. -You can learn more about [the images](images.md) and how verified boot ensures their integrity during boot and beyond. - -## About key management and cryptographic primitives - -Encryption of data at-rest, in-transit, and in-use is the fundamental building block for confidential computing and Constellation. Learn more about the [keys and cryptographic primitives](keys.md) used in Constellation, [encrypted persistent storage](encrypted-storage.md), and [network encryption](networking.md). - -## About observability - -Observability in Kubernetes refers to the capability to troubleshoot issues using telemetry signals such as logs, metrics, and traces. 
-In the realm of Confidential Computing, it's crucial that observability aligns with confidentiality, necessitating careful implementation. -Learn more about the [observability capabilities in Constellation](./observability.md). diff --git a/docs/versioned_docs/version-2.21/architecture/versions.md b/docs/versioned_docs/version-2.21/architecture/versions.md deleted file mode 100644 index 9acc866ed..000000000 --- a/docs/versioned_docs/version-2.21/architecture/versions.md +++ /dev/null @@ -1,21 +0,0 @@ -# Versions and support policy - -All components of Constellation use a three-digit version number of the form `v..`. -The components are released in lock step, usually on the first Tuesday of every month. This release primarily introduces new features, but may also include security or performance improvements. The `MINOR` version will be incremented as part of this release. - -Additional `PATCH` releases may be created on demand, to fix security issues or bugs before the next `MINOR` release window. - -New releases are published on [GitHub](https://github.com/edgelesssys/constellation/releases). - -## Kubernetes support policy - -Constellation is aligned to the [version support policy of Kubernetes](https://kubernetes.io/releases/version-skew-policy/#supported-versions), and therefore usually supports the most recent three minor versions. -When a new minor version of Kubernetes is released, support is added to the next Constellation release, and that version then supports four Kubernetes versions. -Subsequent Constellation releases drop support for the oldest (and deprecated) Kubernetes version. - -The following Kubernetes versions are currently supported: - - -* v1.29.14 -* v1.30.10 -* v1.31.6 diff --git a/docs/versioned_docs/version-2.21/getting-started/examples.md b/docs/versioned_docs/version-2.21/getting-started/examples.md deleted file mode 100644 index fded84980..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/examples.md +++ /dev/null 
@@ -1,6 +0,0 @@ -# Examples - -After you [installed the CLI](install.md) and [created your first cluster](first-steps.md), you're ready to deploy applications. Why not start with one of the following examples? -* [Emojivoto](examples/emojivoto.md): a simple but fun web application -* [Online Boutique](examples/online-boutique.md): an e-commerce demo application by Google consisting of 11 separate microservices -* [Horizontal Pod Autoscaling](examples/horizontal-scaling.md): an example demonstrating Constellation's autoscaling capabilities diff --git a/docs/versioned_docs/version-2.21/getting-started/examples/emojivoto.md b/docs/versioned_docs/version-2.21/getting-started/examples/emojivoto.md deleted file mode 100644 index 2bbe27917..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/examples/emojivoto.md +++ /dev/null @@ -1,22 +0,0 @@ -# Emojivoto -[Emojivoto](https://github.com/BuoyantIO/emojivoto) is a simple and fun application that's well suited to test the basic functionality of your cluster. - - - -emojivoto - Web UI - - - -1. Deploy the application: - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` -2. Wait until it becomes available: - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - ``` -3. Forward the web service to your machine: - ```bash - kubectl -n emojivoto port-forward svc/web-svc 8080:80 - ``` -4. Visit [http://localhost:8080](http://localhost:8080) diff --git a/docs/versioned_docs/version-2.21/getting-started/examples/filestash-s3proxy.md b/docs/versioned_docs/version-2.21/getting-started/examples/filestash-s3proxy.md deleted file mode 100644 index b9a394256..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/examples/filestash-s3proxy.md +++ /dev/null 
@@ -1,107 +0,0 @@ - -# Deploying Filestash - -Filestash is a web frontend for different storage backends, including S3. -It's a useful application to showcase s3proxy in action. - -1. Deploy s3proxy as described in [Deployment](../../workflows/s3proxy.md#deployment). -2. Create a deployment file for Filestash with one pod: - -```sh -cat << EOF > "deployment-filestash.yaml" -apiVersion: apps/v1 -kind: Deployment -metadata: - name: filestash -spec: - replicas: 1 - selector: - matchLabels: - app: filestash - template: - metadata: - labels: - app: filestash - spec: - hostAliases: - - ip: $(kubectl get svc s3proxy-service -o=jsonpath='{.spec.clusterIP}') - hostnames: - - "s3.us-east-1.amazonaws.com" - - "s3.us-east-2.amazonaws.com" - - "s3.us-west-1.amazonaws.com" - - "s3.us-west-2.amazonaws.com" - - "s3.eu-north-1.amazonaws.com" - - "s3.eu-south-1.amazonaws.com" - - "s3.eu-south-2.amazonaws.com" - - "s3.eu-west-1.amazonaws.com" - - "s3.eu-west-2.amazonaws.com" - - "s3.eu-west-3.amazonaws.com" - - "s3.eu-central-1.amazonaws.com" - - "s3.eu-central-2.amazonaws.com" - - "s3.ap-northeast-1.amazonaws.com" - - "s3.ap-northeast-2.amazonaws.com" - - "s3.ap-northeast-3.amazonaws.com" - - "s3.ap-east-1.amazonaws.com" - - "s3.ap-southeast-1.amazonaws.com" - - "s3.ap-southeast-2.amazonaws.com" - - "s3.ap-southeast-3.amazonaws.com" - - "s3.ap-southeast-4.amazonaws.com" - - "s3.ap-south-1.amazonaws.com" - - "s3.ap-south-2.amazonaws.com" - - "s3.me-south-1.amazonaws.com" - - "s3.me-central-1.amazonaws.com" - - "s3.il-central-1.amazonaws.com" - - "s3.af-south-1.amazonaws.com" - - "s3.ca-central-1.amazonaws.com" - - "s3.sa-east-1.amazonaws.com" - containers: - - name: filestash - image: machines/filestash:latest - ports: - - containerPort: 8334 - volumeMounts: - - name: ca-cert - mountPath: /etc/ssl/certs/kube-ca.crt - subPath: kube-ca.crt - volumes: - - name: ca-cert - secret: - secretName: s3proxy-tls - items: - - key: ca.crt - path: kube-ca.crt -EOF -``` - -The pod spec includes the 
`hostAliases` key, which adds an entry to the pod's `/etc/hosts`. -The entry forwards all requests for any of the currently defined AWS regions to the Kubernetes service `s3proxy-service`. -If you followed the s3proxy [Deployment](../../workflows/s3proxy.md#deployment) guide, this service points to a s3proxy pod. - -The deployment specifies all regions explicitly to prevent accidental data leaks. -If one of your buckets were located in a region that's not part of the `hostAliases` key, traffic towards those buckets would not be redirected to s3proxy. -Similarly, if you want to exclude data for specific regions from going through s3proxy you can remove those regions from the deployment. - -The spec also includes a volume mount for the TLS certificate and adds it to the pod's certificate trust store. -The volume is called `ca-cert`. -The key `ca.crt` of that volume is mounted to `/etc/ssl/certs/kube-ca.crt`, which is the default certificate trust store location for that container's OpenSSL library. -Not adding the CA certificate will result in TLS authentication errors. - -3. Apply the file: `kubectl apply -f deployment-filestash.yaml` - -Afterward, you can use a port forward to access the Filestash pod: -`kubectl port-forward pod/$(kubectl get pod --selector='app=filestash' -o=jsonpath='{.items[*].metadata.name}') 8334:8334` - -4. After browsing to `localhost:8443`, Filestash will ask you to set an administrator password. -After setting it, you can directly leave the admin area by clicking the blue cloud symbol in the top left corner. -Subsequently, you can select S3 as storage backend and enter your credentials. -This will bring you to an overview of your buckets. -If you want to deploy Filestash in production, take a look at its [documentation](https://www.filestash.app/docs/). - -5. 
To see the logs of s3proxy intercepting requests made to S3, run: `kubectl logs -f pod/$(kubectl get pod --selector='app=s3proxy' -o=jsonpath='{.items[*].metadata.name}')` -Look out for log messages labeled `intercepting`. -There is one such log message for each message that's encrypted, decrypted, or blocked. - -6. Once you have uploaded a file with Filestash, you should be able to view the file in Filestash. -However, if you go to the AWS S3 [Web UI](https://s3.console.aws.amazon.com/s3/home) and download the file you just uploaded in Filestash, you won't be able to read it. -Another way to spot encrypted files without downloading them is to click on a file, scroll to the Metadata section, and look for the header named `x-amz-meta-constellation-encryption`. -This header holds the encrypted data encryption key of the object and is only present on objects that are encrypted by s3proxy. diff --git a/docs/versioned_docs/version-2.21/getting-started/examples/horizontal-scaling.md b/docs/versioned_docs/version-2.21/getting-started/examples/horizontal-scaling.md deleted file mode 100644 index dfaf9e742..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/examples/horizontal-scaling.md +++ /dev/null 
@@ -1,98 +0,0 @@ -# Horizontal Pod Autoscaling -This example demonstrates Constellation's autoscaling capabilities. It's based on the Kubernetes [HorizontalPodAutoscaler Walkthrough](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/). During the following steps, Constellation will spawn new VMs on demand, verify them, add them to the cluster, and delete them again when the load has settled down. - -## Requirements -The cluster needs to be initialized with Kubernetes 1.23 or later. In addition, [autoscaling must be enabled](../../workflows/scale.md) to enable Constellation to assign new nodes dynamically. - -Just for this example specifically, the cluster should have as few worker nodes in the beginning as possible. Start with a small cluster with only *one* low-powered node for the control-plane node and *one* low-powered worker node. - -:::info -We tested the example using instances of types `Standard_DC4as_v5` on Azure and `n2d-standard-4` on GCP. -::: - -## Setup - -1. Install the Kubernetes Metrics Server: - ```bash - kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - ``` - -2. Deploy the HPA example server that's supposed to be scaled under load. - - This manifest is similar to the one from the Kubernetes HPA walkthrough, but with increased CPU limits and requests to facilitate the triggering of node scaling events. - ```bash - cat < - -Online Boutique - Web UI - - - -1. Create a namespace: - ```bash - kubectl create ns boutique - ``` -2. Deploy the application: - ```bash - kubectl apply -n boutique -f https://github.com/GoogleCloudPlatform/microservices-demo/raw/main/release/kubernetes-manifests.yaml - ``` -3. Wait for all services to become available: - ```bash - kubectl wait --for=condition=available --timeout=300s -n boutique --all deployments - ``` -4. 
Get the frontend's external IP address: - ```shell-session - $ kubectl get service frontend-external -n boutique | awk '{print $4}' - EXTERNAL-IP - - ``` - (`` is a placeholder for the IP assigned by your CSP.) -5. Enter the IP from the result in your browser to browse the online shop. diff --git a/docs/versioned_docs/version-2.21/getting-started/first-steps-local.md b/docs/versioned_docs/version-2.21/getting-started/first-steps-local.md deleted file mode 100644 index 98f0302de..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/first-steps-local.md +++ /dev/null 
@@ -1,277 +0,0 @@ -# First steps with a local cluster - -A local cluster lets you deploy and test Constellation without a cloud subscription. -You have two options: - -* Use MiniConstellation to automatically deploy a two-node cluster. -* For more fine-grained control, create the cluster using the QEMU provider. - -Both options use virtualization to create a local cluster with control-plane nodes and worker nodes. They **don't** require hardware with Confidential VM (CVM) support. For attestation, they currently use a software-based vTPM provided by KVM/QEMU. - -You need an x64 machine with a Linux OS. -You can use a VM, but it needs nested virtualization. - -## Prerequisites - -* Machine requirements: - * An x86-64 CPU with at least 4 cores (6 cores are recommended) - * At least 4 GB RAM (6 GB are recommended) - * 20 GB of free disk space - * Hardware virtualization enabled in the BIOS/UEFI (often referred to as Intel VT-x or AMD-V/SVM) / nested-virtualization support when using a VM -* Software requirements: - * Linux OS with [KVM kernel module](https://www.linux-kvm.org/page/Main_Page) - * Recommended: Ubuntu 22.04 LTS - * [Docker](https://docs.docker.com/engine/install/) - * [xsltproc](https://gitlab.gnome.org/GNOME/libxslt/-/wikis/home) - * (Optional) [virsh](https://www.libvirt.org/manpages/virsh.html) to observe and access your nodes - -### Software installation on Ubuntu - -```bash -# install Docker -curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null -sudo apt update -sudo apt install docker-ce -# install other dependencies -sudo apt install xsltproc -sudo snap install kubectl --classic -# install Constellation CLI -curl -LO 
https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -sudo install constellation-linux-amd64 /usr/local/bin/constellation -# do not drop forwarded packages -sudo iptables -P FORWARD ACCEPT -``` - -## Create a cluster - - - - - -With the `constellation mini` command, you can deploy and test Constellation locally. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/). - - -:::caution - -MiniConstellation has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since MiniConstellation runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -The following creates your MiniConstellation cluster (may take up to 10 minutes to complete): - -```bash -constellation mini up -``` - -This will configure your current directory as the [workspace](../architecture/orchestration.md#workspaces) for this cluster. -All `constellation` commands concerning this cluster need to be issued from this directory. - - - - -With the QEMU provider, you can create a local Constellation cluster as if it were in the cloud. The provider uses [QEMU](https://www.qemu.org/) to create multiple VMs for the cluster nodes, which interact with each other. - -:::caution - -Constellation on QEMU has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since Constellation on QEMU runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -1. 
To set up your local cluster, you need to create a configuration file for Constellation first. - - ```bash - constellation config generate qemu - ``` - - This creates a [configuration file](../workflows/config.md) for QEMU called `constellation-conf.yaml`. After that, your current folder also becomes your [workspace](../architecture/orchestration.md#workspaces). All `constellation` commands for your cluster need to be executed from this directory. - -2. Now you can create your cluster and its nodes. `constellation apply` uses the options set in `constellation-conf.yaml`. - - ```bash - constellation apply -y - ``` - - The Output should look like the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type 2-vCPUs will be created. - 1 worker node of type 2-vCPUs will be created. - Creating - Cloud infrastructure created successfully. - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your setup, `constellation apply` may take 10+ minutes to complete. - - ::: - -3. 
Configure kubectl - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - - - -## Connect to the cluster - -Your cluster initially consists of a single control-plane node: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 66s v1.24.6 -``` - -Additional nodes will request to join the cluster shortly. Before each additional node is allowed to join the cluster, its state is verified using remote attestation by the [JoinService](../architecture/microservices.md#joinservice). -If verification passes successfully, the new node receives keys and certificates to join the cluster. - -You can follow this process by viewing the logs of the JoinService: - -```shell-session -$ kubectl logs -n kube-system daemonsets/join-service -f -{"level":"INFO","ts":"2022-10-14T09:32:20Z","caller":"cmd/main.go:48","msg":"Constellation Node Join Service","version":"2.1.0","cloudProvider":"qemu"} -{"level":"INFO","ts":"2022-10-14T09:32:20Z","logger":"validator","caller":"watcher/validator.go:96","msg":"Updating expected measurements"} -... -``` - -Once all nodes have joined your cluster, it may take a couple of minutes for all resources to become available. -You can check on the state of your cluster by running the following: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 2m59s v1.24.6 -worker-0 Ready 32s v1.24.6 -``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation mini down -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -## Troubleshooting - -Make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### VMs have no internet access / CLI remains in "Initializing cluster" state - -`iptables` rules may prevent your VMs from accessing the internet. -Make sure your rules aren't dropping forwarded packages. 
- -List your rules: - -```bash -sudo iptables -S -``` - -The output may look similar to the following: - -```shell-session --P INPUT ACCEPT --P FORWARD DROP --P OUTPUT ACCEPT --N DOCKER --N DOCKER-ISOLATION-STAGE-1 --N DOCKER-ISOLATION-STAGE-2 --N DOCKER-USER -``` - -If your `FORWARD` chain is set to `DROP`, you need to update your rules: - -```bash -sudo iptables -P FORWARD ACCEPT -``` diff --git a/docs/versioned_docs/version-2.21/getting-started/first-steps.md b/docs/versioned_docs/version-2.21/getting-started/first-steps.md deleted file mode 100644 index 2afe95635..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/first-steps.md +++ /dev/null 
@@ -1,235 +0,0 @@ -# First steps with Constellation - -The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully [installed and set up Constellation](install.md), -and have access to a cloud subscription. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -:::note -If you encounter any problem with the following steps, make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). -::: - -## Create a cluster - -1. Create the [configuration file](../workflows/config.md) and state file for your cloud provider. If you are following the steps of this guide, there is no need to edit the file. - - - - - ```bash - constellation config generate aws - ``` - - - - - ```bash - constellation config generate azure - ``` - - - - - ```bash - constellation config generate gcp - ``` - - - - - ```bash - constellation config generate stackit - ``` - - - - -2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration). - - - - - ```bash - constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config - ``` - - This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Depending on the attestation variant selected on config generation, different regions are available. 
- AMD SEV-SNP machines (requires the default attestation variant `awsSEVSNP`) are currently available in the following regions: - * `eu-west-1` - * `us-east-2` - - You can find a list of regions that support AMD SEV-SNP in [AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). - - NitroTPM machines (requires the attestation variant `awsNitroTPM`) are available in all regions. - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - - - - - ```bash - constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config - ``` - - This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - - - - - ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config - ``` - - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. - - - - - To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md). - After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`: - - * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud)) - - :::caution - - `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. - - ::: - - - - - :::tip - To learn about all options you have for managing IAM resources and Constellation configuration, see the [Configuration workflow](../workflows/config.md). - ::: - - - -3. Create the cluster. `constellation apply` uses options set in `constellation-conf.yaml`. 
- If you want to manually manage your cloud resources, for example by using [Terraform](../reference/terraform.md), follow the corresponding instructions in the [Create workflow](../workflows/create.md). - - :::tip - - On Azure, you may need to wait 15+ minutes at this point for role assignments to propagate. - - ::: - - ```bash - constellation apply -y - ``` - - This should look similar to the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type n2d-standard-4 will be created. - 1 worker node of type n2d-standard-4 will be created. - Creating - Cloud infrastructure created successfully - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your CSP and region, `constellation apply` may take 10+ minutes to complete. - - ::: - -4. Configure kubectl. - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - -Use the CLI to terminate your cluster. If you manually used [Terraform](../reference/terraform.md) to manage your cloud resources, follow the corresponding instructions in the [Terminate workflow](../workflows/terminate.md). - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -Optionally, you can also [delete your IAM resources](../workflows/config.md#deleting-an-iam-configuration). diff --git a/docs/versioned_docs/version-2.21/getting-started/install.md b/docs/versioned_docs/version-2.21/getting-started/install.md deleted file mode 100644 index f7b36770a..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/install.md +++ /dev/null 
@@ -1,439 +0,0 @@ -# Installation and setup - -Constellation runs entirely in your cloud environment and can be controlled via a dedicated [command-line interface (CLI)](../reference/cli.md) or a [Terraform provider](../workflows/terraform-provider.md). - -## Prerequisites - -Make sure the following requirements are met: - -* Your machine is running Linux, macOS, or Windows -* You have admin rights on your machine -* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT - -## Install the Constellation CLI - -:::tip - -If you prefer to use Terraform, you can alternatively use the [Terraform provider](../workflows/terraform-provider.md) to manage the cluster's lifecycle. - -::: - -The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases). -Install it with the following commands: - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-amd64 /usr/local/bin/constellation -``` - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-arm64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-arm64 /usr/local/bin/constellation -``` - - - - - -1. 
Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-amd64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -Invoke-WebRequest -OutFile ./constellation.exe -Uri 'https://github.com/edgelesssys/constellation/releases/latest/download/constellation-windows-amd64.exe' -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI under `C:\Program Files\Constellation\bin\constellation.exe` - -3. Add the CLI to your PATH: - - 1. Open `Advanced system settings` by searching for the App in the Windows search - 2. Go to the `Advanced` tab - 3. Click `Environment Variables…` - 4. Click variable called `Path` and click `Edit…` - 5. Click `New` - 6. Enter the path to the folder containing the binary you want on your PATH: `C:\Program Files\Constellation\bin` - - - - -:::tip -The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps. -::: - -## Set up cloud credentials - -Constellation makes authenticated calls to the CSP API. Therefore, you need to set up Constellation with the credentials for your CSP. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -### Required permissions - - - - -To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "iam:AddRoleToInstanceProfile", - "iam:AttachRolePolicy", - "iam:CreateInstanceProfile", - "iam:CreatePolicy", - "iam:CreateRole", - "iam:DeleteInstanceProfile", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DetachRolePolicy", - "iam:GetInstanceProfile", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfilesForRole", - "iam:ListPolicyVersions", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:RemoveRoleFromInstanceProfile", - "sts:GetCallerIdentity" - ], - "Resource": "*" - } - ] -} -``` - -The built-in `AdministratorAccess` policy is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf). - -The built-in `PowerUserAccess` policy is a superset of these permissions. - -Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). - - - - -The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription: - -* `Microsoft.Attestation` -* `Microsoft.Compute` -* `Microsoft.Insights` -* `Microsoft.ManagedIdentity` -* `Microsoft.Network` - -By default, Constellation tries to register these automatically if they haven't been registered before. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `*/register/action` \[1] -* `Microsoft.Authorization/roleAssignments/*` -* `Microsoft.Authorization/roleDefinitions/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Resources/subscriptions/resourcegroups/*` - -The built-in `Owner` role is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `Microsoft.Attestation/attestationProviders/*` -* `Microsoft.Compute/virtualMachineScaleSets/*` -* `Microsoft.Insights/components/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Network/loadBalancers/*` -* `Microsoft.Network/loadBalancers/backendAddressPools/*` -* `Microsoft.Network/networkSecurityGroups/*` -* `Microsoft.Network/publicIPAddresses/*` -* `Microsoft.Network/virtualNetworks/*` -* `Microsoft.Network/virtualNetworks/subnets/*` -* `Microsoft.Network/natGateways/*` - -The built-in `Contributor` role is a superset of these permissions. - -Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions) and [assigning roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments). - -1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration. - - - - -Create a new project for Constellation or use an existing one. -Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `iam.serviceAccountKeys.create` -* `iam.serviceAccountKeys.delete` -* `iam.serviceAccountKeys.get` -* `iam.serviceAccounts.create` -* `iam.serviceAccounts.delete` -* `iam.serviceAccounts.get` -* `resourcemanager.projects.getIamPolicy` -* `resourcemanager.projects.setIamPolicy` - -Together, the built-in roles `roles/editor` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `compute.addresses.createInternal` -* `compute.addresses.deleteInternal` -* `compute.addresses.get` -* `compute.addresses.useInternal` -* `compute.backendServices.create` -* `compute.backendServices.delete` -* `compute.backendServices.get` -* `compute.backendServices.use` -* `compute.disks.create` -* `compute.firewalls.create` -* `compute.firewalls.delete` -* `compute.firewalls.get` -* `compute.firewalls.update` -* `compute.globalAddresses.create` -* `compute.globalAddresses.delete` -* `compute.globalAddresses.get` -* `compute.globalAddresses.use` -* `compute.globalForwardingRules.create` -* `compute.globalForwardingRules.delete` -* `compute.globalForwardingRules.get` -* `compute.globalForwardingRules.setLabels` -* `compute.globalOperations.get` -* `compute.healthChecks.create` -* `compute.healthChecks.delete` -* `compute.healthChecks.get` -* `compute.healthChecks.useReadOnly` -* `compute.instanceGroupManagers.create` -* `compute.instanceGroupManagers.delete` -* `compute.instanceGroupManagers.get` -* `compute.instanceGroupManagers.update` -* `compute.instanceGroups.create` -* `compute.instanceGroups.delete` -* `compute.instanceGroups.get` -* `compute.instanceGroups.update` -* `compute.instanceGroups.use` -* `compute.instances.create` -* `compute.instances.setLabels` -* `compute.instances.setMetadata` -* 
`compute.instances.setTags` -* `compute.instanceTemplates.create` -* `compute.instanceTemplates.delete` -* `compute.instanceTemplates.get` -* `compute.instanceTemplates.useReadOnly` -* `compute.networks.create` -* `compute.networks.delete` -* `compute.networks.get` -* `compute.networks.updatePolicy` -* `compute.routers.create` -* `compute.routers.delete` -* `compute.routers.get` -* `compute.routers.update` -* `compute.subnetworks.create` -* `compute.subnetworks.delete` -* `compute.subnetworks.get` -* `compute.subnetworks.use` -* `compute.targetTcpProxies.create` -* `compute.targetTcpProxies.delete` -* `compute.targetTcpProxies.get` -* `compute.targetTcpProxies.use` -* `iam.serviceAccounts.actAs` - -Together, the built-in roles `roles/editor`, `roles/compute.instanceAdmin` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access). - - - - -Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account. -The UAT already has all required permissions by default. -The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers. -Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role. - - - - -### Authentication - -You need to authenticate with your CSP. The following lists the required steps for *testing* and *production* environments. - -:::note -The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps. -::: - - - - -**Testing** - -You can use the [AWS CloudShell](https://console.aws.amazon.com/cloudshell/home). 
Make sure you are [authorized to use it](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html). - -**Production** - -Use the latest version of the [AWS CLI](https://aws.amazon.com/cli/) on a trusted machine: - -```bash -aws configure -``` - -Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html). - - - - -**Testing** - -Simply open the [Azure Cloud Shell](https://docs.microsoft.com/en-us/azure/cloud-shell/overview). - -**Production** - -Use the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) on a trusted machine: - -```bash -az login -``` - -Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli). - - - - -**Testing** - -You can use the [Google Cloud Shell](https://cloud.google.com/shell). Make sure your [session is authorized](https://cloud.google.com/shell/docs/auth). For example, execute `gsutil` and accept the authorization prompt. - -**Production** - -Use one of the following options on a trusted machine: - -* Use the [`gcloud` CLI](https://cloud.google.com/sdk/gcloud) - - ```bash - gcloud auth application-default login - ``` - - This will ask you to log-in to your Google account and create your credentials. - The Constellation CLI will automatically load these credentials when needed. - -* Set up a service account and pass the credentials manually - - Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials. - - - - -You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API). - -1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API -2. 
Create a configuration file with the credentials from the User Access Token under: - * Linux: `~/.config/openstack/clouds.yaml` - * macOS: `/Users//Library/Application Support/openstack/clouds.yaml` or `/etc/openstack/clouds.yaml` - * Windows: `%AppData%\openstack\clouds.yaml` - - - ```yaml - clouds: - stackit: - auth: - auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3 - username: REPLACE_WITH_UAT_USERNAME - password: REPLACE_WITH_UAT_PASSWORD - project_id: REPLACE_WITH_OPENSTACK_PROJECT_ID - project_name: REPLACE_WITH_STACKIT_PROJECT_NAME - user_domain_name: portal_mvp - project_domain_name: portal_mvp - region_name: RegionOne - identity_api_version: 3 - ``` - -:::caution - -`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file. - -::: - -3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token -4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) -5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows) - - ```json - {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"} - ``` - - - - - -## Next steps - -You are now ready to [deploy your first confidential Kubernetes cluster and application](first-steps.md).
diff --git a/docs/versioned_docs/version-2.21/getting-started/marketplaces.md b/docs/versioned_docs/version-2.21/getting-started/marketplaces.md
deleted file mode 100644
index a6763a42a..000000000
--- a/docs/versioned_docs/version-2.21/getting-started/marketplaces.md
+++ /dev/null
@@ -1,56 +0,0 @@ -# Using Constellation via Cloud Marketplaces - -Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). - -This document explains how to run Constellation with the dynamically billed cloud marketplace images. - - - - -To use Constellation's marketplace images, ensure that you are subscribed to the [marketplace offering](https://aws.amazon.com/marketplace/pp/prodview-2mbn65nv57oys) through the web portal. - -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.aws.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) to gain access. - -To use a marketplace image, you need to accept the marketplace image's terms once for your subscription with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest): - -```bash -az vm image terms accept --publisher edgelesssystems --offer constellation --plan constellation -``` - -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.azure.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -To use a marketplace image, ensure that the account is entitled to use marketplace images by Edgeless Systems by accepting the terms through the [web portal](https://console.cloud.google.com/marketplace/vm/config/edgeless-systems-public/constellation). 
-
-Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
-
-```bash
-yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml
-```
-
-
-
-
-On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal.
-
-
-
-
-Ensure that the cluster uses an official release image version (i.e., `.image=vX.Y.Z` in the `constellation-conf.yaml` file).
-
-From there, you can proceed with the [cluster creation](../workflows/create.md) as usual.
diff --git a/docs/versioned_docs/version-2.21/intro.md b/docs/versioned_docs/version-2.21/intro.md
deleted file mode 100644
index 0bfe86da9..000000000
--- a/docs/versioned_docs/version-2.21/intro.md
+++ /dev/null
@@ -1,34 +0,0 @@ ---- -slug: / -id: intro ---- -# Introduction - -Welcome to the documentation of Constellation! Constellation is a Kubernetes engine that aims to provide the best possible data security. - -![Constellation concept](/img/concept.svg) - - Constellation shields your entire Kubernetes cluster from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages a technology called *confidential computing* and more specifically Confidential VMs. - -:::tip -See the 📄[whitepaper](https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf) for more information on confidential computing. -::: - -## Goals - -From a security perspective, Constellation is designed to keep all data always encrypted and to prevent any access from the underlying (cloud) infrastructure. This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure. Such attackers could be malicious co-tenants escalating their privileges or hackers who managed to compromise a cloud server. - -From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern Kubernetes engine. - -## Use cases - -Constellation provides unique security [features](overview/confidential-kubernetes.md) and [benefits](overview/security-benefits.md). The core use cases are: - -* Increasing the overall security of your clusters -* Increasing the trustworthiness of your SaaS offerings -* Moving sensitive workloads from on-prem to the cloud -* Meeting regulatory requirements - -## Next steps - -You can learn more about the concept of Confidential Kubernetes, features, security benefits, and performance of Constellation in the *Basics* section. To jump right into the action head to *Getting started*. 
diff --git a/docs/versioned_docs/version-2.21/overview/clouds.md b/docs/versioned_docs/version-2.21/overview/clouds.md
deleted file mode 100644
index b2695d28e..000000000
--- a/docs/versioned_docs/version-2.21/overview/clouds.md
+++ /dev/null
@@ -1,66 +0,0 @@ -# Feature status of clouds - -What works on which cloud? Currently, Confidential VMs (CVMs) are available in varying quality on the different clouds and software stacks. - -For Constellation, the ideal environment provides the following: - -1. Ability to run arbitrary software and images inside CVMs -2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or Intel TDX (available in Xeon CPUs since the Sapphire Rapids generation) -3. Ability for CVM guests to obtain raw hardware attestation statements -4. Reviewable, open-source firmware inside CVMs -5. Capability of the firmware to attest the integrity of the code it passes control to, e.g., with an embedded virtual TPM (vTPM) - -(1) is a functional must-have. (2)--(5) are required for remote attestation that fully keeps the infrastructure/cloud out. Constellation can work without them or with approximations, but won't protect against certain privileged attackers anymore. - -The following table summarizes the state of features for different infrastructures. - -| **Feature** | **AWS** | **Azure** | **GCP** | **STACKIT** | **OpenStack (Yoga)** | -|-----------------------------------|---------|-----------|---------|--------------|----------------------| -| **1. Custom images** | Yes | Yes | Yes | Yes | Yes | -| **2. SEV-SNP or TDX** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **3. Raw guest attestation** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **4. Reviewable firmware** | Yes | No* | No | No | Depends on kernel/HV | -| **5. Confidential measured boot** | No | Yes | No | No | Depends on kernel/HV | - -## Amazon Web Services (AWS) - -Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/). -Regarding (3), AWS provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by the Nitro hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the [firmware is open source](https://github.com/aws/uefi) and can be reproducibly built. - -## Microsoft Azure - -With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation. -Regarding (3), Azure provides direct access to attestation statements. -The firmware runs in an isolated domain inside the CVM and exposes a vTPM (5), but it's closed source (4). -On SEV-SNP, Azure uses VM Privilege Level (VMPL) isolation for the separation of firmware and the rest of the VM; on TDX, they use TD partitioning. -This firmware is signed by Azure. -The signature is reflected in the attestation statements of CVMs. -Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB). - -\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future. - -## Google Cloud Platform (GCP) - -The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP. -Regarding (3), with their SEV-SNP offering Google provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the CVMs still include closed-source firmware. - -[TDX on Google](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense) is in public preview. -With it, Constellation would have a similar TCB and attestation flow as with the current SEV-SNP offering. - -## STACKIT - -[STACKIT Compute Engine](https://www.stackit.de/en/product/stackit-compute-engine/) supports AMD SEV-ES. A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB. - -## OpenStack - -OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation. - -## Conclusion - -The different clouds and software like the Linux kernel and OpenStack are in the process of building out their support for state-of-the-art CVMs. Azure has already most features in place. For Constellation, the status quo means that the TCB has different shapes on different infrastructures. With broad SEV-SNP support coming to the Linux kernel, we soon expect a normalization of features across infrastructures. 
diff --git a/docs/versioned_docs/version-2.21/overview/confidential-kubernetes.md b/docs/versioned_docs/version-2.21/overview/confidential-kubernetes.md
deleted file mode 100644
index bff8c3322..000000000
--- a/docs/versioned_docs/version-2.21/overview/confidential-kubernetes.md
+++ /dev/null
@@ -1,42 +0,0 @@ -# Confidential Kubernetes - -We use the term *Confidential Kubernetes* to refer to the concept of using confidential-computing technology to shield entire Kubernetes clusters from the infrastructure. The three defining properties of this concept are: - -1. **Workload shielding**: the confidentiality and integrity of all workload-related data and code are enforced. -2. **Control plane shielding**: the confidentiality and integrity of the cluster's control plane, state, and workload configuration are enforced. -3. **Attestation and verifiability**: the two properties above can be verified remotely based on hardware-rooted cryptographic certificates. - -Each of the above properties is equally important. Only with all three in conjunction, an entire cluster can be shielded without gaps. - -## Constellation security features - -Constellation implements the Confidential Kubernetes concept with the following security features. - -* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster. -* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime. -* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs. -* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster. 
-* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.) -* **"Whole cluster" attestation**: Towards the DevOps engineer, Constellation provides a single hardware-rooted certificate from which all of the above can be verified. - -With the above, Constellation wraps an entire cluster into one coherent and verifiable *confidential context*. The concept is depicted in the following. - -![Confidential Kubernetes](../_media/concept-constellation.svg) - -## Comparison: Managed Kubernetes with CVMs - -In comparison, managed Kubernetes with CVMs, as it's for example offered in [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) and [GKE](https://cloud.google.com/kubernetes-engine), only provides runtime encryption for certain worker nodes. Here, each worker node is a separate (and typically unverified) confidential context. This only provides limited security benefits as it only prevents direct access to a worker node's memory. The large majority of potential attacks through the infrastructure remain unaffected. This includes attacks through the control plane, access to external key management, and the corruption of worker node images. This leaves many problems unsolved. For instance, *Node A* has no means to verify if *Node B* is "good" and if it's OK to share data with it. Consequently, this approach leaves a large attack surface, as is depicted in the following. - -![Concept: Managed Kubernetes plus CVMs](../_media/concept-managed.svg) - -The following table highlights the key differences in terms of features. 
-
-| | Managed Kubernetes with CVMs | Confidential Kubernetes (Constellation✨) |
-|-------------------------------------|------------------------------|--------------------------------------------|
-| Runtime encryption | Partial (data plane only)| **Yes** |
-| Node image verification | No | **Yes** |
-| Full cluster attestation | No | **Yes** |
-| Transparent network encryption | No | **Yes** |
-| Transparent storage encryption | No | **Yes** |
-| Confidential key management | No | **Yes** |
-| Cloud agnostic / multi-cloud | No | **Yes** |
diff --git a/docs/versioned_docs/version-2.21/overview/license.md b/docs/versioned_docs/version-2.21/overview/license.md
deleted file mode 100644
index 34122c025..000000000
--- a/docs/versioned_docs/version-2.21/overview/license.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# License
-
-## Source code
-
-Constellation's source code is available on [GitHub](https://github.com/edgelesssys/constellation) under the [GNU Affero General Public License v3.0](https://github.com/edgelesssys/constellation/blob/main/LICENSE).
-
-## Binaries
-
-Edgeless Systems provides ready-to-use and [signed](../architecture/attestation.md#chain-of-trust) binaries of Constellation. This includes the CLI and the [node images](../architecture/images.md).
-
-These binaries may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems.
-
-The Constellation CLI displays relevant license information when you initialize your cluster. You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability.
-
-## Terraform provider
-
-Edgeless Systems provides a [Terraform provider](https://github.com/edgelesssys/terraform-provider-constellation/releases), which may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems.
-
-You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability.
-
-## Community License
-
-You are free to use the Constellation binaries provided by Edgeless Systems to create services for internal consumption, evaluation purposes, or non-commercial use. You must not use the Constellation binaries to provide commercial hosted services to third parties. Edgeless Systems gives no warranties and offers no support.
-
-## Enterprise License
-
-Enterprise Licenses don't have the above limitations and come with support and additional features.
Find out more at the [product website](https://www.edgeless.systems/products/constellation/).
-
-Once you have received your Enterprise License file, place it in your [Constellation workspace](../architecture/orchestration.md#workspaces) in a file named `constellation.license`.
-
-## CSP Marketplaces
-
-Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
diff --git a/docs/versioned_docs/version-2.21/overview/performance/application.md b/docs/versioned_docs/version-2.21/overview/performance/application.md
deleted file mode 100644
index c67d59644..000000000
--- a/docs/versioned_docs/version-2.21/overview/performance/application.md
+++ /dev/null
@@ -1,102 +0,0 @@
-# Application benchmarks
-
-## HashiCorp Vault
-
-[HashiCorp Vault](https://www.vaultproject.io/) is a distributed secrets management software that can be deployed to Kubernetes.
-HashiCorp maintains a benchmarking tool for vault, [vault-benchmark](https://github.com/hashicorp/vault-benchmark/).
-Vault-benchmark generates load on a Vault deployment and measures response times.
-
-This article describes the results from running vault-benchmark on Constellation, AKS, and GKE.
-You can find the setup for producing the data discussed in this article in the [vault-benchmarks](https://github.com/edgelesssys/vault-benchmarks) repository.
-
-The Vault API used during benchmarking is the [transits secret engine](https://developer.hashicorp.com/vault/docs/secrets/transit).
-This allows services to send data to Vault for encryption, decryption, signing, and verification.
-
-## Results
-
-On each run, vault-benchmark sends requests and measures the latencies.
-The measured latencies are aggregated through various statistical features.
-After running the benchmark n times, the arithmetic mean over a subset of the reported statistics is calculated.
-The selected features are arithmetic mean, 99th percentile, minimum, and maximum.
-
-Arithmetic mean gives a general sense of the latency on each target.
-The 99th percentile shows performance in (most likely) erroneous states.
-Minimum and maximum mark the range within which latency varies each run.
-
-The benchmark was configured with 1300 workers and 10 seconds per run.
-Those numbers were chosen empirically.
-The latency was stabilizing at 10 seconds runtime, not changing with further increase.
-Increasing the number of workers beyond 1300 leads to request failures, marking the limit Vault was able to handle in this setup.
-All results are based on 100 runs.
-
-The following data was generated while running five replicas, one primary, and four standby nodes.
-All numbers are in seconds if not indicated otherwise.
-```
-========== Results AKS ==========
-Mean: mean: 1.632200, variance: 0.002057
-P99: mean: 5.480679, variance: 2.263700
-Max: mean: 6.651001, variance: 2.808401
-Min: mean: 0.011415, variance: 0.000133
-========== Results GKE ==========
-Mean: mean: 1.656435, variance: 0.003615
-P99: mean: 6.030807, variance: 3.955051
-Max: mean: 7.164843, variance: 3.300004
-Min: mean: 0.010233, variance: 0.000111
-========== Results C11n ==========
-Mean: mean: 1.651549, variance: 0.001610
-P99: mean: 5.780422, variance: 3.016106
-Max: mean: 6.942997, variance: 3.075796
-Min: mean: 0.013774, variance: 0.000228
-========== AKS vs C11n ==========
-Mean: +1.171577 % (AKS is faster)
-P99: +5.185495 % (AKS is faster)
-Max: +4.205618 % (AKS is faster)
-Min: +17.128781 % (AKS is faster)
-========== GKE vs C11n ==========
-Mean: -0.295851 % (GKE is slower)
-P99: -4.331603 % (GKE is slower)
-Max: -3.195248 % (GKE is slower)
-Min: +25.710886 % (GKE is faster)
-```
-
-**Interpretation**: Latencies are all within ~5% of each other.
-AKS performs slightly better than GKE and Constellation (C11n) in all cases except minimum latency.
-Minimum latency is the lowest for GKE.
-Compared to GKE, Constellation had slightly lower peak latencies (99th percentile and maximum), indicating that Constellation could have handled slightly more concurrent accesses than GKE.
-Overall, performance is at comparable levels across all three distributions.
-Based on these numbers, you can use a similarly sized Constellation cluster to run your existing Vault deployment.
-
-### Visualization
-
-The following plots visualize the data presented above as [box plots](https://en.wikipedia.org/wiki/Box_plot).
-The whiskers denote the minimum and maximum.
-The box stretches from the 25th to the 75th percentile, with the dividing bar marking the 50th percentile.
-The circles outside the whiskers denote outliers.
-
-
-Mean Latency
-
-![Mean Latency](../../_media/benchmark_vault/5replicas/mean_latency.png)
-
-
-
-
-99th Percentile Latency
-
-![99th Percentile Latency](../../_media/benchmark_vault/5replicas/p99_latency.png)
-
-
-
-
-Maximum Latency
-
-![Maximum Latency](../../_media/benchmark_vault/5replicas/max_latency.png)
-
-
-
-
-Minimum Latency
-
-![Minimum Latency](../../_media/benchmark_vault/5replicas/min_latency.png)
-
-
diff --git a/docs/versioned_docs/version-2.21/overview/performance/compute.md b/docs/versioned_docs/version-2.21/overview/performance/compute.md
deleted file mode 100644
index 88dd4b1b2..000000000
--- a/docs/versioned_docs/version-2.21/overview/performance/compute.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Impact of runtime encryption on compute performance
-
-All nodes in a Constellation cluster are executed inside Confidential VMs (CVMs). Consequently, the performance of Constellation is inherently linked to the performance of these CVMs.
-
-## AMD and Azure benchmarking
-
-AMD and Azure have collectively released a [performance benchmark](https://community.amd.com/t5/business/microsoft-azure-confidential-computing-powered-by-3rd-gen-epyc/ba-p/497796) for CVMs that utilize 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. This benchmark, which included a variety of mostly compute-intensive tests such as SPEC CPU 2017 and CoreMark, demonstrated that CVMs experience only minor performance degradation (ranging from 2% to 8%) when compared to standard VMs. Such results are indicative of the performance that can be expected from compute-intensive workloads running with Constellation on Azure.
-
-## AMD and Google benchmarking
-
-Similarly, AMD and Google have jointly released a [performance benchmark](https://www.amd.com/system/files/documents/3rd-gen-epyc-gcp-c2d-conf-compute-perf-brief.pdf) for CVMs employing 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. With high-performance computing workloads such as WRF, NAMD, Ansys CFS, and Ansys LS_DYNA, they observed analogous findings, with only minor performance degradation (between 2% and 4%) compared to standard VMs. These outcomes are reflective of the performance that can be expected for compute-intensive workloads running with Constellation on GCP.
diff --git a/docs/versioned_docs/version-2.21/overview/performance/io.md b/docs/versioned_docs/version-2.21/overview/performance/io.md
deleted file mode 100644
index 3ae796f8a..000000000
--- a/docs/versioned_docs/version-2.21/overview/performance/io.md
+++ /dev/null
@@ -1,204 +0,0 @@
-# I/O performance benchmarks
-
-To assess the overall performance of Constellation, this benchmark evaluates Constellation v2.6.0 in terms of storage I/O using [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) and network performance using the [Kubernetes Network Benchmark](https://github.com/InfraBuilder/k8s-bench-suite#knb--kubernetes-network-be).
-
-This benchmark tested Constellation on Azure and GCP and compared the results against the managed Kubernetes offerings AKS and GKE.
-
-## Configurations
-
-### Constellation
-
-The benchmark was conducted with Constellation v2.6.0, Kubernetes v1.25.7, and Cilium v1.12.
-It ran on the following infrastructure configurations.
-
-Constellation on Azure:
-
-- Nodes: 3 (1 Control-plane, 2 Worker)
-- Machines: `DC4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory
-- CVM: `true`
-- Region: `West US`
-- Zone: `2`
-
-Constellation on GCP:
-
-- Nodes: 3 (1 Control-plane, 2 Worker)
-- Machines: `n2d-standard-4`: 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory
-- CVM: `true`
-- Zone: `europe-west3-b`
-
-### AKS
-
-On AKS, the benchmark used Kubernetes `v1.24.9` and nodes with version `AKSUbuntu-1804gen2containerd-2023.02.15`.
-AKS ran with the [`kubenet`](https://learn.microsoft.com/en-us/azure/aks/concepts-network#kubenet-basic-networking) CNI and the [default CSI driver](https://learn.microsoft.com/en-us/azure/aks/azure-disk-csi) for Azure Disk.
-
-The following infrastructure configurations was used:
-
-- Nodes: 2 (2 Worker)
-- Machines: `D4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory
-- CVM: `false`
-- Region: `West US`
-- Zone: `2`
-
-### GKE
-
-On GKE, the benchmark used Kubernetes `v1.24.9` and nodes with version `1.24.9-gke.3200`.
-GKE ran with the [`kubenet`](https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview) CNI and the [default CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver) for Compute Engine persistent disk.
-
-The following infrastructure configurations was used:
-
-- Nodes: 2 (2 Worker)
-- Machines: `n2d-standard-4` 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory
-- CVM: `false`
-- Zone: `europe-west3-b`
-
-## Results
-
-### Network
-
-This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
-The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
-
-GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
-AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
-The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
-Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
-
-Constellation on Azure and AKS used an MTU of 1500.
-Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450.
-
-The difference in network bandwidth can largely be attributed to two factors.
-
-- Constellation's [network encryption](../../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit.
-- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O.
-
-#### Pod-to-Pod
-
-In this scenario, the client Pod connects directly to the server pod via its IP address.
-
-```mermaid
-flowchart LR
- subgraph Node A
- Client[Client]
- end
- subgraph Node B
- Server[Server]
- end
- Client ==>|traffic| Server
-```
-
-The results for "Pod-to-Pod" on Azure are as follows:
-
-![Network Pod2Pod Azure benchmark graph](../../_media/benchmark_net_p2p_azure.png)
-
-The results for "Pod-to-Pod" on GCP are as follows:
-
-![Network Pod2Pod GCP benchmark graph](../../_media/benchmark_net_p2p_gcp.png)
-
-#### Pod-to-Service
-
-In this scenario, the client Pod connects to the server Pod via a ClusterIP service. This is more relevant to real-world use cases.
-
-```mermaid
-flowchart LR
- subgraph Node A
- Client[Client] ==>|traffic| Service[Service]
- end
- subgraph Node B
- Server[Server]
- end
- Service ==>|traffic| Server
-```
-
-The results for "Pod-to-Pod" on Azure are as follows:
-
-![Network Pod2SVC Azure benchmark graph](../../_media/benchmark_net_p2svc_azure.png)
-
-The results for "Pod-to-Pod" on GCP are as follows:
-
-![Network Pod2SVC GCP benchmark graph](../../_media/benchmark_net_p2svc_gcp.png)
-
-In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU.
-
-Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth.
-
-### Storage I/O
-
-Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC).
-Upon requesting persistent storage through a PVC, GKE and AKS will provision a PV as defined by a default [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/).
-Constellation provides persistent storage on Azure and GCP [that's encrypted on the CSI layer](../../architecture/encrypted-storage.md).
-Similarly, upon a PVC request, Constellation will provision a PV via a default storage class.
-
-For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size.
-The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance:
-
-- 6400 (20000 burst) IOPS
-- 144 MB/s (600 MB/s burst) throughput
-
-However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes):
-
-- 500 (600 burst) IOPS
-- 60 MB/s (150 MB/s burst) throughput
-
-For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size.
-The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms):
-
-- 3,000 read IOPS
-- 15,000 write IOPS
-- 240 MB/s read throughput
-- 240 MB/s write throughput
-
-However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size:
-
-- 2400 read IOPS
-- 2400 write IOPS
-- 112 MB/s read throughput
-- 112 MB/s write throughput
-
-The [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) benchmark consists of several tests.
-The benchmark used [`Kubestr`](https://github.com/kastenhq/kubestr) to run `fio` in Kubernetes.
-The default test performs randomized access patterns that accurately depict worst-case I/O scenarios for most applications.
-
-The following `fio` settings were used:
-
-- No Cloud caching
-- No OS caching
-- Single CPU
-- 60 seconds runtime
-- 10 seconds ramp-up time
-- 10 GiB file
-- IOPS: 4 KB blocks and 128 iodepth
-- Bandwidth: 1024 KB blocks and 128 iodepth
-
-For more details, see the [`fio` test configuration](https://github.com/edgelesssys/constellation/blob/main/.github/actions/e2e_benchmark/fio.ini).
-
-The results for IOPS on Azure are as follows:
-
-![I/O IOPS Azure benchmark graph](../../_media/benchmark_fio_azure_iops.png)
-
-The results for IOPS on GCP are as follows:
-
-![I/O IOPS GCP benchmark graph](../../_media/benchmark_fio_gcp_iops.png)
-
-The results for bandwidth on Azure are as follows:
-
-![I/O bandwidth Azure benchmark graph](../../_media/benchmark_fio_azure_bw.png)
-
-The results for bandwidth on GCP are as follows:
-
-![I/O bandwidth GCP benchmark graph](../../_media/benchmark_fio_gcp_bw.png)
-
-On GCP, the results exceed the maximum performance guarantees of the chosen disk type. There are two possible explanations for this. The first is that there may be cloud caching in place that isn't configurable. Alternatively, the underlying provisioned disk size may be larger than what was requested, resulting in higher performance boundaries.
-
-When comparing Constellation on GCP with GKE, Constellation has similar bandwidth but about 10% less IOPS performance. On Azure, Constellation has similar IOPS performance compared to AKS, where both likely hit the maximum storage performance. However, Constellation has approximately 15% less read and write bandwidth.
-
-## Conclusion
-
-Despite the added [security benefits](../security-benefits.md) that Constellation provides, it only incurs a slight performance overhead when compared to managed Kubernetes offerings such as AKS and GKE. In most compute benchmarks, Constellation is on par with it's alternatives.
-While it may be slightly slower in certain I/O scenarios due to network and storage encryption, there is ongoing work to reduce this overhead to single digits.
-
-For instance, storage encryption only adds between 10% to 15% overhead in terms of bandwidth and IOPS.
-Meanwhile, the biggest performance impact that Constellation currently faces is network encryption, which can incur up to 58% overhead on a 10 Gbps network.
-However, the Cilium team has conducted [benchmarks with Cilium using WireGuard encryption](https://docs.cilium.io/en/latest/operations/performance/benchmark/#encryption-wireguard-ipsec) on a 100 Gbps network that yielded over 15 Gbps.
-We're confident that Constellation will provide a similar level of performance with an upcoming release.
-
-Overall, Constellation strikes a great balance between security and performance, and we're continuously working to improve its performance capabilities while maintaining its high level of security.
diff --git a/docs/versioned_docs/version-2.21/overview/performance/performance.md b/docs/versioned_docs/version-2.21/overview/performance/performance.md
deleted file mode 100644
index 59bf86602..000000000
--- a/docs/versioned_docs/version-2.21/overview/performance/performance.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Performance analysis of Constellation
-
-This section provides a comprehensive examination of the performance characteristics of Constellation.
-
-## Runtime encryption
-
-Runtime encryption affects compute performance. [Benchmarks by Azure and Google](compute.md) show that the performance degradation of Confidential VMs (CVMs) is small, ranging from 2% to 8% for compute-intensive workloads.
-
-## I/O performance benchmarks
-
-We evaluated the [I/O performance](io.md) of Constellation, utilizing a collection of synthetic benchmarks targeting networking and storage.
-We further compared this performance to native managed Kubernetes offerings from various cloud providers, to better understand how Constellation stands in relation to standard practices.
-
-## Application benchmarking
-
-To gauge Constellation's applicability to well-known applications, we performed a [benchmark of HashiCorp Vault](application.md) running on Constellation.
-The results were then compared to deployments on the managed Kubernetes offerings from different cloud providers, providing a tangible perspective on Constellation's performance in actual deployment scenarios.
diff --git a/docs/versioned_docs/version-2.21/overview/product.md b/docs/versioned_docs/version-2.21/overview/product.md
deleted file mode 100644
index 4b5d90706..000000000
--- a/docs/versioned_docs/version-2.21/overview/product.md
+++ /dev/null
@@ -1,12 +0,0 @@
-# Product features
-
-Constellation is a Kubernetes engine that aims to provide the best possible data security in combination with enterprise-grade scalability and reliability features---and a smooth user experience.
-
-From a security perspective, Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and corresponding security features, which shield your entire cluster from the underlying infrastructure.
-
-From an operational perspective, Constellation provides the following key features:
-
-* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
-* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
-* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
-* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
diff --git a/docs/versioned_docs/version-2.21/overview/security-benefits.md b/docs/versioned_docs/version-2.21/overview/security-benefits.md
deleted file mode 100644
index 51a8b64f5..000000000
--- a/docs/versioned_docs/version-2.21/overview/security-benefits.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Security benefits and threat model
-
-Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and shields entire Kubernetes deployments from the infrastructure. More concretely, Constellation decreases the size of the trusted computing base (TCB) of a Kubernetes deployment. The TCB is the totality of elements in a computing environment that must be trusted not to be compromised. A smaller TCB results in a smaller attack surface. The following diagram shows how Constellation removes the *cloud & datacenter infrastructure* and the *physical hosts*, including the hypervisor, the host OS, and other components, from the TCB (red). Inside the confidential context (green), Kubernetes remains part of the TCB, but its integrity is attested and can be [verified](../workflows/verify-cluster.md).
-
-![TCB comparison](../_media/tcb.svg)
-
-Given this background, the following describes the concrete threat classes that Constellation addresses.
-
-## Insider access
-
-Employees and third-party contractors of cloud service providers (CSPs) have access to different layers of the cloud infrastructure.
-This opens up a large attack surface where workloads and data can be read, copied, or manipulated. With Constellation, Kubernetes deployments are shielded from the infrastructure and thus such accesses are prevented.
-
-## Infrastructure-based attacks
-
-Malicious cloud users ("hackers") may break out of their tenancy and access other tenants' data. Advanced attackers may even be able to establish a permanent foothold within the infrastructure and access data over a longer period. Analogously to the *insider access* scenario, Constellation also prevents access to a deployment's data in this scenario.
-
-## Supply chain attacks
-
-Supply chain security is receiving lots of attention recently due to an [increasing number of recorded attacks](https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks). For instance, a malicious actor could attempt to tamper Constellation node images (including Kubernetes and other software) before they're loaded in the confidential VMs of a cluster. Constellation uses [remote attestation](../architecture/attestation.md) in conjunction with public [transparency logs](../workflows/verify-cli.md) to prevent this.
-
-In the future, Constellation will extend this feature to customer workloads. This will enable cluster owners to create auditable policies that precisely define which containers can run in a given deployment.
diff --git a/docs/versioned_docs/version-2.21/reference/cli.md b/docs/versioned_docs/version-2.21/reference/cli.md
deleted file mode 100644
index 7bb4d5b40..000000000
--- a/docs/versioned_docs/version-2.21/reference/cli.md
+++ /dev/null
@@ -1,873 +0,0 @@ -# CLI reference - - - -Use the Constellation CLI to create and manage your clusters. - -Usage: - -``` -constellation [command] -``` -Commands: - -* [config](#constellation-config): Work with the Constellation configuration file - * [generate](#constellation-config-generate): Generate a default configuration and state file - * [fetch-measurements](#constellation-config-fetch-measurements): Fetch measurements for configured cloud provider and image - * [instance-types](#constellation-config-instance-types): Print the supported instance types for all cloud providers - * [kubernetes-versions](#constellation-config-kubernetes-versions): Print the Kubernetes versions supported by this CLI - * [migrate](#constellation-config-migrate): Migrate a configuration file to a new version -* [create](#constellation-create): Create instances on a cloud platform for your Constellation cluster -* [apply](#constellation-apply): Apply a configuration to a Constellation cluster -* [mini](#constellation-mini): Manage MiniConstellation clusters - * [up](#constellation-mini-up): Create and initialize a new MiniConstellation cluster - * [down](#constellation-mini-down): Destroy a MiniConstellation cluster -* [status](#constellation-status): Show status of a Constellation cluster -* [verify](#constellation-verify): Verify the confidential properties of a Constellation cluster -* [upgrade](#constellation-upgrade): Find and apply upgrades to your Constellation cluster - * [check](#constellation-upgrade-check): Check for possible upgrades - * [apply](#constellation-upgrade-apply): Apply an upgrade to a Constellation cluster -* [recover](#constellation-recover): Recover a completely stopped Constellation cluster -* [terminate](#constellation-terminate): Terminate a Constellation cluster -* [iam](#constellation-iam): Work with the IAM configuration on your cloud provider - * [create](#constellation-iam-create): Create IAM configuration on a cloud platform for your Constellation 
cluster - * [aws](#constellation-iam-create-aws): Create IAM configuration on AWS for your Constellation cluster - * [azure](#constellation-iam-create-azure): Create IAM configuration on Microsoft Azure for your Constellation cluster - * [gcp](#constellation-iam-create-gcp): Create IAM configuration on GCP for your Constellation cluster - * [destroy](#constellation-iam-destroy): Destroy an IAM configuration and delete local Terraform files - * [upgrade](#constellation-iam-upgrade): Find and apply upgrades to your IAM profile - * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile -* [version](#constellation-version): Display version of this CLI -* [init](#constellation-init): Initialize the Constellation cluster -* [ssh](#constellation-ssh): Prepare your cluster for emergency ssh access - -## constellation config - -Work with the Constellation configuration file - -### Synopsis - -Work with the Constellation configuration file. - -### Options - -``` - -h, --help help for config -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config generate - -Generate a default configuration and state file - -### Synopsis - -Generate a default configuration and state file for your selected cloud provider. - -``` -constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags] -``` - -### Options - -``` - -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. 
If not specified, the default for the cloud provider is used - -h, --help help for generate - -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.30") - -t, --tags strings additional tags for created resources given a list of key=value -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config fetch-measurements - -Fetch measurements for configured cloud provider and image - -### Synopsis - -Fetch measurements for configured cloud provider and image. - -A config needs to be generated first. - -``` -constellation config fetch-measurements [flags] -``` - -### Options - -``` - -h, --help help for fetch-measurements - -s, --signature-url string alternative URL to fetch measurements' signature from - -u, --url string alternative URL to fetch measurements from -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config instance-types - -Print the supported instance types for all cloud providers - -### Synopsis - -Print the supported instance types for all cloud providers. 
- -``` -constellation config instance-types [flags] -``` - -### Options - -``` - -h, --help help for instance-types -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config kubernetes-versions - -Print the Kubernetes versions supported by this CLI - -### Synopsis - -Print the Kubernetes versions supported by this CLI. - -``` -constellation config kubernetes-versions [flags] -``` - -### Options - -``` - -h, --help help for kubernetes-versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config migrate - -Migrate a configuration file to a new version - -### Synopsis - -Migrate a configuration file to a new version. - -``` -constellation config migrate [flags] -``` - -### Options - -``` - -h, --help help for migrate -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation create - -Create instances on a cloud platform for your Constellation cluster - -### Synopsis - -Create instances on a cloud platform for your Constellation cluster. 
- -``` -constellation create [flags] -``` - -### Options - -``` - -h, --help help for create - -y, --yes create the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation apply - -Apply a configuration to a Constellation cluster - -### Synopsis - -Apply a configuration to a Constellation cluster to initialize or upgrade the cluster. - -``` -constellation apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | init | attestationconfig | certsans | helm | image | k8s } - -y, --yes run command without further confirmation - WARNING: the command might delete or update existing resources without additional checks. Please read the docs. - -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini - -Manage MiniConstellation clusters - -### Synopsis - -Manage MiniConstellation clusters. 
- -### Options - -``` - -h, --help help for mini -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini up - -Create and initialize a new MiniConstellation cluster - -### Synopsis - -Create and initialize a new MiniConstellation cluster. - -A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM. - -``` -constellation mini up [flags] -``` - -### Options - -``` - -h, --help help for up - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true) -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini down - -Destroy a MiniConstellation cluster - -### Synopsis - -Destroy a MiniConstellation cluster. - -``` -constellation mini down [flags] -``` - -### Options - -``` - -h, --help help for down - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation status - -Show status of a Constellation cluster - -### Synopsis - -Show the status of a constellation cluster. - -Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades. 
- -``` -constellation status [flags] -``` - -### Options - -``` - -h, --help help for status -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation verify - -Verify the confidential properties of a Constellation cluster - -### Synopsis - -Verify the confidential properties of a Constellation cluster. -If arguments aren't specified, values are read from `constellation-state.yaml`. - -``` -constellation verify [flags] -``` - -### Options - -``` - --cluster-id string expected cluster identifier - -h, --help help for verify - -e, --node-endpoint string endpoint of the node to verify, passed as HOST[:PORT] - -o, --output string print the attestation document in the output format {json|raw} -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade - -Find and apply upgrades to your Constellation cluster - -### Synopsis - -Find and apply upgrades to your Constellation cluster. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade check - -Check for possible upgrades - -### Synopsis - -Check which upgrades can be applied to your Constellation Cluster. 
- -``` -constellation upgrade check [flags] -``` - -### Options - -``` - -h, --help help for check - --ref string the reference to use for querying new versions (default "-") - --stream string the stream to use for querying new versions (default "stable") - -u, --update-config update the specified config file with the suggested versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade apply - -Apply an upgrade to a Constellation cluster - -### Synopsis - -Apply an upgrade to a Constellation cluster by applying the chosen configuration. - -``` -constellation upgrade apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | helm | image | k8s } - -y, --yes run upgrades without further confirmation - WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs. - WARNING: might unintentionally overwrite measurements in the running cluster. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation recover - -Recover a completely stopped Constellation cluster - -### Synopsis - -Recover a Constellation cluster by sending a recovery key to an instance in the boot stage. 
- -This is only required if instances restart without other instances available for bootstrapping. - -``` -constellation recover [flags] -``` - -### Options - -``` - -e, --endpoint string endpoint of the instance, passed as HOST[:PORT] - -h, --help help for recover -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation terminate - -Terminate a Constellation cluster - -### Synopsis - -Terminate a Constellation cluster. - -The cluster can't be started again, and all persistent storage will be lost. - -``` -constellation terminate [flags] -``` - -### Options - -``` - -h, --help help for terminate - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam - -Work with the IAM configuration on your cloud provider - -### Synopsis - -Work with the IAM configuration on your cloud provider. - -### Options - -``` - -h, --help help for iam -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create - -Create IAM configuration on a cloud platform for your Constellation cluster - -### Synopsis - -Create IAM configuration on a cloud platform for your Constellation cluster. 
- -### Options - -``` - -h, --help help for create - --update-config update the config file with the specific IAM information - -y, --yes create the IAM configuration without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create aws - -Create IAM configuration on AWS for your Constellation cluster - -### Synopsis - -Create IAM configuration on AWS for your Constellation cluster. - -``` -constellation iam create aws [flags] -``` - -### Options - -``` - -h, --help help for aws - --prefix string name prefix for all resources (required) - --zone string AWS availability zone the resources will be created in, e.g., us-east-2a (required) - See the Constellation docs for a list of currently supported regions. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create azure - -Create IAM configuration on Microsoft Azure for your Constellation cluster - -### Synopsis - -Create IAM configuration on Microsoft Azure for your Constellation cluster. 
- -``` -constellation iam create azure [flags] -``` - -### Options - -``` - -h, --help help for azure - --region string region the resources will be created in, e.g., westus (required) - --resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required) - --servicePrincipal string name of the service principal that will be created (required) - --subscriptionID string subscription ID of the Azure account. Required if the 'ARM_SUBSCRIPTION_ID' environment variable is not set -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create gcp - -Create IAM configuration on GCP for your Constellation cluster - -### Synopsis - -Create IAM configuration on GCP for your Constellation cluster. - -``` -constellation iam create gcp [flags] -``` - -### Options - -``` - -h, --help help for gcp - --projectID string ID of the GCP project the configuration will be created in (required) - Find it on the welcome screen of your project: https://console.cloud.google.com/welcome - --serviceAccountID string ID for the service account that will be created (required) - Must be 6 to 30 lowercase letters, digits, or hyphens. 
- --zone string GCP zone the cluster will be deployed in (required) - Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam destroy - -Destroy an IAM configuration and delete local Terraform files - -### Synopsis - -Destroy an IAM configuration and delete local Terraform files. - -``` -constellation iam destroy [flags] -``` - -### Options - -``` - -h, --help help for destroy - -y, --yes destroy the IAM configuration without asking for confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade - -Find and apply upgrades to your IAM profile - -### Synopsis - -Find and apply upgrades to your IAM profile. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade apply - -Apply an upgrade to an IAM profile - -### Synopsis - -Apply an upgrade to an IAM profile. 
- -``` -constellation iam upgrade apply [flags] -``` - -### Options - -``` - -h, --help help for apply - -y, --yes run upgrades without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation version - -Display version of this CLI - -### Synopsis - -Display version of this CLI. - -``` -constellation version [flags] -``` - -### Options - -``` - -h, --help help for version -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation init - -Initialize the Constellation cluster - -### Synopsis - -Initialize the Constellation cluster. - -Start your confidential Kubernetes. - -``` -constellation init [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for init - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation ssh - -Prepare your cluster for emergency ssh access - -### Synopsis - -Prepare your cluster for emergency ssh access and sign a given key pair for authorization. 
- -``` -constellation ssh [flags] -``` - -### Options - -``` - -h, --help help for ssh - --key string the path to an existing ssh public key -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - diff --git a/docs/versioned_docs/version-2.21/reference/migration.md b/docs/versioned_docs/version-2.21/reference/migration.md deleted file mode 100644 index 0252c409f..000000000 --- a/docs/versioned_docs/version-2.21/reference/migration.md +++ /dev/null 
@@ -1,128 +0,0 @@ -# Migrations - -This document describes breaking changes and migrations between Constellation releases. -Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format. - -## Migrations to v2.19.1 - -### Azure - -* During the upgrade, security rules are migrated and the old ones need to be cleaned up manually by the user. The below script shows how to delete them through the Azure CLI: - -```bash -#!/usr/bin/env bash -name="" # the name provided in the config -uid="" # the cluster id can be retrieved via `yq '.infrastructure.uid' constellation-state.yaml` -resource_group="" # the RG can be retrieved via `yq '.provider.azure.resourceGroup' constellation-conf.yaml` - -rules=( - "kubernetes" - "bootstrapper" - "verify" - "recovery" - "join" - "debugd" - "konnectivity" -) - -for rule in "${rules[@]}"; do - echo "Deleting rule: ${rule}" - az network nsg rule delete \ - --resource-group "${resource_group}" \ - --nsg-name "${name}-${uid}" \ - --name "${rule}" -done - -echo "All specified rules have been deleted." -``` - -## Migrations to v2.19.0 - -### Azure - -* To allow seamless upgrades on Azure when Kubernetes services of type `LoadBalancer` are deployed, the target - load balancer in which the `cloud-controller-manager` creates load balancing rules was changed. Instead of using the load balancer - created and maintained by the CLI's Terraform code, the `cloud-controller-manager` now creates its own load balancer in Azure. - If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them - afterward. - -## Migrating from Azure's service principal authentication to managed identity authentication (during the upgrade to Constellation v2.8.0) - -* The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed. 
-* To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`. -* Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-an-iam-configuration) and use the created UAMI. -* To migrate the authentication for an existing cluster on Azure to an UAMI with the necessary permissions: - 1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret. - 2. Set `useManagedIdentityExtension` to `true` and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`. - 3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods. - -## Migrating from CLI versions before 2.10 - -* AWS cluster upgrades require additional IAM permissions for the newly introduced `aws-load-balancer-controller`. Please upgrade your IAM roles using `iam upgrade apply`. This will show necessary changes and apply them, if desired. -* The global `nodeGroups` field was added. -* The fields `instanceType`, `stateDiskSizeGB`, and `stateDiskType` for each cloud provider are now part of the configuration of individual node groups. -* The `constellation create` command no longer uses the flags `--control-plane-count` and `--worker-count`. Instead, the initial node count is configured per node group in the `nodeGroups` field. - -## Migrating from CLI versions before 2.9 - -* The `provider.azure.appClientID` and `provider.azure.clientSecretValue` fields were removed to enforce migration to managed identity authentication - -## Migrating from CLI versions before 2.8 - -* The `measurements` field for each cloud service provider was replaced with a global `attestation` field. -* The `confidentialVM`, `idKeyDigest`, and `enforceIdKeyDigest` fields for the Azure cloud service provider were removed in favor of using the global `attestation` field. 
-* The optional global field `attestationVariant` was replaced by the now required `attestation` field. - -## Migrating from CLI versions before 2.3 - -* The `sshUsers` field was deprecated in v2.2 and has been removed from the configuration in v2.3. - As an alternative for SSH, check the workflow section [Connect to nodes](../workflows/troubleshooting.md#node-shell-access). -* The `image` field for each cloud service provider has been replaced with a global `image` field. Use the following mapping to migrate your configuration: -
- Show all - - | CSP | old image | new image | - | ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | - | AWS | `ami-06b8cbf4837a0a57c` | `v2.2.2` | - | AWS | `ami-02e96dc04a9e438cd` | `v2.2.2` | - | AWS | `ami-028ead928a9034b2f` | `v2.2.2` | - | AWS | `ami-032ac10dd8d8266e3` | `v2.2.1` | - | AWS | `ami-032e0d57cc4395088` | `v2.2.1` | - | AWS | `ami-053c3e49e19b96bdd` | `v2.2.1` | - | AWS | `ami-0e27ebcefc38f648b` | `v2.2.0` | - | AWS | `ami-098cd37f66523b7c3` | `v2.2.0` | - | AWS | `ami-04a87d302e2509aad` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | 
`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.0.0` | `v2.0.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.0.0` | `v2.0.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-2` | `v2.2.2` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-1` | `v2.2.1` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-0` | `v2.2.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-1-0` | `v2.1.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-0-0` | `v2.0.0` | - -
-* The `enforcedMeasurements` field has been removed and merged with the `measurements` field. - * To migrate your config containing a new image (`v2.3` or greater), remove the old `measurements` and `enforcedMeasurements` entries from your config and run `constellation fetch-measurements` - * To migrate your config containing an image older than `v2.3`, remove the `enforcedMeasurements` entry and replace the entries in `measurements` as shown in the example below: - - ```diff - measurements: - - 0: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + 0: - + expected: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + warnOnly: true - - 8: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + 8: - + expected: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + warnOnly: false - -enforcedMeasurements: - - - 8 - ``` diff --git a/docs/versioned_docs/version-2.21/reference/slsa.md b/docs/versioned_docs/version-2.21/reference/slsa.md deleted file mode 100644 index 21f4e713c..000000000 --- a/docs/versioned_docs/version-2.21/reference/slsa.md +++ /dev/null 
@@ -1,73 +0,0 @@
-# Supply chain levels for software artifacts (SLSA) adoption
-
-[Supply chain Levels for Software Artifacts, or SLSA (salsa)](https://slsa.dev/) is a framework for improving and grading a project's build system and engineering processes. SLSA focuses on security improvements for source code storage as well as build system definition, execution, and observation. SLSA is structured in [four levels](https://slsa.dev/spec/v0.1/levels). This page describes the adoption of SLSA for Constellation.
-
-:::info
-SLSA is still in alpha status. The presented levels and their requirements might change in the future. We will adopt any changes into our engineering processes, as they get defined.
-:::
-
-## Level 1 - Adopted
-
-**[Build - Scripted](https://slsa.dev/spec/v0.1/requirements#scripted-build)**
-
-All build steps are automated via [Bazel](https://github.com/edgelesssys/constellation/tree/main/bazel/ci) and [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github).
-
-**[Provenance - Available](https://slsa.dev/spec/v0.1/requirements#available)**
-
-Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator).
-
-## Level 2 - Adopted
-
-**[Source - Version Controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled)**
-
-Constellation is hosted on GitHub using git.
-
-**[Build - Build Service](https://slsa.dev/spec/v0.1/requirements#build-service)**
-
-All builds are carried out by [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github).
-
-**[Provenance - Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated)**
-
-Provenance for the CLI is signed using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). Learn [how to verify the CLI](../workflows/verify-cli.md) using the signed provenance, before using it for the first time.
-
-**[Provenance - Service Generated](https://slsa.dev/spec/v0.1/requirements#service-generated)**
-
-Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) in GitHub Actions.
-
-## Level 3 - Adopted
-
-**[Source - Verified History](https://slsa.dev/spec/v0.1/requirements#verified-history)**
-
-The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization [requires two-factor authentication](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) for all members.
-
-**[Source - Retained Indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely)**
-
-Since we use GitHub to host the repository, an external person can't modify or delete the history. Before a pull request can be merged, an explicit approval from an [Edgeless Systems](https://github.com/edgelesssys) team member is required.
-
-The same holds true for changes proposed by team members. Each change to `main` needs to be proposed via a pull request and requires at least one approval.
-
-The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization admins control these settings and are able to make changes to the repository's history should legal requirements necessitate it. These changes require two-party approval following the obliterate policy.
-
-**[Build - Build as Code](https://slsa.dev/spec/v0.1/requirements#build-as-code)**
-
-All build files for Constellation are stored in [the same repository](https://github.com/edgelesssys/constellation/tree/main/.github).
-
-**[Build - Ephemeral Environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment)**
-
-All GitHub Action workflows are executed on [GitHub-hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners). These runners are only available during workflow.
-
-We currently don't use [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners).
-
-**[Build - Isolated](https://slsa.dev/spec/v0.1/requirements#isolated)**
-
-As outlined in the previous section, we use GitHub-hosted runners, which provide a new, isolated and ephemeral environment for each build.
-
-Additionally, the [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator#generation-of-provenance) itself is run in an isolated workflow with the artifact hash as defined inputs.
-
-**[Provenance - Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable)**
-
-As outlined by [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator) it already fulfills the non-falsifiable requirements for SLSA Level 3. The generated provenance is signed using [sigstore](https://sigstore.dev/) with an OIDC based proof of identity.
-
-## Level 4 - In Progress
-
-We strive to adopt certain aspect of SLSA Level 4 that support our engineering process. At the same time, SLSA is still in alpha status and the biggest changes to SLSA are expected to be around Level 4.
diff --git a/docs/versioned_docs/version-2.21/reference/terraform.md b/docs/versioned_docs/version-2.21/reference/terraform.md
deleted file mode 100644
index 9825a8bb8..000000000
--- a/docs/versioned_docs/version-2.21/reference/terraform.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# Terraform usage
-
-[Terraform](https://www.terraform.io/) is an Infrastructure as Code (IaC) framework to manage cloud resources. This page explains how Constellation uses it internally and how advanced users may manually use it to have more control over the resource creation.
-
-:::info
-Information on this page is intended for users who are familiar with Terraform.
-It's not required for common usage of Constellation.
-See the [Terraform documentation](https://developer.hashicorp.com/terraform/docs) if you want to learn more about it.
-:::
-
-## Terraform state files
-
-Constellation keeps Terraform state files in subdirectories of the workspace together with the corresponding Terraform configuration files and metadata.
-The subdirectories are created on the first Constellation CLI action that uses Terraform internally.
-
-Currently, these subdirectories are:
-
-* `constellation-terraform` - Terraform state files for the resources of the Constellation cluster
-* `constellation-iam-terraform` - Terraform state files for IAM configuration
-
-As with all commands, commands that work with these files (e.g., `apply`, `terminate`, `iam`) have to be executed from the root of the cluster's [workspace directory](../architecture/orchestration.md#workspaces). You usually don't need and shouldn't manipulate or delete the subdirectories manually.
-
-## Interacting with Terraform manually
-
-Manual interaction with Terraform state created by Constellation (i.e., via the Terraform CLI) should only be performed by experienced users. It may lead to unrecoverable loss of cloud resources. For the majority of users and use cases, the interaction done by the [Constellation CLI](cli.md) is sufficient.
-
-## Terraform debugging
-
-To debug Terraform issues, the Constellation CLI offers the `tf-log` flag. You can set it to any of [Terraform's log levels](https://developer.hashicorp.com/terraform/internals/debugging):
-* `JSON` (JSON-formatted logs at `TRACE` level)
-* `TRACE`
-* `DEBUG`
-* `INFO`
-* `WARN`
-* `ERROR`
-
-The log output is written to the `terraform.log` file in the workspace directory. The output is appended to the file on each run.
diff --git a/docs/versioned_docs/version-2.21/workflows/cert-manager.md b/docs/versioned_docs/version-2.21/workflows/cert-manager.md
deleted file mode 100644
index 1d847e8bf..000000000
--- a/docs/versioned_docs/version-2.21/workflows/cert-manager.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Install cert-manager
-
-:::caution
-If you want to use cert-manager with Constellation, pay attention to the following to avoid potential pitfalls.
-:::
-
-Constellation ships with cert-manager preinstalled.
-The default installation is part of the `kube-system` namespace, as all other Constellation-managed microservices.
-You are free to install more instances of cert-manager into other namespaces.
-However, be aware that any new installation needs to use the same version as the one installed with Constellation or rely on the same CRD versions.
-Also remember to set the `installCRDs` value to `false` when installing new cert-manager instances.
-It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs.
-CRDs are cluster-wide resources and cert-manager depends on specific versions of those CRDs for each release.
diff --git a/docs/versioned_docs/version-2.21/workflows/config.md b/docs/versioned_docs/version-2.21/workflows/config.md
deleted file mode 100644
index a8a52980e..000000000
--- a/docs/versioned_docs/version-2.21/workflows/config.md
+++ /dev/null
@@ -1,353 +0,0 @@ -# Configure your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Before you can create your cluster, you need to configure the identity and access management (IAM) for your cloud service provider (CSP) and choose machine types for the nodes. - -## Creating the configuration file - -You can generate a configuration file for your CSP by using the following CLI command: - - - - -```bash -constellation config generate aws -``` - - - - -```bash -constellation config generate azure -``` - - - - -```bash -constellation config generate gcp -``` - - - - -```bash -constellation config generate stackit -``` - - - - -This creates the file `constellation-conf.yaml` in the current directory. - -## Choosing a VM type - -Constellation supports the following VM types: - - - -By default, Constellation uses `m6a.xlarge` VMs (4 vCPUs, 16 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. -If you are using the default attestation variant `awsSEVSNP`, you can use the instance types described in [AWS's AMD SEV-SNP docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). -Please mind the region restrictions mentioned in the [Getting started](../getting-started/first-steps.md#create-a-cluster) section. - -If you are using the attestation variant `awsNitroTPM`, you can choose any of the [nitroTPM-enabled instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -By default, Constellation uses `Standard_DC4as_v5` CVMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. 
For CVMs, any VM type with a minimum of 4 vCPUs from the [DCasv5 & DCadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series) or [ECasv5 & ECadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/ecasv5-ecadsv5-series) families is supported. - -You can also run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `n2d-standard-4` VMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. Supported are all machines with a minimum of 4 vCPUs from the [C2D](https://cloud.google.com/compute/docs/compute-optimized-machines#c2d_machine_types) or [N2D](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) family. You can run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `m1a.4cd` VMs (4 vCPUs, 30 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. - -The following instance types are known to be supported: - -| name | vCPUs | GB RAM | -|----------|-------|--------| -| m1a.4cd | 4 | 30 | -| m1a.8cd | 8 | 60 | -| m1a.16cd | 16 | 120 | -| m1a.30cd | 30 | 230 | - -You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -Fill the desired VM type into the `instanceType` fields in the `constellation-conf.yml` file. - -## Creating additional node groups - -By default, Constellation creates the node groups `control_plane_default` and `worker_default` for control-plane nodes and workers, respectively. 
-If you require additional control-plane or worker groups with different instance types, zone placements, or disk sizes, you can add additional node groups to the `constellation-conf.yml` file. -Each node group can be scaled individually. - -Consider the following example for AWS: - -```yaml -nodeGroups: - control_plane_default: - role: control-plane - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 3 - worker_default: - role: worker - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 2 - high_cpu: - role: worker - instanceType: c6a.24xlarge - stateDiskSizeGB: 128 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 1 -``` - -This configuration creates an additional node group `high_cpu` with a larger instance type and disk. - -You can use the field `zone` to specify what availability zone nodes of the group are placed in. -On Azure, this field is empty by default and nodes are automatically spread across availability zones. -STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones. -Consult the documentation of your cloud provider for more information: - -* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) -* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones) -* [GCP](https://cloud.google.com/compute/docs/regions-zones) -* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html) - -## Choosing a Kubernetes version - -To learn which Kubernetes versions can be installed with your current CLI, you can run `constellation config kubernetes-versions`. -See also Constellation's [Kubernetes support policy](../architecture/versions.md#kubernetes-support-policy). - -## Creating an IAM configuration - -You can create an IAM configuration for your cluster automatically using the `constellation iam create` command. 
-If you already have a Constellation configuration file, you can add the `--update-config` flag to the command. This writes the needed IAM fields into your configuration. Furthermore, the flag updates the zone/region of the configuration if it hasn't been set yet. - - - - -You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create aws --zone=us-east-2a --prefix=constellTest -``` - -This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. - -Constellation OS images are currently replicated to the following regions: - -* `eu-central-1` -* `eu-west-1` -* `eu-west-3` -* `us-east-2` -* `ap-south-1` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - -You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest -``` - -This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. 
- -CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - -* `germanywestcentral` -* `westus` -* `eastus` -* `northeurope` -* `westeurope` -* `southeastasia` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). - -You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test -``` - -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. - -Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - - -
-Alternatively, you can manually create the IAM configuration on your CSP. - -The following describes the configuration fields and how you obtain the required information or create the required resources. - - - - -* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`. - - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -* **zone**: The name of your chosen AWS data center availability zone, e.g., `us-east-2a`. - - Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones). - -* **iamProfileControlPlane**: The name of an IAM instance profile attached to all control-plane nodes. - - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`. - -* **iamProfileWorkerNodes**: The name of an IAM instance profile attached to all worker nodes. 
- - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`. - - - - -* **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`. - - You can view your subscription UUID via `az account show` and read the `id` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription). - -* **tenant**: The UUID of your Azure tenant, e.g., `3400e5a2-8fe2-492a-886c-38cb66170f25`. - - You can view your tenant UUID via `az account show` and read the `tenant` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant). - -* **location**: The Azure datacenter location you want to deploy your cluster in, e.g., `westus`. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -* **resourceGroup**: [Create a new resource group in Azure](https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal) for your Constellation cluster. Set this configuration field to the name of the created resource group. - -* **userAssignedIdentity**: [Create a new managed identity in Azure](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination. - - Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor`, and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group. - - Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity. - - The user-assigned identity is used by instances of the cluster to access other cloud resources. - For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). - - - - -* **project**: The ID of your GCP project, e.g., `constellation-129857`. - - You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). 
- -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. - - You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. - - You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **serviceAccountKeyPath**: To configure this, you need to create a GCP [service account](https://cloud.google.com/iam/docs/service-accounts) with the following permissions: - - * `Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)` - * `Compute Network Admin (roles/compute.networkAdmin)` - * `Compute Security Admin (roles/compute.securityAdmin)` - * `Compute Storage Admin (roles/compute.storageAdmin)` - * `Service Account User (roles/iam.serviceAccountUser)` - - Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - -
- -Now that you've configured your CSP, you can [create your cluster](./create.md). - -## Deleting an IAM configuration - -You can keep a created IAM configuration and reuse it for new clusters. Alternatively, you can also delete it if you don't want to use it anymore. - -Delete the IAM configuration by executing the following command in the same directory where you executed `constellation iam create` (the directory that contains [`constellation-iam-terraform`](../reference/terraform.md) as a subdirectory): - -```bash -constellation iam destroy -``` - -:::caution -For Azure, deleting the IAM configuration by executing `constellation iam destroy` will delete the whole resource group created by `constellation iam create`. -This also includes any additional resources in the resource group that weren't created by Constellation. -::: diff --git a/docs/versioned_docs/version-2.21/workflows/create.md b/docs/versioned_docs/version-2.21/workflows/create.md deleted file mode 100644 index 6074ebb16..000000000 --- a/docs/versioned_docs/version-2.21/workflows/create.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# Create your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Creating your cluster happens through multiple phases. -The most significant ones are: - -1. Creating the necessary resources in your cloud environment -2. Bootstrapping the Constellation cluster and setting up a connection -3. Installing the necessary Kubernetes components - -`constellation apply` handles all this in a single command. -You can use the `--skip-phases` flag to skip specific phases of the process. -For example, if you created the infrastructure manually, you can skip the cloud resource creation phase. - -See the [architecture](../architecture/orchestration.md) section for details on the inner workings of this process. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -Before you create the cluster, make sure to have a [valid configuration file](./config.md). - - - - -```bash -constellation apply -``` - -`apply` stores the state of your cluster's cloud resources in a [`constellation-terraform`](../architecture/orchestration.md#cluster-creation-process) directory in your workspace. - - - - -Self-managed infrastructure allows for more flexibility in the setup, by separating the infrastructure setup from the Constellation cluster management. -This provides flexibility in DevOps and can meet potential regulatory requirements. -It's recommended to use Terraform for infrastructure management, but you can use any tool of your choice. - -:::info - - When using Terraform, you can use the [Constellation Terraform provider](./terraform-provider.md) to manage the entire Constellation cluster lifecycle. 
- -::: - -You can refer to the Terraform files for the selected CSP from the [Constellation GitHub repository](https://github.com/edgelesssys/constellation/tree/main/terraform/infrastructure) for a minimum Constellation cluster configuration. From this base, you can now add, edit, or substitute resources per your own requirements with the infrastructure -management tooling of your choice. You need to keep the essential functionality of the base configuration in order for your cluster to function correctly. - - - -:::info - - On Azure, a manual update to the MAA provider's policy is necessary. - You can apply the update with the following command after creating the infrastructure, with `` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration). - - ```bash - constellation maa-patch - ``` - -::: - - - -Make sure all necessary resources are created, e.g., through checking your CSP's portal and retrieve the necessary values, aligned with the outputs (specified in `outputs.tf`) of the base configuration. - -Fill these outputs into the corresponding fields of the `Infrastructure` block inside the `constellation-state.yaml` file. For example, fill the IP or DNS name your cluster can be reached at into the `.Infrastructure.ClusterEndpoint` field. - -With the required cloud resources set up, continue with initializing your cluster. - -```bash -constellation apply --skip-phases=infrastructure -``` - - - - -Finally, configure `kubectl` for your cluster: - -```bash -export KUBECONFIG="$PWD/constellation-admin.conf" -``` - -🏁 That's it. You've successfully created a Constellation cluster. - -### Troubleshooting - -In case `apply` fails, the CLI collects logs from the bootstrapping instance and stores them inside `constellation-cluster.log`. 
diff --git a/docs/versioned_docs/version-2.21/workflows/lb.md b/docs/versioned_docs/version-2.21/workflows/lb.md
deleted file mode 100644
index 868e61076..000000000
--- a/docs/versioned_docs/version-2.21/workflows/lb.md
+++ /dev/null
@@ -1,28 +0,0 @@
-# Expose a service
-
-Constellation integrates the native load balancers of each CSP. Therefore, to expose a service simply [create a service of type `LoadBalancer`](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
-
-## Internet-facing LB service on AWS
-
-To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS.
-
-Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/).
-
-For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html).
-
-:::caution
-Before terminating the cluster, all LB backed services should be deleted, so that the controller can cleanup the related resources.
-:::
-
-## Ingress on AWS
-
-The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`.
-AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type).
-The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation.
-If a service can be exposed on a `NodePort`, the target type `instance` can be used.
-
-See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information.
-
-:::caution
-Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they shouldn't be handling sensitive traffic!
-:::
diff --git a/docs/versioned_docs/version-2.21/workflows/recovery.md b/docs/versioned_docs/version-2.21/workflows/recovery.md
deleted file mode 100644
index 592ae247b..000000000
--- a/docs/versioned_docs/version-2.21/workflows/recovery.md
+++ /dev/null
@@ -1,179 +0,0 @@ -# Recover your cluster - -Recovery of a Constellation cluster means getting it back into a healthy state after too many concurrent node failures in the control plane. -Reasons for an unhealthy cluster can vary from a power outage, or planned reboot, to migration of nodes and regions. -Recovery events are rare, because Constellation is built for high availability and automatically and securely replaces failed nodes. When a node is replaced, Constellation's control plane first verifies the new node before it sends the node the cryptographic keys required to decrypt its [state disk](../architecture/images.md#state-disk). - -Constellation provides a recovery mechanism for cases where the control plane has failed and is unable to replace nodes. -The `constellation recover` command securely connects to all nodes in need of recovery using [attested TLS](../architecture/attestation.md#attested-tls-atls) and provides them with the keys to decrypt their state disks and continue booting. - -## Identify unhealthy clusters - -The first step to recovery is identifying when a cluster becomes unhealthy. -Usually, this can be first observed when the Kubernetes API server becomes unresponsive. - -You can check the health status of the nodes via the cloud service provider (CSP). -Constellation provides logging information on the boot process and status via serial console output. -In the following, you'll find detailed descriptions for identifying clusters stuck in recovery for each CSP. - - - - -First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `--control-plane` and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -In the Azure portal, find the cluster's resource group. -Inside the resource group, open the control plane *Virtual machine scale set* `constellation-scale-set-controlplanes-`. -On the left, go to **Settings** > **Instances** and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. -In the scale set's *Instances* view, open the details page of the desired instance. -On the left, go to **Support + troubleshooting** > **Serial console**. - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T09:56:41Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"azure"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["10.9.0.5:30090","10.9.0.6:30090"]} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.5:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.5:30090: i/o timeout\"","endpoint":"10.9.0.5:30090"} -{"level":"INFO","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.6:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.6:30090: i/o timeout\"","endpoint":"10.9.0.6:30090"} -{"level":"ERROR","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, check that the control plane *Instance Group* has enough members in a *Ready* state. -In the GCP Console, go to **Instance Groups** and check the group for the cluster's control plane `-control-plane-`. - -Second, check the status of the *VM Instances*. -Go to **VM Instances** and open the details of the desired instance. 
-Check the serial console output of that instance by opening the **Logs** > **Serial port 1 (console)** page: - -![GCP portal serial console link](../_media/recovery-gcp-serial-console-link.png) - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} -{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `--control-plane--` and check that enough members are in a *Running* state. - -Second, check the boot logs of these servers. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -## Recover a cluster - -Recovering a cluster requires the following parameters: - -* The `constellation-state.yaml` file in your working directory or the cluster's endpoint -* The master secret of the cluster - -A cluster can be recovered like this: - -```bash -$ constellation recover -Pushed recovery key. -Pushed recovery key. -Pushed recovery key. -Recovered 3 control-plane nodes. -``` - -In the serial console output of the node you'll see a similar output to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:93","msg":"Received recover call"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:125","msg":"Received state disk key and measurement secret, shutting down server"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer.gRPC","caller":"zap/server_interceptors.go:61","msg":"finished streaming call with code OK","grpc.start_time":"2022-09-08T10:26:59Z","system":"grpc","span.kind":"server","grpc.service":"recoverproto.API","grpc.method":"Recover","peer.address":"192.0.2.3:41752","grpc.code":"OK","grpc.time_ms":15.701} -{"level":"INFO","ts":"2022-09-08T10:27:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:87","msg":"RejoinClient stopped"} -``` 
diff --git a/docs/versioned_docs/version-2.21/workflows/reproducible-builds.md b/docs/versioned_docs/version-2.21/workflows/reproducible-builds.md deleted file mode 100644 index e3bc46095..000000000 --- a/docs/versioned_docs/version-2.21/workflows/reproducible-builds.md +++ /dev/null 
@@ -1,63 +0,0 @@ -# Reproduce released artifacts - -Constellation has first-class support for [reproducible builds](https://reproducible-builds.org). -Reproducing the released artifacts is an alternative to [signature verification](verify-cli.md) that doesn't require trusting Edgeless Systems' release process. -The following sections describe how to rebuild an artifact and how Constellation ensures that the rebuild reproduces the artifacts bit-by-bit. - -## Build environment prerequisites - -The build systems used by Constellation - [Bazel](https://bazel.build/) and [Nix](https://nixos.org) - are designed for deterministic, reproducible builds. -These two dependencies should be the only prerequisites for a successful build. -However, it can't be ruled out completely that peculiarities of the host affect the build result. -Thus, we recommend the following host setup for best results: - -1. A Linux operating system not older than v5.4. -2. The GNU C library not older than v2.31 (avoid `musl`). -3. GNU `coreutils` not older than v8.30 (avoid `busybox`). -4. An `ext4` filesystem for building. -5. AppArmor turned off. - -This is given, for example, on an Ubuntu 22.04 system, which is also used for reproducibility tests. - -:::note - -To avoid any backwards-compatibility issues, the host software versions should also not be much newer than the Constellation release. - -::: - -## Run the build - -The following instructions outline qualitatively how to reproduce a build. -Constellation implements these instructions in the [Reproducible Builds workflow](https://github.com/edgelesssys/constellation/actions/workflows/reproducible-builds.yml), which continuously tests for reproducibility. -The workflow is a good place to look up specific version numbers and build steps. - -1. Check out the Constellation repository at the tag corresponding to the release. 
- - ```bash - git clone https://github.com/edgelesssys/constellation.git - cd constellation - git checkout v2.20.0 - ``` - -2. [Install the Bazel release](https://bazel.build/install) specified in `.bazelversion`. -3. [Install Nix](https://nixos.org/download/) (any recent version should do). -4. Run the build with `bazel build $target` for one of the following targets of interest: - - ```data - //cli:cli_enterprise_darwin_amd64 - //cli:cli_enterprise_darwin_arm64 - //cli:cli_enterprise_linux_amd64 - //cli:cli_enterprise_linux_arm64 - //cli:cli_enterprise_windows_amd64 - ``` - -5. Compare the build result with the downloaded release artifact. - - - -## Feedback - -Reproduction failures often indicate a bug in the build system or in the build definitions. -Therefore, we're interested in any reproducibility issues you might encounter. -[Start a bug report](https://github.com/edgelesssys/constellation/issues/new/choose) and describe the details of your build environment. -Make sure to include your result binary or a [`diffoscope`](https://diffoscope.org/) report, if possible. diff --git a/docs/versioned_docs/version-2.21/workflows/s3proxy.md b/docs/versioned_docs/version-2.21/workflows/s3proxy.md deleted file mode 100644 index 121e8a461..000000000 --- a/docs/versioned_docs/version-2.21/workflows/s3proxy.md +++ /dev/null 
@@ -1,58 +0,0 @@ -# Install s3proxy - -Constellation includes a transparent client-side encryption proxy for [AWS S3](https://aws.amazon.com/de/s3/) and compatible stores. -s3proxy encrypts objects before sending them to S3 and automatically decrypts them on retrieval, without requiring changes to your application. -With s3proxy, you can use S3 for storage in a confidential way without having to trust the storage provider. - -## Limitations - -Currently, s3proxy has the following limitations: -- Only `PutObject` and `GetObject` requests are encrypted/decrypted by s3proxy. -By default, s3proxy will block requests that may expose unencrypted data to S3 (e.g. UploadPart). -The `allow-multipart` flag disables request blocking for evaluation purposes. -- Using the [Range](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html#API_GetObject_RequestSyntax) header on `GetObject` is currently not supported and will result in an error. - -These limitations will be removed with future iterations of s3proxy. -If you want to use s3proxy but these limitations stop you from doing so, consider [opening an issue](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&projects=&template=feature_request.yml). - -## Deployment - -You can add the s3proxy to your Constellation cluster as follows: -1. Add the Edgeless Systems chart repository: - ```bash - helm repo add edgeless https://helm.edgeless.systems/stable - helm repo update - ``` -2. Set ACCESS_KEY and ACCESS_SECRET to valid credentials you want s3proxy to use to interact with S3. -3. Deploy s3proxy: - ```bash - helm install s3proxy edgeless/s3proxy --set awsAccessKeyID="$ACCESS_KEY" --set awsSecretAccessKey="$ACCESS_SECRET" - ``` - -If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example. 
- - -## Technical details - -### Encryption - -s3proxy relies on Google's [Tink Cryptographic Library](https://developers.google.com/tink) to implement cryptographic operations securely. -The used cryptographic primitives are [NIST SP 800 38f](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf) for key wrapping and [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)-[GCM](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Galois/counter_(GCM)) with 256 bit keys for data encryption. - -s3proxy uses [envelope encryption](https://cloud.google.com/kms/docs/envelope-encryption) to encrypt objects. -This means s3proxy uses a key encryption key (KEK) issued by the [KeyService](../architecture/microservices.md#keyservice) to encrypt data encryption keys (DEKs). -Each S3 object is encrypted with its own DEK. -The encrypted DEK is then saved as metadata of the encrypted object. -This enables key rotation of the KEK without re-encrypting the data in S3. -The approach also allows access to objects from different locations, as long as each location has access to the KEK. - -### Traffic interception - -To use s3proxy, you have to redirect your outbound S3 traffic to s3proxy. -This can either be done by modifying your client application or by changing the deployment of your application. - -The necessary deployment modifications are to add DNS redirection and a trusted TLS certificate to the client's trust store. -DNS redirection can be defined for each pod, allowing you to use s3proxy for one application without changing other applications in the same cluster. -Adding a trusted TLS certificate is necessary as clients communicate with s3proxy via HTTPS. -To have your client application trust s3proxy's TLS certificate, the certificate has to be added to the client's certificate trust store. -The [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example shows how to do this. 
diff --git a/docs/versioned_docs/version-2.21/workflows/sbom.md b/docs/versioned_docs/version-2.21/workflows/sbom.md deleted file mode 100644 index 6c1702dee..000000000 --- a/docs/versioned_docs/version-2.21/workflows/sbom.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# Consume software bill of materials (SBOMs) - - - ---- - -Constellation builds produce a [software bill of materials (SBOM)](https://www.ntia.gov/SBOM) for each generated [artifact](../architecture/microservices.md). -You can use SBOMs to make informed decisions about dependencies and vulnerabilities in a given application. Enterprises rely on SBOMs to maintain an inventory of used applications, which allows them to take data-driven approaches to managing risks related to vulnerabilities. - -SBOMs for Constellation are generated using [Syft](https://github.com/anchore/syft), signed using [Cosign](https://github.com/sigstore/cosign), and stored with the produced artifact. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). - -Make sure the key is available in a file named `cosign.pub` to execute the following examples. -::: - -## Verify and download SBOMs - -The following sections detail how to work with each type of artifact to verify and extract the SBOM. - -### Constellation CLI - -The SBOM for Constellation CLI is made available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). The SBOM (`constellation.spdx.sbom`) and corresponding signature (`constellation.spdx.sbom.sig`) are valid for each Constellation CLI for a given version, regardless of architecture and operating system. 
- -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom.sig -cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig constellation.spdx.sbom -``` - -### Container Images - -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/cosign/signing/other_types/#sboms-software-bill-of-materials) and uploaded to the same registry. - -As a consumer, use cosign to download and verify the SBOM: - -```bash -# Verify and download the attestation statement -cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.att.json -# Extract SBOM from attestation statement -jq -r .payload verification-service.att.json | base64 -d > verification-service.cyclonedx.sbom -``` - -A successful verification should result in similar output: - -```shell-session -$ cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.sbom - -Verification for ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 -- -The following checks were performed on each of these signatures: - - The cosign claims were validated - - The signatures were verified against the specified public key -$ jq -r .payload verification-service.sbom | base64 -d > verification-service.cyclonedx.sbom -``` - -:::note - -This example considers only the `verification-service`. The same approach works for all containers in the [Constellation container registry](https://github.com/orgs/edgelesssys/packages?repo_name=constellation). - -::: - - - -## Vulnerability scanning - -You can use a plethora of tools to consume SBOMs. 
This section provides suggestions for tools that are popular and known to produce reliable results, but any tool that consumes [SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) files should work. - -Syft is able to [convert between the two formats](https://github.com/anchore/syft#format-conversion-experimental) in case you require a specific type. - -### Grype - -[Grype](https://github.com/anchore/grype) is a CLI tool that lends itself well for integration into CI/CD systems or local developer machines. It's also able to consume the signed attestation statement directly and does the verification in one go. - -```bash -grype att:verification-service.sbom --key cosign.pub --add-cpes-if-none -q -``` - -### Dependency Track - -[Dependency Track](https://dependencytrack.org/) is one of the oldest and most mature solutions when it comes to managing software inventory and vulnerabilities. Once imported, it continuously scans SBOMs for new vulnerabilities. It supports the CycloneDX format and provides direct guidance on how to comply with [U.S. Executive Order 14028](https://docs.dependencytrack.org/usage/executive-order-14028/). diff --git a/docs/versioned_docs/version-2.21/workflows/scale.md b/docs/versioned_docs/version-2.21/workflows/scale.md deleted file mode 100644 index 28f19e3f1..000000000 --- a/docs/versioned_docs/version-2.21/workflows/scale.md +++ /dev/null 
@@ -1,122 +0,0 @@ -# Scale your cluster - -Constellation provides all features of a Kubernetes cluster including scaling and autoscaling. - -## Worker node scaling - -### Autoscaling - -Constellation comes with autoscaling disabled by default. To enable autoscaling, find the scaling group of -worker nodes: - -```bash -kubectl get scalinggroups -o json | yq '.items | .[] | select(.spec.role == "Worker") | [{"name": .metadata.name, "nodeGoupName": .spec.nodeGroupName}]' -``` - -This will output a list of scaling groups with the corresponding cloud provider name (`name`) and the cloud provider agnostic name of the node group (`nodeGroupName`). - -Then, patch the `autoscaling` field of the scaling group resource with the desired `name` to `true`: - -```bash -# Replace with the name of the scaling group you want to enable autoscaling for -worker_group= -kubectl patch scalinggroups $worker_group --patch '{"spec":{"autoscaling": true}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler now automatically provisions additional worker nodes so that all pods have a place to run. -You can configure the minimum and maximum number of worker nodes in the scaling group by patching the `min` or -`max` fields of the scaling group resource: - -```bash -kubectl patch scalinggroups $worker_group --patch '{"spec":{"max": 5}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler will now never provision more than 5 worker nodes. - -If you want to see the autoscaling in action, try to add a deployment with a lot of replicas, like the -following Nginx deployment. The number of replicas needed to trigger the autoscaling depends on the size of -and count of your worker nodes. 
Wait for the rollout of the deployment to finish and compare the number of -worker nodes before and after the deployment: - -```bash -kubectl create deployment nginx --image=nginx --replicas 150 -kubectl -n kube-system get nodes -kubectl rollout status deployment nginx -kubectl -n kube-system get nodes -``` - -### Manual scaling - -Alternatively, you can manually scale your cluster up or down: - - - - -1. Go to Auto Scaling Groups and select the worker ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-workers`. -3. Go to **settings** and **scaling**. -4. Set the new **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **worker** instance group. -3. Set the new **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. - - - - -## Control-plane node scaling - -Control-plane nodes can **only be scaled manually and only scaled up**! - -To increase the number of control-plane nodes, follow these steps: - - - - -1. Go to Auto Scaling Groups and select the control-plane ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-controlplanes`. -3. Go to **settings** and **scaling**. -4. Set the new (increased) **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **control-plane** instance group. -3. Set the new (increased) **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. 
- - - - -If you scale down the number of control-planes nodes, the removed nodes won't be able to exit the `etcd` cluster correctly. This will endanger the quorum that's required to run a stable Kubernetes control plane. diff --git a/docs/versioned_docs/version-2.21/workflows/storage.md b/docs/versioned_docs/version-2.21/workflows/storage.md deleted file mode 100644 index a5c52be90..000000000 --- a/docs/versioned_docs/version-2.21/workflows/storage.md +++ /dev/null 
@@ -1,281 +0,0 @@ -# Use persistent storage - -Persistent storage in Kubernetes requires cloud-specific configuration. -For abstraction of container storage, Kubernetes offers [volumes](https://kubernetes.io/docs/concepts/storage/volumes/), -allowing users to mount storage solutions directly into containers. -The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes. -Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage. - -## Confidential storage - -Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek). -Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT. -However, their encryption takes place in the storage backend and is managed by the CSP. -Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data. - -To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage. - -For more details see [encrypted persistent storage](../architecture/encrypted-storage.md). - -## CSI drivers - -Constellation supports the following drivers, which offer node-level encryption and optional integrity protection. - - - - -**Constellation CSI driver for AWS Elastic Block Store** -Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster. 
-Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information. - - - - -**Constellation CSI driver for Azure Disk**: -Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster. -See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information. -Since Azure Disks are mounted as `ReadWriteOnce`, they're only available to a single pod. - - - - -**Constellation CSI driver for GCP Persistent Disk**: -Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for more information. - - - - -**Constellation CSI driver for STACKIT / OpenStack Cinder** -Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information. - - - - -Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [AWS EFS](https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html), [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction), or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. 
Constellation is just not providing transparent encryption on the node level for these storage types yet. - -## Installation - -The Constellation CLI automatically installs Constellation's CSI driver for the selected CSP in your cluster. -If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file. - - - - -AWS comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -Azure comes with two storage classes by default. 
- -* `encrypted-rwo` - * Uses [Standard SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [Premium SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#premium-ssds) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -GCP comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [standard persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [performance (SSD) persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. 
-If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -STACKIT comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -1. 
Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) - - A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. - It can refer to a storage class. - The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class: - - ```bash - cat < - ---- - -You can terminate your cluster using the CLI. For this, you need the Terraform state directory named [`constellation-terraform`](../reference/terraform.md) in the current directory. - -:::danger - -All ephemeral storage and state of your cluster will be lost. Make sure any data is safely stored in persistent storage. Constellation can recreate your cluster and the associated encryption keys, but won't backup your application data automatically. - -::: - - - -Terminate the cluster by running: - -```bash -constellation terminate -``` - -Or without confirmation (e.g., for automation purposes): - -```bash -constellation terminate --yes -``` - -This deletes all resources created by Constellation in your cloud environment. -All local files created by the `apply` command are deleted as well, except for `constellation-mastersecret.json` and the configuration file. - -:::caution - -Termination can fail if additional resources have been created that depend on the ones managed by Constellation. In this case, you need to delete these additional -resources manually. Just run the `terminate` command again afterward to continue the termination process of the cluster. - -::: - - - -Terminate the cluster by running: - -```bash -terraform destroy -``` - -Delete all files that are no longer needed: - -```bash -rm constellation-state.yaml constellation-admin.conf -``` - -Only the `constellation-mastersecret.json` and the configuration file remain. - - - 
diff --git a/docs/versioned_docs/version-2.21/workflows/terraform-provider.md b/docs/versioned_docs/version-2.21/workflows/terraform-provider.md
deleted file mode 100644
index c7a795d3f..000000000
--- a/docs/versioned_docs/version-2.21/workflows/terraform-provider.md
+++ /dev/null
@@ -1,140 +0,0 @@ -# Use the Terraform provider - -The Constellation Terraform provider allows to manage the full lifecycle of a Constellation cluster (namely creation, upgrades, and deletion) via Terraform. -The provider is available through the [Terraform registry](https://registry.terraform.io/providers/edgelesssys/constellation/latest) and is released in lock-step with Constellation releases. - -## Prerequisites - -- a Linux / Mac operating system (ARM64/AMD64) -- a Terraform installation of version `v1.4.4` or above - -## Quick setup - -This example shows how to set up a Constellation cluster with the reference IAM and infrastructure setup. This setup is also used when creating a Constellation cluster through the Constellation CLI. You can either consume the IAM / infrastructure modules through a remote source (recommended) or local files. The latter requires downloading the infrastructure and IAM modules for the corresponding CSP from `terraform-modules.zip` on the [Constellation release page](https://github.com/edgelesssys/constellation/releases/latest) and placing them in the Terraform workspace directory. - -1. Create a directory (workspace) for your Constellation cluster. - - ```bash - mkdir constellation-workspace - cd constellation-workspace - ``` - -2. Use one of the [example configurations for using the Constellation Terraform provider](https://github.com/edgelesssys/constellation/tree/main/terraform-provider-constellation/examples/full) or create a `main.tf` file and fill it with the resources you want to create. The [Constellation Terraform provider documentation](https://registry.terraform.io/providers/edgelesssys/constellation/latest) offers thorough documentation on the resources and their attributes. -3. Initialize and apply the Terraform configuration. - - - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -:::info -On SEV-SNP, you need to manually patch the policy of the MAA provider before creating the Constellation cluster, as this feature isn't available in Azure's Terraform provider yet. The Constellation CLI provides a utility for patching, but you can also do it manually. - - ```bash - terraform init - terraform apply -target module.azure_iam # adjust resource path if not using the example configuration - terraform apply -target module.azure_infrastructure # adjust resource path if not using the example configuration - constellation maa-patch $(terraform output -raw maa_url) # adjust output path / input if not using the example configuration or manually patch the resource - terraform apply -target constellation_cluster.azure_example # adjust resource path if not using the example configuration - ``` - - Use the following policy if manually performing the patch. - - ``` - version= 1.0; - authorizationrules - { - [type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny(); - [type=="x-ms-azurevm-debuggersdisabled", value==false] => deny(); - // The line below was edited to use the MAA provider within Constellation. Do not edit manually. - //[type=="secureboot", value==false] => deny(); - [type=="x-ms-azurevm-signingdisabled", value==false] => deny(); - [type=="x-ms-azurevm-dbvalidated", value==false] => deny(); - [type=="x-ms-azurevm-dbxvalidated", value==false] => deny(); - => permit(); - }; - issuancerules - { - }; - ``` - -::: - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -4. Connect to the cluster. - - ```bash - terraform output -raw kubeconfig > constellation-admin.conf - export KUBECONFIG=$(realpath constellation-admin.conf) - ``` - -## Bringing your own infrastructure - -Instead of using the example infrastructure used in the [quick setup](#quick-setup), you can also provide your own infrastructure. -If you need a starting point for a custom infrastructure setup, you can download the infrastructure / IAM Terraform modules for the respective CSP from the Constellation [GitHub releases](https://github.com/edgelesssys/constellation/releases). You can modify and extend the modules per your requirements, while keeping the basic functionality intact. 
-The module contains: - -- `{csp}`: cloud resources the cluster runs on -- `iam/{csp}`: IAM resources used within the cluster - -When upgrading your cluster, make sure to check the Constellation release notes for potential breaking changes in the reference infrastructure / IAM modules that need to be considered. - -## Cluster upgrades - -:::tip -Also see the [general documentation on cluster upgrades](./upgrade.md). -::: - -The steps for applying the upgrade are as follows: - -1. Update the version constraint of the Constellation Terraform provider in the `required_providers` block in your Terraform configuration. -2. If you explicitly set any of the version attributes of the provider's resources and data sources (e.g. `image_version` or `constellation_microservice_version`), make sure to update them too. Refer to Constellation's [version support policy](https://github.com/edgelesssys/constellation/blob/main/dev-docs/workflows/versions-support.md) for more information on how each Constellation version and its dependencies are supported. -3. Update the IAM / infrastructure configuration. - - For [remote addresses as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#fetching-archives-over-http), update the version number inside the address of the `source` field of the infrastructure / IAM module to the target version. - - For [local paths as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#local-paths) or when [providing your own infrastructure](#bringing-your-own-infrastructure), see the changes made in the reference modules since the upgrade's origin version and adjust your infrastructure / IAM configuration accordingly. -4. Upgrade the Terraform module and provider dependencies and apply the targeted configuration. - -```bash - terraform init -upgrade - terraform apply -``` 
diff --git a/docs/versioned_docs/version-2.21/workflows/troubleshooting.md b/docs/versioned_docs/version-2.21/workflows/troubleshooting.md
deleted file mode 100644
index 195bce1cc..000000000
--- a/docs/versioned_docs/version-2.21/workflows/troubleshooting.md
+++ /dev/null
@@ -1,151 +0,0 @@ -# Troubleshooting - -This section aids you in finding problems when working with Constellation. - -## Common issues - -### Issues with creating new clusters - -When you create a new cluster, you should always use the [latest release](https://github.com/edgelesssys/constellation/releases/latest). -If something doesn't work, check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### Azure: Resource Providers can't be registered - -On Azure, you may receive the following error when running `apply` or `terminate` with limited IAM permissions: - -```shell-session -Error: Error ensuring Resource Providers are registered. - -Terraform automatically attempts to register the Resource Providers it supports to -ensure it's able to provision resources. - -If you don't have permission to register Resource Providers you may wish to use the -"skip_provider_registration" flag in the Provider block to disable this functionality. - -[...] -``` - -To continue, please ensure that the [required resource providers](../getting-started/install.md#required-permissions) have been registered in your subscription by your administrator. - -Afterward, set `ARM_SKIP_PROVIDER_REGISTRATION=true` as an environment variable and either run `apply` or `terminate` again. 
-For example: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation apply -``` - -Or alternatively, for `terminate`: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate -``` - -### Azure: Can't update attestation policy - -On Azure, you may receive the following error when running `apply` from within an Azure environment, e.g., an Azure VM: - -```shell-session -An error occurred: patching policies: updating attestation policy: unexpected status code: 403 Forbidden -``` - -The problem occurs because the Azure SDK we use internally attempts to [authenticate towards the Azure API with the managed identity of your current environment instead of the Azure CLI token](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential). - -We decided not to deviate from this behavior and comply with the ordering of credentials. - -A solution is to add the [required permissions](../getting-started/install.md#required-permissions) to the managed identity of your environment. For example, the managed identity of your Azure VM, instead of the account that you've authenticated with in the Azure CLI. - -If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior. - - - -### Nodes fail to join with error `untrusted measurement value` - -This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice). -This may for example happen if the cloud provider updates the VM's firmware such that it influences the [runtime measurements](../architecture/attestation.md#runtime-measurements) in an unforeseen way. -A failed upgrade due to an erroneous attestation config can also cause this error. -You can change the expected measurements to resolve the failure. 
- -:::caution - -Attestation and trusted measurements are crucial for the security of your cluster. -Be extra careful when manually changing these settings. -When in doubt, check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -:::tip - -During an upgrade with modified attestation config, a backup of the current configuration is stored in the `join-config` config map in the `kube-system` namespace under the `attestationConfig_backup` key. To restore the old attestation config after a failed upgrade, replace the value of `attestationConfig` with the value from `attestationConfig_backup`: - -```bash -kubectl patch configmaps -n kube-system join-config -p "{\"data\":{\"attestationConfig\":\"$(kubectl get configmaps -n kube-system join-config -o "jsonpath={.data.attestationConfig_backup}")\"}}" -``` - -::: - -You can use the `apply` command to change measurements of a running cluster: - -1. Modify the `measurements` key in your local `constellation-conf.yaml` to the expected values. -2. Run `constellation apply`. - -Keep in mind that running `apply` also applies any version changes from your config to the cluster. - -You can run these commands to learn about the versions currently configured in the cluster: - -- Kubernetes API server version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.kubernetesClusterVersion` -- image version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.imageVersion` -- microservices versions: `helm list --filter 'constellation-services' -n kube-system` - -### Upgrading Kubernetes resources fails - -Constellation manages its Kubernetes resources using Helm. 
-When applying an upgrade, the charts that are about to be installed, and a values override file `overrides.yaml`, -are saved to disk in your current workspace under `constellation-upgrade/upgrade-/helm-charts/`. -If upgrading the charts using the Constellation CLI fails, you can review these charts and try to manually apply the upgrade. - -:::caution - -Changing and manually applying the charts may destroy cluster resources and can lead to broken Constellation deployments. -Proceed with caution and when in doubt, -check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -## Diagnosing issues - -### Logs - -To get started on diagnosing issues with Constellation, it's often helpful to collect logs from nodes, pods, or other resources in the cluster. Most logs are available through Kubernetes' standard -[logging interfaces](https://kubernetes.io/docs/concepts/cluster-administration/logging/). - -To debug issues occurring at boot time of the nodes, you can use the serial console interface of the CSP while the machine boots to get a read-only view of the boot logs. - -Apart from that, Constellation also offers further [observability integrations](../architecture/observability.md). - -### Node shell access - -Debugging via a shell on a node is [directly supported by Kubernetes](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#node-shell-session). - -1. Figure out which node to connect to: - - ```bash - kubectl get nodes - # or to see more information, such as IPs: - kubectl get nodes -o wide - ``` - -2. Connect to the node: - - ```bash - kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox - ``` - - You will be presented with a prompt. - - The nodes file system is mounted at `/host`. - -3. 
Once finished, clean up the debug pod: - - ```bash - kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj - ```
diff --git a/docs/versioned_docs/version-2.21/workflows/trusted-launch.md b/docs/versioned_docs/version-2.21/workflows/trusted-launch.md
deleted file mode 100644
index d6d01d8eb..000000000
--- a/docs/versioned_docs/version-2.21/workflows/trusted-launch.md
+++ /dev/null
@@ -1,54 +0,0 @@ -# Use Azure trusted launch VMs - -Constellation also supports [trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch) on Microsoft Azure. Trusted launch VMs don't offer the same level of security as Confidential VMs, but are available in more regions and in larger quantities. The main difference between trusted launch VMs and normal VMs is that the former offer vTPM-based remote attestation. When used with trusted launch VMs, Constellation relies on vTPM-based remote attestation to verify nodes. - -:::caution - -Trusted launch VMs don't provide runtime encryption and don't keep the cloud service provider (CSP) out of your trusted computing base. - -::: - -Constellation supports trusted launch VMs with instance types `Standard_D*_v4` and `Standard_E*_v4`. Run `constellation config instance-types` for a list of all supported instance types. - -## VM images - -Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription. - -The latest image is available at `https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img`. Simply adjust the version number to download a newer version. - -After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image. -You can use a script to do this: - -```bash -wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh -chmod +x importAzure.sh -AZURE_IMAGE_VERSION=2.2.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./constellation.img ./importAzure.sh -``` - -The script creates the following resources: - -1. A new image gallery with the default name `constellation-import` -2. A new image definition with the default name `constellation` -3. 
The actual image with the provided version. In this case `2.2.0` - -Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`. - -Fetch the image measurements: - -```bash -IMAGE_VERSION=2.2.0 -URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//communitygalleries/constellationcvm-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/$IMAGE_VERSION/measurements.yaml -constellation config fetch-measurements -u$URL -s$URL.sig -``` - -:::info - -The [`constellation apply`](create.md) command will issue a warning because manually imported images aren't recognized as production grade images: - -```shell-session -Configured image doesn't look like a released production image. Double check image before deploying to production. -``` - -Please ignore this warning. - -:::
diff --git a/docs/versioned_docs/version-2.21/workflows/upgrade.md b/docs/versioned_docs/version-2.21/workflows/upgrade.md
deleted file mode 100644
index 3db2ecad6..000000000
--- a/docs/versioned_docs/version-2.21/workflows/upgrade.md
+++ /dev/null
@@ -1,110 +0,0 @@ -# Upgrade your cluster - -Constellation provides an easy way to upgrade all components of your cluster, without disrupting its availability. -Specifically, you can upgrade the Kubernetes version, the nodes' image, and the Constellation microservices. -You configure the desired versions in your local Constellation configuration and trigger upgrades with the `apply` command. -To learn about available versions you use the `upgrade check` command. -Which versions are available depends on the CLI version you are using. - -## Update the CLI - -Each CLI comes with a set of supported microservice and Kubernetes versions. -Most importantly, a given CLI version can only upgrade a cluster of the previous minor version, but not older ones. -This means that you have to upgrade your CLI and cluster one minor version at a time. - -For example, if you are currently on CLI version v2.6 and the latest version is v2.8, you should - -* upgrade the CLI to v2.7, -* upgrade the cluster to v2.7, -* and only then continue upgrading the CLI (and the cluster) to v2.8 after. - -Also note that if your current Kubernetes version isn't supported by the next CLI version, use your current CLI to upgrade to a newer Kubernetes version first. - -To learn which Kubernetes versions are supported by a particular CLI, run [constellation config kubernetes-versions](../reference/cli.md#constellation-config-kubernetes-versions). - -## Migrate the configuration - -The Constellation configuration file is located in the file `constellation-conf.yaml` in your workspace. -Refer to the [migration reference](../reference/migration.md) to check if you need to update fields in your configuration file. -Use [`constellation config migrate`](../reference/cli.md#constellation-config-migrate) to automatically update an old config file to a new format. 
- -## Check for upgrades - -To learn which versions the current CLI can upgrade to and what's installed in your cluster, run: - -```bash -# Show possible upgrades -constellation upgrade check - -# Show possible upgrades and write them to config file -constellation upgrade check --update-config -``` - -You can either enter the reported target versions into your config manually or run the above command with the `--update-config` flag. -When using this flag, the `kubernetesVersion`, `image`, `microserviceVersion`, and `attestation` fields are overwritten with the smallest available upgrade. - -## Apply the upgrade - -Once you updated your config with the desired versions, you can trigger the upgrade with this command: - -```bash -constellation apply -``` - -Microservice upgrades will be finished within a few minutes, depending on the cluster size. -If you are interested, you can monitor pods restarting in the `kube-system` namespace with your tool of choice. - -Image and Kubernetes upgrades take longer. -For each node in your cluster, a new node has to be created and joined. -The process usually takes up to ten minutes per node. - -When applying an upgrade, the Helm charts for the upgrade as well as backup files of Constellation-managed Custom Resource Definitions, Custom Resources, and Terraform state are created. -You can use the Terraform state backup to restore previous resources in case an upgrade misconfigured or erroneously deleted a resource. -You can use the Custom Resource (Definition) backup files to restore Custom Resources and Definitions manually (e.g., via `kubectl apply`) if the automatic migration of those resources fails. -You can use the Helm charts to manually apply upgrades to the Kubernetes resources, should an upgrade fail. - -:::note - -For advanced users: the upgrade consists of several phases that can be individually skipped through the `--skip-phases` flag. 
-The phases are `infrastracture` for the cloud resource management through Terraform, `helm` for the chart management of the microservices, `image` for OS image upgrades, and `k8s` for Kubernetes version upgrades. - -::: - -## Check the status - -Upgrades are asynchronous operations. -After you run `apply`, it will take a while until the upgrade has completed. -To understand if an upgrade is finished, you can run: - -```bash -constellation status -``` - -This command displays the following information: - -* The installed services and their versions -* The image and Kubernetes version the cluster is expecting on each node -* How many nodes are up to date - -Here's an example output: - -```shell-session -Target versions: - Image: v2.6.0 - Kubernetes: v1.25.8 -Service versions: - Cilium: v1.12.1 - cert-manager: v1.10.0 - constellation-operators: v2.6.0 - constellation-services: v2.6.0 -Cluster status: Some node versions are out of date - Image: 23/25 - Kubernetes: 25/25 -``` - -This output indicates that the cluster is running Kubernetes version `1.25.8`, and all nodes have the appropriate binaries installed. -23 out of 25 nodes have already upgraded to the targeted image version of `2.6.0`, while two are still in progress. - -## Apply further upgrades - -After the upgrade is finished, you can run `constellation upgrade check` again to see if there are more upgrades available. If so, repeat the process.
diff --git a/docs/versioned_docs/version-2.21/workflows/verify-cli.md b/docs/versioned_docs/version-2.21/workflows/verify-cli.md
deleted file mode 100644
index e33569d37..000000000
--- a/docs/versioned_docs/version-2.21/workflows/verify-cli.md
+++ /dev/null
@@ -1,129 +0,0 @@ -# Verify the CLI - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/cosign/signing/overview/), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at `https://rekor.sigstore.dev`. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). -::: - -The Rekor transparency log is a public append-only ledger that verifies and records signatures and associated metadata. The Rekor transparency log enables everyone to observe the sequence of (software) signatures issued by Edgeless Systems and many other parties. The transparency log allows for the public identification of dubious or malicious signatures. - -You should always ensure that (1) your CLI executable was signed with the private key corresponding to the above public key and that (2) there is a corresponding entry in the Rekor transparency log. Both can be done as described in the following. - -:::info -You don't need to verify the Constellation node images. This is done automatically by your CLI and the rest of Constellation. 
-::: - -## Verify the signature - -:::info -This guide assumes Linux on an amd64 processor. The exact steps for other platforms differ slightly. -::: - -First, [install the Cosign CLI](https://docs.sigstore.dev/cosign/system_config/installation/). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: - -```shell-session -$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -Verified OK -``` - -The above performs an offline verification of the provided public key, signature, and executable. To also verify that a corresponding entry exists in the public Rekor transparency log, add the variable `COSIGN_EXPERIMENTAL=1`: - -```shell-session -$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -tlog entry verified with uuid: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 index: 3477047 -Verified OK -``` - -🏁 You now know that your CLI executable was officially released and signed by Edgeless Systems. - -### Optional: Manually inspect the transparency log - -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) 
- -```shell-session -$ rekor-cli search --artifact constellation-linux-amd64 - -Found matching entries (listed by UUID): -362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -``` - -With this UUID you can get the full entry from the transparency log: - -```shell-session -$ rekor-cli get --uuid=362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 - -LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d -Index: 3477047 -IntegratedTime: 2022-09-12T22:28:16Z -UUID: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -Body: { - "HashedRekordObj": { - "data": { - "hash": { - "algorithm": "sha256", - "value": "40e137b9b9b8204d672642fd1e181c6d5ccb50cfc5cc7fcbb06a8c2c78f44aff" - } - }, - "signature": { - "content": "MEUCIQCSER3mGj+j5Pr2kOXTlCIHQC3gT30I7qkLr9Awt6eUUQIgcLUKRIlY50UN8JGwVeNgkBZyYD8HMxwC/LFRWoMn180=", - "publicKey": { - "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZjhGMWhwbXdFK1lDRlh6akd0YVFjckw2WFpWVApKbUVlNWlTTHZHMVN5UVNBZXc3V2RNS0Y2bzl0OGUyVEZ1Q2t6bE9oaGx3czJPSFdiaUZabkZXQ0Z3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" - } - } - } -} -``` - -The field `publicKey` should contain Edgeless Systems' public key in Base64 encoding. - -You can get an exhaustive list of artifact signatures issued by Edgeless Systems via the following command: - -```bash -rekor-cli search --public-key https://edgeless.systems/es.pub --pki-format x509 -``` - -Edgeless Systems monitors this list to detect potential unauthorized use of its private key. - -## Verify the provenance - -Provenance attests that a software artifact was produced by a specific repository and build system invocation. For more information on provenance visit [slsa.dev](https://slsa.dev/provenance/v0.2) and learn about the [adoption of SLSA for Constellation](../reference/slsa.md). 
- -Just as checking its signature proves that the CLI hasn't been manipulated, checking the provenance proves that the artifact was produced by the expected build process and hasn't been tampered with. - -To verify the provenance, first install the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Then make sure you have the provenance file (`constellation.intoto.jsonl`) and Constellation CLI downloaded. Both are available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). - -:::info -The same provenance file is valid for all Constellation CLI executables of a given version independent of the target platform. -::: - -Use the verifier to perform the check: - -```shell-session -$ slsa-verifier verify-artifact constellation-linux-amd64 \ - --provenance-path constellation.intoto.jsonl \ - --source-uri github.com/edgelesssys/constellation - -Verified signature against tlog entry index 7771317 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77af2c04c8b4ae0d5bc5... -Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2 at commit 18e9924b416323c37b9cdfd6cc728de8a947424a -PASSED: Verified SLSA provenance -``` diff --git a/docs/versioned_docs/version-2.21/workflows/verify-cluster.md b/docs/versioned_docs/version-2.21/workflows/verify-cluster.md deleted file mode 100644 index b6595ebf2..000000000 --- a/docs/versioned_docs/version-2.21/workflows/verify-cluster.md +++ /dev/null 
@@ -1,97 +0,0 @@ -# Verify your cluster - -Constellation's [attestation feature](../architecture/attestation.md) allows you, or a third party, to verify the integrity and confidentiality of your Constellation cluster. - -## Fetch measurements - -To verify the integrity of Constellation you need trusted measurements to verify against. For each node image released by Edgeless Systems, there are signed measurements, which you can download using the CLI: - -```bash -constellation config fetch-measurements -``` - -This command performs the following steps: - -1. Download the signed measurements for the configured image. By default, this will use Edgeless Systems' public measurement registry. -2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub). -3. Write measurements into configuration file. - -The configuration file then contains a list of `measurements` similar to the following: - -```yaml -# ... -measurements: - 0: - expected: "0f35c214608d93c7a6e68ae7359b4a8be5a0e99eea9107ece427c4dea4e439cf" - warnOnly: false - 4: - expected: "02c7a67c01ec70ffaf23d73a12f749ab150a8ac6dc529bda2fe1096a98bf42ea" - warnOnly: false - 5: - expected: "e6949026b72e5045706cd1318889b3874480f7a3f7c5c590912391a2d15e6975" - warnOnly: true - 8: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 9: - expected: "f0a6e8601b00e2fdc57195686cd4ef45eb43a556ac1209b8e25d993213d68384" - warnOnly: false - 11: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 12: - expected: "da99eb6cf7c7fbb692067c87fd5ca0b7117dc293578e4fea41f95d3d3d6af5e2" - warnOnly: false - 13: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 14: - expected: "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" - warnOnly: true - 15: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - 
warnOnly: false -# ... -``` - -Each entry specifies the expected value of the Constellation node, and whether the measurement should be enforced (`warnOnly: false`), or only a warning should be logged (`warnOnly: true`). -By default, the subset of the [available measurements](../architecture/attestation.md#runtime-measurements) that can be locally reproduced and verified is enforced. - -During attestation, the validating side (CLI or [join service](../architecture/microservices.md#joinservice)) compares each measurement reported by the issuing side (first node or joining node) individually. -For mismatching measurements that have set `warnOnly` to `true` only a warning is emitted. -For mismatching measurements that have set `warnOnly` to `false` an error is emitted and attestation fails. -If attestation fails for a new node, it isn't permitted to join the cluster. - -## The *verify* command - -:::note -The steps below are purely optional. They're automatically executed by `constellation apply` when you initialize your cluster. The `constellation verify` command mostly has an illustrative purpose. -::: - -The `verify` command obtains and verifies an attestation statement from a running Constellation cluster. - -```bash -constellation verify [--cluster-id ...] -``` - -From the attestation statement, the command verifies the following properties: - -* The cluster is using the correct Confidential VM (CVM) type. -* Inside the CVMs, the correct node images are running. The node images are identified through the measurements obtained in the previous step. -* The unique ID of the cluster matches the one from your `constellation-state.yaml` file or passed in via `--cluster-id`. - -Once the above properties are verified, you know that you are talking to the right Constellation cluster and it's in a good and trustworthy shape. - -### Custom arguments - -The `verify` command also allows you to verify any Constellation deployment that you have network access to. 
For this you need the following: - -* The IP address of a running Constellation cluster's [VerificationService](../architecture/microservices.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`. -* The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details. -* A `constellation-conf.yaml` file with the expected measurements of the cluster in your working directory. - -For example: - -```shell-session -constellation verify -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ= -``` diff --git a/docs/versioned_docs/version-2.22/_media/SLSA-Badge-full-level3.svg b/docs/versioned_docs/version-2.22/_media/SLSA-Badge-full-level3.svg deleted file mode 100644 index 7154d4a13..000000000 --- a/docs/versioned_docs/version-2.22/_media/SLSA-Badge-full-level3.svg +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_bw.png b/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_bw.png deleted file mode 100644 index a82ebe2d0..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_bw.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_iops.png b/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_iops.png deleted file mode 100644 index 1723257a8..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_iops.png and /dev/null differ 
diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_bw.png b/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_bw.png deleted file mode 100644 index 4f0ecc94b..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_bw.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_iops.png b/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_iops.png deleted file mode 100644 index 571086da2..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_iops.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_azure.png b/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_azure.png deleted file mode 100644 index 9130349c7..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_azure.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_gcp.png b/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_gcp.png deleted file mode 100644 index a41557e96..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_gcp.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_azure.png b/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_azure.png deleted file mode 100644 index d83e17f5a..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_azure.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_gcp.png b/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_gcp.png deleted file mode 100644 index 55916a1de..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_gcp.png and /dev/null differ 
diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/max_latency.png b/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/max_latency.png deleted file mode 100644 index 696250181..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/max_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/mean_latency.png b/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/mean_latency.png deleted file mode 100644 index 3b43298ac..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/mean_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/min_latency.png b/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/min_latency.png deleted file mode 100644 index 1046df67e..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/min_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/p99_latency.png b/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/p99_latency.png deleted file mode 100644 index 0190118b2..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/p99_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/concept-constellation.svg b/docs/versioned_docs/version-2.22/_media/concept-constellation.svg deleted file mode 100644 index 30d32bf6d..000000000 --- a/docs/versioned_docs/version-2.22/_media/concept-constellation.svg +++ /dev/null @@ -1,460 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.22/_media/concept-managed.svg b/docs/versioned_docs/version-2.22/_media/concept-managed.svg deleted file mode 100644 index 5645a608f..000000000 --- a/docs/versioned_docs/version-2.22/_media/concept-managed.svg +++ /dev/null @@ -1,591 +0,0 @@ - - 
diff --git a/docs/versioned_docs/version-2.22/_media/constellation_oneline.svg b/docs/versioned_docs/version-2.22/_media/constellation_oneline.svg deleted file mode 100644 index 4e354958a..000000000 --- a/docs/versioned_docs/version-2.22/_media/constellation_oneline.svg +++ /dev/null @@ -1,52 +0,0 @@ - - - - - - - - diff --git a/docs/versioned_docs/version-2.22/_media/example-emojivoto.jpg b/docs/versioned_docs/version-2.22/_media/example-emojivoto.jpg deleted file mode 100644 index 4be0d5b26..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/example-emojivoto.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/example-online-boutique.jpg b/docs/versioned_docs/version-2.22/_media/example-online-boutique.jpg deleted file mode 100644 index 026f0d865..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/example-online-boutique.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/recovery-gcp-serial-console-link.png b/docs/versioned_docs/version-2.22/_media/recovery-gcp-serial-console-link.png deleted file mode 100644 index eb67f0e99..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/recovery-gcp-serial-console-link.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/tcb.svg b/docs/versioned_docs/version-2.22/_media/tcb.svg deleted file mode 100644 index e5bcb5b95..000000000 --- a/docs/versioned_docs/version-2.22/_media/tcb.svg +++ /dev/null @@ -1,535 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.22/architecture/attestation.md b/docs/versioned_docs/version-2.22/architecture/attestation.md deleted file mode 100644 index 9bd157460..000000000 --- a/docs/versioned_docs/version-2.22/architecture/attestation.md +++ /dev/null 
@@ -1,409 +0,0 @@ -# Attestation - -This page explains Constellation's attestation process and highlights the cornerstones of its trust model. - -## Terms - -The following lists terms and concepts that help to understand the attestation concept of Constellation. - -### Trusted Platform Module (TPM) - -A TPM chip is a dedicated tamper-resistant crypto-processor. -It can securely store artifacts such as passwords, certificates, encryption keys, or *runtime measurements* (more on this below). -When a TPM is implemented in software, it's typically called a *virtual* TPM (vTPM). - -### Runtime measurement - -A runtime measurement is a cryptographic hash of the memory pages of a so called *runtime component*. Runtime components of interest typically include a system's bootloader or OS kernel. - -### Platform Configuration Register (PCR) - -A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. -To store a new value in a PCR, the existing value is extended with a new value as follows: - -``` -PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend ) -``` - -The PCRs are typically used to store runtime measurements. -The new value of a PCR is always an extension of the existing value. -Thus, storing the measurements of multiple components into the same PCR irreversibly links them together. - -### Measured boot - -Measured boot builds on the concept of chained runtime measurements. -Each component in the boot chain loads and measures the next component into the PCR before executing it. -By comparing the resulting PCR values against trusted reference values, the integrity of the entire boot chain and thereby the running system can be ensured. - -### Remote attestation (RA) - -Remote attestation is the process of verifying certain properties of an application or platform, such as integrity and confidentiality, from a remote location. 
-In the case of a measured boot, the goal is to obtain a signed attestation statement on the PCR values of the boot measurements. -The statement can then be verified and compared to a set of trusted reference values. -This way, the integrity of the platform can be ensured before sharing secrets with it. - -### Confidential virtual machine (CVM) - -Confidential computing (CC) is the protection of data in-use with hardware-based trusted execution environments (TEEs). -With CVMs, TEEs encapsulate entire virtual machines and isolate them against the hypervisor, other VMs, and direct memory access. -After loading the initial VM image into encrypted memory, the hypervisor calls for a secure processor to measure these initial memory pages. -The secure processor locks these pages and generates an attestation report on the initial page measurements. -CVM memory pages are encrypted with a key that resides inside the secure processor, which makes sure only the guest VM can access them. -The attestation report is signed by the secure processor and can be verified using remote attestation via the certificate authority of the hardware vendor. -Such an attestation statement guarantees the confidentiality and integrity of a CVM. - -### Attested TLS (aTLS) - -In a CC environment, attested TLS (aTLS) can be used to establish secure connections between two parties using the remote attestation features of the CC components. - -aTLS modifies the TLS handshake by embedding an attestation statement into the TLS certificate. -Instead of relying on a certificate authority, aTLS uses this attestation statement to establish trust in the certificate. - -The protocol can be used by clients to verify a server certificate, by a server to verify a client certificate, or for mutual verification (mutual aTLS). - -## Overview - -The challenge for Constellation is to lift a CVM's attestation statement to the Kubernetes software layer and make it end-to-end verifiable. 
-From there, Constellation needs to expand the attestation from a single CVM to the entire cluster. - -The [*JoinService*](microservices.md#joinservice) and [*VerificationService*](microservices.md#verificationservice) are where all runs together. -Internally, the *JoinService* uses remote attestation to securely join CVM nodes to the cluster. -Externally, the *VerificationService* provides an attestation statement for the cluster's CVMs and configuration. - -The following explains the details of both steps. - -## Node attestation - -The idea is that Constellation nodes should have verifiable integrity from the CVM hardware measurement up to the Kubernetes software layer. -The solution is a verifiable boot chain and an integrity-protected runtime environment. - -Constellation uses measured boot within CVMs, measuring each component in the boot process before executing it. -Outside of CC, this is usually implemented via TPMs. -CVM technologies differ in how they implement runtime measurements, but the general concepts are similar to those of a TPM. -For simplicity, TPM terminology like *PCR* is used in the following. - -When a Constellation node image boots inside a CVM, measured boot is used for all stages and components of the boot chain. -This process goes up to the root filesystem. -The root filesystem is mounted read-only with integrity protection. -For the details on the image and boot stages see the [image architecture](../architecture/images.md) documentation. -Any changes to the image will inevitably also change the corresponding PCR values. -To create a node attestation statement, the Constellation image obtains a CVM attestation statement from the hardware. -This includes the runtime measurements and thereby binds the measured boot results to the CVM hardware measurement. - -In addition to the image measurements, Constellation extends a PCR during the [initialization phase](../workflows/create.md) that irrevocably marks the node as initialized. 
-The measurement is created using the [*clusterID*](../architecture/keys.md#cluster-identity), tying all future attestation statements to this ID. -Thereby, an attestation statement is unique for every cluster and a node can be identified unambiguously as being initialized. - -To verify an attestation, the hardware's signature and a statement are verified first to establish trust in the contained runtime measurements. -If successful, the measurements are verified against the trusted values of the particular Constellation release version. -Finally, the measurement of the *clusterID* can be compared by calculating it with the [master secret](keys.md#master-secret). - -### Runtime measurements - -Constellation uses runtime measurements to implement the measured boot approach. -As stated above, the underlying hardware technology and guest firmware differ in their implementations of runtime measurements. -The following gives a detailed description of the available measurements in the different cloud environments. - -The runtime measurements consist of two types of values: - -* **Measurements produced by the cloud infrastructure and firmware of the CVM**: -These are measurements of closed-source firmware and other values controlled by the cloud provider. -While not being reproducible for the user, some of them can be compared against previously observed values. -Others may change frequently and aren't suitable for verification. -The [signed image measurements](#chain-of-trust) include measurements that are known, previously observed values. - -* **Measurements produced by the Constellation bootloader and boot chain**: -The Constellation Bootloader takes over from the CVM firmware and [measures the rest of the boot chain](images.md). -The Constellation [Bootstrapper](microservices.md#bootstrapper) is the first user mode component that runs in a Constellation image. 
-It extends PCR registers with the [IDs](keys.md#cluster-identity) of the cluster marking a node as initialized. - -Constellation allows to specify in the config which measurements should be enforced during the attestation process. -Enforcing non-reproducible measurements controlled by the cloud provider means that changes in these values require manual updates to the cluster's config. -By default, Constellation only enforces measurements that are stable values produced by the infrastructure or by Constellation directly. - - - - -Constellation uses the [vTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) (NitroTPM) feature of the [AWS Nitro System](http://aws.amazon.com/ec2/nitro/) on AWS for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | AWS | No | -| 1 | Firmware | AWS | No | -| 2 | Firmware | AWS | No | -| 3 | Firmware | AWS | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | AWS, Constellation Bootloader | Yes | -| 5 | Firmware | AWS | No | -| 6 | Firmware | AWS | No | -| 7 | Secure Boot Policy | AWS, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm) feature of Azure CVMs for runtime measurements. -This vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [measured boot](https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation#measured-boot) verification that's based on the trusted launch feature of [Trusted Launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | Azure | No | -| 1 | Firmware | Azure | No | -| 2 | Firmware | Azure | No | -| 3 | Firmware | Azure | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | Azure, Constellation Bootloader | Yes | -| 5 | Reserved | Azure | No | -| 6 | VM Unique ID | Azure | No | -| 7 | Secure Boot State | Azure, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) feature of CVMs on GCP for runtime measurements. -Note that this vTPM doesn't run inside the hardware-protected CVM context, but is emulated by the hypervisor. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [launch attestation report](https://cloud.google.com/compute/confidential-vm/docs/monitoring#about_launch_attestation_report_events) that's based on the measured boot feature of [Shielded VMs](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#measured-boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. 
-The latter means that the value can be generated offline and compared to the one in the vTPM. - -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | CVM version and technology | GCP | No | -| 1 | Firmware | GCP | No | -| 2 | Firmware | GCP | No | -| 3 | Firmware | GCP | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | GCP, Constellation Bootloader | Yes | -| 5 | Disk GUID partition table | GCP | No | -| 6 | Disk GUID partition table | GCP | No | -| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses a hypervisor-based vTPM for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
-
-| PCR | Components | Measured by | Reproducible and verifiable |
-| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- |
-| 0 | Firmware | STACKIT | No |
-| 1 | Firmware | STACKIT | No |
-| 2 | Firmware | STACKIT | No |
-| 3 | Firmware | STACKIT | No |
-| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | STACKIT, Constellation Bootloader | Yes |
-| 5 | Firmware | STACKIT | No |
-| 6 | Firmware | STACKIT | No |
-| 7 | Secure Boot Policy | STACKIT, Constellation Bootloader | No |
-| 8 | - | - | - |
-| 9 | initramfs, Kernel command line | Linux Kernel | Yes |
-| 10 | User space | Linux IMA | No[^1] |
-| 11 | Unified Kernel Image components | Constellation Bootloader | Yes |
-| 12 | Reserved | (User space, Constellation Bootloader) | Yes |
-| 13 | Reserved | (Constellation Bootloader) | Yes |
-| 14 | Secure Boot State | Constellation Bootloader | No |
-| 15 | ClusterID | Constellation Bootstrapper | Yes |
-| 16–23 | Unused | - | - |
-
-
-
-
-### CVM verification
-
-To verify the integrity of the received attestation statement, a chain of trust from the CVM technology to the interface providing the statement has to be established.
-For verification of the CVM technology, Constellation may expose additional options in its config file.
-
-
-
-
-On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs.
-An SEV-SNP attestation report is used to establish trust in the VM.
-You may customize certain parameters for verification of the attestation statement using the Constellation config file.
-
-* TCB versions
-
- You can set the minimum version numbers of components in the SEV-SNP TCB.
- Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster.
- Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster.
-
-* AMD Root Key Certificate
-
- This certificate is the root of trust for verifying the SEV-SNP certificate chain.
-
-* AMD Signing Key Certificate
-
- This is the intermediate certificate for verifying the SEV-SNP report's signature.
- If it's not specified, the CLI fetches it from the AMD key distribution server.
-
-
-
-
-On Azure, AMD SEV-SNP is used to provide runtime encryption to the VMs.
-An SEV-SNP attestation report is used to establish trust in the vTPM running inside the VM.
-You may customize certain parameters for verification of the attestation statement using the Constellation config file.
-
-* TCB versions
-
- You can set the minimum version numbers of components in the SEV-SNP TCB.
- Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster.
- Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster.
-
-* AMD Root Key Certificate
-
- This certificate is the root of trust for verifying the SEV-SNP certificate chain.
-
-* Firmware Signer
-
- This config option allows you to specify how the firmware signer should be verified.
- More explicitly, it controls the verification of the `IDKeyDigest` value in the SEV-SNP attestation report.
- You can provide a list of accepted key digests and specify a policy on how this list is compared against the reported `IDKeyDigest`.
-
-
-
-
-On GCP, AMD SEV-SNP is used to provide runtime encryption to the VMs.
-An SEV-SNP attestation report is used to establish trust in the VM.
-You may customize certain parameters for verification of the attestation statement using the Constellation config file.
-
-* TCB versions
-
- You can set the minimum version numbers of components in the SEV-SNP TCB.
- Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster.
- Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster.
-
-* AMD Root Key Certificate
-
- This certificate is the root of trust for verifying the SEV-SNP certificate chain.
-
-* AMD Signing Key Certificate
-
- This is the intermediate certificate for verifying the SEV-SNP report's signature.
- If it's not specified, the CLI fetches it from the AMD key distribution server.
-
-
-
-
-On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs.
-The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements).
-There is no additional configuration available for STACKIT.
-
-
-
-
-## Cluster attestation
-
-Cluster-facing, Constellation's [*JoinService*](microservices.md#joinservice) verifies each node joining the cluster given the configured ground truth runtime measurements.
-User-facing, the [*VerificationService*](microservices.md#verificationservice) provides an interface to verify a node using remote attestation.
-By verifying the first node during the [initialization](microservices.md#bootstrapper) and configuring the ground truth measurements that are subsequently enforced by the *JoinService*, the whole cluster is verified in a transitive way.
-
-### Cluster-facing attestation
-
-The *JoinService* is provided with the runtime measurements of the whitelisted Constellation image version as the ground truth.
-During the initialization and the cluster bootstrapping, each node connects to the *JoinService* using [aTLS](#attested-tls-atls).
-During the handshake, the node transmits an attestation statement including its runtime measurements.
-The *JoinService* verifies that statement and compares the measurements against the ground truth.
-For details of the initialization process check the [microservice descriptions](microservices.md).
-
-After the initialization, every node updates its runtime measurements with the *clusterID* value, marking it irreversibly as initialized.
-When an initialized node tries to join another cluster, its measurements inevitably mismatch the measurements of an uninitialized node and it will be declined.
-
-### User-facing attestation
-
-The [*VerificationService*](microservices.md#verificationservice) provides an endpoint for obtaining its hardware-based remote attestation statement, which includes the runtime measurements.
-A user can [verify](../workflows/verify-cluster.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy.
-
-## Putting it all together
-
-This section puts the aforementioned concepts together and illustrate how trust into a Constellation cluster is established and maintained.
-
-### CLI and node images
-
-It all starts with the CLI executable. The CLI is signed by Edgeless Systems. To ensure non-repudiability for CLI releases, Edgeless Systems publishes corresponding signatures to the public ledger of the [sigstore project](https://www.sigstore.dev/). There's a [step-by-step guide](../workflows/verify-cli.md) on how to verify CLI signatures based on sigstore.
-
-The CLI contains the latest runtime measurements of the Constellation node image for all supported cloud platforms. In case a different version of the node image is to be used, the corresponding runtime measurements can be fetched using the CLI's [fetch-measurements command](../reference/cli.md#constellation-config-fetch-measurements). This command downloads the runtime measurements and the corresponding signature from cdn.confidential.cloud. See for example the following files corresponding to node image v2.16.3:
-
-* [Measurements](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json)
-* [Signature](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json.sig)
-
-The CLI contains the long-term public key of Edgeless Systems to verify the signature of downloaded runtime measurements.
-
-### Cluster creation
-
-When a cluster is [created](../workflows/create.md), the CLI automatically verifies the runtime measurements of the *first node* using remote attestation. Based on this, the CLI and the first node set up a temporary TLS connection. This [aTLS](#attested-tls-atls) connection is used for two things:
-
-1. The CLI sends the [master secret](../architecture/keys.md#master-secret) of the to-be-created cluster to the CLI. The master secret is generated by the first node.
-2. The first node sends a [kubeconfig file](https://www.redhat.com/sysadmin/kubeconfig) with Kubernetes credentials to the CLI.
-
-After this, the aTLS connection is closed and the first node bootstraps the Kubernetes cluster. All subsequent interactions between the CLI and the cluster go via the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/) server running inside the cluster. The CLI (and other tools like kubectl) use the credentials referenced by the kubeconfig file to authenticate themselves towards the Kubernetes API server and to establish a mTLS connection.
-
-The CLI connects to the Kubernetes API to write the runtime measurements for the applicable node image to etcd. The JoinService uses these runtime measurements to verify all nodes that join the cluster subsequently.
-
-### Chain of trust
-
-In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the cluster via the CLI. This is illustrated in the following diagram.
-
-```mermaid
-flowchart LR
- A[User]-- "verifies" -->B[CLI]
- B[CLI]-- "verifies" -->C([Runtime measurements])
- D[Edgeless Systems]-- "signs" -->B[CLI]
- D[Edgeless Systems]-- "signs" -->C([Runtime measurements])
- B[CLI]-- "verifies (remote attestation)" -->E[First node]
- E[First node]-- "verifies (remote attestation)" -->F[Other nodes]
- C([Runtime measurements]) -.-> E[First node]
- C([Runtime measurements]) -.-> F[Other nodes]
-```
-
-### Upgrades
-
-Whenever a cluster is [upgraded](../workflows/upgrade.md) to a new version of the node image, the CLI sends the corresponding runtime measurements via the Kubernetes API server. The new runtime measurements are stored in etcd within the cluster and replace any previous runtime measurements. The new runtime measurements are then used automatically by the JoinService for the verification of new nodes.
-
-## References
-
-[^1]: Linux IMA produces runtime measurements of user-space binaries.
-However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value.
-Instead, a policy engine must be used to verify the TPM event log against a policy.
diff --git a/docs/versioned_docs/version-2.22/architecture/encrypted-storage.md b/docs/versioned_docs/version-2.22/architecture/encrypted-storage.md
deleted file mode 100644
index f047fa4a9..000000000
--- a/docs/versioned_docs/version-2.22/architecture/encrypted-storage.md
+++ /dev/null
@@ -1,62 +0,0 @@
-# Encrypted persistent storage
-
-Confidential VMs provide runtime memory encryption to protect data in use.
-In the context of Kubernetes, this is sufficient for the confidentiality and integrity of stateless services.
-Consider a front-end web server, for example, that keeps all connection information cached in main memory.
-No sensitive data is ever written to an insecure medium.
-However, many real-world applications need some form of state or data-lake service that's connected to a persistent storage device and requires encryption at rest.
-As described in [Use persistent storage](../workflows/storage.md), cloud service providers (CSPs) use the container storage interface (CSI) to make their storage solutions available to Kubernetes workloads.
-These CSI storage solutions often support some sort of encryption.
-For example, Google Cloud [encrypts data at rest by default](https://cloud.google.com/security/encryption/default-encryption), without any action required by the customer.
-
-## Cloud provider-managed encryption
-
-CSP-managed storage solutions encrypt the data in the cloud backend before writing it physically to disk.
-In the context of confidential computing and Constellation, the CSP and its managed services aren't trusted.
-Hence, cloud provider-managed encryption protects your data from offline hardware access to physical storage devices.
-It doesn't protect it from anyone with infrastructure-level access to the storage backend or a malicious insider in the cloud platform.
-Even with "bring your own key" or similar concepts, the CSP performs the encryption process with access to the keys and plaintext data.
-
-In the security model of Constellation, securing persistent storage and thereby data at rest requires that all cryptographic operations are performed inside a trusted execution environment.
-Consequently, using CSP-managed encryption of persistent storage usually isn't an option.
-
-## Constellation-managed encryption
-
-Constellation provides CSI drivers for storage solutions in all major clouds with built-in encryption support.
-Block storage provisioned by the CSP is [mapped](https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html) using the [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html), and optionally the [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html), kernel modules, before it's formatted and accessed by the Kubernetes workloads.
-All cryptographic operations happen inside the trusted environment of the confidential Constellation node.
-
-Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.
-
-By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](microservices.md#keyservice).
-The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret).
-This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator.
-
-Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs.
-
-Refer to [keys and cryptography](keys.md) for more details on key management in Constellation.
-
-Once deployed and configured, the CSI driver ensures transparent encryption and integrity of all persistent volumes provisioned via its storage class.
-Data at rest is secured without any additional actions required by the developer.
-
-## Cryptographic algorithms
-
-This section gives an overview of the libraries, cryptographic algorithms, and their configurations, used in Constellation's CSI drivers.
-
-### dm-crypt
-
-To interact with the dm-crypt kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/).
-New devices are formatted as [LUKS2](https://gitlab.com/cryptsetup/LUKS2-docs/-/tree/master) partitions with a sector size of 4096 bytes.
-The used key derivation function is [Argon2id](https://datatracker.ietf.org/doc/html/rfc9106) with the [recommended parameters for memory-constrained environments](https://datatracker.ietf.org/doc/html/rfc9106#section-7.4) of 3 iterations and 64 MiB of memory, utilizing 4 parallel threads.
-For encryption Constellation uses AES in XTS-Plain64. The key size is 512 bit.
-
-### dm-integrity
-
-To interact with the dm-integrity kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/).
-When enabled, the used data integrity algorithm is [HMAC](https://datatracker.ietf.org/doc/html/rfc2104) with SHA256 as the hash function.
-The tag size is 32 Bytes.
-
-## Encrypted S3 object storage
-
-Constellation comes with a service that you can use to transparently retrofit client-side encryption to existing applications that use S3 (AWS or compatible) for storage.
-To learn more, check out the [s3proxy documentation](../workflows/s3proxy.md).
diff --git a/docs/versioned_docs/version-2.22/architecture/images.md b/docs/versioned_docs/version-2.22/architecture/images.md
deleted file mode 100644
index 8a9c51d36..000000000
--- a/docs/versioned_docs/version-2.22/architecture/images.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# Constellation images
-
-Constellation uses a minimal version of Fedora as the operating system running inside confidential VMs. This Linux distribution is optimized for containers and designed to be stateless.
-The Constellation images provide measured boot and an immutable filesystem.
-
-## Measured boot
-
-```mermaid
-flowchart LR
- Firmware --> Bootloader
- Bootloader --> uki
- subgraph uki[Unified Kernel Image]
- Kernel[Kernel]
- initramfs[Initramfs]
- cmdline[Kernel Command Line]
- end
- uki --> rootfs[Root Filesystem]
-```
-
-Measured boot uses a Trusted Platform Module (TPM) to measure every part of the boot process. This allows for verification of the integrity of a running system at any point in time. To ensure correct measurements of every stage, each stage is responsible to measure the next stage before transitioning.
-
-### Firmware
-
-With confidential VMs, the firmware is the root of trust and is measured automatically at boot. After initialization, the firmware will load and measure the bootloader before executing it.
-
-### Bootloader
-
-The bootloader is the first modifiable part of the boot chain. The bootloader is tasked with loading the kernel, initramfs and setting the kernel command line. The Constellation bootloader measures these components before starting the kernel.
-
-### initramfs
-
-The initramfs is a small filesystem loaded to prepare the actual root filesystem. The Constellation initramfs maps the block device containing the root filesystem with [dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html). The initramfs then mounts the root filesystem from the mapped block device.
-
-dm-verity provides integrity checking using a cryptographic hash tree. When a block is read, its integrity is checked by verifying the tree against a trusted root hash. The initramfs reads this root hash from the previously measured kernel command line. Thus, if any block of the root filesystem's device is modified on disk, trying to read the modified block will result in a kernel panic at runtime.
-
-After mounting the root filesystem, the initramfs will switch over and start the `init` process of the integrity-protected root filesystem.
-
-## State disk
-
-In addition to the read-only root filesystem, each Constellation node has a disk for storing state data.
-This disk is mounted readable and writable by the initramfs and contains data that should persist across reboots.
-Such data can contain sensitive information and, therefore, must be stored securely.
-To that end, the state disk is protected by authenticated encryption.
-See the section on [keys and encryption](keys.md#storage-encryption) for more information on the cryptographic primitives in use.
-
-## Kubernetes components
-
-During initialization, the [*Bootstrapper*](microservices.md#bootstrapper) downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) as configured by the user.
-They're stored on the state partition and can be updated once new releases need to be installed.
diff --git a/docs/versioned_docs/version-2.22/architecture/keys.md b/docs/versioned_docs/version-2.22/architecture/keys.md
deleted file mode 100644
index 49821cd0b..000000000
--- a/docs/versioned_docs/version-2.22/architecture/keys.md
+++ /dev/null
@@ -1,130 +0,0 @@
-# Key management and cryptographic primitives
-
-Constellation protects and isolates your cluster and workloads.
-To that end, cryptography is the foundation that ensures the confidentiality and integrity of all components.
-Evaluating the security and compliance of Constellation requires a precise understanding of the cryptographic primitives and keys used.
-The following gives an overview of the architecture and explains the technical details.
-
-## Confidential VMs
-
-Confidential VM (CVM) technology comes with hardware and software components for memory encryption, isolation, and remote attestation.
-For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories.
-
-## Master secret
-
-The master secret is the cryptographic material used for deriving the [*clusterID*](#cluster-identity) and the *key encryption key (KEK)* for [storage encryption](#storage-encryption).
-It's generated during the bootstrapping of a Constellation cluster.
-It can either be managed by [Constellation](#constellation-managed-key-management) or an [external key management system](#user-managed-key-management).
-In case of [recovery](#recovery-and-migration), the master secret allows to decrypt the state and recover a Constellation cluster.
-
-## Cluster identity
-
-The identity of a Constellation cluster is represented by cryptographic [measurements](attestation.md#runtime-measurements):
-
-The **base measurements** represent the identity of a valid, uninitialized Constellation node.
-They depend on the node image, but are otherwise the same for every Constellation cluster.
-On node boot, they're determined using the CVM's attestation mechanism and [measured boot up to the read-only root filesystem](images.md).
-
-The **clusterID** represents the identity of a single initialized Constellation cluster.
-It's derived from the master secret and a cryptographically random salt and unique for every Constellation cluster.
-The [Bootstrapper](microservices.md#bootstrapper) measures the *clusterID* into its own PCR before executing any code not measured as part of the *base measurements*.
-See [Node attestation](attestation.md#node-attestation) for details.
-
-The remote attestation statement of a Constellation cluster combines the *base measurements* and the *clusterID* for a verifiable, unspoofable, unique identity.
-
-## Network encryption
-
-Constellation encrypts all cluster network communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-See [network encryption](networking.md) for more details.
-
-The Cilium agent running on each node establishes a secure [WireGuard](https://www.wireguard.com/) tunnel between it and all other known nodes in the cluster.
-Each node creates its own [Curve25519](http://cr.yp.to/ecdh.html) encryption key pair and distributes its public key via Kubernetes.
-A node uses another node's public key to decrypt and encrypt traffic from and to Cilium-managed endpoints running on that node.
-Connections are always encrypted peer-to-peer using [ChaCha20](http://cr.yp.to/chacha.html) with [Poly1305](http://cr.yp.to/mac.html).
-WireGuard implements [forward secrecy with key rotation every 2 minutes](https://lists.zx2c4.com/pipermail/wireguard/2017-December/002141.html).
-
-## Storage encryption
-
-Constellation supports transparent encryption of persistent storage.
-The Linux kernel's device mapper-based encryption features are used to encrypt the data on the block storage level.
-Currently, the following primitives are used for block storage encryption:
-
-* [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html)
-* [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html)
-
-Adding primitives for integrity protection in the CVM attacker model are under active development and will be available in a future version of Constellation.
-See [encrypted storage](encrypted-storage.md) for more details.
-
-As a cluster administrator, when creating a cluster, you can use the Constellation [installation program](orchestration.md) to select one of the following methods for key management:
-
-* Constellation-managed key management
-* User-managed key management
-
-### Constellation-managed key management
-
-#### Key material and key derivation
-
-During the creation of a Constellation cluster, the cluster's master secret is used to derive a KEK.
-This means creating two clusters with the same master secret will yield the same KEK.
-Any data encryption key (DEK) is derived from the KEK via HKDF.
-Note that the master secret is recommended to be unique for every cluster and shouldn't be reused (except in case of [recovering](../workflows/recovery.md) a cluster).
-
-#### State and storage
-
-The KEK is derived from the master secret during the initialization.
-Subsequently, all other key material is derived from the KEK.
-Given the same KEK, any DEK can be derived deterministically from a given identifier.
-Hence, there is no need to store DEKs. They can be derived on demand.
-After the KEK was derived, it's stored in memory only and never leaves the CVM context.
-
-#### Availability
-
-Constellation-managed key management has the same availability as the underlying Kubernetes cluster.
-Therefore, the KEK is stored in the [distributed Kubernetes etcd storage](https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/) to allow for unexpected but non-fatal (control-plane) node failure.
-The etcd storage is backed by the encrypted and integrity protected [state disk](images.md#state-disk) of the nodes.
-
-#### Recovery
-
-Constellation clusters can be recovered in the event of a disaster, even when all node machines have been stopped and need to be rebooted.
-For details on the process see the [recovery workflow](../workflows/recovery.md).
-
-### User-managed key management
-
-User-managed key management is under active development and will be available soon.
-In scenarios where constellation-managed key management isn't an option, this mode allows you to keep full control of your keys.
-For example, compliance requirements may force you to keep your KEKs in an on-prem key management system (KMS).
-
-During the creation of a Constellation cluster, you specify a KEK present in a remote KMS.
-This follows the common scheme of "bring your own key" (BYOK).
-Constellation will support several KMSs for managing the storage and access of your KEK.
-Initially, it will support the following KMSs:
-
-* [AWS KMS](https://aws.amazon.com/kms/)
-* [GCP KMS](https://cloud.google.com/security-key-management)
-* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
-* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
-
-Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
-In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
-Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
-
-KMIP support allows you to use your KMIP-compatible on-prem KMS and keep full control over your keys.
-This follows the common scheme of "hold your own key" (HYOK).
-
-The KEK is used to encrypt per-data "data encryption keys" (DEKs).
-DEKs are generated to encrypt your data before storing it on persistent storage.
-After being encrypted by the KEK, the DEKs are stored on dedicated cloud storage for persistence.
-Currently, Constellation supports the following cloud storage options:
-
-* [AWS S3](https://aws.amazon.com/s3/)
-* [GCP Cloud Storage](https://cloud.google.com/storage)
-* [Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/blobs/#overview)
-
-The DEKs are only present in plaintext form in the encrypted main memory of the CVMs.
-Similarly, the cryptographic operations for encrypting data before writing it to persistent storage are performed in the context of the CVMs.
-
-#### Recovery and migration
-
-In the case of a disaster, the KEK can be used to decrypt the DEKs locally and subsequently use them to decrypt and retrieve the data.
-In case of migration, configuring the same KEK will provide seamless migration of data.
-Thus, only the DEK storage needs to be transferred to the new cluster alongside the encrypted data for seamless migration.
diff --git a/docs/versioned_docs/version-2.22/architecture/microservices.md b/docs/versioned_docs/version-2.22/architecture/microservices.md
deleted file mode 100644
index 90bae783b..000000000
--- a/docs/versioned_docs/version-2.22/architecture/microservices.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# Microservices
-
-Constellation takes care of bootstrapping and initializing a Confidential Kubernetes cluster.
-During the lifetime of the cluster, it handles day 2 operations such as key management, remote attestation, and updates.
-These features are provided by several microservices:
-
-* The [Bootstrapper](microservices.md#bootstrapper) initializes a Constellation node and bootstraps the cluster
-* The [JoinService](microservices.md#joinservice) joins new nodes to an existing cluster
-* The [VerificationService](microservices.md#verificationservice) provides remote attestation functionality
-* The [KeyService](microservices.md#keyservice) manages Constellation-internal keys
-
-The relations between microservices are shown in the following diagram:
-
-```mermaid
-flowchart LR
- subgraph admin [Admin's machine]
- A[Constellation CLI]
- end
- subgraph img [Constellation OS image]
- B[Constellation OS]
- C[Bootstrapper]
- end
- subgraph Kubernetes
- D[JoinService]
- E[KeyService]
- F[VerificationService]
- end
- A -- deploys -->
- B -- starts --> C
- C -- deploys --> D
- C -- deploys --> E
- C -- deploys --> F
-```
-
-## Bootstrapper
-
-The *Bootstrapper* is the first microservice launched after booting a Constellation node image.
-It sets up that machine as a Kubernetes node and integrates that node into the Kubernetes cluster.
-To this end, the *Bootstrapper* first downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) at the configured versions.
-The *Bootstrapper* tries to find an existing cluster and if successful, communicates with the [JoinService](microservices.md#joinservice) to join the node.
-Otherwise, it waits for an initialization request to create a new Kubernetes cluster.
-
-## JoinService
-
-The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node.
-New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls).
-The *JoinService* verifies the new node's certificate and attestation statement.
-If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](microservices.md#keyservice) for its state disk, and a Kubernetes bootstrap token.
-
-
-```mermaid
-sequenceDiagram
- participant New node
- participant JoinService
- New node->>JoinService: aTLS handshake (server side verification)
- JoinService-->>New node: #
- New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
- JoinService->>+KeyService: GetDataKey(DiskUUID)
- KeyService-->>-JoinService: DiskEncryptionKey
- JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ...
-```
-
-## VerificationService
-
-The *VerificationService* runs as DaemonSet on each node.
-It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation).
-Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side.
-
-## KeyService
-
-The *KeyService* runs as DaemonSet on each control-plane node.
-It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes.
-Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively.
diff --git a/docs/versioned_docs/version-2.22/architecture/networking.md b/docs/versioned_docs/version-2.22/architecture/networking.md
deleted file mode 100644
index e9cbdf029..000000000
--- a/docs/versioned_docs/version-2.22/architecture/networking.md
+++ /dev/null
@@ -1,22 +0,0 @@ -# Network encryption - -Constellation encrypts all pod communication using the [container network interface (CNI)](https://github.com/containernetworking/cni). -To that end, Constellation deploys, configures, and operates the [Cilium](https://cilium.io/) CNI plugin. -Cilium provides [transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption) for all cluster traffic using either IPSec or [WireGuard](https://www.wireguard.com/). -Currently, Constellation only supports WireGuard as the encryption engine. -You can read more about the cryptographic soundness of WireGuard [in their white paper](https://www.wireguard.com/papers/wireguard.pdf). - -Cilium is actively working on implementing a feature called [`host-to-host`](https://github.com/cilium/cilium/pull/19401) encryption mode for WireGuard. -With `host-to-host`, all traffic between nodes will be tunneled via WireGuard (host-to-host, host-to-pod, pod-to-host, pod-to-pod). -Until the `host-to-host` feature is released, Constellation enables `pod-to-pod` encryption. -This mode encrypts all traffic between Kubernetes pods using WireGuard tunnels. - -When using Cilium in the default setup but with encryption enabled, there is a [known issue](https://docs.cilium.io/en/v1.12/gettingstarted/encryption/#egress-traffic-to-not-yet-discovered-remote-endpoints-may-be-unencrypted) -that can cause pod-to-pod traffic to be unencrypted. -To mitigate this issue, Constellation adds a *strict* mode to Cilium's `pod-to-pod` encryption. -This mode changes the default behavior of traffic that's destined for an unknown endpoint to not be send out in plaintext, but instead being dropped. -The strict mode distinguishes between traffic that's send to a pod from traffic that's destined for a cluster-external endpoint by considering the pod's CIDR range. - -Traffic originating from hosts isn't encrypted yet. -This mainly includes health checks from Kubernetes API server. 
-Also, traffic proxied over the API server via e.g. `kubectl port-forward` isn't encrypted.
diff --git a/docs/versioned_docs/version-2.22/architecture/observability.md b/docs/versioned_docs/version-2.22/architecture/observability.md
deleted file mode 100644
index 0f4daffd4..000000000
--- a/docs/versioned_docs/version-2.22/architecture/observability.md
+++ /dev/null
@@ -1,74 +0,0 @@ -# Observability - -In Kubernetes, observability is the ability to gain insight into the behavior and performance of applications. -It helps identify and resolve issues more effectively, ensuring stability and performance of Kubernetes workloads, reducing downtime and outages, and improving efficiency. -The "three pillars of observability" are logs, metrics, and traces. - -In the context of Confidential Computing, observability is a delicate subject and needs to be applied such that it doesn't leak any sensitive information. -The following gives an overview of where and how you can apply standard observability tools in Constellation. - -## Cloud resource monitoring - -While inaccessible, Constellation's nodes are still visible as black box VMs to the hypervisor. -Resource consumption, such as memory and CPU utilization, can be monitored from the outside and observed via the cloud platforms directly. -Similarly, other resources, such as storage and network and their respective metrics, are visible via the cloud platform. - -## Metrics - -Metrics are numeric representations of data measured over intervals of time. They're essential for understanding system health and gaining insights using telemetry signals. - -By default, Constellation exposes the [metrics for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/) inside the cluster. -Similarly, the [etcd metrics](https://etcd.io/docs/v3.5/metrics/) endpoints are exposed inside the cluster. -These [metrics endpoints can be disabled](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/#disabling-metrics). - -You can collect these cluster-internal metrics via tools such as [Prometheus](https://prometheus.io/) or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/). - -Constellation's CNI Cilium also supports [metrics via Prometheus endpoints](https://docs.cilium.io/en/latest/observability/metrics/). 
-However, in Constellation, they're disabled by default and must be enabled first. - -## Logs - -Logs represent discrete events that usually describe what's happening with your service. -The payload is an actual message emitted from your system along with a metadata section containing a timestamp, labels, and tracking identifiers. - -### System logs - -Detailed system-level logs are accessible via `/var/log` and [journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) on the nodes directly. -They can be collected from there, for example, via [Filebeat and Logstash](https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html), which are tools of the [Elastic Stack](https://www.elastic.co/de/elastic-stack/). - -In case of an error during the initialization, the CLI automatically collects the [Bootstrapper](./microservices.md#bootstrapper) logs and returns these as a file for [troubleshooting](../workflows/troubleshooting.md). Here is an example of such an event: - -```shell-session -Cluster initialization failed. This error is not recoverable. -Terminate your cluster and try again. -Fetched bootstrapper logs are stored in "constellation-cluster.log" -``` - -### Kubernetes logs - -Constellation supports the [Kubernetes logging architecture](https://kubernetes.io/docs/concepts/cluster-administration/logging/). -By default, logs are written to the nodes' encrypted state disks. -These include the Pod and container logs and the [system component logs](https://kubernetes.io/docs/concepts/cluster-administration/logging/#system-component-logs). - -[Constellation services](microservices.md) run as Pods inside the `kube-system` namespace and use the standard container logging mechanism. -The same applies for the [Cilium Pods](https://docs.cilium.io/en/latest/operations/troubleshooting/#logs). 
- -You can collect logs from within the cluster via tools such as [Fluentd](https://github.com/fluent/fluentd), [Loki](https://github.com/grafana/loki), or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/). - -## Traces - -Modern systems are implemented as interconnected complex and distributed microservices. Understanding request flows and system communications is challenging, mainly because all systems in a chain need to be modified to propagate tracing information. Distributed tracing is a new approach to increasing observability and understanding performance bottlenecks. A trace represents consecutive events that reflect an end-to-end request path in a distributed system. - -Constellation supports [traces for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-traces/). -By default, they're disabled and need to be enabled first. - -Similarly, Cilium can be enabled to [export traces](https://cilium.io/use-cases/metrics-export/). - -You can collect these traces via tools such as [Jaeger](https://www.jaegertracing.io/) or [Zipkin](https://zipkin.io/). - -## Integrations - -Platforms and SaaS solutions such as Datadog, logz.io, Dynatrace, or New Relic facilitate the observability challenge for Kubernetes and provide all-in-one SaaS solutions. -They install agents into the cluster that collect metrics, logs, and tracing information and upload them into the data lake of the platform. -Technically, the agent-based approach is compatible with Constellation, and attaching these platforms is straightforward. -However, you need to evaluate if the exported data might violate Constellation's compliance and privacy guarantees by uploading them to a third-party platform.
diff --git a/docs/versioned_docs/version-2.22/architecture/orchestration.md b/docs/versioned_docs/version-2.22/architecture/orchestration.md
deleted file mode 100644
index 3c8d529e7..000000000
--- a/docs/versioned_docs/version-2.22/architecture/orchestration.md
+++ /dev/null
@@ -1,83 +0,0 @@ -# Orchestrating Constellation clusters - -You can use the CLI to create a cluster on the supported cloud platforms. -The CLI provisions the resources in your cloud environment and initiates the initialization of your cluster. -It uses a set of parameters and an optional configuration file to manage your cluster installation. -The CLI is also used for updating your cluster. - -## Workspaces - -Each Constellation cluster has an associated *workspace*. -The workspace is where data such as the Constellation state and config files are stored. -Each workspace is associated with a single cluster and configuration. -The CLI stores state in the local filesystem making the current directory the active workspace. -Multiple clusters require multiple workspaces, hence, multiple directories. -Note that every operation on a cluster always has to be performed from the directory associated with its workspace. - -You may copy files from the workspace to other locations, -but you shouldn't move or delete them while the cluster is still being used. -The Constellation CLI takes care of managing the workspace. -Only when a cluster was terminated, and you are sure the files aren't needed anymore, should you remove a workspace. - -## Cluster creation process - -To allow for fine-grained configuration of your cluster and cloud environment, Constellation supports an extensive configuration file with strong defaults. [Generating the configuration file](../workflows/config.md) is typically the first thing you do in the workspace. - -Altogether, the following files are generated during the creation of a Constellation cluster and stored in the current workspace: - -* a configuration file -* a state file -* a Base64-encoded master secret -* [Terraform artifacts](../reference/terraform.md), stored in subdirectories -* a Kubernetes `kubeconfig` file. - -After the initialization of your cluster, the CLI will provide you with a Kubernetes `kubeconfig` file. 
-This file grants you access to your Kubernetes cluster and configures the [kubectl](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) tool. -In addition, the cluster's [identifier](orchestration.md#post-installation-configuration) is returned and stored in the state file. - -### Creation process details - -1. The CLI `apply` command first creates the confidential VM (CVM) resources in your cloud environment and configures the network -2. Each CVM boots the Constellation node image and measures every component in the boot chain -3. The first microservice launched in each node is the [*Bootstrapper*](microservices.md#bootstrapper) -4. The *Bootstrapper* waits until it either receives an initialization request or discovers an initialized cluster -5. The CLI then connects to the *Bootstrapper* of a selected node, sends the configuration, and initiates the initialization of the cluster -6. The *Bootstrapper* of **that** node [initializes the Kubernetes cluster](microservices.md#bootstrapper) and deploys the other Constellation [microservices](microservices.md) including the [*JoinService*](microservices.md#joinservice) -7. Subsequently, the *Bootstrappers* of the other nodes discover the initialized cluster and send join requests to the *JoinService* -8. As part of the join request each node includes an attestation statement of its boot measurements as authentication -9. The *JoinService* verifies the attestation statements and joins the nodes to the Kubernetes cluster -10. This process is repeated for every node joining the cluster later (e.g., through autoscaling) - -## Post-installation configuration - -Post-installation the CLI provides a configuration for [accessing the cluster using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/). -The `kubeconfig` file provides the credentials and configuration for connecting and authenticating to the API server. 
-Once configured, orchestrate the Kubernetes cluster via `kubectl`. - -After the initialization, the CLI will present you with a couple of tokens: - -* The [*master secret*](keys.md#master-secret) (stored in the `constellation-mastersecret.json` file by default) -* The [*clusterID*](keys.md#cluster-identity) of your cluster in Base64 encoding - -You can read more about these values and their meaning in the guide on [cluster identity](keys.md#cluster-identity). - -The *master secret* must be kept secret and can be used to [recover your cluster](../workflows/recovery.md). -Instead of managing this secret manually, you can [use your key management solution of choice](keys.md#user-managed-key-management) with Constellation. - -The *clusterID* uniquely identifies a cluster and can be used to [verify your cluster](../workflows/verify-cluster.md). - -## Upgrades - -Constellation images and microservices may need to be upgraded to new versions during the lifetime of a cluster. -Constellation implements a rolling update mechanism ensuring no downtime of the control or data plane. -You can upgrade a Constellation cluster with a single operation by using the CLI. -For step-by-step instructions on how to do this, refer to [Upgrade your cluster](../workflows/upgrade.md). - -### Attestation of upgrades - -With every new image, corresponding measurements are released. -During an update procedure, the CLI provides new measurements to the [JoinService](microservices.md#joinservice) securely. -New measurements for an updated image are automatically pulled and verified by the CLI following the [supply chain security concept](attestation.md#chain-of-trust) of Constellation. -The [attestation section](attestation.md#cluster-facing-attestation) describes in detail how these measurements are then used by the JoinService for the attestation of nodes. - - 
diff --git a/docs/versioned_docs/version-2.22/architecture/overview.md b/docs/versioned_docs/version-2.22/architecture/overview.md
deleted file mode 100644
index 386f93b2f..000000000
--- a/docs/versioned_docs/version-2.22/architecture/overview.md
+++ /dev/null
@@ -1,30 +0,0 @@ -# Overview - -Constellation is a cloud-based confidential orchestration platform. -The foundation of Constellation is Kubernetes and therefore shares the same technology stack and architecture principles. -To learn more about Constellation and Kubernetes, see [product overview](../overview/product.md). - -## About orchestration and updates - -As a cluster administrator, you can use the [Constellation CLI](orchestration.md) to install and deploy a cluster. -Updates are provided in accordance with the [support policy](versions.md). - -## About microservices and attestation - -Constellation manages the nodes and network in your cluster. All nodes are bootstrapped by the [*Bootstrapper*](microservices.md#bootstrapper). They're verified and authenticated by the [*JoinService*](microservices.md#joinservice) before being added to the cluster and the network. Finally, the entire cluster can be verified via the [*VerificationService*](microservices.md#verificationservice) using [remote attestation](attestation.md). - -## About node images and verified boot - -Constellation comes with operating system images for Kubernetes control-plane and worker nodes. -They're highly optimized for running containerized workloads and specifically prepared for running inside confidential VMs. -You can learn more about [the images](images.md) and how verified boot ensures their integrity during boot and beyond. - -## About key management and cryptographic primitives - -Encryption of data at-rest, in-transit, and in-use is the fundamental building block for confidential computing and Constellation. Learn more about the [keys and cryptographic primitives](keys.md) used in Constellation, [encrypted persistent storage](encrypted-storage.md), and [network encryption](networking.md). - -## About observability - -Observability in Kubernetes refers to the capability to troubleshoot issues using telemetry signals such as logs, metrics, and traces. 
-In the realm of Confidential Computing, it's crucial that observability aligns with confidentiality, necessitating careful implementation. -Learn more about the [observability capabilities in Constellation](./observability.md).
diff --git a/docs/versioned_docs/version-2.22/architecture/versions.md b/docs/versioned_docs/version-2.22/architecture/versions.md
deleted file mode 100644
index 6f06c011b..000000000
--- a/docs/versioned_docs/version-2.22/architecture/versions.md
+++ /dev/null
@@ -1,21 +0,0 @@
-# Versions and support policy - -All components of Constellation use a three-digit version number of the form `v..`. -The components are released in lock step, usually on the first Tuesday of every month. This release primarily introduces new features, but may also include security or performance improvements. The `MINOR` version will be incremented as part of this release. - -Additional `PATCH` releases may be created on demand, to fix security issues or bugs before the next `MINOR` release window. - -New releases are published on [GitHub](https://github.com/edgelesssys/constellation/releases). - -## Kubernetes support policy - -Constellation is aligned to the [version support policy of Kubernetes](https://kubernetes.io/releases/version-skew-policy/#supported-versions), and therefore usually supports the most recent three minor versions. -When a new minor version of Kubernetes is released, support is added to the next Constellation release, and that version then supports four Kubernetes versions. -Subsequent Constellation releases drop support for the oldest (and deprecated) Kubernetes version. - -The following Kubernetes versions are currently supported: - - -* v1.29.15 -* v1.30.11 -* v1.31.7
diff --git a/docs/versioned_docs/version-2.22/getting-started/examples.md b/docs/versioned_docs/version-2.22/getting-started/examples.md
deleted file mode 100644
index fded84980..000000000
--- a/docs/versioned_docs/version-2.22/getting-started/examples.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# Examples - -After you [installed the CLI](install.md) and [created your first cluster](first-steps.md), you're ready to deploy applications. Why not start with one of the following examples? -* [Emojivoto](examples/emojivoto.md): a simple but fun web application -* [Online Boutique](examples/online-boutique.md): an e-commerce demo application by Google consisting of 11 separate microservices -* [Horizontal Pod Autoscaling](examples/horizontal-scaling.md): an example demonstrating Constellation's autoscaling capabilities
diff --git a/docs/versioned_docs/version-2.22/getting-started/examples/emojivoto.md b/docs/versioned_docs/version-2.22/getting-started/examples/emojivoto.md
deleted file mode 100644
index 2bbe27917..000000000
--- a/docs/versioned_docs/version-2.22/getting-started/examples/emojivoto.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Emojivoto -[Emojivoto](https://github.com/BuoyantIO/emojivoto) is a simple and fun application that's well suited to test the basic functionality of your cluster. - - - -emojivoto - Web UI - - - -1. Deploy the application: - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` -2. Wait until it becomes available: - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - ``` -3. Forward the web service to your machine: - ```bash - kubectl -n emojivoto port-forward svc/web-svc 8080:80 - ``` -4. Visit [http://localhost:8080](http://localhost:8080)
diff --git a/docs/versioned_docs/version-2.22/getting-started/examples/filestash-s3proxy.md b/docs/versioned_docs/version-2.22/getting-started/examples/filestash-s3proxy.md
deleted file mode 100644
index b9a394256..000000000
--- a/docs/versioned_docs/version-2.22/getting-started/examples/filestash-s3proxy.md
+++ /dev/null
@@ -1,107 +0,0 @@ - -# Deploying Filestash - -Filestash is a web frontend for different storage backends, including S3. -It's a useful application to showcase s3proxy in action. - -1. Deploy s3proxy as described in [Deployment](../../workflows/s3proxy.md#deployment). -2. Create a deployment file for Filestash with one pod: - -```sh -cat << EOF > "deployment-filestash.yaml" -apiVersion: apps/v1 -kind: Deployment -metadata: - name: filestash -spec: - replicas: 1 - selector: - matchLabels: - app: filestash - template: - metadata: - labels: - app: filestash - spec: - hostAliases: - - ip: $(kubectl get svc s3proxy-service -o=jsonpath='{.spec.clusterIP}') - hostnames: - - "s3.us-east-1.amazonaws.com" - - "s3.us-east-2.amazonaws.com" - - "s3.us-west-1.amazonaws.com" - - "s3.us-west-2.amazonaws.com" - - "s3.eu-north-1.amazonaws.com" - - "s3.eu-south-1.amazonaws.com" - - "s3.eu-south-2.amazonaws.com" - - "s3.eu-west-1.amazonaws.com" - - "s3.eu-west-2.amazonaws.com" - - "s3.eu-west-3.amazonaws.com" - - "s3.eu-central-1.amazonaws.com" - - "s3.eu-central-2.amazonaws.com" - - "s3.ap-northeast-1.amazonaws.com" - - "s3.ap-northeast-2.amazonaws.com" - - "s3.ap-northeast-3.amazonaws.com" - - "s3.ap-east-1.amazonaws.com" - - "s3.ap-southeast-1.amazonaws.com" - - "s3.ap-southeast-2.amazonaws.com" - - "s3.ap-southeast-3.amazonaws.com" - - "s3.ap-southeast-4.amazonaws.com" - - "s3.ap-south-1.amazonaws.com" - - "s3.ap-south-2.amazonaws.com" - - "s3.me-south-1.amazonaws.com" - - "s3.me-central-1.amazonaws.com" - - "s3.il-central-1.amazonaws.com" - - "s3.af-south-1.amazonaws.com" - - "s3.ca-central-1.amazonaws.com" - - "s3.sa-east-1.amazonaws.com" - containers: - - name: filestash - image: machines/filestash:latest - ports: - - containerPort: 8334 - volumeMounts: - - name: ca-cert - mountPath: /etc/ssl/certs/kube-ca.crt - subPath: kube-ca.crt - volumes: - - name: ca-cert - secret: - secretName: s3proxy-tls - items: - - key: ca.crt - path: kube-ca.crt -EOF -``` - -The pod spec includes the 
`hostAliases` key, which adds an entry to the pod's `/etc/hosts`. -The entry forwards all requests for any of the currently defined AWS regions to the Kubernetes service `s3proxy-service`. -If you followed the s3proxy [Deployment](../../workflows/s3proxy.md#deployment) guide, this service points to a s3proxy pod. - -The deployment specifies all regions explicitly to prevent accidental data leaks. -If one of your buckets were located in a region that's not part of the `hostAliases` key, traffic towards those buckets would not be redirected to s3proxy. -Similarly, if you want to exclude data for specific regions from going through s3proxy you can remove those regions from the deployment. - -The spec also includes a volume mount for the TLS certificate and adds it to the pod's certificate trust store. -The volume is called `ca-cert`. -The key `ca.crt` of that volume is mounted to `/etc/ssl/certs/kube-ca.crt`, which is the default certificate trust store location for that container's OpenSSL library. -Not adding the CA certificate will result in TLS authentication errors. - -3. Apply the file: `kubectl apply -f deployment-filestash.yaml` - -Afterward, you can use a port forward to access the Filestash pod: -`kubectl port-forward pod/$(kubectl get pod --selector='app=filestash' -o=jsonpath='{.items[*].metadata.name}') 8334:8334` - -4. After browsing to `localhost:8443`, Filestash will ask you to set an administrator password. -After setting it, you can directly leave the admin area by clicking the blue cloud symbol in the top left corner. -Subsequently, you can select S3 as storage backend and enter your credentials. -This will bring you to an overview of your buckets. -If you want to deploy Filestash in production, take a look at its [documentation](https://www.filestash.app/docs/). - -5. 
To see the logs of s3proxy intercepting requests made to S3, run: `kubectl logs -f pod/$(kubectl get pod --selector='app=s3proxy' -o=jsonpath='{.items[*].metadata.name}')` -Look out for log messages labeled `intercepting`. -There is one such log message for each message that's encrypted, decrypted, or blocked. - -6. Once you have uploaded a file with Filestash, you should be able to view the file in Filestash. -However, if you go to the AWS S3 [Web UI](https://s3.console.aws.amazon.com/s3/home) and download the file you just uploaded in Filestash, you won't be able to read it. -Another way to spot encrypted files without downloading them is to click on a file, scroll to the Metadata section, and look for the header named `x-amz-meta-constellation-encryption`. -This header holds the encrypted data encryption key of the object and is only present on objects that are encrypted by s3proxy.
diff --git a/docs/versioned_docs/version-2.22/getting-started/examples/horizontal-scaling.md b/docs/versioned_docs/version-2.22/getting-started/examples/horizontal-scaling.md
deleted file mode 100644
index dfaf9e742..000000000
--- a/docs/versioned_docs/version-2.22/getting-started/examples/horizontal-scaling.md
+++ /dev/null
@@ -1,98 +0,0 @@ -# Horizontal Pod Autoscaling -This example demonstrates Constellation's autoscaling capabilities. It's based on the Kubernetes [HorizontalPodAutoscaler Walkthrough](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/). During the following steps, Constellation will spawn new VMs on demand, verify them, add them to the cluster, and delete them again when the load has settled down. - -## Requirements -The cluster needs to be initialized with Kubernetes 1.23 or later. In addition, [autoscaling must be enabled](../../workflows/scale.md) to enable Constellation to assign new nodes dynamically. - -Just for this example specifically, the cluster should have as few worker nodes in the beginning as possible. Start with a small cluster with only *one* low-powered node for the control-plane node and *one* low-powered worker node. - -:::info -We tested the example using instances of types `Standard_DC4as_v5` on Azure and `n2d-standard-4` on GCP. -::: - -## Setup - -1. Install the Kubernetes Metrics Server: - ```bash - kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - ``` - -2. Deploy the HPA example server that's supposed to be scaled under load. - - This manifest is similar to the one from the Kubernetes HPA walkthrough, but with increased CPU limits and requests to facilitate the triggering of node scaling events. - ```bash - cat < - -Online Boutique - Web UI - - - -1. Create a namespace: - ```bash - kubectl create ns boutique - ``` -2. Deploy the application: - ```bash - kubectl apply -n boutique -f https://github.com/GoogleCloudPlatform/microservices-demo/raw/main/release/kubernetes-manifests.yaml - ``` -3. Wait for all services to become available: - ```bash - kubectl wait --for=condition=available --timeout=300s -n boutique --all deployments - ``` -4. 
Get the frontend's external IP address: - ```shell-session - $ kubectl get service frontend-external -n boutique | awk '{print $4}' - EXTERNAL-IP - - ``` - (`` is a placeholder for the IP assigned by your CSP.) -5. Enter the IP from the result in your browser to browse the online shop.
diff --git a/docs/versioned_docs/version-2.22/getting-started/first-steps-local.md b/docs/versioned_docs/version-2.22/getting-started/first-steps-local.md
deleted file mode 100644
index 98f0302de..000000000
--- a/docs/versioned_docs/version-2.22/getting-started/first-steps-local.md
+++ /dev/null
@@ -1,277 +0,0 @@ -# First steps with a local cluster - -A local cluster lets you deploy and test Constellation without a cloud subscription. -You have two options: - -* Use MiniConstellation to automatically deploy a two-node cluster. -* For more fine-grained control, create the cluster using the QEMU provider. - -Both options use virtualization to create a local cluster with control-plane nodes and worker nodes. They **don't** require hardware with Confidential VM (CVM) support. For attestation, they currently use a software-based vTPM provided by KVM/QEMU. - -You need an x64 machine with a Linux OS. -You can use a VM, but it needs nested virtualization. - -## Prerequisites - -* Machine requirements: - * An x86-64 CPU with at least 4 cores (6 cores are recommended) - * At least 4 GB RAM (6 GB are recommended) - * 20 GB of free disk space - * Hardware virtualization enabled in the BIOS/UEFI (often referred to as Intel VT-x or AMD-V/SVM) / nested-virtualization support when using a VM -* Software requirements: - * Linux OS with [KVM kernel module](https://www.linux-kvm.org/page/Main_Page) - * Recommended: Ubuntu 22.04 LTS - * [Docker](https://docs.docker.com/engine/install/) - * [xsltproc](https://gitlab.gnome.org/GNOME/libxslt/-/wikis/home) - * (Optional) [virsh](https://www.libvirt.org/manpages/virsh.html) to observe and access your nodes - -### Software installation on Ubuntu - -```bash -# install Docker -curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null -sudo apt update -sudo apt install docker-ce -# install other dependencies -sudo apt install xsltproc -sudo snap install kubectl --classic -# install Constellation CLI -curl -LO 
https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -sudo install constellation-linux-amd64 /usr/local/bin/constellation -# do not drop forwarded packages -sudo iptables -P FORWARD ACCEPT -``` - -## Create a cluster - - - - - -With the `constellation mini` command, you can deploy and test Constellation locally. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/). - - -:::caution - -MiniConstellation has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since MiniConstellation runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -The following creates your MiniConstellation cluster (may take up to 10 minutes to complete): - -```bash -constellation mini up -``` - -This will configure your current directory as the [workspace](../architecture/orchestration.md#workspaces) for this cluster. -All `constellation` commands concerning this cluster need to be issued from this directory. - - - - -With the QEMU provider, you can create a local Constellation cluster as if it were in the cloud. The provider uses [QEMU](https://www.qemu.org/) to create multiple VMs for the cluster nodes, which interact with each other. - -:::caution - -Constellation on QEMU has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since Constellation on QEMU runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -1. 
To set up your local cluster, you need to create a configuration file for Constellation first. - - ```bash - constellation config generate qemu - ``` - - This creates a [configuration file](../workflows/config.md) for QEMU called `constellation-conf.yaml`. After that, your current folder also becomes your [workspace](../architecture/orchestration.md#workspaces). All `constellation` commands for your cluster need to be executed from this directory. - -2. Now you can create your cluster and its nodes. `constellation apply` uses the options set in `constellation-conf.yaml`. - - ```bash - constellation apply -y - ``` - - The Output should look like the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type 2-vCPUs will be created. - 1 worker node of type 2-vCPUs will be created. - Creating - Cloud infrastructure created successfully. - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your setup, `constellation apply` may take 10+ minutes to complete. - - ::: - -3. 
Configure kubectl - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - - - -## Connect to the cluster - -Your cluster initially consists of a single control-plane node: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 66s v1.24.6 -``` - -Additional nodes will request to join the cluster shortly. Before each additional node is allowed to join the cluster, its state is verified using remote attestation by the [JoinService](../architecture/microservices.md#joinservice). -If verification passes successfully, the new node receives keys and certificates to join the cluster. - -You can follow this process by viewing the logs of the JoinService: - -```shell-session -$ kubectl logs -n kube-system daemonsets/join-service -f -{"level":"INFO","ts":"2022-10-14T09:32:20Z","caller":"cmd/main.go:48","msg":"Constellation Node Join Service","version":"2.1.0","cloudProvider":"qemu"} -{"level":"INFO","ts":"2022-10-14T09:32:20Z","logger":"validator","caller":"watcher/validator.go:96","msg":"Updating expected measurements"} -... -``` - -Once all nodes have joined your cluster, it may take a couple of minutes for all resources to become available. -You can check on the state of your cluster by running the following: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 2m59s v1.24.6 -worker-0 Ready 32s v1.24.6 -``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation mini down -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -## Troubleshooting - -Make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### VMs have no internet access / CLI remains in "Initializing cluster" state - -`iptables` rules may prevent your VMs from accessing the internet. -Make sure your rules aren't dropping forwarded packages. 
- -List your rules: - -```bash -sudo iptables -S -``` - -The output may look similar to the following: - -```shell-session --P INPUT ACCEPT --P FORWARD DROP --P OUTPUT ACCEPT --N DOCKER --N DOCKER-ISOLATION-STAGE-1 --N DOCKER-ISOLATION-STAGE-2 --N DOCKER-USER -``` - -If your `FORWARD` chain is set to `DROP`, you need to update your rules: - -```bash -sudo iptables -P FORWARD ACCEPT -``` diff --git a/docs/versioned_docs/version-2.22/getting-started/first-steps.md b/docs/versioned_docs/version-2.22/getting-started/first-steps.md deleted file mode 100644 index fb8437a06..000000000 --- a/docs/versioned_docs/version-2.22/getting-started/first-steps.md +++ /dev/null 
@@ -1,235 +0,0 @@ -# First steps with Constellation - -The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully [installed and set up Constellation](install.md), -and have access to a cloud subscription. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -:::note -If you encounter any problem with the following steps, make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). -::: - -## Create a cluster - -1. Create the [configuration file](../workflows/config.md) and state file for your cloud provider. If you are following the steps of this guide, there is no need to edit the file. - - - - - ```bash - constellation config generate aws - ``` - - - - - ```bash - constellation config generate azure - ``` - - - - - ```bash - constellation config generate gcp - ``` - - - - - ```bash - constellation config generate stackit - ``` - - - - -2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration). - - - - - ```bash - constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config - ``` - - This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Depending on the attestation variant selected on config generation, different regions are available. 
- AMD SEV-SNP machines (requires the default attestation variant `awsSEVSNP`) are currently available in the following regions: - * `eu-west-1` - * `us-east-2` - - You can find a list of regions that support AMD SEV-SNP in [AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). - - NitroTPM machines (requires the attestation variant `awsNitroTPM`) are available in all regions. - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - - - - - ```bash - constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config - ``` - - This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - - - - - ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test --update-config - ``` - - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. - - - - - To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md). - After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`: - - * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud)) - - :::caution - - `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. - - ::: - - - - - :::tip - To learn about all options you have for managing IAM resources and Constellation configuration, see the [Configuration workflow](../workflows/config.md). - ::: - - - -3. Create the cluster. `constellation apply` uses options set in `constellation-conf.yaml`. 
- If you want to manually manage your cloud resources, for example by using [Terraform](../reference/terraform.md), follow the corresponding instructions in the [Create workflow](../workflows/create.md). - - :::tip - - On Azure, you may need to wait 15+ minutes at this point for role assignments to propagate. - - ::: - - ```bash - constellation apply -y - ``` - - This should look similar to the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type n2d-standard-4 will be created. - 1 worker node of type n2d-standard-4 will be created. - Creating - Cloud infrastructure created successfully - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your CSP and region, `constellation apply` may take 10+ minutes to complete. - - ::: - -4. Configure kubectl. - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - -Use the CLI to terminate your cluster. If you manually used [Terraform](../reference/terraform.md) to manage your cloud resources, follow the corresponding instructions in the [Terminate workflow](../workflows/terminate.md). - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -Optionally, you can also [delete your IAM resources](../workflows/config.md#deleting-an-iam-configuration). diff --git a/docs/versioned_docs/version-2.22/getting-started/install.md b/docs/versioned_docs/version-2.22/getting-started/install.md deleted file mode 100644 index f120b865a..000000000 --- a/docs/versioned_docs/version-2.22/getting-started/install.md +++ /dev/null 
@@ -1,442 +0,0 @@ -# Installation and setup - -Constellation runs entirely in your cloud environment and can be controlled via a dedicated [command-line interface (CLI)](../reference/cli.md) or a [Terraform provider](../workflows/terraform-provider.md). - -## Prerequisites - -Make sure the following requirements are met: - -* Your machine is running Linux, macOS, or Windows -* You have admin rights on your machine -* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT - -## Install the Constellation CLI - -:::tip - -If you prefer to use Terraform, you can alternatively use the [Terraform provider](../workflows/terraform-provider.md) to manage the cluster's lifecycle. - -::: - -The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases). -Install it with the following commands: - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-amd64 /usr/local/bin/constellation -``` - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-arm64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-arm64 /usr/local/bin/constellation -``` - - - - - -1. 
Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-amd64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -Invoke-WebRequest -OutFile ./constellation.exe -Uri 'https://github.com/edgelesssys/constellation/releases/latest/download/constellation-windows-amd64.exe' -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI under `C:\Program Files\Constellation\bin\constellation.exe` - -3. Add the CLI to your PATH: - - 1. Open `Advanced system settings` by searching for the App in the Windows search - 2. Go to the `Advanced` tab - 3. Click `Environment Variables…` - 4. Click variable called `Path` and click `Edit…` - 5. Click `New` - 6. Enter the path to the folder containing the binary you want on your PATH: `C:\Program Files\Constellation\bin` - - - - -:::tip -The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps. -::: - -## Set up cloud credentials - -Constellation makes authenticated calls to the CSP API. Therefore, you need to set up Constellation with the credentials for your CSP. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -### Required permissions - - - - -To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "iam:AddRoleToInstanceProfile", - "iam:AttachRolePolicy", - "iam:CreateInstanceProfile", - "iam:CreatePolicy", - "iam:CreateRole", - "iam:DeleteInstanceProfile", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DetachRolePolicy", - "iam:GetInstanceProfile", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfilesForRole", - "iam:ListPolicyVersions", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:RemoveRoleFromInstanceProfile", - "sts:GetCallerIdentity" - ], - "Resource": "*" - } - ] -} -``` - -The built-in `AdministratorAccess` policy is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf). - -The built-in `PowerUserAccess` policy is a superset of these permissions. - -Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). - - - - -The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription: - -* `Microsoft.Attestation` -* `Microsoft.Compute` -* `Microsoft.Insights` -* `Microsoft.ManagedIdentity` -* `Microsoft.Network` - -By default, Constellation tries to register these automatically if they haven't been registered before. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `*/register/action` \[1] -* `Microsoft.Authorization/roleAssignments/*` -* `Microsoft.Authorization/roleDefinitions/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Resources/subscriptions/resourcegroups/*` - -The built-in `Owner` role is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `Microsoft.Attestation/attestationProviders/*` -* `Microsoft.Compute/virtualMachineScaleSets/*` -* `Microsoft.Insights/components/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Network/loadBalancers/*` -* `Microsoft.Network/loadBalancers/backendAddressPools/*` -* `Microsoft.Network/networkSecurityGroups/*` -* `Microsoft.Network/publicIPAddresses/*` -* `Microsoft.Network/virtualNetworks/*` -* `Microsoft.Network/virtualNetworks/subnets/*` -* `Microsoft.Network/natGateways/*` - -The built-in `Contributor` role is a superset of these permissions. - -Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions) and [assigning roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments). - -1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration. - - - - -Create a new project for Constellation or use an existing one. -Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `iam.roles.create` -* `iam.roles.delete` -* `iam.roles.get` -* `iam.serviceAccountKeys.create` -* `iam.serviceAccountKeys.delete` -* `iam.serviceAccountKeys.get` -* `iam.serviceAccounts.create` -* `iam.serviceAccounts.delete` -* `iam.serviceAccounts.get` -* `resourcemanager.projects.getIamPolicy` -* `resourcemanager.projects.setIamPolicy` - -Together, the built-in roles `roles/editor` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `compute.addresses.createInternal` -* `compute.addresses.deleteInternal` -* `compute.addresses.get` -* `compute.addresses.useInternal` -* `compute.backendServices.create` -* `compute.backendServices.delete` -* `compute.backendServices.get` -* `compute.backendServices.use` -* `compute.disks.create` -* `compute.firewalls.create` -* `compute.firewalls.delete` -* `compute.firewalls.get` -* `compute.firewalls.update` -* `compute.globalAddresses.create` -* `compute.globalAddresses.delete` -* `compute.globalAddresses.get` -* `compute.globalAddresses.use` -* `compute.globalForwardingRules.create` -* `compute.globalForwardingRules.delete` -* `compute.globalForwardingRules.get` -* `compute.globalForwardingRules.setLabels` -* `compute.globalOperations.get` -* `compute.healthChecks.create` -* `compute.healthChecks.delete` -* `compute.healthChecks.get` -* `compute.healthChecks.useReadOnly` -* `compute.instanceGroupManagers.create` -* `compute.instanceGroupManagers.delete` -* `compute.instanceGroupManagers.get` -* `compute.instanceGroupManagers.update` -* `compute.instanceGroups.create` -* `compute.instanceGroups.delete` -* `compute.instanceGroups.get` -* `compute.instanceGroups.update` -* `compute.instanceGroups.use` -* `compute.instances.create` -* 
`compute.instances.setLabels` -* `compute.instances.setMetadata` -* `compute.instances.setTags` -* `compute.instanceTemplates.create` -* `compute.instanceTemplates.delete` -* `compute.instanceTemplates.get` -* `compute.instanceTemplates.useReadOnly` -* `compute.networks.create` -* `compute.networks.delete` -* `compute.networks.get` -* `compute.networks.updatePolicy` -* `compute.routers.create` -* `compute.routers.delete` -* `compute.routers.get` -* `compute.routers.update` -* `compute.subnetworks.create` -* `compute.subnetworks.delete` -* `compute.subnetworks.get` -* `compute.subnetworks.use` -* `compute.targetTcpProxies.create` -* `compute.targetTcpProxies.delete` -* `compute.targetTcpProxies.get` -* `compute.targetTcpProxies.use` -* `iam.serviceAccounts.actAs` - -Together, the built-in roles `roles/editor`, `roles/compute.instanceAdmin` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access). - - - - -Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account. -The UAT already has all required permissions by default. -The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers. -Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role. - - - - -### Authentication - -You need to authenticate with your CSP. The following lists the required steps for *testing* and *production* environments. - -:::note -The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps. -::: - - - - -**Testing** - -You can use the [AWS CloudShell](https://console.aws.amazon.com/cloudshell/home). 
Make sure you are [authorized to use it](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html). - -**Production** - -Use the latest version of the [AWS CLI](https://aws.amazon.com/cli/) on a trusted machine: - -```bash -aws configure -``` - -Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html). - - - - -**Testing** - -Simply open the [Azure Cloud Shell](https://docs.microsoft.com/en-us/azure/cloud-shell/overview). - -**Production** - -Use the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) on a trusted machine: - -```bash -az login -``` - -Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli). - - - - -**Testing** - -You can use the [Google Cloud Shell](https://cloud.google.com/shell). Make sure your [session is authorized](https://cloud.google.com/shell/docs/auth). For example, execute `gsutil` and accept the authorization prompt. - -**Production** - -Use one of the following options on a trusted machine: - -* Use the [`gcloud` CLI](https://cloud.google.com/sdk/gcloud) - - ```bash - gcloud auth application-default login - ``` - - This will ask you to log-in to your Google account and create your credentials. - The Constellation CLI will automatically load these credentials when needed. - -* Set up a service account and pass the credentials manually - - Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials. - - - - -You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API). - -1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API -2. 
Create a configuration file with the credentials from the User Access Token under: - * Linux: `~/.config/openstack/clouds.yaml` - * macOS: `/Users//Library/Application Support/openstack/clouds.yaml` or `/etc/openstack/clouds.yaml` - * Windows: `%AppData%\openstack\clouds.yaml` - - - ```yaml - clouds: - stackit: - auth: - auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3 - username: REPLACE_WITH_UAT_USERNAME - password: REPLACE_WITH_UAT_PASSWORD - project_id: REPLACE_WITH_OPENSTACK_PROJECT_ID - project_name: REPLACE_WITH_STACKIT_PROJECT_NAME - user_domain_name: portal_mvp - project_domain_name: portal_mvp - region_name: RegionOne - identity_api_version: 3 - ``` - -:::caution - -`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file. - -::: - -3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token -4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) -5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows) - - ```json - {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"} - ``` - - - - - -## Next steps - -You are now ready to [deploy your first confidential Kubernetes cluster and application](first-steps.md). diff --git a/docs/versioned_docs/version-2.22/getting-started/marketplaces.md b/docs/versioned_docs/version-2.22/getting-started/marketplaces.md deleted file mode 100644 index a6763a42a..000000000 --- a/docs/versioned_docs/version-2.22/getting-started/marketplaces.md +++ /dev/null 
@@ -1,56 +0,0 @@
-# Using Constellation via Cloud Marketplaces
-
-Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
-
-This document explains how to run Constellation with the dynamically billed cloud marketplace images.
-
-
-
-
-To use Constellation's marketplace images, ensure that you are subscribed to the [marketplace offering](https://aws.amazon.com/marketplace/pp/prodview-2mbn65nv57oys) through the web portal.
-
-Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
-
-```bash
-yq eval -i ".provider.aws.useMarketplaceImage = true" constellation-conf.yaml
-```
-
-
-
-
-Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) to gain access.
-
-To use a marketplace image, you need to accept the marketplace image's terms once for your subscription with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest):
-
-```bash
-az vm image terms accept --publisher edgelesssystems --offer constellation --plan constellation
-```
-
-Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
-
-```bash
-yq eval -i ".provider.azure.useMarketplaceImage = true" constellation-conf.yaml
-```
-
-
-
-
-To use a marketplace image, ensure that the account is entitled to use marketplace images by Edgeless Systems by accepting the terms through the [web portal](https://console.cloud.google.com/marketplace/vm/config/edgeless-systems-public/constellation).
-
-Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
-
-```bash
-yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml
-```
-
-
-
-
-On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal.
-
-
-
-
-Ensure that the cluster uses an official release image version (i.e., `.image=vX.Y.Z` in the `constellation-conf.yaml` file).
-
-From there, you can proceed with the [cluster creation](../workflows/create.md) as usual.
diff --git a/docs/versioned_docs/version-2.22/intro.md b/docs/versioned_docs/version-2.22/intro.md
deleted file mode 100644
index 0bfe86da9..000000000
--- a/docs/versioned_docs/version-2.22/intro.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-slug: /
-id: intro
----
-# Introduction
-
-Welcome to the documentation of Constellation! Constellation is a Kubernetes engine that aims to provide the best possible data security.
-
-![Constellation concept](/img/concept.svg)
-
- Constellation shields your entire Kubernetes cluster from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages a technology called *confidential computing* and more specifically Confidential VMs.
-
-:::tip
-See the 📄[whitepaper](https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf) for more information on confidential computing.
-:::
-
-## Goals
-
-From a security perspective, Constellation is designed to keep all data always encrypted and to prevent any access from the underlying (cloud) infrastructure. This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure. Such attackers could be malicious co-tenants escalating their privileges or hackers who managed to compromise a cloud server.
-
-From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern Kubernetes engine.
-
-## Use cases
-
-Constellation provides unique security [features](overview/confidential-kubernetes.md) and [benefits](overview/security-benefits.md). The core use cases are:
-
-* Increasing the overall security of your clusters
-* Increasing the trustworthiness of your SaaS offerings
-* Moving sensitive workloads from on-prem to the cloud
-* Meeting regulatory requirements
-
-## Next steps
-
-You can learn more about the concept of Confidential Kubernetes, features, security benefits, and performance of Constellation in the *Basics* section. To jump right into the action head to *Getting started*.
diff --git a/docs/versioned_docs/version-2.22/overview/clouds.md b/docs/versioned_docs/version-2.22/overview/clouds.md
deleted file mode 100644
index b2695d28e..000000000
--- a/docs/versioned_docs/version-2.22/overview/clouds.md
+++ /dev/null
@@ -1,66 +0,0 @@
-# Feature status of clouds
-
-What works on which cloud? Currently, Confidential VMs (CVMs) are available in varying quality on the different clouds and software stacks.
-
-For Constellation, the ideal environment provides the following:
-
-1. Ability to run arbitrary software and images inside CVMs
-2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or Intel TDX (available in Xeon CPUs since the Sapphire Rapids generation)
-3. Ability for CVM guests to obtain raw hardware attestation statements
-4. Reviewable, open-source firmware inside CVMs
-5. Capability of the firmware to attest the integrity of the code it passes control to, e.g., with an embedded virtual TPM (vTPM)
-
-(1) is a functional must-have. (2)--(5) are required for remote attestation that fully keeps the infrastructure/cloud out. Constellation can work without them or with approximations, but won't protect against certain privileged attackers anymore.
-
-The following table summarizes the state of features for different infrastructures.
-
-| **Feature** | **AWS** | **Azure** | **GCP** | **STACKIT** | **OpenStack (Yoga)** |
-|-----------------------------------|---------|-----------|---------|--------------|----------------------|
-| **1. Custom images** | Yes | Yes | Yes | Yes | Yes |
-| **2. SEV-SNP or TDX** | Yes | Yes | Yes | No | Depends on kernel/HV |
-| **3. Raw guest attestation** | Yes | Yes | Yes | No | Depends on kernel/HV |
-| **4. Reviewable firmware** | Yes | No* | No | No | Depends on kernel/HV |
-| **5. Confidential measured boot** | No | Yes | No | No | Depends on kernel/HV |
-
-## Amazon Web Services (AWS)
-
-Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/).
-Regarding (3), AWS provides direct access to attestation statements.
-However, regarding (5), attestation is partially based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by the Nitro hypervisor.
-Hence, the hypervisor is currently part of Constellation's TCB.
-Regarding (4), the [firmware is open source](https://github.com/aws/uefi) and can be reproducibly built.
-
-## Microsoft Azure
-
-With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation.
-Regarding (3), Azure provides direct access to attestation statements.
-The firmware runs in an isolated domain inside the CVM and exposes a vTPM (5), but it's closed source (4).
-On SEV-SNP, Azure uses VM Privilege Level (VMPL) isolation for the separation of firmware and the rest of the VM; on TDX, they use TD partitioning.
-This firmware is signed by Azure.
-The signature is reflected in the attestation statements of CVMs.
-Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
-
-\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future.
-
-## Google Cloud Platform (GCP)
-
-The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP.
-Regarding (3), with their SEV-SNP offering Google provides direct access to attestation statements.
-However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor.
-Hence, the hypervisor is currently part of Constellation's TCB.
-Regarding (4), the CVMs still include closed-source firmware.
-
-[TDX on Google](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense) is in public preview.
-With it, Constellation would have a similar TCB and attestation flow as with the current SEV-SNP offering.
-
-## STACKIT
-
-[STACKIT Compute Engine](https://www.stackit.de/en/product/stackit-compute-engine/) supports AMD SEV-ES. A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
-
-## OpenStack
-
-OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation.
-
-## Conclusion
-
-The different clouds and software like the Linux kernel and OpenStack are in the process of building out their support for state-of-the-art CVMs. Azure has already most features in place. For Constellation, the status quo means that the TCB has different shapes on different infrastructures. With broad SEV-SNP support coming to the Linux kernel, we soon expect a normalization of features across infrastructures.
diff --git a/docs/versioned_docs/version-2.22/overview/confidential-kubernetes.md b/docs/versioned_docs/version-2.22/overview/confidential-kubernetes.md
deleted file mode 100644
index bff8c3322..000000000
--- a/docs/versioned_docs/version-2.22/overview/confidential-kubernetes.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# Confidential Kubernetes
-
-We use the term *Confidential Kubernetes* to refer to the concept of using confidential-computing technology to shield entire Kubernetes clusters from the infrastructure. The three defining properties of this concept are:
-
-1. **Workload shielding**: the confidentiality and integrity of all workload-related data and code are enforced.
-2. **Control plane shielding**: the confidentiality and integrity of the cluster's control plane, state, and workload configuration are enforced.
-3. **Attestation and verifiability**: the two properties above can be verified remotely based on hardware-rooted cryptographic certificates.
-
-Each of the above properties is equally important. Only with all three in conjunction, an entire cluster can be shielded without gaps.
-
-## Constellation security features
-
-Constellation implements the Confidential Kubernetes concept with the following security features.
-
-* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster.
-* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.
-* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs.
-* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster.
-* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.)
-* **"Whole cluster" attestation**: Towards the DevOps engineer, Constellation provides a single hardware-rooted certificate from which all of the above can be verified.
-
-With the above, Constellation wraps an entire cluster into one coherent and verifiable *confidential context*. The concept is depicted in the following.
-
-![Confidential Kubernetes](../_media/concept-constellation.svg)
-
-## Comparison: Managed Kubernetes with CVMs
-
-In comparison, managed Kubernetes with CVMs, as it's for example offered in [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) and [GKE](https://cloud.google.com/kubernetes-engine), only provides runtime encryption for certain worker nodes. Here, each worker node is a separate (and typically unverified) confidential context. This only provides limited security benefits as it only prevents direct access to a worker node's memory. The large majority of potential attacks through the infrastructure remain unaffected. This includes attacks through the control plane, access to external key management, and the corruption of worker node images. This leaves many problems unsolved. For instance, *Node A* has no means to verify if *Node B* is "good" and if it's OK to share data with it. Consequently, this approach leaves a large attack surface, as is depicted in the following.
-
-![Concept: Managed Kubernetes plus CVMs](../_media/concept-managed.svg)
-
-The following table highlights the key differences in terms of features.
-
-| | Managed Kubernetes with CVMs | Confidential Kubernetes (Constellation✨) |
-|-------------------------------------|------------------------------|--------------------------------------------|
-| Runtime encryption | Partial (data plane only)| **Yes** |
-| Node image verification | No | **Yes** |
-| Full cluster attestation | No | **Yes** |
-| Transparent network encryption | No | **Yes** |
-| Transparent storage encryption | No | **Yes** |
-| Confidential key management | No | **Yes** |
-| Cloud agnostic / multi-cloud | No | **Yes** |
diff --git a/docs/versioned_docs/version-2.22/overview/license.md b/docs/versioned_docs/version-2.22/overview/license.md
deleted file mode 100644
index 34122c025..000000000
--- a/docs/versioned_docs/version-2.22/overview/license.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# License
-
-## Source code
-
-Constellation's source code is available on [GitHub](https://github.com/edgelesssys/constellation) under the [GNU Affero General Public License v3.0](https://github.com/edgelesssys/constellation/blob/main/LICENSE).
-
-## Binaries
-
-Edgeless Systems provides ready-to-use and [signed](../architecture/attestation.md#chain-of-trust) binaries of Constellation. This includes the CLI and the [node images](../architecture/images.md).
-
-These binaries may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems.
-
-The Constellation CLI displays relevant license information when you initialize your cluster. You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability.
-
-## Terraform provider
-
-Edgeless Systems provides a [Terraform provider](https://github.com/edgelesssys/terraform-provider-constellation/releases), which may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems.
-
-You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability.
-
-## Community License
-
-You are free to use the Constellation binaries provided by Edgeless Systems to create services for internal consumption, evaluation purposes, or non-commercial use. You must not use the Constellation binaries to provide commercial hosted services to third parties. Edgeless Systems gives no warranties and offers no support.
-
-## Enterprise License
-
-Enterprise Licenses don't have the above limitations and come with support and additional features.
Find out more at the [product website](https://www.edgeless.systems/products/constellation/).
-
-Once you have received your Enterprise License file, place it in your [Constellation workspace](../architecture/orchestration.md#workspaces) in a file named `constellation.license`.
-
-## CSP Marketplaces
-
-Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
diff --git a/docs/versioned_docs/version-2.22/overview/performance/application.md b/docs/versioned_docs/version-2.22/overview/performance/application.md
deleted file mode 100644
index c67d59644..000000000
--- a/docs/versioned_docs/version-2.22/overview/performance/application.md
+++ /dev/null
@@ -1,102 +0,0 @@
-# Application benchmarks
-
-## HashiCorp Vault
-
-[HashiCorp Vault](https://www.vaultproject.io/) is a distributed secrets management software that can be deployed to Kubernetes.
-HashiCorp maintains a benchmarking tool for vault, [vault-benchmark](https://github.com/hashicorp/vault-benchmark/).
-Vault-benchmark generates load on a Vault deployment and measures response times.
-
-This article describes the results from running vault-benchmark on Constellation, AKS, and GKE.
-You can find the setup for producing the data discussed in this article in the [vault-benchmarks](https://github.com/edgelesssys/vault-benchmarks) repository.
-
-The Vault API used during benchmarking is the [transits secret engine](https://developer.hashicorp.com/vault/docs/secrets/transit).
-This allows services to send data to Vault for encryption, decryption, signing, and verification.
-
-## Results
-
-On each run, vault-benchmark sends requests and measures the latencies.
-The measured latencies are aggregated through various statistical features.
-After running the benchmark n times, the arithmetic mean over a subset of the reported statistics is calculated.
-The selected features are arithmetic mean, 99th percentile, minimum, and maximum.
-
-Arithmetic mean gives a general sense of the latency on each target.
-The 99th percentile shows performance in (most likely) erroneous states.
-Minimum and maximum mark the range within which latency varies each run.
-
-The benchmark was configured with 1300 workers and 10 seconds per run.
-Those numbers were chosen empirically.
-The latency was stabilizing at 10 seconds runtime, not changing with further increase.
-Increasing the number of workers beyond 1300 leads to request failures, marking the limit Vault was able to handle in this setup.
-All results are based on 100 runs.
-
-The following data was generated while running five replicas, one primary, and four standby nodes.
-All numbers are in seconds if not indicated otherwise.
-```
-========== Results AKS ==========
-Mean: mean: 1.632200, variance: 0.002057
-P99: mean: 5.480679, variance: 2.263700
-Max: mean: 6.651001, variance: 2.808401
-Min: mean: 0.011415, variance: 0.000133
-========== Results GKE ==========
-Mean: mean: 1.656435, variance: 0.003615
-P99: mean: 6.030807, variance: 3.955051
-Max: mean: 7.164843, variance: 3.300004
-Min: mean: 0.010233, variance: 0.000111
-========== Results C11n ==========
-Mean: mean: 1.651549, variance: 0.001610
-P99: mean: 5.780422, variance: 3.016106
-Max: mean: 6.942997, variance: 3.075796
-Min: mean: 0.013774, variance: 0.000228
-========== AKS vs C11n ==========
-Mean: +1.171577 % (AKS is faster)
-P99: +5.185495 % (AKS is faster)
-Max: +4.205618 % (AKS is faster)
-Min: +17.128781 % (AKS is faster)
-========== GKE vs C11n ==========
-Mean: -0.295851 % (GKE is slower)
-P99: -4.331603 % (GKE is slower)
-Max: -3.195248 % (GKE is slower)
-Min: +25.710886 % (GKE is faster)
-```
-
-**Interpretation**: Latencies are all within ~5% of each other.
-AKS performs slightly better than GKE and Constellation (C11n) in all cases except minimum latency.
-Minimum latency is the lowest for GKE.
-Compared to GKE, Constellation had slightly lower peak latencies (99th percentile and maximum), indicating that Constellation could have handled slightly more concurrent accesses than GKE.
-Overall, performance is at comparable levels across all three distributions.
-Based on these numbers, you can use a similarly sized Constellation cluster to run your existing Vault deployment.
-
-### Visualization
-
-The following plots visualize the data presented above as [box plots](https://en.wikipedia.org/wiki/Box_plot).
-The whiskers denote the minimum and maximum.
-The box stretches from the 25th to the 75th percentile, with the dividing bar marking the 50th percentile.
-The circles outside the whiskers denote outliers.
-
-
-Mean Latency
-
-![Mean Latency](../../_media/benchmark_vault/5replicas/mean_latency.png)
-
-
-
-
-99th Percentile Latency
-
-![99th Percentile Latency](../../_media/benchmark_vault/5replicas/p99_latency.png)
-
-
-
-
-Maximum Latency
-
-![Maximum Latency](../../_media/benchmark_vault/5replicas/max_latency.png)
-
-
-
-
-Minimum Latency
-
-![Minimum Latency](../../_media/benchmark_vault/5replicas/min_latency.png)
-
-
diff --git a/docs/versioned_docs/version-2.22/overview/performance/compute.md b/docs/versioned_docs/version-2.22/overview/performance/compute.md
deleted file mode 100644
index 88dd4b1b2..000000000
--- a/docs/versioned_docs/version-2.22/overview/performance/compute.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Impact of runtime encryption on compute performance
-
-All nodes in a Constellation cluster are executed inside Confidential VMs (CVMs). Consequently, the performance of Constellation is inherently linked to the performance of these CVMs.
-
-## AMD and Azure benchmarking
-
-AMD and Azure have collectively released a [performance benchmark](https://community.amd.com/t5/business/microsoft-azure-confidential-computing-powered-by-3rd-gen-epyc/ba-p/497796) for CVMs that utilize 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. This benchmark, which included a variety of mostly compute-intensive tests such as SPEC CPU 2017 and CoreMark, demonstrated that CVMs experience only minor performance degradation (ranging from 2% to 8%) when compared to standard VMs. Such results are indicative of the performance that can be expected from compute-intensive workloads running with Constellation on Azure.
-
-## AMD and Google benchmarking
-
-Similarly, AMD and Google have jointly released a [performance benchmark](https://www.amd.com/system/files/documents/3rd-gen-epyc-gcp-c2d-conf-compute-perf-brief.pdf) for CVMs employing 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. With high-performance computing workloads such as WRF, NAMD, Ansys CFS, and Ansys LS_DYNA, they observed analogous findings, with only minor performance degradation (between 2% and 4%) compared to standard VMs. These outcomes are reflective of the performance that can be expected for compute-intensive workloads running with Constellation on GCP.
diff --git a/docs/versioned_docs/version-2.22/overview/performance/io.md b/docs/versioned_docs/version-2.22/overview/performance/io.md
deleted file mode 100644
index 3ae796f8a..000000000
--- a/docs/versioned_docs/version-2.22/overview/performance/io.md
+++ /dev/null
@@ -1,204 +0,0 @@
-# I/O performance benchmarks
-
-To assess the overall performance of Constellation, this benchmark evaluates Constellation v2.6.0 in terms of storage I/O using [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) and network performance using the [Kubernetes Network Benchmark](https://github.com/InfraBuilder/k8s-bench-suite#knb--kubernetes-network-be).
-
-This benchmark tested Constellation on Azure and GCP and compared the results against the managed Kubernetes offerings AKS and GKE.
-
-## Configurations
-
-### Constellation
-
-The benchmark was conducted with Constellation v2.6.0, Kubernetes v1.25.7, and Cilium v1.12.
-It ran on the following infrastructure configurations.
-
-Constellation on Azure:
-
-- Nodes: 3 (1 Control-plane, 2 Worker)
-- Machines: `DC4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory
-- CVM: `true`
-- Region: `West US`
-- Zone: `2`
-
-Constellation on GCP:
-
-- Nodes: 3 (1 Control-plane, 2 Worker)
-- Machines: `n2d-standard-4`: 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory
-- CVM: `true`
-- Zone: `europe-west3-b`
-
-### AKS
-
-On AKS, the benchmark used Kubernetes `v1.24.9` and nodes with version `AKSUbuntu-1804gen2containerd-2023.02.15`.
-AKS ran with the [`kubenet`](https://learn.microsoft.com/en-us/azure/aks/concepts-network#kubenet-basic-networking) CNI and the [default CSI driver](https://learn.microsoft.com/en-us/azure/aks/azure-disk-csi) for Azure Disk.
-
-The following infrastructure configurations was used:
-
-- Nodes: 2 (2 Worker)
-- Machines: `D4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory
-- CVM: `false`
-- Region: `West US`
-- Zone: `2`
-
-### GKE
-
-On GKE, the benchmark used Kubernetes `v1.24.9` and nodes with version `1.24.9-gke.3200`.
-GKE ran with the [`kubenet`](https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview) CNI and the [default CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver) for Compute Engine persistent disk.
-
-The following infrastructure configurations was used:
-
-- Nodes: 2 (2 Worker)
-- Machines: `n2d-standard-4` 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory
-- CVM: `false`
-- Zone: `europe-west3-b`
-
-## Results
-
-### Network
-
-This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
-The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
-
-GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
-AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
-The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
-Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
-
-Constellation on Azure and AKS used an MTU of 1500.
-Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450.
-
-The difference in network bandwidth can largely be attributed to two factors.
-
-- Constellation's [network encryption](../../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit.
-- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O.
-
-#### Pod-to-Pod
-
-In this scenario, the client Pod connects directly to the server pod via its IP address.
-
-```mermaid
-flowchart LR
- subgraph Node A
- Client[Client]
- end
- subgraph Node B
- Server[Server]
- end
- Client ==>|traffic| Server
-```
-
-The results for "Pod-to-Pod" on Azure are as follows:
-
-![Network Pod2Pod Azure benchmark graph](../../_media/benchmark_net_p2p_azure.png)
-
-The results for "Pod-to-Pod" on GCP are as follows:
-
-![Network Pod2Pod GCP benchmark graph](../../_media/benchmark_net_p2p_gcp.png)
-
-#### Pod-to-Service
-
-In this scenario, the client Pod connects to the server Pod via a ClusterIP service. This is more relevant to real-world use cases.
-
-```mermaid
-flowchart LR
- subgraph Node A
- Client[Client] ==>|traffic| Service[Service]
- end
- subgraph Node B
- Server[Server]
- end
- Service ==>|traffic| Server
-```
-
-The results for "Pod-to-Pod" on Azure are as follows:
-
-![Network Pod2SVC Azure benchmark graph](../../_media/benchmark_net_p2svc_azure.png)
-
-The results for "Pod-to-Pod" on GCP are as follows:
-
-![Network Pod2SVC GCP benchmark graph](../../_media/benchmark_net_p2svc_gcp.png)
-
-In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU.
-
-Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth.
-
-### Storage I/O
-
-Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC).
-Upon requesting persistent storage through a PVC, GKE and AKS will provision a PV as defined by a default [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/).
-Constellation provides persistent storage on Azure and GCP [that's encrypted on the CSI layer](../../architecture/encrypted-storage.md).
-Similarly, upon a PVC request, Constellation will provision a PV via a default storage class.
-
-For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size.
-The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance:
-
-- 6400 (20000 burst) IOPS
-- 144 MB/s (600 MB/s burst) throughput
-
-However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes):
-
-- 500 (600 burst) IOPS
-- 60 MB/s (150 MB/s burst) throughput
-
-For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size.
-The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms):
-
-- 3,000 read IOPS
-- 15,000 write IOPS
-- 240 MB/s read throughput
-- 240 MB/s write throughput
-
-However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size:
-
-- 2400 read IOPS
-- 2400 write IOPS
-- 112 MB/s read throughput
-- 112 MB/s write throughput
-
-The [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) benchmark consists of several tests.
-The benchmark used [`Kubestr`](https://github.com/kastenhq/kubestr) to run `fio` in Kubernetes.
-The default test performs randomized access patterns that accurately depict worst-case I/O scenarios for most applications.
-
-The following `fio` settings were used:
-
-- No Cloud caching
-- No OS caching
-- Single CPU
-- 60 seconds runtime
-- 10 seconds ramp-up time
-- 10 GiB file
-- IOPS: 4 KB blocks and 128 iodepth
-- Bandwidth: 1024 KB blocks and 128 iodepth
-
-For more details, see the [`fio` test configuration](https://github.com/edgelesssys/constellation/blob/main/.github/actions/e2e_benchmark/fio.ini).
-
-The results for IOPS on Azure are as follows:
-
-![I/O IOPS Azure benchmark graph](../../_media/benchmark_fio_azure_iops.png)
-
-The results for IOPS on GCP are as follows:
-
-![I/O IOPS GCP benchmark graph](../../_media/benchmark_fio_gcp_iops.png)
-
-The results for bandwidth on Azure are as follows:
-
-![I/O bandwidth Azure benchmark graph](../../_media/benchmark_fio_azure_bw.png)
-
-The results for bandwidth on GCP are as follows:
-
-![I/O bandwidth GCP benchmark graph](../../_media/benchmark_fio_gcp_bw.png)
-
-On GCP, the results exceed the maximum performance guarantees of the chosen disk type. There are two possible explanations for this. The first is that there may be cloud caching in place that isn't configurable. Alternatively, the underlying provisioned disk size may be larger than what was requested, resulting in higher performance boundaries.
-
-When comparing Constellation on GCP with GKE, Constellation has similar bandwidth but about 10% less IOPS performance. On Azure, Constellation has similar IOPS performance compared to AKS, where both likely hit the maximum storage performance. However, Constellation has approximately 15% less read and write bandwidth.
-
-## Conclusion
-
-Despite the added [security benefits](../security-benefits.md) that Constellation provides, it only incurs a slight performance overhead when compared to managed Kubernetes offerings such as AKS and GKE. In most compute benchmarks, Constellation is on par with it's alternatives.
-While it may be slightly slower in certain I/O scenarios due to network and storage encryption, there is ongoing work to reduce this overhead to single digits.
-
-For instance, storage encryption only adds between 10% to 15% overhead in terms of bandwidth and IOPS.
-Meanwhile, the biggest performance impact that Constellation currently faces is network encryption, which can incur up to 58% overhead on a 10 Gbps network.
-However, the Cilium team has conducted [benchmarks with Cilium using WireGuard encryption](https://docs.cilium.io/en/latest/operations/performance/benchmark/#encryption-wireguard-ipsec) on a 100 Gbps network that yielded over 15 Gbps.
-We're confident that Constellation will provide a similar level of performance with an upcoming release.
-
-Overall, Constellation strikes a great balance between security and performance, and we're continuously working to improve its performance capabilities while maintaining its high level of security.
diff --git a/docs/versioned_docs/version-2.22/overview/performance/performance.md b/docs/versioned_docs/version-2.22/overview/performance/performance.md
deleted file mode 100644
index 59bf86602..000000000
--- a/docs/versioned_docs/version-2.22/overview/performance/performance.md
+++ /dev/null
@@ -1,17 +0,0 @@ -# Performance analysis of Constellation - -This section provides a comprehensive examination of the performance characteristics of Constellation. - -## Runtime encryption - -Runtime encryption affects compute performance. [Benchmarks by Azure and Google](compute.md) show that the performance degradation of Confidential VMs (CVMs) is small, ranging from 2% to 8% for compute-intensive workloads. - -## I/O performance benchmarks - -We evaluated the [I/O performance](io.md) of Constellation, utilizing a collection of synthetic benchmarks targeting networking and storage. -We further compared this performance to native managed Kubernetes offerings from various cloud providers, to better understand how Constellation stands in relation to standard practices. - -## Application benchmarking - -To gauge Constellation's applicability to well-known applications, we performed a [benchmark of HashiCorp Vault](application.md) running on Constellation. -The results were then compared to deployments on the managed Kubernetes offerings from different cloud providers, providing a tangible perspective on Constellation's performance in actual deployment scenarios. diff --git a/docs/versioned_docs/version-2.22/overview/product.md b/docs/versioned_docs/version-2.22/overview/product.md deleted file mode 100644 index 4b5d90706..000000000 --- a/docs/versioned_docs/version-2.22/overview/product.md +++ /dev/null 
@@ -1,12 +0,0 @@ -# Product features - -Constellation is a Kubernetes engine that aims to provide the best possible data security in combination with enterprise-grade scalability and reliability features---and a smooth user experience. - -From a security perspective, Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and corresponding security features, which shield your entire cluster from the underlying infrastructure. - -From an operational perspective, Constellation provides the following key features: - -* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). -* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. -* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. -* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform. 
diff --git a/docs/versioned_docs/version-2.22/overview/security-benefits.md b/docs/versioned_docs/version-2.22/overview/security-benefits.md deleted file mode 100644 index 51a8b64f5..000000000 --- a/docs/versioned_docs/version-2.22/overview/security-benefits.md +++ /dev/null 
@@ -1,22 +0,0 @@ -# Security benefits and threat model - -Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and shields entire Kubernetes deployments from the infrastructure. More concretely, Constellation decreases the size of the trusted computing base (TCB) of a Kubernetes deployment. The TCB is the totality of elements in a computing environment that must be trusted not to be compromised. A smaller TCB results in a smaller attack surface. The following diagram shows how Constellation removes the *cloud & datacenter infrastructure* and the *physical hosts*, including the hypervisor, the host OS, and other components, from the TCB (red). Inside the confidential context (green), Kubernetes remains part of the TCB, but its integrity is attested and can be [verified](../workflows/verify-cluster.md). - -![TCB comparison](../_media/tcb.svg) - -Given this background, the following describes the concrete threat classes that Constellation addresses. - -## Insider access - -Employees and third-party contractors of cloud service providers (CSPs) have access to different layers of the cloud infrastructure. -This opens up a large attack surface where workloads and data can be read, copied, or manipulated. With Constellation, Kubernetes deployments are shielded from the infrastructure and thus such accesses are prevented. - -## Infrastructure-based attacks - -Malicious cloud users ("hackers") may break out of their tenancy and access other tenants' data. Advanced attackers may even be able to establish a permanent foothold within the infrastructure and access data over a longer period. Analogously to the *insider access* scenario, Constellation also prevents access to a deployment's data in this scenario. 
- -## Supply chain attacks - -Supply chain security is receiving lots of attention recently due to an [increasing number of recorded attacks](https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks). For instance, a malicious actor could attempt to tamper Constellation node images (including Kubernetes and other software) before they're loaded in the confidential VMs of a cluster. Constellation uses [remote attestation](../architecture/attestation.md) in conjunction with public [transparency logs](../workflows/verify-cli.md) to prevent this. - -In the future, Constellation will extend this feature to customer workloads. This will enable cluster owners to create auditable policies that precisely define which containers can run in a given deployment. diff --git a/docs/versioned_docs/version-2.22/reference/cli.md b/docs/versioned_docs/version-2.22/reference/cli.md deleted file mode 100644 index 7cbc0be8d..000000000 --- a/docs/versioned_docs/version-2.22/reference/cli.md +++ /dev/null 
@@ -1,873 +0,0 @@ -# CLI reference - - - -Use the Constellation CLI to create and manage your clusters. - -Usage: - -``` -constellation [command] -``` -Commands: - -* [config](#constellation-config): Work with the Constellation configuration file - * [generate](#constellation-config-generate): Generate a default configuration and state file - * [fetch-measurements](#constellation-config-fetch-measurements): Fetch measurements for configured cloud provider and image - * [instance-types](#constellation-config-instance-types): Print the supported instance types for all cloud providers - * [kubernetes-versions](#constellation-config-kubernetes-versions): Print the Kubernetes versions supported by this CLI - * [migrate](#constellation-config-migrate): Migrate a configuration file to a new version -* [create](#constellation-create): Create instances on a cloud platform for your Constellation cluster -* [apply](#constellation-apply): Apply a configuration to a Constellation cluster -* [mini](#constellation-mini): Manage MiniConstellation clusters - * [up](#constellation-mini-up): Create and initialize a new MiniConstellation cluster - * [down](#constellation-mini-down): Destroy a MiniConstellation cluster -* [status](#constellation-status): Show status of a Constellation cluster -* [verify](#constellation-verify): Verify the confidential properties of a Constellation cluster -* [upgrade](#constellation-upgrade): Find and apply upgrades to your Constellation cluster - * [check](#constellation-upgrade-check): Check for possible upgrades - * [apply](#constellation-upgrade-apply): Apply an upgrade to a Constellation cluster -* [recover](#constellation-recover): Recover a completely stopped Constellation cluster -* [terminate](#constellation-terminate): Terminate a Constellation cluster -* [iam](#constellation-iam): Work with the IAM configuration on your cloud provider - * [create](#constellation-iam-create): Create IAM configuration on a cloud platform for your Constellation 
cluster - * [aws](#constellation-iam-create-aws): Create IAM configuration on AWS for your Constellation cluster - * [azure](#constellation-iam-create-azure): Create IAM configuration on Microsoft Azure for your Constellation cluster - * [gcp](#constellation-iam-create-gcp): Create IAM configuration on GCP for your Constellation cluster - * [destroy](#constellation-iam-destroy): Destroy an IAM configuration and delete local Terraform files - * [upgrade](#constellation-iam-upgrade): Find and apply upgrades to your IAM profile - * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile -* [version](#constellation-version): Display version of this CLI -* [init](#constellation-init): Initialize the Constellation cluster -* [ssh](#constellation-ssh): Generate a certificate for emergency SSH access - -## constellation config - -Work with the Constellation configuration file - -### Synopsis - -Work with the Constellation configuration file. - -### Options - -``` - -h, --help help for config -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config generate - -Generate a default configuration and state file - -### Synopsis - -Generate a default configuration and state file for your selected cloud provider. - -``` -constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags] -``` - -### Options - -``` - -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. 
If not specified, the default for the cloud provider is used - -h, --help help for generate - -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.30") - -t, --tags strings additional tags for created resources given a list of key=value -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config fetch-measurements - -Fetch measurements for configured cloud provider and image - -### Synopsis - -Fetch measurements for configured cloud provider and image. - -A config needs to be generated first. - -``` -constellation config fetch-measurements [flags] -``` - -### Options - -``` - -h, --help help for fetch-measurements - -s, --signature-url string alternative URL to fetch measurements' signature from - -u, --url string alternative URL to fetch measurements from -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config instance-types - -Print the supported instance types for all cloud providers - -### Synopsis - -Print the supported instance types for all cloud providers. 
- -``` -constellation config instance-types [flags] -``` - -### Options - -``` - -h, --help help for instance-types -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config kubernetes-versions - -Print the Kubernetes versions supported by this CLI - -### Synopsis - -Print the Kubernetes versions supported by this CLI. - -``` -constellation config kubernetes-versions [flags] -``` - -### Options - -``` - -h, --help help for kubernetes-versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config migrate - -Migrate a configuration file to a new version - -### Synopsis - -Migrate a configuration file to a new version. - -``` -constellation config migrate [flags] -``` - -### Options - -``` - -h, --help help for migrate -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation create - -Create instances on a cloud platform for your Constellation cluster - -### Synopsis - -Create instances on a cloud platform for your Constellation cluster. 
- -``` -constellation create [flags] -``` - -### Options - -``` - -h, --help help for create - -y, --yes create the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation apply - -Apply a configuration to a Constellation cluster - -### Synopsis - -Apply a configuration to a Constellation cluster to initialize or upgrade the cluster. - -``` -constellation apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | init | attestationconfig | certsans | helm | image | k8s } - -y, --yes run command without further confirmation - WARNING: the command might delete or update existing resources without additional checks. Please read the docs. - -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini - -Manage MiniConstellation clusters - -### Synopsis - -Manage MiniConstellation clusters. 
- -### Options - -``` - -h, --help help for mini -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini up - -Create and initialize a new MiniConstellation cluster - -### Synopsis - -Create and initialize a new MiniConstellation cluster. - -A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM. - -``` -constellation mini up [flags] -``` - -### Options - -``` - -h, --help help for up - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true) -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini down - -Destroy a MiniConstellation cluster - -### Synopsis - -Destroy a MiniConstellation cluster. - -``` -constellation mini down [flags] -``` - -### Options - -``` - -h, --help help for down - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation status - -Show status of a Constellation cluster - -### Synopsis - -Show the status of a constellation cluster. - -Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades. 
- -``` -constellation status [flags] -``` - -### Options - -``` - -h, --help help for status -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation verify - -Verify the confidential properties of a Constellation cluster - -### Synopsis - -Verify the confidential properties of a Constellation cluster. -If arguments aren't specified, values are read from `constellation-state.yaml`. - -``` -constellation verify [flags] -``` - -### Options - -``` - --cluster-id string expected cluster identifier - -h, --help help for verify - -e, --node-endpoint string endpoint of the node to verify, passed as HOST[:PORT] - -o, --output string print the attestation document in the output format {json|raw} -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade - -Find and apply upgrades to your Constellation cluster - -### Synopsis - -Find and apply upgrades to your Constellation cluster. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade check - -Check for possible upgrades - -### Synopsis - -Check which upgrades can be applied to your Constellation Cluster. 
- -``` -constellation upgrade check [flags] -``` - -### Options - -``` - -h, --help help for check - --ref string the reference to use for querying new versions (default "-") - --stream string the stream to use for querying new versions (default "stable") - -u, --update-config update the specified config file with the suggested versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade apply - -Apply an upgrade to a Constellation cluster - -### Synopsis - -Apply an upgrade to a Constellation cluster by applying the chosen configuration. - -``` -constellation upgrade apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | helm | image | k8s } - -y, --yes run upgrades without further confirmation - WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs. - WARNING: might unintentionally overwrite measurements in the running cluster. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation recover - -Recover a completely stopped Constellation cluster - -### Synopsis - -Recover a Constellation cluster by sending a recovery key to an instance in the boot stage. 
- -This is only required if instances restart without other instances available for bootstrapping. - -``` -constellation recover [flags] -``` - -### Options - -``` - -e, --endpoint string endpoint of the instance, passed as HOST[:PORT] - -h, --help help for recover -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation terminate - -Terminate a Constellation cluster - -### Synopsis - -Terminate a Constellation cluster. - -The cluster can't be started again, and all persistent storage will be lost. - -``` -constellation terminate [flags] -``` - -### Options - -``` - -h, --help help for terminate - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam - -Work with the IAM configuration on your cloud provider - -### Synopsis - -Work with the IAM configuration on your cloud provider. - -### Options - -``` - -h, --help help for iam -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create - -Create IAM configuration on a cloud platform for your Constellation cluster - -### Synopsis - -Create IAM configuration on a cloud platform for your Constellation cluster. 
- -### Options - -``` - -h, --help help for create - --update-config update the config file with the specific IAM information - -y, --yes create the IAM configuration without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create aws - -Create IAM configuration on AWS for your Constellation cluster - -### Synopsis - -Create IAM configuration on AWS for your Constellation cluster. - -``` -constellation iam create aws [flags] -``` - -### Options - -``` - -h, --help help for aws - --prefix string name prefix for all resources (required) - --zone string AWS availability zone the resources will be created in, e.g., us-east-2a (required) - See the Constellation docs for a list of currently supported regions. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create azure - -Create IAM configuration on Microsoft Azure for your Constellation cluster - -### Synopsis - -Create IAM configuration on Microsoft Azure for your Constellation cluster. 
- -``` -constellation iam create azure [flags] -``` - -### Options - -``` - -h, --help help for azure - --region string region the resources will be created in, e.g., westus (required) - --resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required) - --servicePrincipal string name of the service principal that will be created (required) - --subscriptionID string subscription ID of the Azure account. Required if the 'ARM_SUBSCRIPTION_ID' environment variable is not set -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create gcp - -Create IAM configuration on GCP for your Constellation cluster - -### Synopsis - -Create IAM configuration on GCP for your Constellation cluster. - -``` -constellation iam create gcp [flags] -``` - -### Options - -``` - -h, --help help for gcp - --prefix string Prefix for the service account ID and VM ID that will be created (required) - Must be letters, digits, or hyphens. 
- --projectID string ID of the GCP project the configuration will be created in (required) - Find it on the welcome screen of your project: https://console.cloud.google.com/welcome - --zone string GCP zone the cluster will be deployed in (required) - Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam destroy - -Destroy an IAM configuration and delete local Terraform files - -### Synopsis - -Destroy an IAM configuration and delete local Terraform files. - -``` -constellation iam destroy [flags] -``` - -### Options - -``` - -h, --help help for destroy - -y, --yes destroy the IAM configuration without asking for confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade - -Find and apply upgrades to your IAM profile - -### Synopsis - -Find and apply upgrades to your IAM profile. 
- -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade apply - -Apply an upgrade to an IAM profile - -### Synopsis - -Apply an upgrade to an IAM profile. - -``` -constellation iam upgrade apply [flags] -``` - -### Options - -``` - -h, --help help for apply - -y, --yes run upgrades without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation version - -Display version of this CLI - -### Synopsis - -Display version of this CLI. - -``` -constellation version [flags] -``` - -### Options - -``` - -h, --help help for version -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation init - -Initialize the Constellation cluster - -### Synopsis - -Initialize the Constellation cluster. - -Start your confidential Kubernetes. 
- -``` -constellation init [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for init - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation ssh - -Generate a certificate for emergency SSH access - -### Synopsis - -Generate a certificate for emergency SSH access to your SSH-enabled constellation cluster. - -``` -constellation ssh [flags] -``` - -### Options - -``` - -h, --help help for ssh - --key string the path to an existing SSH public key -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - diff --git a/docs/versioned_docs/version-2.22/reference/migration.md b/docs/versioned_docs/version-2.22/reference/migration.md deleted file mode 100644 index 36bfb1462..000000000 --- a/docs/versioned_docs/version-2.22/reference/migration.md +++ /dev/null 
@@ -1,134 +0,0 @@ -# Migrations - -This document describes breaking changes and migrations between Constellation releases. -Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format. - -## Migrations to v2.19.1 - -### Azure - -* During the upgrade, security rules are migrated and the old ones need to be cleaned up manually by the user. The below script shows how to delete them through the Azure CLI: - -```bash -#!/usr/bin/env bash -name="" # the name provided in the config -uid="" # the cluster id can be retrieved via `yq '.infrastructure.uid' constellation-state.yaml` -resource_group="" # the RG can be retrieved via `yq '.provider.azure.resourceGroup' constellation-conf.yaml` - -rules=( - "kubernetes" - "bootstrapper" - "verify" - "recovery" - "join" - "debugd" - "konnectivity" -) - -for rule in "${rules[@]}"; do - echo "Deleting rule: ${rule}" - az network nsg rule delete \ - --resource-group "${resource_group}" \ - --nsg-name "${name}-${uid}" \ - --name "${rule}" -done - -echo "All specified rules have been deleted." -``` - -## Migrating from CLI versions before 2.21.1 - -### AWS - -* AWS clusters that use `LoadBalancer` resources require more IAM permissions. Please upgrade your IAM roles using `constellation iam upgrade apply`. This will show necessary changes and apply them, if desired. - -## Migrating from CLI versions before 2.19.0 - -### Azure - -* To allow seamless upgrades on Azure when Kubernetes services of type `LoadBalancer` are deployed, the target - load balancer in which the `cloud-controller-manager` creates load balancing rules was changed. Instead of using the load balancer - created and maintained by the CLI's Terraform code, the `cloud-controller-manager` now creates its own load balancer in Azure. - If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them - afterward. 
- -## Migrating from CLI versions before 2.18.0 - -* The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed. -* To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`. -* Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-an-iam-configuration) and use the created UAMI. -* To migrate the authentication for an existing cluster on Azure to an UAMI with the necessary permissions: - 1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret. - 2. Set `useManagedIdentityExtension` to `true` and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`. - 3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods. - -## Migrating from CLI versions before 2.10 - -* AWS cluster upgrades require additional IAM permissions for the newly introduced `aws-load-balancer-controller`. Please upgrade your IAM roles using `iam upgrade apply`. This will show necessary changes and apply them, if desired. -* The global `nodeGroups` field was added. -* The fields `instanceType`, `stateDiskSizeGB`, and `stateDiskType` for each cloud provider are now part of the configuration of individual node groups. -* The `constellation create` command no longer uses the flags `--control-plane-count` and `--worker-count`. Instead, the initial node count is configured per node group in the `nodeGroups` field. - -## Migrating from CLI versions before 2.9 - -* The `provider.azure.appClientID` and `provider.azure.clientSecretValue` fields were removed to enforce migration to managed identity authentication - -## Migrating from CLI versions before 2.8 - -* The `measurements` field for each cloud service provider was replaced with a global `attestation` field. 
-* The `confidentialVM`, `idKeyDigest`, and `enforceIdKeyDigest` fields for the Azure cloud service provider were removed in favor of using the global `attestation` field. -* The optional global field `attestationVariant` was replaced by the now required `attestation` field. - -## Migrating from CLI versions before 2.3 - -* The `sshUsers` field was deprecated in v2.2 and has been removed from the configuration in v2.3. - As an alternative for SSH, check the workflow section [Connect to nodes](../workflows/troubleshooting.md#node-shell-access). -* The `image` field for each cloud service provider has been replaced with a global `image` field. Use the following mapping to migrate your configuration: -
- Show all - - | CSP | old image | new image | - | ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | - | AWS | `ami-06b8cbf4837a0a57c` | `v2.2.2` | - | AWS | `ami-02e96dc04a9e438cd` | `v2.2.2` | - | AWS | `ami-028ead928a9034b2f` | `v2.2.2` | - | AWS | `ami-032ac10dd8d8266e3` | `v2.2.1` | - | AWS | `ami-032e0d57cc4395088` | `v2.2.1` | - | AWS | `ami-053c3e49e19b96bdd` | `v2.2.1` | - | AWS | `ami-0e27ebcefc38f648b` | `v2.2.0` | - | AWS | `ami-098cd37f66523b7c3` | `v2.2.0` | - | AWS | `ami-04a87d302e2509aad` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | 
`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.0.0` | `v2.0.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.0.0` | `v2.0.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-2` | `v2.2.2` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-1` | `v2.2.1` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-0` | `v2.2.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-1-0` | `v2.1.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-0-0` | `v2.0.0` | - -
-* The `enforcedMeasurements` field has been removed and merged with the `measurements` field. - * To migrate your config containing a new image (`v2.3` or greater), remove the old `measurements` and `enforcedMeasurements` entries from your config and run `constellation fetch-measurements` - * To migrate your config containing an image older than `v2.3`, remove the `enforcedMeasurements` entry and replace the entries in `measurements` as shown in the example below: - - ```diff - measurements: - - 0: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + 0: - + expected: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + warnOnly: true - - 8: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + 8: - + expected: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + warnOnly: false - -enforcedMeasurements: - - - 8 - ``` diff --git a/docs/versioned_docs/version-2.22/reference/slsa.md b/docs/versioned_docs/version-2.22/reference/slsa.md deleted file mode 100644 index 21f4e713c..000000000 --- a/docs/versioned_docs/version-2.22/reference/slsa.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Supply chain levels for software artifacts (SLSA) adoption - -[Supply chain Levels for Software Artifacts, or SLSA (salsa)](https://slsa.dev/) is a framework for improving and grading a project's build system and engineering processes. SLSA focuses on security improvements for source code storage as well as build system definition, execution, and observation. SLSA is structured in [four levels](https://slsa.dev/spec/v0.1/levels). This page describes the adoption of SLSA for Constellation. - -:::info -SLSA is still in alpha status. The presented levels and their requirements might change in the future. We will adopt any changes into our engineering processes, as they get defined. -::: - -## Level 1 - Adopted - -**[Build - Scripted](https://slsa.dev/spec/v0.1/requirements#scripted-build)** - -All build steps are automated via [Bazel](https://github.com/edgelesssys/constellation/tree/main/bazel/ci) and [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Available](https://slsa.dev/spec/v0.1/requirements#available)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). - -## Level 2 - Adopted - -**[Source - Version Controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled)** - -Constellation is hosted on GitHub using git. - -**[Build - Build Service](https://slsa.dev/spec/v0.1/requirements#build-service)** - -All builds are carried out by [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated)** - -Provenance for the CLI is signed using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). Learn [how to verify the CLI](../workflows/verify-cli.md) using the signed provenance, before using it for the first time. 
- -**[Provenance - Service Generated](https://slsa.dev/spec/v0.1/requirements#service-generated)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) in GitHub Actions. - -## Level 3 - Adopted - -**[Source - Verified History](https://slsa.dev/spec/v0.1/requirements#verified-history)** - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization [requires two-factor authentication](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) for all members. - -**[Source - Retained Indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely)** - -Since we use GitHub to host the repository, an external person can't modify or delete the history. Before a pull request can be merged, an explicit approval from an [Edgeless Systems](https://github.com/edgelesssys) team member is required. - -The same holds true for changes proposed by team members. Each change to `main` needs to be proposed via a pull request and requires at least one approval. - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization admins control these settings and are able to make changes to the repository's history should legal requirements necessitate it. These changes require two-party approval following the obliterate policy. - -**[Build - Build as Code](https://slsa.dev/spec/v0.1/requirements#build-as-code)** - -All build files for Constellation are stored in [the same repository](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Build - Ephemeral Environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment)** - -All GitHub Action workflows are executed on [GitHub-hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners). 
These runners are only available during workflow. - -We currently don't use [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). - -**[Build - Isolated](https://slsa.dev/spec/v0.1/requirements#isolated)** - -As outlined in the previous section, we use GitHub-hosted runners, which provide a new, isolated and ephemeral environment for each build. - -Additionally, the [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator#generation-of-provenance) itself is run in an isolated workflow with the artifact hash as defined inputs. - -**[Provenance - Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable)** - -As outlined by [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator) it already fulfills the non-falsifiable requirements for SLSA Level 3. The generated provenance is signed using [sigstore](https://sigstore.dev/) with an OIDC based proof of identity. - -## Level 4 - In Progress - -We strive to adopt certain aspect of SLSA Level 4 that support our engineering process. At the same time, SLSA is still in alpha status and the biggest changes to SLSA are expected to be around Level 4. diff --git a/docs/versioned_docs/version-2.22/reference/terraform.md b/docs/versioned_docs/version-2.22/reference/terraform.md deleted file mode 100644 index 9825a8bb8..000000000 --- a/docs/versioned_docs/version-2.22/reference/terraform.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Terraform usage - -[Terraform](https://www.terraform.io/) is an Infrastructure as Code (IaC) framework to manage cloud resources. This page explains how Constellation uses it internally and how advanced users may manually use it to have more control over the resource creation. - -:::info -Information on this page is intended for users who are familiar with Terraform. -It's not required for common usage of Constellation. -See the [Terraform documentation](https://developer.hashicorp.com/terraform/docs) if you want to learn more about it. -::: - -## Terraform state files - -Constellation keeps Terraform state files in subdirectories of the workspace together with the corresponding Terraform configuration files and metadata. -The subdirectories are created on the first Constellation CLI action that uses Terraform internally. - -Currently, these subdirectories are: - -* `constellation-terraform` - Terraform state files for the resources of the Constellation cluster -* `constellation-iam-terraform` - Terraform state files for IAM configuration - -As with all commands, commands that work with these files (e.g., `apply`, `terminate`, `iam`) have to be executed from the root of the cluster's [workspace directory](../architecture/orchestration.md#workspaces). You usually don't need and shouldn't manipulate or delete the subdirectories manually. - -## Interacting with Terraform manually - -Manual interaction with Terraform state created by Constellation (i.e., via the Terraform CLI) should only be performed by experienced users. It may lead to unrecoverable loss of cloud resources. For the majority of users and use cases, the interaction done by the [Constellation CLI](cli.md) is sufficient. - -## Terraform debugging - -To debug Terraform issues, the Constellation CLI offers the `tf-log` flag. 
You can set it to any of [Terraform's log levels](https://developer.hashicorp.com/terraform/internals/debugging): -* `JSON` (JSON-formatted logs at `TRACE` level) -* `TRACE` -* `DEBUG` -* `INFO` -* `WARN` -* `ERROR` - -The log output is written to the `terraform.log` file in the workspace directory. The output is appended to the file on each run. diff --git a/docs/versioned_docs/version-2.22/workflows/cert-manager.md b/docs/versioned_docs/version-2.22/workflows/cert-manager.md deleted file mode 100644 index 1d847e8bf..000000000 --- a/docs/versioned_docs/version-2.22/workflows/cert-manager.md +++ /dev/null @@ -1,13 +0,0 @@ -# Install cert-manager - -:::caution -If you want to use cert-manager with Constellation, pay attention to the following to avoid potential pitfalls. -::: - -Constellation ships with cert-manager preinstalled. -The default installation is part of the `kube-system` namespace, as all other Constellation-managed microservices. -You are free to install more instances of cert-manager into other namespaces. -However, be aware that any new installation needs to use the same version as the one installed with Constellation or rely on the same CRD versions. -Also remember to set the `installCRDs` value to `false` when installing new cert-manager instances. -It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs. -CRDs are cluster-wide resources and cert-manager depends on specific versions of those CRDs for each release. diff --git a/docs/versioned_docs/version-2.22/workflows/config.md b/docs/versioned_docs/version-2.22/workflows/config.md deleted file mode 100644 index 7868ff1be..000000000 --- a/docs/versioned_docs/version-2.22/workflows/config.md +++ /dev/null 
@@ -1,353 +0,0 @@ -# Configure your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Before you can create your cluster, you need to configure the identity and access management (IAM) for your cloud service provider (CSP) and choose machine types for the nodes. - -## Creating the configuration file - -You can generate a configuration file for your CSP by using the following CLI command: - - - - -```bash -constellation config generate aws -``` - - - - -```bash -constellation config generate azure -``` - - - - -```bash -constellation config generate gcp -``` - - - - -```bash -constellation config generate stackit -``` - - - - -This creates the file `constellation-conf.yaml` in the current directory. - -## Choosing a VM type - -Constellation supports the following VM types: - - - -By default, Constellation uses `m6a.xlarge` VMs (4 vCPUs, 16 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. -If you are using the default attestation variant `awsSEVSNP`, you can use the instance types described in [AWS's AMD SEV-SNP docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). -Please mind the region restrictions mentioned in the [Getting started](../getting-started/first-steps.md#create-a-cluster) section. - -If you are using the attestation variant `awsNitroTPM`, you can choose any of the [nitroTPM-enabled instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -By default, Constellation uses `Standard_DC4as_v5` CVMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. 
For CVMs, any VM type with a minimum of 4 vCPUs from the [DCasv5 & DCadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series) or [ECasv5 & ECadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/ecasv5-ecadsv5-series) families is supported. - -You can also run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `n2d-standard-4` VMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. Supported are all machines with a minimum of 4 vCPUs from the [C2D](https://cloud.google.com/compute/docs/compute-optimized-machines#c2d_machine_types) or [N2D](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) family. You can run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `m1a.4cd` VMs (4 vCPUs, 30 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. - -The following instance types are known to be supported: - -| name | vCPUs | GB RAM | -|----------|-------|--------| -| m1a.4cd | 4 | 30 | -| m1a.8cd | 8 | 60 | -| m1a.16cd | 16 | 120 | -| m1a.30cd | 30 | 230 | - -You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -Fill the desired VM type into the `instanceType` fields in the `constellation-conf.yml` file. - -## Creating additional node groups - -By default, Constellation creates the node groups `control_plane_default` and `worker_default` for control-plane nodes and workers, respectively. 
-If you require additional control-plane or worker groups with different instance types, zone placements, or disk sizes, you can add additional node groups to the `constellation-conf.yml` file. -Each node group can be scaled individually. - -Consider the following example for AWS: - -```yaml -nodeGroups: - control_plane_default: - role: control-plane - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 3 - worker_default: - role: worker - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 2 - high_cpu: - role: worker - instanceType: c6a.24xlarge - stateDiskSizeGB: 128 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 1 -``` - -This configuration creates an additional node group `high_cpu` with a larger instance type and disk. - -You can use the field `zone` to specify what availability zone nodes of the group are placed in. -On Azure, this field is empty by default and nodes are automatically spread across availability zones. -STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones. -Consult the documentation of your cloud provider for more information: - -* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) -* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones) -* [GCP](https://cloud.google.com/compute/docs/regions-zones) -* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html) - -## Choosing a Kubernetes version - -To learn which Kubernetes versions can be installed with your current CLI, you can run `constellation config kubernetes-versions`. -See also Constellation's [Kubernetes support policy](../architecture/versions.md#kubernetes-support-policy). - -## Creating an IAM configuration - -You can create an IAM configuration for your cluster automatically using the `constellation iam create` command. 
-If you already have a Constellation configuration file, you can add the `--update-config` flag to the command. This writes the needed IAM fields into your configuration. Furthermore, the flag updates the zone/region of the configuration if it hasn't been set yet. - - - - -You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create aws --zone=us-east-2a --prefix=constellTest -``` - -This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. - -Constellation OS images are currently replicated to the following regions: - -* `eu-central-1` -* `eu-west-1` -* `eu-west-3` -* `us-east-2` -* `ap-south-1` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - -You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest -``` - -This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. 
- -CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - -* `germanywestcentral` -* `westus` -* `eastus` -* `northeurope` -* `westeurope` -* `southeastasia` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). - -You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test -``` - -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. - -Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - - -
-Alternatively, you can manually create the IAM configuration on your CSP. - -The following describes the configuration fields and how you obtain the required information or create the required resources. - - - - -* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`. - - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -* **zone**: The name of your chosen AWS data center availability zone, e.g., `us-east-2a`. - - Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones). - -* **iamProfileControlPlane**: The name of an IAM instance profile attached to all control-plane nodes. - - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`. - -* **iamProfileWorkerNodes**: The name of an IAM instance profile attached to all worker nodes. 
- - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`. - - - - -* **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`. - - You can view your subscription UUID via `az account show` and read the `id` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription). - -* **tenant**: The UUID of your Azure tenant, e.g., `3400e5a2-8fe2-492a-886c-38cb66170f25`. - - You can view your tenant UUID via `az account show` and read the `tenant` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant). - -* **location**: The Azure datacenter location you want to deploy your cluster in, e.g., `westus`. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -* **resourceGroup**: [Create a new resource group in Azure](https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal) for your Constellation cluster. Set this configuration field to the name of the created resource group. - -* **userAssignedIdentity**: [Create a new managed identity in Azure](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination. - - Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor`, and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group. - - Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity. - - The user-assigned identity is used by instances of the cluster to access other cloud resources. - For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). - - - - -* **project**: The ID of your GCP project, e.g., `constellation-129857`. - - You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). 
- -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. - - You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. - - You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **serviceAccountKeyPath**: To configure this, you need to create a GCP [service account](https://cloud.google.com/iam/docs/service-accounts) with the following permissions: - - * `Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)` - * `Compute Network Admin (roles/compute.networkAdmin)` - * `Compute Security Admin (roles/compute.securityAdmin)` - * `Compute Storage Admin (roles/compute.storageAdmin)` - * `Service Account User (roles/iam.serviceAccountUser)` - - Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - -
- -Now that you've configured your CSP, you can [create your cluster](./create.md). - -## Deleting an IAM configuration - -You can keep a created IAM configuration and reuse it for new clusters. Alternatively, you can also delete it if you don't want to use it anymore. - -Delete the IAM configuration by executing the following command in the same directory where you executed `constellation iam create` (the directory that contains [`constellation-iam-terraform`](../reference/terraform.md) as a subdirectory): - -```bash -constellation iam destroy -``` - -:::caution -For Azure, deleting the IAM configuration by executing `constellation iam destroy` will delete the whole resource group created by `constellation iam create`. -This also includes any additional resources in the resource group that weren't created by Constellation. -::: diff --git a/docs/versioned_docs/version-2.22/workflows/create.md b/docs/versioned_docs/version-2.22/workflows/create.md deleted file mode 100644 index 6074ebb16..000000000 --- a/docs/versioned_docs/version-2.22/workflows/create.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# Create your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Creating your cluster happens through multiple phases. -The most significant ones are: - -1. Creating the necessary resources in your cloud environment -2. Bootstrapping the Constellation cluster and setting up a connection -3. Installing the necessary Kubernetes components - -`constellation apply` handles all this in a single command. -You can use the `--skip-phases` flag to skip specific phases of the process. -For example, if you created the infrastructure manually, you can skip the cloud resource creation phase. - -See the [architecture](../architecture/orchestration.md) section for details on the inner workings of this process. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -Before you create the cluster, make sure to have a [valid configuration file](./config.md). - - - - -```bash -constellation apply -``` - -`apply` stores the state of your cluster's cloud resources in a [`constellation-terraform`](../architecture/orchestration.md#cluster-creation-process) directory in your workspace. - - - - -Self-managed infrastructure allows for more flexibility in the setup, by separating the infrastructure setup from the Constellation cluster management. -This provides flexibility in DevOps and can meet potential regulatory requirements. -It's recommended to use Terraform for infrastructure management, but you can use any tool of your choice. - -:::info - - When using Terraform, you can use the [Constellation Terraform provider](./terraform-provider.md) to manage the entire Constellation cluster lifecycle. 
- -::: - -You can refer to the Terraform files for the selected CSP from the [Constellation GitHub repository](https://github.com/edgelesssys/constellation/tree/main/terraform/infrastructure) for a minimum Constellation cluster configuration. From this base, you can now add, edit, or substitute resources per your own requirements with the infrastructure -management tooling of your choice. You need to keep the essential functionality of the base configuration in order for your cluster to function correctly. - - - -:::info - - On Azure, a manual update to the MAA provider's policy is necessary. - You can apply the update with the following command after creating the infrastructure, with `` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration). - - ```bash - constellation maa-patch - ``` - -::: - - - -Make sure all necessary resources are created, e.g., through checking your CSP's portal and retrieve the necessary values, aligned with the outputs (specified in `outputs.tf`) of the base configuration. - -Fill these outputs into the corresponding fields of the `Infrastructure` block inside the `constellation-state.yaml` file. For example, fill the IP or DNS name your cluster can be reached at into the `.Infrastructure.ClusterEndpoint` field. - -With the required cloud resources set up, continue with initializing your cluster. - -```bash -constellation apply --skip-phases=infrastructure -``` - - - - -Finally, configure `kubectl` for your cluster: - -```bash -export KUBECONFIG="$PWD/constellation-admin.conf" -``` - -🏁 That's it. You've successfully created a Constellation cluster. - -### Troubleshooting - -In case `apply` fails, the CLI collects logs from the bootstrapping instance and stores them inside `constellation-cluster.log`. 
diff --git a/docs/versioned_docs/version-2.22/workflows/lb.md b/docs/versioned_docs/version-2.22/workflows/lb.md
deleted file mode 100644
index 868e61076..000000000
--- a/docs/versioned_docs/version-2.22/workflows/lb.md
+++ /dev/null
@@ -1,28 +0,0 @@ -# Expose a service - -Constellation integrates the native load balancers of each CSP. Therefore, to expose a service simply [create a service of type `LoadBalancer`](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). - -## Internet-facing LB service on AWS - -To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS. - -Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/). - -For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html). - -:::caution -Before terminating the cluster, all LB backed services should be deleted, so that the controller can cleanup the related resources. -::: - -## Ingress on AWS - -The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`. -AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type). -The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation. -If a service can be exposed on a `NodePort`, the target type `instance` can be used. - -See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information. 
- -:::caution -Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they shouldn't be handling sensitive traffic! -::: diff --git a/docs/versioned_docs/version-2.22/workflows/recovery.md b/docs/versioned_docs/version-2.22/workflows/recovery.md deleted file mode 100644 index 592ae247b..000000000 --- a/docs/versioned_docs/version-2.22/workflows/recovery.md +++ /dev/null 
@@ -1,179 +0,0 @@ -# Recover your cluster - -Recovery of a Constellation cluster means getting it back into a healthy state after too many concurrent node failures in the control plane. -Reasons for an unhealthy cluster can vary from a power outage, or planned reboot, to migration of nodes and regions. -Recovery events are rare, because Constellation is built for high availability and automatically and securely replaces failed nodes. When a node is replaced, Constellation's control plane first verifies the new node before it sends the node the cryptographic keys required to decrypt its [state disk](../architecture/images.md#state-disk). - -Constellation provides a recovery mechanism for cases where the control plane has failed and is unable to replace nodes. -The `constellation recover` command securely connects to all nodes in need of recovery using [attested TLS](../architecture/attestation.md#attested-tls-atls) and provides them with the keys to decrypt their state disks and continue booting. - -## Identify unhealthy clusters - -The first step to recovery is identifying when a cluster becomes unhealthy. -Usually, this can be first observed when the Kubernetes API server becomes unresponsive. - -You can check the health status of the nodes via the cloud service provider (CSP). -Constellation provides logging information on the boot process and status via serial console output. -In the following, you'll find detailed descriptions for identifying clusters stuck in recovery for each CSP. - - - - -First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `--control-plane` and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -In the Azure portal, find the cluster's resource group. -Inside the resource group, open the control plane *Virtual machine scale set* `constellation-scale-set-controlplanes-`. -On the left, go to **Settings** > **Instances** and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. -In the scale set's *Instances* view, open the details page of the desired instance. -On the left, go to **Support + troubleshooting** > **Serial console**. - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T09:56:41Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"azure"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["10.9.0.5:30090","10.9.0.6:30090"]} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.5:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.5:30090: i/o timeout\"","endpoint":"10.9.0.5:30090"} -{"level":"INFO","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.6:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.6:30090: i/o timeout\"","endpoint":"10.9.0.6:30090"} -{"level":"ERROR","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, check that the control plane *Instance Group* has enough members in a *Ready* state. -In the GCP Console, go to **Instance Groups** and check the group for the cluster's control plane `-control-plane-`. - -Second, check the status of the *VM Instances*. -Go to **VM Instances** and open the details of the desired instance. 
-Check the serial console output of that instance by opening the **Logs** > **Serial port 1 (console)** page: - -![GCP portal serial console link](../_media/recovery-gcp-serial-console-link.png) - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} -{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `--control-plane--` and check that enough members are in a *Running* state. - -Second, check the boot logs of these servers. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -## Recover a cluster - -Recovering a cluster requires the following parameters: - -* The `constellation-state.yaml` file in your working directory or the cluster's endpoint -* The master secret of the cluster - -A cluster can be recovered like this: - -```bash -$ constellation recover -Pushed recovery key. -Pushed recovery key. -Pushed recovery key. -Recovered 3 control-plane nodes. -``` - -In the serial console output of the node you'll see a similar output to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:93","msg":"Received recover call"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:125","msg":"Received state disk key and measurement secret, shutting down server"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer.gRPC","caller":"zap/server_interceptors.go:61","msg":"finished streaming call with code OK","grpc.start_time":"2022-09-08T10:26:59Z","system":"grpc","span.kind":"server","grpc.service":"recoverproto.API","grpc.method":"Recover","peer.address":"192.0.2.3:41752","grpc.code":"OK","grpc.time_ms":15.701} -{"level":"INFO","ts":"2022-09-08T10:27:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:87","msg":"RejoinClient stopped"} -``` 
diff --git a/docs/versioned_docs/version-2.22/workflows/reproducible-builds.md b/docs/versioned_docs/version-2.22/workflows/reproducible-builds.md deleted file mode 100644 index e3bc46095..000000000 --- a/docs/versioned_docs/version-2.22/workflows/reproducible-builds.md +++ /dev/null 
@@ -1,63 +0,0 @@ -# Reproduce released artifacts - -Constellation has first-class support for [reproducible builds](https://reproducible-builds.org). -Reproducing the released artifacts is an alternative to [signature verification](verify-cli.md) that doesn't require trusting Edgeless Systems' release process. -The following sections describe how to rebuild an artifact and how Constellation ensures that the rebuild reproduces the artifacts bit-by-bit. - -## Build environment prerequisites - -The build systems used by Constellation - [Bazel](https://bazel.build/) and [Nix](https://nixos.org) - are designed for deterministic, reproducible builds. -These two dependencies should be the only prerequisites for a successful build. -However, it can't be ruled out completely that peculiarities of the host affect the build result. -Thus, we recommend the following host setup for best results: - -1. A Linux operating system not older than v5.4. -2. The GNU C library not older than v2.31 (avoid `musl`). -3. GNU `coreutils` not older than v8.30 (avoid `busybox`). -4. An `ext4` filesystem for building. -5. AppArmor turned off. - -This is given, for example, on an Ubuntu 22.04 system, which is also used for reproducibility tests. - -:::note - -To avoid any backwards-compatibility issues, the host software versions should also not be much newer than the Constellation release. - -::: - -## Run the build - -The following instructions outline qualitatively how to reproduce a build. -Constellation implements these instructions in the [Reproducible Builds workflow](https://github.com/edgelesssys/constellation/actions/workflows/reproducible-builds.yml), which continuously tests for reproducibility. -The workflow is a good place to look up specific version numbers and build steps. - -1. Check out the Constellation repository at the tag corresponding to the release. 
- - ```bash - git clone https://github.com/edgelesssys/constellation.git - cd constellation - git checkout v2.20.0 - ``` - -2. [Install the Bazel release](https://bazel.build/install) specified in `.bazelversion`. -3. [Install Nix](https://nixos.org/download/) (any recent version should do). -4. Run the build with `bazel build $target` for one of the following targets of interest: - - ```data - //cli:cli_enterprise_darwin_amd64 - //cli:cli_enterprise_darwin_arm64 - //cli:cli_enterprise_linux_amd64 - //cli:cli_enterprise_linux_arm64 - //cli:cli_enterprise_windows_amd64 - ``` - -5. Compare the build result with the downloaded release artifact. - - - -## Feedback - -Reproduction failures often indicate a bug in the build system or in the build definitions. -Therefore, we're interested in any reproducibility issues you might encounter. -[Start a bug report](https://github.com/edgelesssys/constellation/issues/new/choose) and describe the details of your build environment. -Make sure to include your result binary or a [`diffoscope`](https://diffoscope.org/) report, if possible. diff --git a/docs/versioned_docs/version-2.22/workflows/s3proxy.md b/docs/versioned_docs/version-2.22/workflows/s3proxy.md deleted file mode 100644 index 121e8a461..000000000 --- a/docs/versioned_docs/version-2.22/workflows/s3proxy.md +++ /dev/null 
@@ -1,58 +0,0 @@ -# Install s3proxy - -Constellation includes a transparent client-side encryption proxy for [AWS S3](https://aws.amazon.com/de/s3/) and compatible stores. -s3proxy encrypts objects before sending them to S3 and automatically decrypts them on retrieval, without requiring changes to your application. -With s3proxy, you can use S3 for storage in a confidential way without having to trust the storage provider. - -## Limitations - -Currently, s3proxy has the following limitations: -- Only `PutObject` and `GetObject` requests are encrypted/decrypted by s3proxy. -By default, s3proxy will block requests that may expose unencrypted data to S3 (e.g. UploadPart). -The `allow-multipart` flag disables request blocking for evaluation purposes. -- Using the [Range](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html#API_GetObject_RequestSyntax) header on `GetObject` is currently not supported and will result in an error. - -These limitations will be removed with future iterations of s3proxy. -If you want to use s3proxy but these limitations stop you from doing so, consider [opening an issue](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&projects=&template=feature_request.yml). - -## Deployment - -You can add the s3proxy to your Constellation cluster as follows: -1. Add the Edgeless Systems chart repository: - ```bash - helm repo add edgeless https://helm.edgeless.systems/stable - helm repo update - ``` -2. Set ACCESS_KEY and ACCESS_SECRET to valid credentials you want s3proxy to use to interact with S3. -3. Deploy s3proxy: - ```bash - helm install s3proxy edgeless/s3proxy --set awsAccessKeyID="$ACCESS_KEY" --set awsSecretAccessKey="$ACCESS_SECRET" - ``` - -If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example. 
- - -## Technical details - -### Encryption - -s3proxy relies on Google's [Tink Cryptographic Library](https://developers.google.com/tink) to implement cryptographic operations securely. -The used cryptographic primitives are [NIST SP 800 38f](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf) for key wrapping and [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)-[GCM](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Galois/counter_(GCM)) with 256 bit keys for data encryption. - -s3proxy uses [envelope encryption](https://cloud.google.com/kms/docs/envelope-encryption) to encrypt objects. -This means s3proxy uses a key encryption key (KEK) issued by the [KeyService](../architecture/microservices.md#keyservice) to encrypt data encryption keys (DEKs). -Each S3 object is encrypted with its own DEK. -The encrypted DEK is then saved as metadata of the encrypted object. -This enables key rotation of the KEK without re-encrypting the data in S3. -The approach also allows access to objects from different locations, as long as each location has access to the KEK. - -### Traffic interception - -To use s3proxy, you have to redirect your outbound S3 traffic to s3proxy. -This can either be done by modifying your client application or by changing the deployment of your application. - -The necessary deployment modifications are to add DNS redirection and a trusted TLS certificate to the client's trust store. -DNS redirection can be defined for each pod, allowing you to use s3proxy for one application without changing other applications in the same cluster. -Adding a trusted TLS certificate is necessary as clients communicate with s3proxy via HTTPS. -To have your client application trust s3proxy's TLS certificate, the certificate has to be added to the client's certificate trust store. -The [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example shows how to do this. 
diff --git a/docs/versioned_docs/version-2.22/workflows/sbom.md b/docs/versioned_docs/version-2.22/workflows/sbom.md
deleted file mode 100644
index 6c1702dee..000000000
--- a/docs/versioned_docs/version-2.22/workflows/sbom.md
+++ /dev/null
@@ -1,93 +0,0 @@ -# Consume software bill of materials (SBOMs) - - - ---- - -Constellation builds produce a [software bill of materials (SBOM)](https://www.ntia.gov/SBOM) for each generated [artifact](../architecture/microservices.md). -You can use SBOMs to make informed decisions about dependencies and vulnerabilities in a given application. Enterprises rely on SBOMs to maintain an inventory of used applications, which allows them to take data-driven approaches to managing risks related to vulnerabilities. - -SBOMs for Constellation are generated using [Syft](https://github.com/anchore/syft), signed using [Cosign](https://github.com/sigstore/cosign), and stored with the produced artifact. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). - -Make sure the key is available in a file named `cosign.pub` to execute the following examples. -::: - -## Verify and download SBOMs - -The following sections detail how to work with each type of artifact to verify and extract the SBOM. - -### Constellation CLI - -The SBOM for Constellation CLI is made available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). The SBOM (`constellation.spdx.sbom`) and corresponding signature (`constellation.spdx.sbom.sig`) are valid for each Constellation CLI for a given version, regardless of architecture and operating system. 
- -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom.sig -cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig constellation.spdx.sbom -``` - -### Container Images - -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/cosign/signing/other_types/#sboms-software-bill-of-materials) and uploaded to the same registry. - -As a consumer, use cosign to download and verify the SBOM: - -```bash -# Verify and download the attestation statement -cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.att.json -# Extract SBOM from attestation statement -jq -r .payload verification-service.att.json | base64 -d > verification-service.cyclonedx.sbom -``` - -A successful verification should result in similar output: - -```shell-session -$ cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.sbom - -Verification for ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 -- -The following checks were performed on each of these signatures: - - The cosign claims were validated - - The signatures were verified against the specified public key -$ jq -r .payload verification-service.sbom | base64 -d > verification-service.cyclonedx.sbom -``` - -:::note - -This example considers only the `verification-service`. The same approach works for all containers in the [Constellation container registry](https://github.com/orgs/edgelesssys/packages?repo_name=constellation). - -::: - - - -## Vulnerability scanning - -You can use a plethora of tools to consume SBOMs. 
This section provides suggestions for tools that are popular and known to produce reliable results, but any tool that consumes [SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) files should work. - -Syft is able to [convert between the two formats](https://github.com/anchore/syft#format-conversion-experimental) in case you require a specific type. - -### Grype - -[Grype](https://github.com/anchore/grype) is a CLI tool that lends itself well for integration into CI/CD systems or local developer machines. It's also able to consume the signed attestation statement directly and does the verification in one go. - -```bash -grype att:verification-service.sbom --key cosign.pub --add-cpes-if-none -q -``` - -### Dependency Track - -[Dependency Track](https://dependencytrack.org/) is one of the oldest and most mature solutions when it comes to managing software inventory and vulnerabilities. Once imported, it continuously scans SBOMs for new vulnerabilities. It supports the CycloneDX format and provides direct guidance on how to comply with [U.S. Executive Order 14028](https://docs.dependencytrack.org/usage/executive-order-14028/). diff --git a/docs/versioned_docs/version-2.22/workflows/scale.md b/docs/versioned_docs/version-2.22/workflows/scale.md deleted file mode 100644 index 28f19e3f1..000000000 --- a/docs/versioned_docs/version-2.22/workflows/scale.md +++ /dev/null 
@@ -1,122 +0,0 @@ -# Scale your cluster - -Constellation provides all features of a Kubernetes cluster including scaling and autoscaling. - -## Worker node scaling - -### Autoscaling - -Constellation comes with autoscaling disabled by default. To enable autoscaling, find the scaling group of -worker nodes: - -```bash -kubectl get scalinggroups -o json | yq '.items | .[] | select(.spec.role == "Worker") | [{"name": .metadata.name, "nodeGoupName": .spec.nodeGroupName}]' -``` - -This will output a list of scaling groups with the corresponding cloud provider name (`name`) and the cloud provider agnostic name of the node group (`nodeGroupName`). - -Then, patch the `autoscaling` field of the scaling group resource with the desired `name` to `true`: - -```bash -# Replace with the name of the scaling group you want to enable autoscaling for -worker_group= -kubectl patch scalinggroups $worker_group --patch '{"spec":{"autoscaling": true}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler now automatically provisions additional worker nodes so that all pods have a place to run. -You can configure the minimum and maximum number of worker nodes in the scaling group by patching the `min` or -`max` fields of the scaling group resource: - -```bash -kubectl patch scalinggroups $worker_group --patch '{"spec":{"max": 5}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler will now never provision more than 5 worker nodes. - -If you want to see the autoscaling in action, try to add a deployment with a lot of replicas, like the -following Nginx deployment. The number of replicas needed to trigger the autoscaling depends on the size of -and count of your worker nodes. 
Wait for the rollout of the deployment to finish and compare the number of -worker nodes before and after the deployment: - -```bash -kubectl create deployment nginx --image=nginx --replicas 150 -kubectl -n kube-system get nodes -kubectl rollout status deployment nginx -kubectl -n kube-system get nodes -``` - -### Manual scaling - -Alternatively, you can manually scale your cluster up or down: - - - - -1. Go to Auto Scaling Groups and select the worker ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-workers`. -3. Go to **settings** and **scaling**. -4. Set the new **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **worker** instance group. -3. Set the new **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. - - - - -## Control-plane node scaling - -Control-plane nodes can **only be scaled manually and only scaled up**! - -To increase the number of control-plane nodes, follow these steps: - - - - -1. Go to Auto Scaling Groups and select the control-plane ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-controlplanes`. -3. Go to **settings** and **scaling**. -4. Set the new (increased) **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **control-plane** instance group. -3. Set the new (increased) **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. 
- - - - -If you scale down the number of control-planes nodes, the removed nodes won't be able to exit the `etcd` cluster correctly. This will endanger the quorum that's required to run a stable Kubernetes control plane.
diff --git a/docs/versioned_docs/version-2.22/workflows/storage.md b/docs/versioned_docs/version-2.22/workflows/storage.md
deleted file mode 100644
index a5c52be90..000000000
--- a/docs/versioned_docs/version-2.22/workflows/storage.md
+++ /dev/null
@@ -1,281 +0,0 @@ -# Use persistent storage - -Persistent storage in Kubernetes requires cloud-specific configuration. -For abstraction of container storage, Kubernetes offers [volumes](https://kubernetes.io/docs/concepts/storage/volumes/), -allowing users to mount storage solutions directly into containers. -The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes. -Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage. - -## Confidential storage - -Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek). -Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT. -However, their encryption takes place in the storage backend and is managed by the CSP. -Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data. - -To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage. - -For more details see [encrypted persistent storage](../architecture/encrypted-storage.md). - -## CSI drivers - -Constellation supports the following drivers, which offer node-level encryption and optional integrity protection. - - - - -**Constellation CSI driver for AWS Elastic Block Store** -Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster. 
-Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information. - - - - -**Constellation CSI driver for Azure Disk**: -Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster. -See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information. -Since Azure Disks are mounted as `ReadWriteOnce`, they're only available to a single pod. - - - - -**Constellation CSI driver for GCP Persistent Disk**: -Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for more information. - - - - -**Constellation CSI driver for STACKIT / OpenStack Cinder** -Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information. - - - - -Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [AWS EFS](https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html), [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction), or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. 
Constellation is just not providing transparent encryption on the node level for these storage types yet. - -## Installation - -The Constellation CLI automatically installs Constellation's CSI driver for the selected CSP in your cluster. -If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file. - - - - -AWS comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -Azure comes with two storage classes by default. 
- -* `encrypted-rwo` - * Uses [Standard SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [Premium SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#premium-ssds) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -GCP comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [standard persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [performance (SSD) persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. 
-If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -STACKIT comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -1. 
Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) - - A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. - It can refer to a storage class. - The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class: - - ```bash - cat < - ---- - -You can terminate your cluster using the CLI. For this, you need the Terraform state directory named [`constellation-terraform`](../reference/terraform.md) in the current directory. - -:::danger - -All ephemeral storage and state of your cluster will be lost. Make sure any data is safely stored in persistent storage. Constellation can recreate your cluster and the associated encryption keys, but won't backup your application data automatically. - -::: - - - -Terminate the cluster by running: - -```bash -constellation terminate -``` - -Or without confirmation (e.g., for automation purposes): - -```bash -constellation terminate --yes -``` - -This deletes all resources created by Constellation in your cloud environment. -All local files created by the `apply` command are deleted as well, except for `constellation-mastersecret.json` and the configuration file. - -:::caution - -Termination can fail if additional resources have been created that depend on the ones managed by Constellation. In this case, you need to delete these additional -resources manually. Just run the `terminate` command again afterward to continue the termination process of the cluster. - -::: - - - -Terminate the cluster by running: - -```bash -terraform destroy -``` - -Delete all files that are no longer needed: - -```bash -rm constellation-state.yaml constellation-admin.conf -``` - -Only the `constellation-mastersecret.json` and the configuration file remain. - - - 
diff --git a/docs/versioned_docs/version-2.22/workflows/terraform-provider.md b/docs/versioned_docs/version-2.22/workflows/terraform-provider.md
deleted file mode 100644
index c7a795d3f..000000000
--- a/docs/versioned_docs/version-2.22/workflows/terraform-provider.md
+++ /dev/null
@@ -1,140 +0,0 @@ -# Use the Terraform provider - -The Constellation Terraform provider allows to manage the full lifecycle of a Constellation cluster (namely creation, upgrades, and deletion) via Terraform. -The provider is available through the [Terraform registry](https://registry.terraform.io/providers/edgelesssys/constellation/latest) and is released in lock-step with Constellation releases. - -## Prerequisites - -- a Linux / Mac operating system (ARM64/AMD64) -- a Terraform installation of version `v1.4.4` or above - -## Quick setup - -This example shows how to set up a Constellation cluster with the reference IAM and infrastructure setup. This setup is also used when creating a Constellation cluster through the Constellation CLI. You can either consume the IAM / infrastructure modules through a remote source (recommended) or local files. The latter requires downloading the infrastructure and IAM modules for the corresponding CSP from `terraform-modules.zip` on the [Constellation release page](https://github.com/edgelesssys/constellation/releases/latest) and placing them in the Terraform workspace directory. - -1. Create a directory (workspace) for your Constellation cluster. - - ```bash - mkdir constellation-workspace - cd constellation-workspace - ``` - -2. Use one of the [example configurations for using the Constellation Terraform provider](https://github.com/edgelesssys/constellation/tree/main/terraform-provider-constellation/examples/full) or create a `main.tf` file and fill it with the resources you want to create. The [Constellation Terraform provider documentation](https://registry.terraform.io/providers/edgelesssys/constellation/latest) offers thorough documentation on the resources and their attributes. -3. Initialize and apply the Terraform configuration. - - - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -:::info -On SEV-SNP, you need to manually patch the policy of the MAA provider before creating the Constellation cluster, as this feature isn't available in Azure's Terraform provider yet. The Constellation CLI provides a utility for patching, but you can also do it manually. - - ```bash - terraform init - terraform apply -target module.azure_iam # adjust resource path if not using the example configuration - terraform apply -target module.azure_infrastructure # adjust resource path if not using the example configuration - constellation maa-patch $(terraform output -raw maa_url) # adjust output path / input if not using the example configuration or manually patch the resource - terraform apply -target constellation_cluster.azure_example # adjust resource path if not using the example configuration - ``` - - Use the following policy if manually performing the patch. - - ``` - version= 1.0; - authorizationrules - { - [type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny(); - [type=="x-ms-azurevm-debuggersdisabled", value==false] => deny(); - // The line below was edited to use the MAA provider within Constellation. Do not edit manually. - //[type=="secureboot", value==false] => deny(); - [type=="x-ms-azurevm-signingdisabled", value==false] => deny(); - [type=="x-ms-azurevm-dbvalidated", value==false] => deny(); - [type=="x-ms-azurevm-dbxvalidated", value==false] => deny(); - => permit(); - }; - issuancerules - { - }; - ``` - -::: - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -4. Connect to the cluster. - - ```bash - terraform output -raw kubeconfig > constellation-admin.conf - export KUBECONFIG=$(realpath constellation-admin.conf) - ``` - -## Bringing your own infrastructure - -Instead of using the example infrastructure used in the [quick setup](#quick-setup), you can also provide your own infrastructure. -If you need a starting point for a custom infrastructure setup, you can download the infrastructure / IAM Terraform modules for the respective CSP from the Constellation [GitHub releases](https://github.com/edgelesssys/constellation/releases). You can modify and extend the modules per your requirements, while keeping the basic functionality intact. 
-The module contains: - -- `{csp}`: cloud resources the cluster runs on -- `iam/{csp}`: IAM resources used within the cluster - -When upgrading your cluster, make sure to check the Constellation release notes for potential breaking changes in the reference infrastructure / IAM modules that need to be considered. - -## Cluster upgrades - -:::tip -Also see the [general documentation on cluster upgrades](./upgrade.md). -::: - -The steps for applying the upgrade are as follows: - -1. Update the version constraint of the Constellation Terraform provider in the `required_providers` block in your Terraform configuration. -2. If you explicitly set any of the version attributes of the provider's resources and data sources (e.g. `image_version` or `constellation_microservice_version`), make sure to update them too. Refer to Constellation's [version support policy](https://github.com/edgelesssys/constellation/blob/main/dev-docs/workflows/versions-support.md) for more information on how each Constellation version and its dependencies are supported. -3. Update the IAM / infrastructure configuration. - - For [remote addresses as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#fetching-archives-over-http), update the version number inside the address of the `source` field of the infrastructure / IAM module to the target version. - - For [local paths as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#local-paths) or when [providing your own infrastructure](#bringing-your-own-infrastructure), see the changes made in the reference modules since the upgrade's origin version and adjust your infrastructure / IAM configuration accordingly. -4. Upgrade the Terraform module and provider dependencies and apply the targeted configuration. - -```bash - terraform init -upgrade - terraform apply -``` 
diff --git a/docs/versioned_docs/version-2.22/workflows/troubleshooting.md b/docs/versioned_docs/version-2.22/workflows/troubleshooting.md
deleted file mode 100644
index 903c829e0..000000000
--- a/docs/versioned_docs/version-2.22/workflows/troubleshooting.md
+++ /dev/null
@@ -1,200 +0,0 @@ -# Troubleshooting - -This section aids you in finding problems when working with Constellation. - -## Common issues - -### Issues with creating new clusters - -When you create a new cluster, you should always use the [latest release](https://github.com/edgelesssys/constellation/releases/latest). -If something doesn't work, check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### Azure: Resource Providers can't be registered - -On Azure, you may receive the following error when running `apply` or `terminate` with limited IAM permissions: - -```shell-session -Error: Error ensuring Resource Providers are registered. - -Terraform automatically attempts to register the Resource Providers it supports to -ensure it's able to provision resources. - -If you don't have permission to register Resource Providers you may wish to use the -"skip_provider_registration" flag in the Provider block to disable this functionality. - -[...] -``` - -To continue, please ensure that the [required resource providers](../getting-started/install.md#required-permissions) have been registered in your subscription by your administrator. - -Afterward, set `ARM_SKIP_PROVIDER_REGISTRATION=true` as an environment variable and either run `apply` or `terminate` again. 
-For example: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation apply -``` - -Or alternatively, for `terminate`: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate -``` - -### Azure: Can't update attestation policy - -On Azure, you may receive the following error when running `apply` from within an Azure environment, e.g., an Azure VM: - -```shell-session -An error occurred: patching policies: updating attestation policy: unexpected status code: 403 Forbidden -``` - -The problem occurs because the Azure SDK we use internally attempts to [authenticate towards the Azure API with the managed identity of your current environment instead of the Azure CLI token](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential). - -We decided not to deviate from this behavior and comply with the ordering of credentials. - -A solution is to add the [required permissions](../getting-started/install.md#required-permissions) to the managed identity of your environment. For example, the managed identity of your Azure VM, instead of the account that you've authenticated with in the Azure CLI. - -If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior. - - - -### Nodes fail to join with error `untrusted measurement value` - -This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice). -This may for example happen if the cloud provider updates the VM's firmware such that it influences the [runtime measurements](../architecture/attestation.md#runtime-measurements) in an unforeseen way. -A failed upgrade due to an erroneous attestation config can also cause this error. -You can change the expected measurements to resolve the failure. 
- -:::caution - -Attestation and trusted measurements are crucial for the security of your cluster. -Be extra careful when manually changing these settings. -When in doubt, check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -:::tip - -During an upgrade with modified attestation config, a backup of the current configuration is stored in the `join-config` config map in the `kube-system` namespace under the `attestationConfig_backup` key. To restore the old attestation config after a failed upgrade, replace the value of `attestationConfig` with the value from `attestationConfig_backup`: - -```bash -kubectl patch configmaps -n kube-system join-config -p "{\"data\":{\"attestationConfig\":\"$(kubectl get configmaps -n kube-system join-config -o "jsonpath={.data.attestationConfig_backup}")\"}}" -``` - -::: - -You can use the `apply` command to change measurements of a running cluster: - -1. Modify the `measurements` key in your local `constellation-conf.yaml` to the expected values. -2. Run `constellation apply`. - -Keep in mind that running `apply` also applies any version changes from your config to the cluster. - -You can run these commands to learn about the versions currently configured in the cluster: - -- Kubernetes API server version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.kubernetesClusterVersion` -- image version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.imageVersion` -- microservices versions: `helm list --filter 'constellation-services' -n kube-system` - -### Upgrading Kubernetes resources fails - -Constellation manages its Kubernetes resources using Helm. 
-When applying an upgrade, the charts that are about to be installed, and a values override file `overrides.yaml`, -are saved to disk in your current workspace under `constellation-upgrade/upgrade-/helm-charts/`. -If upgrading the charts using the Constellation CLI fails, you can review these charts and try to manually apply the upgrade. - -:::caution - -Changing and manually applying the charts may destroy cluster resources and can lead to broken Constellation deployments. -Proceed with caution and when in doubt, -check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -## Diagnosing issues - -### Logs - -To get started on diagnosing issues with Constellation, it's often helpful to collect logs from nodes, pods, or other resources in the cluster. Most logs are available through Kubernetes' standard -[logging interfaces](https://kubernetes.io/docs/concepts/cluster-administration/logging/). - -To debug issues occurring at boot time of the nodes, you can use the serial console interface of the CSP while the machine boots to get a read-only view of the boot logs. - -Apart from that, Constellation also offers further [observability integrations](../architecture/observability.md). - -### Node shell access - -Debugging via a shell on a node is [directly supported by Kubernetes](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#node-shell-session). - -1. Figure out which node to connect to: - - ```bash - kubectl get nodes - # or to see more information, such as IPs: - kubectl get nodes -o wide - ``` - -2. Connect to the node: - - ```bash - kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox - ``` - - You will be presented with a prompt. - - The nodes file system is mounted at `/host`. - -3. 
Once finished, clean up the debug pod: - - ```bash - kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj - ``` - -### Emergency SSH access - -Emergency SSH access to nodes can be useful to diagnose issues or download important data even if the Kubernetes API isn't reachable anymore. - -1. Enter the `constellation-terraform` directory in your Constellation workspace and enable emergency SSH access to the cluster: - - ```bash - cd constellation-terraform - echo "emergency_ssh = true" >> ./terraform.tfvars - terraform apply - ``` - -2. Sign an existing SSH key with your master secret: - - ```bash - cd ../ # go back to your Constellation workspace - constellation ssh --key your_public_key.pub - ``` - - A certificate is written to `constellation_cert.pub`. - - The certificate is valid for 24 hours and enables you to access your Constellation nodes using - [certificate based authentication](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication). - -3. Now you can connect to any Constellation node using your certificate and your private key. - - ```bash - ssh -o CertificateFile=constellation_cert.pub -i root@ - ``` - - Normally, you don't have access to the Constellation nodes since they reside in a private network. - To access those nodes anyways, you can use your Constellation load balancer as a proxy jump host. - For this, use something along the following SSH client configuration: - - ```text - Host - ProxyJump none - - Host * - IdentityFile - PreferredAuthentications publickey - CertificateFile=constellation_cert.pub - User root - ProxyJump - ``` - - With this configuration you can connect to a Constellation node using `ssh -F `. - You can obtain the private node IP and the domain name of the load balancer using your CSP's web UI.
diff --git a/docs/versioned_docs/version-2.22/workflows/trusted-launch.md b/docs/versioned_docs/version-2.22/workflows/trusted-launch.md
deleted file mode 100644
index d6d01d8eb..000000000
--- a/docs/versioned_docs/version-2.22/workflows/trusted-launch.md
+++ /dev/null
@@ -1,54 +0,0 @@ -# Use Azure trusted launch VMs - -Constellation also supports [trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch) on Microsoft Azure. Trusted launch VMs don't offer the same level of security as Confidential VMs, but are available in more regions and in larger quantities. The main difference between trusted launch VMs and normal VMs is that the former offer vTPM-based remote attestation. When used with trusted launch VMs, Constellation relies on vTPM-based remote attestation to verify nodes. - -:::caution - -Trusted launch VMs don't provide runtime encryption and don't keep the cloud service provider (CSP) out of your trusted computing base. - -::: - -Constellation supports trusted launch VMs with instance types `Standard_D*_v4` and `Standard_E*_v4`. Run `constellation config instance-types` for a list of all supported instance types. - -## VM images - -Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription. - -The latest image is available at `https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img`. Simply adjust the version number to download a newer version. - -After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image. -You can use a script to do this: - -```bash -wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh -chmod +x importAzure.sh -AZURE_IMAGE_VERSION=2.2.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./constellation.img ./importAzure.sh -``` - -The script creates the following resources: - -1. A new image gallery with the default name `constellation-import` -2. A new image definition with the default name `constellation` -3. 
The actual image with the provided version. In this case `2.2.0` - -Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`. - -Fetch the image measurements: - -```bash -IMAGE_VERSION=2.2.0 -URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//communitygalleries/constellationcvm-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/$IMAGE_VERSION/measurements.yaml -constellation config fetch-measurements -u$URL -s$URL.sig -``` - -:::info - -The [`constellation apply`](create.md) command will issue a warning because manually imported images aren't recognized as production grade images: - -```shell-session -Configured image doesn't look like a released production image. Double check image before deploying to production. -``` - -Please ignore this warning. - -::: diff --git a/docs/versioned_docs/version-2.22/workflows/upgrade.md b/docs/versioned_docs/version-2.22/workflows/upgrade.md deleted file mode 100644 index 3db2ecad6..000000000 --- a/docs/versioned_docs/version-2.22/workflows/upgrade.md +++ /dev/null 
@@ -1,110 +0,0 @@ -# Upgrade your cluster - -Constellation provides an easy way to upgrade all components of your cluster, without disrupting its availability. -Specifically, you can upgrade the Kubernetes version, the nodes' image, and the Constellation microservices. -You configure the desired versions in your local Constellation configuration and trigger upgrades with the `apply` command. -To learn about available versions you use the `upgrade check` command. -Which versions are available depends on the CLI version you are using. - -## Update the CLI - -Each CLI comes with a set of supported microservice and Kubernetes versions. -Most importantly, a given CLI version can only upgrade a cluster of the previous minor version, but not older ones. -This means that you have to upgrade your CLI and cluster one minor version at a time. - -For example, if you are currently on CLI version v2.6 and the latest version is v2.8, you should - -* upgrade the CLI to v2.7, -* upgrade the cluster to v2.7, -* and only then continue upgrading the CLI (and the cluster) to v2.8 after. - -Also note that if your current Kubernetes version isn't supported by the next CLI version, use your current CLI to upgrade to a newer Kubernetes version first. - -To learn which Kubernetes versions are supported by a particular CLI, run [constellation config kubernetes-versions](../reference/cli.md#constellation-config-kubernetes-versions). - -## Migrate the configuration - -The Constellation configuration file is located in the file `constellation-conf.yaml` in your workspace. -Refer to the [migration reference](../reference/migration.md) to check if you need to update fields in your configuration file. -Use [`constellation config migrate`](../reference/cli.md#constellation-config-migrate) to automatically update an old config file to a new format. 
- -## Check for upgrades - -To learn which versions the current CLI can upgrade to and what's installed in your cluster, run: - -```bash -# Show possible upgrades -constellation upgrade check - -# Show possible upgrades and write them to config file -constellation upgrade check --update-config -``` - -You can either enter the reported target versions into your config manually or run the above command with the `--update-config` flag. -When using this flag, the `kubernetesVersion`, `image`, `microserviceVersion`, and `attestation` fields are overwritten with the smallest available upgrade. - -## Apply the upgrade - -Once you updated your config with the desired versions, you can trigger the upgrade with this command: - -```bash -constellation apply -``` - -Microservice upgrades will be finished within a few minutes, depending on the cluster size. -If you are interested, you can monitor pods restarting in the `kube-system` namespace with your tool of choice. - -Image and Kubernetes upgrades take longer. -For each node in your cluster, a new node has to be created and joined. -The process usually takes up to ten minutes per node. - -When applying an upgrade, the Helm charts for the upgrade as well as backup files of Constellation-managed Custom Resource Definitions, Custom Resources, and Terraform state are created. -You can use the Terraform state backup to restore previous resources in case an upgrade misconfigured or erroneously deleted a resource. -You can use the Custom Resource (Definition) backup files to restore Custom Resources and Definitions manually (e.g., via `kubectl apply`) if the automatic migration of those resources fails. -You can use the Helm charts to manually apply upgrades to the Kubernetes resources, should an upgrade fail. - -:::note - -For advanced users: the upgrade consists of several phases that can be individually skipped through the `--skip-phases` flag. 
-The phases are `infrastracture` for the cloud resource management through Terraform, `helm` for the chart management of the microservices, `image` for OS image upgrades, and `k8s` for Kubernetes version upgrades. - -::: - -## Check the status - -Upgrades are asynchronous operations. -After you run `apply`, it will take a while until the upgrade has completed. -To understand if an upgrade is finished, you can run: - -```bash -constellation status -``` - -This command displays the following information: - -* The installed services and their versions -* The image and Kubernetes version the cluster is expecting on each node -* How many nodes are up to date - -Here's an example output: - -```shell-session -Target versions: - Image: v2.6.0 - Kubernetes: v1.25.8 -Service versions: - Cilium: v1.12.1 - cert-manager: v1.10.0 - constellation-operators: v2.6.0 - constellation-services: v2.6.0 -Cluster status: Some node versions are out of date - Image: 23/25 - Kubernetes: 25/25 -``` - -This output indicates that the cluster is running Kubernetes version `1.25.8`, and all nodes have the appropriate binaries installed. -23 out of 25 nodes have already upgraded to the targeted image version of `2.6.0`, while two are still in progress. - -## Apply further upgrades - -After the upgrade is finished, you can run `constellation upgrade check` again to see if there are more upgrades available. If so, repeat the process. diff --git a/docs/versioned_docs/version-2.22/workflows/verify-cli.md b/docs/versioned_docs/version-2.22/workflows/verify-cli.md deleted file mode 100644 index e33569d37..000000000 --- a/docs/versioned_docs/version-2.22/workflows/verify-cli.md +++ /dev/null 
@@ -1,129 +0,0 @@ -# Verify the CLI - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/cosign/signing/overview/), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at `https://rekor.sigstore.dev`. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). -::: - -The Rekor transparency log is a public append-only ledger that verifies and records signatures and associated metadata. The Rekor transparency log enables everyone to observe the sequence of (software) signatures issued by Edgeless Systems and many other parties. The transparency log allows for the public identification of dubious or malicious signatures. - -You should always ensure that (1) your CLI executable was signed with the private key corresponding to the above public key and that (2) there is a corresponding entry in the Rekor transparency log. Both can be done as described in the following. - -:::info -You don't need to verify the Constellation node images. This is done automatically by your CLI and the rest of Constellation. 
-::: - -## Verify the signature - -:::info -This guide assumes Linux on an amd64 processor. The exact steps for other platforms differ slightly. -::: - -First, [install the Cosign CLI](https://docs.sigstore.dev/cosign/system_config/installation/). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: - -```shell-session -$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -Verified OK -``` - -The above performs an offline verification of the provided public key, signature, and executable. To also verify that a corresponding entry exists in the public Rekor transparency log, add the variable `COSIGN_EXPERIMENTAL=1`: - -```shell-session -$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -tlog entry verified with uuid: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 index: 3477047 -Verified OK -``` - -🏁 You now know that your CLI executable was officially released and signed by Edgeless Systems. - -### Optional: Manually inspect the transparency log - -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) 
- -```shell-session -$ rekor-cli search --artifact constellation-linux-amd64 - -Found matching entries (listed by UUID): -362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -``` - -With this UUID you can get the full entry from the transparency log: - -```shell-session -$ rekor-cli get --uuid=362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 - -LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d -Index: 3477047 -IntegratedTime: 2022-09-12T22:28:16Z -UUID: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -Body: { - "HashedRekordObj": { - "data": { - "hash": { - "algorithm": "sha256", - "value": "40e137b9b9b8204d672642fd1e181c6d5ccb50cfc5cc7fcbb06a8c2c78f44aff" - } - }, - "signature": { - "content": "MEUCIQCSER3mGj+j5Pr2kOXTlCIHQC3gT30I7qkLr9Awt6eUUQIgcLUKRIlY50UN8JGwVeNgkBZyYD8HMxwC/LFRWoMn180=", - "publicKey": { - "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZjhGMWhwbXdFK1lDRlh6akd0YVFjckw2WFpWVApKbUVlNWlTTHZHMVN5UVNBZXc3V2RNS0Y2bzl0OGUyVEZ1Q2t6bE9oaGx3czJPSFdiaUZabkZXQ0Z3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" - } - } - } -} -``` - -The field `publicKey` should contain Edgeless Systems' public key in Base64 encoding. - -You can get an exhaustive list of artifact signatures issued by Edgeless Systems via the following command: - -```bash -rekor-cli search --public-key https://edgeless.systems/es.pub --pki-format x509 -``` - -Edgeless Systems monitors this list to detect potential unauthorized use of its private key. - -## Verify the provenance - -Provenance attests that a software artifact was produced by a specific repository and build system invocation. For more information on provenance visit [slsa.dev](https://slsa.dev/provenance/v0.2) and learn about the [adoption of SLSA for Constellation](../reference/slsa.md). 
- -Just as checking its signature proves that the CLI hasn't been manipulated, checking the provenance proves that the artifact was produced by the expected build process and hasn't been tampered with. - -To verify the provenance, first install the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Then make sure you have the provenance file (`constellation.intoto.jsonl`) and Constellation CLI downloaded. Both are available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). - -:::info -The same provenance file is valid for all Constellation CLI executables of a given version independent of the target platform. -::: - -Use the verifier to perform the check: - -```shell-session -$ slsa-verifier verify-artifact constellation-linux-amd64 \ - --provenance-path constellation.intoto.jsonl \ - --source-uri github.com/edgelesssys/constellation - -Verified signature against tlog entry index 7771317 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77af2c04c8b4ae0d5bc5... -Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2 at commit 18e9924b416323c37b9cdfd6cc728de8a947424a -PASSED: Verified SLSA provenance -``` diff --git a/docs/versioned_docs/version-2.22/workflows/verify-cluster.md b/docs/versioned_docs/version-2.22/workflows/verify-cluster.md deleted file mode 100644 index b6595ebf2..000000000 --- a/docs/versioned_docs/version-2.22/workflows/verify-cluster.md +++ /dev/null 
@@ -1,97 +0,0 @@ -# Verify your cluster - -Constellation's [attestation feature](../architecture/attestation.md) allows you, or a third party, to verify the integrity and confidentiality of your Constellation cluster. - -## Fetch measurements - -To verify the integrity of Constellation you need trusted measurements to verify against. For each node image released by Edgeless Systems, there are signed measurements, which you can download using the CLI: - -```bash -constellation config fetch-measurements -``` - -This command performs the following steps: - -1. Download the signed measurements for the configured image. By default, this will use Edgeless Systems' public measurement registry. -2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub). -3. Write measurements into configuration file. - -The configuration file then contains a list of `measurements` similar to the following: - -```yaml -# ... -measurements: - 0: - expected: "0f35c214608d93c7a6e68ae7359b4a8be5a0e99eea9107ece427c4dea4e439cf" - warnOnly: false - 4: - expected: "02c7a67c01ec70ffaf23d73a12f749ab150a8ac6dc529bda2fe1096a98bf42ea" - warnOnly: false - 5: - expected: "e6949026b72e5045706cd1318889b3874480f7a3f7c5c590912391a2d15e6975" - warnOnly: true - 8: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 9: - expected: "f0a6e8601b00e2fdc57195686cd4ef45eb43a556ac1209b8e25d993213d68384" - warnOnly: false - 11: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 12: - expected: "da99eb6cf7c7fbb692067c87fd5ca0b7117dc293578e4fea41f95d3d3d6af5e2" - warnOnly: false - 13: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 14: - expected: "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" - warnOnly: true - 15: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - 
warnOnly: false -# ... -``` - -Each entry specifies the expected value of the Constellation node, and whether the measurement should be enforced (`warnOnly: false`), or only a warning should be logged (`warnOnly: true`). -By default, the subset of the [available measurements](../architecture/attestation.md#runtime-measurements) that can be locally reproduced and verified is enforced. - -During attestation, the validating side (CLI or [join service](../architecture/microservices.md#joinservice)) compares each measurement reported by the issuing side (first node or joining node) individually. -For mismatching measurements that have set `warnOnly` to `true` only a warning is emitted. -For mismatching measurements that have set `warnOnly` to `false` an error is emitted and attestation fails. -If attestation fails for a new node, it isn't permitted to join the cluster. - -## The *verify* command - -:::note -The steps below are purely optional. They're automatically executed by `constellation apply` when you initialize your cluster. The `constellation verify` command mostly has an illustrative purpose. -::: - -The `verify` command obtains and verifies an attestation statement from a running Constellation cluster. - -```bash -constellation verify [--cluster-id ...] -``` - -From the attestation statement, the command verifies the following properties: - -* The cluster is using the correct Confidential VM (CVM) type. -* Inside the CVMs, the correct node images are running. The node images are identified through the measurements obtained in the previous step. -* The unique ID of the cluster matches the one from your `constellation-state.yaml` file or passed in via `--cluster-id`. - -Once the above properties are verified, you know that you are talking to the right Constellation cluster and it's in a good and trustworthy shape. - -### Custom arguments - -The `verify` command also allows you to verify any Constellation deployment that you have network access to. 
For this you need the following: - -* The IP address of a running Constellation cluster's [VerificationService](../architecture/microservices.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`. -* The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details. -* A `constellation-conf.yaml` file with the expected measurements of the cluster in your working directory. - -For example: - -```shell-session -constellation verify -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ= -``` diff --git a/docs/versioned_docs/version-2.23/_media/SLSA-Badge-full-level3.svg b/docs/versioned_docs/version-2.23/_media/SLSA-Badge-full-level3.svg deleted file mode 100644 index 7154d4a13..000000000 --- a/docs/versioned_docs/version-2.23/_media/SLSA-Badge-full-level3.svg +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_bw.png b/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_bw.png deleted file mode 100644 index a82ebe2d0..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_bw.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_iops.png b/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_iops.png deleted file mode 100644 index 1723257a8..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_iops.png and /dev/null differ 
diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_bw.png b/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_bw.png deleted file mode 100644 index 4f0ecc94b..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_bw.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_iops.png b/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_iops.png deleted file mode 100644 index 571086da2..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_iops.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_azure.png b/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_azure.png deleted file mode 100644 index 9130349c7..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_azure.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_gcp.png b/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_gcp.png deleted file mode 100644 index a41557e96..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_gcp.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_azure.png b/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_azure.png deleted file mode 100644 index d83e17f5a..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_azure.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_gcp.png b/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_gcp.png deleted file mode 100644 index 55916a1de..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_gcp.png and /dev/null differ 
diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/max_latency.png b/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/max_latency.png deleted file mode 100644 index 696250181..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/max_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/mean_latency.png b/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/mean_latency.png deleted file mode 100644 index 3b43298ac..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/mean_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/min_latency.png b/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/min_latency.png deleted file mode 100644 index 1046df67e..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/min_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/p99_latency.png b/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/p99_latency.png deleted file mode 100644 index 0190118b2..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/p99_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/concept-constellation.svg b/docs/versioned_docs/version-2.23/_media/concept-constellation.svg deleted file mode 100644 index 30d32bf6d..000000000 --- a/docs/versioned_docs/version-2.23/_media/concept-constellation.svg +++ /dev/null @@ -1,460 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.23/_media/concept-managed.svg b/docs/versioned_docs/version-2.23/_media/concept-managed.svg deleted file mode 100644 index 5645a608f..000000000 --- a/docs/versioned_docs/version-2.23/_media/concept-managed.svg +++ /dev/null @@ -1,591 +0,0 @@ - - 
diff --git a/docs/versioned_docs/version-2.23/_media/constellation_oneline.svg b/docs/versioned_docs/version-2.23/_media/constellation_oneline.svg deleted file mode 100644 index 4e354958a..000000000 --- a/docs/versioned_docs/version-2.23/_media/constellation_oneline.svg +++ /dev/null @@ -1,52 +0,0 @@ - - - - - - - - diff --git a/docs/versioned_docs/version-2.23/_media/example-emojivoto.jpg b/docs/versioned_docs/version-2.23/_media/example-emojivoto.jpg deleted file mode 100644 index 4be0d5b26..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/example-emojivoto.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/example-online-boutique.jpg b/docs/versioned_docs/version-2.23/_media/example-online-boutique.jpg deleted file mode 100644 index 026f0d865..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/example-online-boutique.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/recovery-gcp-serial-console-link.png b/docs/versioned_docs/version-2.23/_media/recovery-gcp-serial-console-link.png deleted file mode 100644 index eb67f0e99..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/recovery-gcp-serial-console-link.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/tcb.svg b/docs/versioned_docs/version-2.23/_media/tcb.svg deleted file mode 100644 index e5bcb5b95..000000000 --- a/docs/versioned_docs/version-2.23/_media/tcb.svg +++ /dev/null @@ -1,535 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.23/architecture/attestation.md b/docs/versioned_docs/version-2.23/architecture/attestation.md deleted file mode 100644 index 9bd157460..000000000 --- a/docs/versioned_docs/version-2.23/architecture/attestation.md +++ /dev/null 
@@ -1,409 +0,0 @@
-# Attestation
-
-This page explains Constellation's attestation process and highlights the cornerstones of its trust model.
-
-## Terms
-
-The following lists terms and concepts that help to understand the attestation concept of Constellation.
-
-### Trusted Platform Module (TPM)
-
-A TPM chip is a dedicated tamper-resistant crypto-processor.
-It can securely store artifacts such as passwords, certificates, encryption keys, or *runtime measurements* (more on this below).
-When a TPM is implemented in software, it's typically called a *virtual* TPM (vTPM).
-
-### Runtime measurement
-
-A runtime measurement is a cryptographic hash of the memory pages of a so called *runtime component*. Runtime components of interest typically include a system's bootloader or OS kernel.
-
-### Platform Configuration Register (PCR)
-
-A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties.
-To store a new value in a PCR, the existing value is extended with a new value as follows:
-
-```
-PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend )
-```
-
-The PCRs are typically used to store runtime measurements.
-The new value of a PCR is always an extension of the existing value.
-Thus, storing the measurements of multiple components into the same PCR irreversibly links them together.
-
-### Measured boot
-
-Measured boot builds on the concept of chained runtime measurements.
-Each component in the boot chain loads and measures the next component into the PCR before executing it.
-By comparing the resulting PCR values against trusted reference values, the integrity of the entire boot chain and thereby the running system can be ensured.
-
-### Remote attestation (RA)
-
-Remote attestation is the process of verifying certain properties of an application or platform, such as integrity and confidentiality, from a remote location.
-In the case of a measured boot, the goal is to obtain a signed attestation statement on the PCR values of the boot measurements.
-The statement can then be verified and compared to a set of trusted reference values.
-This way, the integrity of the platform can be ensured before sharing secrets with it.
-
-### Confidential virtual machine (CVM)
-
-Confidential computing (CC) is the protection of data in-use with hardware-based trusted execution environments (TEEs).
-With CVMs, TEEs encapsulate entire virtual machines and isolate them against the hypervisor, other VMs, and direct memory access.
-After loading the initial VM image into encrypted memory, the hypervisor calls for a secure processor to measure these initial memory pages.
-The secure processor locks these pages and generates an attestation report on the initial page measurements.
-CVM memory pages are encrypted with a key that resides inside the secure processor, which makes sure only the guest VM can access them.
-The attestation report is signed by the secure processor and can be verified using remote attestation via the certificate authority of the hardware vendor.
-Such an attestation statement guarantees the confidentiality and integrity of a CVM.
-
-### Attested TLS (aTLS)
-
-In a CC environment, attested TLS (aTLS) can be used to establish secure connections between two parties using the remote attestation features of the CC components.
-
-aTLS modifies the TLS handshake by embedding an attestation statement into the TLS certificate.
-Instead of relying on a certificate authority, aTLS uses this attestation statement to establish trust in the certificate.
-
-The protocol can be used by clients to verify a server certificate, by a server to verify a client certificate, or for mutual verification (mutual aTLS).
-
-## Overview
-
-The challenge for Constellation is to lift a CVM's attestation statement to the Kubernetes software layer and make it end-to-end verifiable.
-From there, Constellation needs to expand the attestation from a single CVM to the entire cluster.
-
-The [*JoinService*](microservices.md#joinservice) and [*VerificationService*](microservices.md#verificationservice) are where all runs together.
-Internally, the *JoinService* uses remote attestation to securely join CVM nodes to the cluster.
-Externally, the *VerificationService* provides an attestation statement for the cluster's CVMs and configuration.
-
-The following explains the details of both steps.
-
-## Node attestation
-
-The idea is that Constellation nodes should have verifiable integrity from the CVM hardware measurement up to the Kubernetes software layer.
-The solution is a verifiable boot chain and an integrity-protected runtime environment.
-
-Constellation uses measured boot within CVMs, measuring each component in the boot process before executing it.
-Outside of CC, this is usually implemented via TPMs.
-CVM technologies differ in how they implement runtime measurements, but the general concepts are similar to those of a TPM.
-For simplicity, TPM terminology like *PCR* is used in the following.
-
-When a Constellation node image boots inside a CVM, measured boot is used for all stages and components of the boot chain.
-This process goes up to the root filesystem.
-The root filesystem is mounted read-only with integrity protection.
-For the details on the image and boot stages see the [image architecture](../architecture/images.md) documentation.
-Any changes to the image will inevitably also change the corresponding PCR values.
-To create a node attestation statement, the Constellation image obtains a CVM attestation statement from the hardware.
-This includes the runtime measurements and thereby binds the measured boot results to the CVM hardware measurement.
-
-In addition to the image measurements, Constellation extends a PCR during the [initialization phase](../workflows/create.md) that irrevocably marks the node as initialized.
-The measurement is created using the [*clusterID*](../architecture/keys.md#cluster-identity), tying all future attestation statements to this ID.
-Thereby, an attestation statement is unique for every cluster and a node can be identified unambiguously as being initialized.
-
-To verify an attestation, the hardware's signature and a statement are verified first to establish trust in the contained runtime measurements.
-If successful, the measurements are verified against the trusted values of the particular Constellation release version.
-Finally, the measurement of the *clusterID* can be compared by calculating it with the [master secret](keys.md#master-secret).
-
-### Runtime measurements
-
-Constellation uses runtime measurements to implement the measured boot approach.
-As stated above, the underlying hardware technology and guest firmware differ in their implementations of runtime measurements.
-The following gives a detailed description of the available measurements in the different cloud environments.
-
-The runtime measurements consist of two types of values:
-
-* **Measurements produced by the cloud infrastructure and firmware of the CVM**:
-These are measurements of closed-source firmware and other values controlled by the cloud provider.
-While not being reproducible for the user, some of them can be compared against previously observed values.
-Others may change frequently and aren't suitable for verification.
-The [signed image measurements](#chain-of-trust) include measurements that are known, previously observed values.
-
-* **Measurements produced by the Constellation bootloader and boot chain**:
-The Constellation Bootloader takes over from the CVM firmware and [measures the rest of the boot chain](images.md).
-The Constellation [Bootstrapper](microservices.md#bootstrapper) is the first user mode component that runs in a Constellation image.
-It extends PCR registers with the [IDs](keys.md#cluster-identity) of the cluster marking a node as initialized.
-
-Constellation allows to specify in the config which measurements should be enforced during the attestation process.
-Enforcing non-reproducible measurements controlled by the cloud provider means that changes in these values require manual updates to the cluster's config.
-By default, Constellation only enforces measurements that are stable values produced by the infrastructure or by Constellation directly.
-
-
-
-
-Constellation uses the [vTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) (NitroTPM) feature of the [AWS Nitro System](http://aws.amazon.com/ec2/nitro/) on AWS for runtime measurements.
-
-The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification.
-The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot).
-
-The following table lists all PCR values of the vTPM and the measured components.
-It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable.
-The latter means that the value can be generated offline and compared to the one in the vTPM.
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | AWS | No | -| 1 | Firmware | AWS | No | -| 2 | Firmware | AWS | No | -| 3 | Firmware | AWS | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | AWS, Constellation Bootloader | Yes | -| 5 | Firmware | AWS | No | -| 6 | Firmware | AWS | No | -| 7 | Secure Boot Policy | AWS, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm) feature of Azure CVMs for runtime measurements. -This vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [measured boot](https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation#measured-boot) verification that's based on the trusted launch feature of [Trusted Launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | Azure | No | -| 1 | Firmware | Azure | No | -| 2 | Firmware | Azure | No | -| 3 | Firmware | Azure | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | Azure, Constellation Bootloader | Yes | -| 5 | Reserved | Azure | No | -| 6 | VM Unique ID | Azure | No | -| 7 | Secure Boot State | Azure, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) feature of CVMs on GCP for runtime measurements. -Note that this vTPM doesn't run inside the hardware-protected CVM context, but is emulated by the hypervisor. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [launch attestation report](https://cloud.google.com/compute/confidential-vm/docs/monitoring#about_launch_attestation_report_events) that's based on the measured boot feature of [Shielded VMs](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#measured-boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. 
-The latter means that the value can be generated offline and compared to the one in the vTPM. - -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | CVM version and technology | GCP | No | -| 1 | Firmware | GCP | No | -| 2 | Firmware | GCP | No | -| 3 | Firmware | GCP | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | GCP, Constellation Bootloader | Yes | -| 5 | Disk GUID partition table | GCP | No | -| 6 | Disk GUID partition table | GCP | No | -| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses a hypervisor-based vTPM for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | STACKIT | No | -| 1 | Firmware | STACKIT | No | -| 2 | Firmware | STACKIT | No | -| 3 | Firmware | STACKIT | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | STACKIT, Constellation Bootloader | Yes | -| 5 | Firmware | STACKIT | No | -| 6 | Firmware | STACKIT | No | -| 7 | Secure Boot Policy | STACKIT, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -### CVM verification - -To verify the integrity of the received attestation statement, a chain of trust from the CVM technology to the interface providing the statement has to be established. -For verification of the CVM technology, Constellation may expose additional options in its config file. - - - - -On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. 
-
-* AMD Root Key Certificate
-
- This certificate is the root of trust for verifying the SEV-SNP certificate chain.
-
-* AMD Signing Key Certificate
-
- This is the intermediate certificate for verifying the SEV-SNP report's signature.
- If it's not specified, the CLI fetches it from the AMD key distribution server.
-
-
-
-
-On Azure, AMD SEV-SNP is used to provide runtime encryption to the VMs.
-An SEV-SNP attestation report is used to establish trust in the vTPM running inside the VM.
-You may customize certain parameters for verification of the attestation statement using the Constellation config file.
-
-* TCB versions
-
- You can set the minimum version numbers of components in the SEV-SNP TCB.
- Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster.
- Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster.
-
-* AMD Root Key Certificate
-
- This certificate is the root of trust for verifying the SEV-SNP certificate chain.
-
-* Firmware Signer
-
- This config option allows you to specify how the firmware signer should be verified.
- More explicitly, it controls the verification of the `IDKeyDigest` value in the SEV-SNP attestation report.
- You can provide a list of accepted key digests and specify a policy on how this list is compared against the reported `IDKeyDigest`.
-
-
-
-
-On GCP, AMD SEV-SNP is used to provide runtime encryption to the VMs.
-An SEV-SNP attestation report is used to establish trust in the VM.
-You may customize certain parameters for verification of the attestation statement using the Constellation config file.
-
-* TCB versions
-
- You can set the minimum version numbers of components in the SEV-SNP TCB.
- Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster.
- Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster.
-
-* AMD Root Key Certificate
-
- This certificate is the root of trust for verifying the SEV-SNP certificate chain.
-
-* AMD Signing Key Certificate
-
- This is the intermediate certificate for verifying the SEV-SNP report's signature.
- If it's not specified, the CLI fetches it from the AMD key distribution server.
-
-
-
-
-On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs.
-The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements).
-There is no additional configuration available for STACKIT.
-
-
-
-
-## Cluster attestation
-
-Cluster-facing, Constellation's [*JoinService*](microservices.md#joinservice) verifies each node joining the cluster given the configured ground truth runtime measurements.
-User-facing, the [*VerificationService*](microservices.md#verificationservice) provides an interface to verify a node using remote attestation.
-By verifying the first node during the [initialization](microservices.md#bootstrapper) and configuring the ground truth measurements that are subsequently enforced by the *JoinService*, the whole cluster is verified in a transitive way.
-
-### Cluster-facing attestation
-
-The *JoinService* is provided with the runtime measurements of the whitelisted Constellation image version as the ground truth.
-During the initialization and the cluster bootstrapping, each node connects to the *JoinService* using [aTLS](#attested-tls-atls).
-During the handshake, the node transmits an attestation statement including its runtime measurements.
-The *JoinService* verifies that statement and compares the measurements against the ground truth.
-For details of the initialization process check the [microservice descriptions](microservices.md).
-
-After the initialization, every node updates its runtime measurements with the *clusterID* value, marking it irreversibly as initialized.
-When an initialized node tries to join another cluster, its measurements inevitably mismatch the measurements of an uninitialized node and it will be declined.
-
-### User-facing attestation
-
-The [*VerificationService*](microservices.md#verificationservice) provides an endpoint for obtaining its hardware-based remote attestation statement, which includes the runtime measurements.
-A user can [verify](../workflows/verify-cluster.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy.
-
-## Putting it all together
-
-This section puts the aforementioned concepts together and illustrate how trust into a Constellation cluster is established and maintained.
-
-### CLI and node images
-
-It all starts with the CLI executable. The CLI is signed by Edgeless Systems. To ensure non-repudiability for CLI releases, Edgeless Systems publishes corresponding signatures to the public ledger of the [sigstore project](https://www.sigstore.dev/). There's a [step-by-step guide](../workflows/verify-cli.md) on how to verify CLI signatures based on sigstore.
-
-The CLI contains the latest runtime measurements of the Constellation node image for all supported cloud platforms. In case a different version of the node image is to be used, the corresponding runtime measurements can be fetched using the CLI's [fetch-measurements command](../reference/cli.md#constellation-config-fetch-measurements). This command downloads the runtime measurements and the corresponding signature from cdn.confidential.cloud.
See for example the following files corresponding to node image v2.16.3:
-
-* [Measurements](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json)
-* [Signature](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json.sig)
-
-The CLI contains the long-term public key of Edgeless Systems to verify the signature of downloaded runtime measurements.
-
-### Cluster creation
-
-When a cluster is [created](../workflows/create.md), the CLI automatically verifies the runtime measurements of the *first node* using remote attestation. Based on this, the CLI and the first node set up a temporary TLS connection. This [aTLS](#attested-tls-atls) connection is used for two things:
-
-1. The CLI sends the [master secret](../architecture/keys.md#master-secret) of the to-be-created cluster to the CLI. The master secret is generated by the first node.
-2. The first node sends a [kubeconfig file](https://www.redhat.com/sysadmin/kubeconfig) with Kubernetes credentials to the CLI.
-
-After this, the aTLS connection is closed and the first node bootstraps the Kubernetes cluster. All subsequent interactions between the CLI and the cluster go via the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/) server running inside the cluster. The CLI (and other tools like kubectl) use the credentials referenced by the kubeconfig file to authenticate themselves towards the Kubernetes API server and to establish a mTLS connection.
-
-The CLI connects to the Kubernetes API to write the runtime measurements for the applicable node image to etcd. The JoinService uses these runtime measurements to verify all nodes that join the cluster subsequently.
-
-### Chain of trust
-
-In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the cluster via the CLI. This is illustrated in the following diagram.
- -```mermaid -flowchart LR - A[User]-- "verifies" -->B[CLI] - B[CLI]-- "verifies" -->C([Runtime measurements]) - D[Edgeless Systems]-- "signs" -->B[CLI] - D[Edgeless Systems]-- "signs" -->C([Runtime measurements]) - B[CLI]-- "verifies (remote attestation)" -->E[First node] - E[First node]-- "verifies (remote attestation)" -->F[Other nodes] - C([Runtime measurements]) -.-> E[First node] - C([Runtime measurements]) -.-> F[Other nodes] -``` - -### Upgrades - -Whenever a cluster is [upgraded](../workflows/upgrade.md) to a new version of the node image, the CLI sends the corresponding runtime measurements via the Kubernetes API server. The new runtime measurements are stored in etcd within the cluster and replace any previous runtime measurements. The new runtime measurements are then used automatically by the JoinService for the verification of new nodes. - -## References - -[^1]: Linux IMA produces runtime measurements of user-space binaries. -However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value. -Instead, a policy engine must be used to verify the TPM event log against a policy. diff --git a/docs/versioned_docs/version-2.23/architecture/encrypted-storage.md b/docs/versioned_docs/version-2.23/architecture/encrypted-storage.md deleted file mode 100644 index f047fa4a9..000000000 --- a/docs/versioned_docs/version-2.23/architecture/encrypted-storage.md +++ /dev/null 
@@ -1,62 +0,0 @@
-# Encrypted persistent storage
-
-Confidential VMs provide runtime memory encryption to protect data in use.
-In the context of Kubernetes, this is sufficient for the confidentiality and integrity of stateless services.
-Consider a front-end web server, for example, that keeps all connection information cached in main memory.
-No sensitive data is ever written to an insecure medium.
-However, many real-world applications need some form of state or data-lake service that's connected to a persistent storage device and requires encryption at rest.
-As described in [Use persistent storage](../workflows/storage.md), cloud service providers (CSPs) use the container storage interface (CSI) to make their storage solutions available to Kubernetes workloads.
-These CSI storage solutions often support some sort of encryption.
-For example, Google Cloud [encrypts data at rest by default](https://cloud.google.com/security/encryption/default-encryption), without any action required by the customer.
-
-## Cloud provider-managed encryption
-
-CSP-managed storage solutions encrypt the data in the cloud backend before writing it physically to disk.
-In the context of confidential computing and Constellation, the CSP and its managed services aren't trusted.
-Hence, cloud provider-managed encryption protects your data from offline hardware access to physical storage devices.
-It doesn't protect it from anyone with infrastructure-level access to the storage backend or a malicious insider in the cloud platform.
-Even with "bring your own key" or similar concepts, the CSP performs the encryption process with access to the keys and plaintext data.
-
-In the security model of Constellation, securing persistent storage and thereby data at rest requires that all cryptographic operations are performed inside a trusted execution environment.
-Consequently, using CSP-managed encryption of persistent storage usually isn't an option.
-
-## Constellation-managed encryption
-
-Constellation provides CSI drivers for storage solutions in all major clouds with built-in encryption support.
-Block storage provisioned by the CSP is [mapped](https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html) using the [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html), and optionally the [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html), kernel modules, before it's formatted and accessed by the Kubernetes workloads.
-All cryptographic operations happen inside the trusted environment of the confidential Constellation node.
-
-Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.
-
-By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](microservices.md#keyservice).
-The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret).
-This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator.
-
-Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs.
-
-Refer to [keys and cryptography](keys.md) for more details on key management in Constellation.
-
-Once deployed and configured, the CSI driver ensures transparent encryption and integrity of all persistent volumes provisioned via its storage class.
-Data at rest is secured without any additional actions required by the developer.
-
-## Cryptographic algorithms
-
-This section gives an overview of the libraries, cryptographic algorithms, and their configurations, used in Constellation's CSI drivers.
-
-### dm-crypt
-
-To interact with the dm-crypt kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/).
-New devices are formatted as [LUKS2](https://gitlab.com/cryptsetup/LUKS2-docs/-/tree/master) partitions with a sector size of 4096 bytes.
-The used key derivation function is [Argon2id](https://datatracker.ietf.org/doc/html/rfc9106) with the [recommended parameters for memory-constrained environments](https://datatracker.ietf.org/doc/html/rfc9106#section-7.4) of 3 iterations and 64 MiB of memory, utilizing 4 parallel threads.
-For encryption Constellation uses AES in XTS-Plain64. The key size is 512 bit.
-
-### dm-integrity
-
-To interact with the dm-integrity kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/).
-When enabled, the used data integrity algorithm is [HMAC](https://datatracker.ietf.org/doc/html/rfc2104) with SHA256 as the hash function.
-The tag size is 32 Bytes.
-
-## Encrypted S3 object storage
-
-Constellation comes with a service that you can use to transparently retrofit client-side encryption to existing applications that use S3 (AWS or compatible) for storage.
-To learn more, check out the [s3proxy documentation](../workflows/s3proxy.md).
diff --git a/docs/versioned_docs/version-2.23/architecture/images.md b/docs/versioned_docs/version-2.23/architecture/images.md
deleted file mode 100644
index 8a9c51d36..000000000
--- a/docs/versioned_docs/version-2.23/architecture/images.md
+++ /dev/null
@@ -1,49 +0,0 @@ -# Constellation images - -Constellation uses a minimal version of Fedora as the operating system running inside confidential VMs. This Linux distribution is optimized for containers and designed to be stateless. -The Constellation images provide measured boot and an immutable filesystem. - -## Measured boot - -```mermaid -flowchart LR - Firmware --> Bootloader - Bootloader --> uki - subgraph uki[Unified Kernel Image] - Kernel[Kernel] - initramfs[Initramfs] - cmdline[Kernel Command Line] - end - uki --> rootfs[Root Filesystem] -``` - -Measured boot uses a Trusted Platform Module (TPM) to measure every part of the boot process. This allows for verification of the integrity of a running system at any point in time. To ensure correct measurements of every stage, each stage is responsible to measure the next stage before transitioning. - -### Firmware - -With confidential VMs, the firmware is the root of trust and is measured automatically at boot. After initialization, the firmware will load and measure the bootloader before executing it. - -### Bootloader - -The bootloader is the first modifiable part of the boot chain. The bootloader is tasked with loading the kernel, initramfs and setting the kernel command line. The Constellation bootloader measures these components before starting the kernel. - -### initramfs - -The initramfs is a small filesystem loaded to prepare the actual root filesystem. The Constellation initramfs maps the block device containing the root filesystem with [dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html). The initramfs then mounts the root filesystem from the mapped block device. - -dm-verity provides integrity checking using a cryptographic hash tree. When a block is read, its integrity is checked by verifying the tree against a trusted root hash. The initramfs reads this root hash from the previously measured kernel command line. 
Thus, if any block of the root filesystem's device is modified on disk, trying to read the modified block will result in a kernel panic at runtime.
-
-After mounting the root filesystem, the initramfs will switch over and start the `init` process of the integrity-protected root filesystem.
-
-## State disk
-
-In addition to the read-only root filesystem, each Constellation node has a disk for storing state data.
-This disk is mounted readable and writable by the initramfs and contains data that should persist across reboots.
-Such data can contain sensitive information and, therefore, must be stored securely.
-To that end, the state disk is protected by authenticated encryption.
-See the section on [keys and encryption](keys.md#storage-encryption) for more information on the cryptographic primitives in use.
-
-## Kubernetes components
-
-During initialization, the [*Bootstrapper*](microservices.md#bootstrapper) downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) as configured by the user.
-They're stored on the state partition and can be updated once new releases need to be installed.
diff --git a/docs/versioned_docs/version-2.23/architecture/keys.md b/docs/versioned_docs/version-2.23/architecture/keys.md
deleted file mode 100644
index 49821cd0b..000000000
--- a/docs/versioned_docs/version-2.23/architecture/keys.md
+++ /dev/null
@@ -1,130 +0,0 @@
-# Key management and cryptographic primitives
-
-Constellation protects and isolates your cluster and workloads.
-To that end, cryptography is the foundation that ensures the confidentiality and integrity of all components.
-Evaluating the security and compliance of Constellation requires a precise understanding of the cryptographic primitives and keys used.
-The following gives an overview of the architecture and explains the technical details.
-
-## Confidential VMs
-
-Confidential VM (CVM) technology comes with hardware and software components for memory encryption, isolation, and remote attestation.
-For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories.
-
-## Master secret
-
-The master secret is the cryptographic material used for deriving the [*clusterID*](#cluster-identity) and the *key encryption key (KEK)* for [storage encryption](#storage-encryption).
-It's generated during the bootstrapping of a Constellation cluster.
-It can either be managed by [Constellation](#constellation-managed-key-management) or an [external key management system](#user-managed-key-management).
-In case of [recovery](#recovery-and-migration), the master secret allows to decrypt the state and recover a Constellation cluster.
-
-## Cluster identity
-
-The identity of a Constellation cluster is represented by cryptographic [measurements](attestation.md#runtime-measurements):
-
-The **base measurements** represent the identity of a valid, uninitialized Constellation node.
-They depend on the node image, but are otherwise the same for every Constellation cluster.
-On node boot, they're determined using the CVM's attestation mechanism and [measured boot up to the read-only root filesystem](images.md).
-
-The **clusterID** represents the identity of a single initialized Constellation cluster.
-It's derived from the master secret and a cryptographically random salt and unique for every Constellation cluster.
-The [Bootstrapper](microservices.md#bootstrapper) measures the *clusterID* into its own PCR before executing any code not measured as part of the *base measurements*.
-See [Node attestation](attestation.md#node-attestation) for details.
-
-The remote attestation statement of a Constellation cluster combines the *base measurements* and the *clusterID* for a verifiable, unspoofable, unique identity.
-
-## Network encryption
-
-Constellation encrypts all cluster network communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-See [network encryption](networking.md) for more details.
-
-The Cilium agent running on each node establishes a secure [WireGuard](https://www.wireguard.com/) tunnel between it and all other known nodes in the cluster.
-Each node creates its own [Curve25519](http://cr.yp.to/ecdh.html) encryption key pair and distributes its public key via Kubernetes.
-A node uses another node's public key to decrypt and encrypt traffic from and to Cilium-managed endpoints running on that node.
-Connections are always encrypted peer-to-peer using [ChaCha20](http://cr.yp.to/chacha.html) with [Poly1305](http://cr.yp.to/mac.html).
-WireGuard implements [forward secrecy with key rotation every 2 minutes](https://lists.zx2c4.com/pipermail/wireguard/2017-December/002141.html).
-
-## Storage encryption
-
-Constellation supports transparent encryption of persistent storage.
-The Linux kernel's device mapper-based encryption features are used to encrypt the data on the block storage level.
-Currently, the following primitives are used for block storage encryption:
-
-* [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html)
-* [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html)
-
-Adding primitives for integrity protection in the CVM attacker model are under active development and will be available in a future version of Constellation.
-See [encrypted storage](encrypted-storage.md) for more details.
-
-As a cluster administrator, when creating a cluster, you can use the Constellation [installation program](orchestration.md) to select one of the following methods for key management:
-
-* Constellation-managed key management
-* User-managed key management
-
-### Constellation-managed key management
-
-#### Key material and key derivation
-
-During the creation of a Constellation cluster, the cluster's master secret is used to derive a KEK.
-This means creating two clusters with the same master secret will yield the same KEK.
-Any data encryption key (DEK) is derived from the KEK via HKDF.
-Note that the master secret is recommended to be unique for every cluster and shouldn't be reused (except in case of [recovering](../workflows/recovery.md) a cluster).
-
-#### State and storage
-
-The KEK is derived from the master secret during the initialization.
-Subsequently, all other key material is derived from the KEK.
-Given the same KEK, any DEK can be derived deterministically from a given identifier.
-Hence, there is no need to store DEKs. They can be derived on demand.
-After the KEK was derived, it's stored in memory only and never leaves the CVM context.
-
-#### Availability
-
-Constellation-managed key management has the same availability as the underlying Kubernetes cluster.
-Therefore, the KEK is stored in the [distributed Kubernetes etcd storage](https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/) to allow for unexpected but non-fatal (control-plane) node failure.
-The etcd storage is backed by the encrypted and integrity protected [state disk](images.md#state-disk) of the nodes.
-
-#### Recovery
-
-Constellation clusters can be recovered in the event of a disaster, even when all node machines have been stopped and need to be rebooted.
-For details on the process see the [recovery workflow](../workflows/recovery.md).
-
-### User-managed key management
-
-User-managed key management is under active development and will be available soon.
-In scenarios where constellation-managed key management isn't an option, this mode allows you to keep full control of your keys.
-For example, compliance requirements may force you to keep your KEKs in an on-prem key management system (KMS).
-
-During the creation of a Constellation cluster, you specify a KEK present in a remote KMS.
-This follows the common scheme of "bring your own key" (BYOK).
-Constellation will support several KMSs for managing the storage and access of your KEK.
-Initially, it will support the following KMSs:
-
-* [AWS KMS](https://aws.amazon.com/kms/)
-* [GCP KMS](https://cloud.google.com/security-key-management)
-* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
-* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
-
-Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
-In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
-Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
-
-KMIP support allows you to use your KMIP-compatible on-prem KMS and keep full control over your keys.
-This follows the common scheme of "hold your own key" (HYOK).
-
-The KEK is used to encrypt per-data "data encryption keys" (DEKs).
-DEKs are generated to encrypt your data before storing it on persistent storage.
-After being encrypted by the KEK, the DEKs are stored on dedicated cloud storage for persistence.
-Currently, Constellation supports the following cloud storage options:
-
-* [AWS S3](https://aws.amazon.com/s3/)
-* [GCP Cloud Storage](https://cloud.google.com/storage)
-* [Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/blobs/#overview)
-
-The DEKs are only present in plaintext form in the encrypted main memory of the CVMs.
-Similarly, the cryptographic operations for encrypting data before writing it to persistent storage are performed in the context of the CVMs.
-
-#### Recovery and migration
-
-In the case of a disaster, the KEK can be used to decrypt the DEKs locally and subsequently use them to decrypt and retrieve the data.
-In case of migration, configuring the same KEK will provide seamless migration of data.
-Thus, only the DEK storage needs to be transferred to the new cluster alongside the encrypted data for seamless migration.
diff --git a/docs/versioned_docs/version-2.23/architecture/microservices.md b/docs/versioned_docs/version-2.23/architecture/microservices.md
deleted file mode 100644
index 90bae783b..000000000
--- a/docs/versioned_docs/version-2.23/architecture/microservices.md
+++ /dev/null
@@ -1,73 +0,0 @@ -# Microservices - -Constellation takes care of bootstrapping and initializing a Confidential Kubernetes cluster. -During the lifetime of the cluster, it handles day 2 operations such as key management, remote attestation, and updates. -These features are provided by several microservices: - -* The [Bootstrapper](microservices.md#bootstrapper) initializes a Constellation node and bootstraps the cluster -* The [JoinService](microservices.md#joinservice) joins new nodes to an existing cluster -* The [VerificationService](microservices.md#verificationservice) provides remote attestation functionality -* The [KeyService](microservices.md#keyservice) manages Constellation-internal keys - -The relations between microservices are shown in the following diagram: - -```mermaid -flowchart LR - subgraph admin [Admin's machine] - A[Constellation CLI] - end - subgraph img [Constellation OS image] - B[Constellation OS] - C[Bootstrapper] - end - subgraph Kubernetes - D[JoinService] - E[KeyService] - F[VerificationService] - end - A -- deploys --> - B -- starts --> C - C -- deploys --> D - C -- deploys --> E - C -- deploys --> F -``` - -## Bootstrapper - -The *Bootstrapper* is the first microservice launched after booting a Constellation node image. -It sets up that machine as a Kubernetes node and integrates that node into the Kubernetes cluster. -To this end, the *Bootstrapper* first downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) at the configured versions. -The *Bootstrapper* tries to find an existing cluster and if successful, communicates with the [JoinService](microservices.md#joinservice) to join the node. -Otherwise, it waits for an initialization request to create a new Kubernetes cluster. - -## JoinService - -The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node. 
-New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls). -The *JoinService* verifies the new node's certificate and attestation statement. -If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](microservices.md#keyservice) for its state disk, and a Kubernetes bootstrap token. - - -```mermaid -sequenceDiagram - participant New node - participant JoinService - New node->>JoinService: aTLS handshake (server side verification) - JoinService-->>New node: # - New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane) - JoinService->>+KeyService: GetDataKey(DiskUUID) - KeyService-->>-JoinService: DiskEncryptionKey - JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ... -``` - -## VerificationService - -The *VerificationService* runs as DaemonSet on each node. -It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation). -Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side. - -## KeyService - -The *KeyService* runs as DaemonSet on each control-plane node. -It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes. -Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively. 
diff --git a/docs/versioned_docs/version-2.23/architecture/networking.md b/docs/versioned_docs/version-2.23/architecture/networking.md
deleted file mode 100644
index e9cbdf029..000000000
--- a/docs/versioned_docs/version-2.23/architecture/networking.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Network encryption
-
-Constellation encrypts all pod communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-To that end, Constellation deploys, configures, and operates the [Cilium](https://cilium.io/) CNI plugin.
-Cilium provides [transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption) for all cluster traffic using either IPSec or [WireGuard](https://www.wireguard.com/).
-Currently, Constellation only supports WireGuard as the encryption engine.
-You can read more about the cryptographic soundness of WireGuard [in their white paper](https://www.wireguard.com/papers/wireguard.pdf).
-
-Cilium is actively working on implementing a feature called [`host-to-host`](https://github.com/cilium/cilium/pull/19401) encryption mode for WireGuard.
-With `host-to-host`, all traffic between nodes will be tunneled via WireGuard (host-to-host, host-to-pod, pod-to-host, pod-to-pod).
-Until the `host-to-host` feature is released, Constellation enables `pod-to-pod` encryption.
-This mode encrypts all traffic between Kubernetes pods using WireGuard tunnels.
-
-When using Cilium in the default setup but with encryption enabled, there is a [known issue](https://docs.cilium.io/en/v1.12/gettingstarted/encryption/#egress-traffic-to-not-yet-discovered-remote-endpoints-may-be-unencrypted)
-that can cause pod-to-pod traffic to be unencrypted.
-To mitigate this issue, Constellation adds a *strict* mode to Cilium's `pod-to-pod` encryption.
-This mode changes the default behavior of traffic that's destined for an unknown endpoint to not be send out in plaintext, but instead being dropped.
-The strict mode distinguishes between traffic that's send to a pod from traffic that's destined for a cluster-external endpoint by considering the pod's CIDR range.
-
-Traffic originating from hosts isn't encrypted yet.
-This mainly includes health checks from Kubernetes API server.
-Also, traffic proxied over the API server via e.g. `kubectl port-forward` isn't encrypted.
diff --git a/docs/versioned_docs/version-2.23/architecture/observability.md b/docs/versioned_docs/version-2.23/architecture/observability.md
deleted file mode 100644
index 0f4daffd4..000000000
--- a/docs/versioned_docs/version-2.23/architecture/observability.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# Observability
-
-In Kubernetes, observability is the ability to gain insight into the behavior and performance of applications.
-It helps identify and resolve issues more effectively, ensuring stability and performance of Kubernetes workloads, reducing downtime and outages, and improving efficiency.
-The "three pillars of observability" are logs, metrics, and traces.
-
-In the context of Confidential Computing, observability is a delicate subject and needs to be applied such that it doesn't leak any sensitive information.
-The following gives an overview of where and how you can apply standard observability tools in Constellation.
-
-## Cloud resource monitoring
-
-While inaccessible, Constellation's nodes are still visible as black box VMs to the hypervisor.
-Resource consumption, such as memory and CPU utilization, can be monitored from the outside and observed via the cloud platforms directly.
-Similarly, other resources, such as storage and network and their respective metrics, are visible via the cloud platform.
-
-## Metrics
-
-Metrics are numeric representations of data measured over intervals of time. They're essential for understanding system health and gaining insights using telemetry signals.
-
-By default, Constellation exposes the [metrics for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/) inside the cluster.
-Similarly, the [etcd metrics](https://etcd.io/docs/v3.5/metrics/) endpoints are exposed inside the cluster.
-These [metrics endpoints can be disabled](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/#disabling-metrics).
-
-You can collect these cluster-internal metrics via tools such as [Prometheus](https://prometheus.io/) or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-Constellation's CNI Cilium also supports [metrics via Prometheus endpoints](https://docs.cilium.io/en/latest/observability/metrics/).
-However, in Constellation, they're disabled by default and must be enabled first.
-
-## Logs
-
-Logs represent discrete events that usually describe what's happening with your service.
-The payload is an actual message emitted from your system along with a metadata section containing a timestamp, labels, and tracking identifiers.
-
-### System logs
-
-Detailed system-level logs are accessible via `/var/log` and [journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) on the nodes directly.
-They can be collected from there, for example, via [Filebeat and Logstash](https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html), which are tools of the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-In case of an error during the initialization, the CLI automatically collects the [Bootstrapper](./microservices.md#bootstrapper) logs and returns these as a file for [troubleshooting](../workflows/troubleshooting.md). Here is an example of such an event:
-
-```shell-session
-Cluster initialization failed. This error is not recoverable.
-Terminate your cluster and try again.
-Fetched bootstrapper logs are stored in "constellation-cluster.log"
-```
-
-### Kubernetes logs
-
-Constellation supports the [Kubernetes logging architecture](https://kubernetes.io/docs/concepts/cluster-administration/logging/).
-By default, logs are written to the nodes' encrypted state disks.
-These include the Pod and container logs and the [system component logs](https://kubernetes.io/docs/concepts/cluster-administration/logging/#system-component-logs).
-
-[Constellation services](microservices.md) run as Pods inside the `kube-system` namespace and use the standard container logging mechanism.
-The same applies for the [Cilium Pods](https://docs.cilium.io/en/latest/operations/troubleshooting/#logs).
-
-You can collect logs from within the cluster via tools such as [Fluentd](https://github.com/fluent/fluentd), [Loki](https://github.com/grafana/loki), or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-## Traces
-
-Modern systems are implemented as interconnected complex and distributed microservices. Understanding request flows and system communications is challenging, mainly because all systems in a chain need to be modified to propagate tracing information. Distributed tracing is a new approach to increasing observability and understanding performance bottlenecks. A trace represents consecutive events that reflect an end-to-end request path in a distributed system.
-
-Constellation supports [traces for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-traces/).
-By default, they're disabled and need to be enabled first.
-
-Similarly, Cilium can be enabled to [export traces](https://cilium.io/use-cases/metrics-export/).
-
-You can collect these traces via tools such as [Jaeger](https://www.jaegertracing.io/) or [Zipkin](https://zipkin.io/).
-
-## Integrations
-
-Platforms and SaaS solutions such as Datadog, logz.io, Dynatrace, or New Relic facilitate the observability challenge for Kubernetes and provide all-in-one SaaS solutions.
-They install agents into the cluster that collect metrics, logs, and tracing information and upload them into the data lake of the platform.
-Technically, the agent-based approach is compatible with Constellation, and attaching these platforms is straightforward.
-However, you need to evaluate if the exported data might violate Constellation's compliance and privacy guarantees by uploading them to a third-party platform.
diff --git a/docs/versioned_docs/version-2.23/architecture/orchestration.md b/docs/versioned_docs/version-2.23/architecture/orchestration.md
deleted file mode 100644
index 3c8d529e7..000000000
--- a/docs/versioned_docs/version-2.23/architecture/orchestration.md
+++ /dev/null
@@ -1,83 +0,0 @@
-# Orchestrating Constellation clusters
-
-You can use the CLI to create a cluster on the supported cloud platforms.
-The CLI provisions the resources in your cloud environment and initiates the initialization of your cluster.
-It uses a set of parameters and an optional configuration file to manage your cluster installation.
-The CLI is also used for updating your cluster.
-
-## Workspaces
-
-Each Constellation cluster has an associated *workspace*.
-The workspace is where data such as the Constellation state and config files are stored.
-Each workspace is associated with a single cluster and configuration.
-The CLI stores state in the local filesystem making the current directory the active workspace.
-Multiple clusters require multiple workspaces, hence, multiple directories.
-Note that every operation on a cluster always has to be performed from the directory associated with its workspace.
-
-You may copy files from the workspace to other locations,
-but you shouldn't move or delete them while the cluster is still being used.
-The Constellation CLI takes care of managing the workspace.
-Only when a cluster was terminated, and you are sure the files aren't needed anymore, should you remove a workspace.
-
-## Cluster creation process
-
-To allow for fine-grained configuration of your cluster and cloud environment, Constellation supports an extensive configuration file with strong defaults. [Generating the configuration file](../workflows/config.md) is typically the first thing you do in the workspace.
-
-Altogether, the following files are generated during the creation of a Constellation cluster and stored in the current workspace:
-
-* a configuration file
-* a state file
-* a Base64-encoded master secret
-* [Terraform artifacts](../reference/terraform.md), stored in subdirectories
-* a Kubernetes `kubeconfig` file.
-
-After the initialization of your cluster, the CLI will provide you with a Kubernetes `kubeconfig` file.
-This file grants you access to your Kubernetes cluster and configures the [kubectl](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) tool.
-In addition, the cluster's [identifier](orchestration.md#post-installation-configuration) is returned and stored in the state file.
-
-### Creation process details
-
-1. The CLI `apply` command first creates the confidential VM (CVM) resources in your cloud environment and configures the network
-2. Each CVM boots the Constellation node image and measures every component in the boot chain
-3. The first microservice launched in each node is the [*Bootstrapper*](microservices.md#bootstrapper)
-4. The *Bootstrapper* waits until it either receives an initialization request or discovers an initialized cluster
-5. The CLI then connects to the *Bootstrapper* of a selected node, sends the configuration, and initiates the initialization of the cluster
-6. The *Bootstrapper* of **that** node [initializes the Kubernetes cluster](microservices.md#bootstrapper) and deploys the other Constellation [microservices](microservices.md) including the [*JoinService*](microservices.md#joinservice)
-7. Subsequently, the *Bootstrappers* of the other nodes discover the initialized cluster and send join requests to the *JoinService*
-8. As part of the join request each node includes an attestation statement of its boot measurements as authentication
-9. The *JoinService* verifies the attestation statements and joins the nodes to the Kubernetes cluster
-10. This process is repeated for every node joining the cluster later (e.g., through autoscaling)
-
-## Post-installation configuration
-
-Post-installation the CLI provides a configuration for [accessing the cluster using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/).
-The `kubeconfig` file provides the credentials and configuration for connecting and authenticating to the API server.
-Once configured, orchestrate the Kubernetes cluster via `kubectl`.
-
-After the initialization, the CLI will present you with a couple of tokens:
-
-* The [*master secret*](keys.md#master-secret) (stored in the `constellation-mastersecret.json` file by default)
-* The [*clusterID*](keys.md#cluster-identity) of your cluster in Base64 encoding
-
-You can read more about these values and their meaning in the guide on [cluster identity](keys.md#cluster-identity).
-
-The *master secret* must be kept secret and can be used to [recover your cluster](../workflows/recovery.md).
-Instead of managing this secret manually, you can [use your key management solution of choice](keys.md#user-managed-key-management) with Constellation.
-
-The *clusterID* uniquely identifies a cluster and can be used to [verify your cluster](../workflows/verify-cluster.md).
-
-## Upgrades
-
-Constellation images and microservices may need to be upgraded to new versions during the lifetime of a cluster.
-Constellation implements a rolling update mechanism ensuring no downtime of the control or data plane.
-You can upgrade a Constellation cluster with a single operation by using the CLI.
-For step-by-step instructions on how to do this, refer to [Upgrade your cluster](../workflows/upgrade.md).
-
-### Attestation of upgrades
-
-With every new image, corresponding measurements are released.
-During an update procedure, the CLI provides new measurements to the [JoinService](microservices.md#joinservice) securely.
-New measurements for an updated image are automatically pulled and verified by the CLI following the [supply chain security concept](attestation.md#chain-of-trust) of Constellation.
-The [attestation section](attestation.md#cluster-facing-attestation) describes in detail how these measurements are then used by the JoinService for the attestation of nodes.
-
-
diff --git a/docs/versioned_docs/version-2.23/architecture/overview.md b/docs/versioned_docs/version-2.23/architecture/overview.md
deleted file mode 100644
index 386f93b2f..000000000
--- a/docs/versioned_docs/version-2.23/architecture/overview.md
+++ /dev/null
@@ -1,30 +0,0 @@ -# Overview - -Constellation is a cloud-based confidential orchestration platform. -The foundation of Constellation is Kubernetes and therefore shares the same technology stack and architecture principles. -To learn more about Constellation and Kubernetes, see [product overview](../overview/product.md). - -## About orchestration and updates - -As a cluster administrator, you can use the [Constellation CLI](orchestration.md) to install and deploy a cluster. -Updates are provided in accordance with the [support policy](versions.md). - -## About microservices and attestation - -Constellation manages the nodes and network in your cluster. All nodes are bootstrapped by the [*Bootstrapper*](microservices.md#bootstrapper). They're verified and authenticated by the [*JoinService*](microservices.md#joinservice) before being added to the cluster and the network. Finally, the entire cluster can be verified via the [*VerificationService*](microservices.md#verificationservice) using [remote attestation](attestation.md). - -## About node images and verified boot - -Constellation comes with operating system images for Kubernetes control-plane and worker nodes. -They're highly optimized for running containerized workloads and specifically prepared for running inside confidential VMs. -You can learn more about [the images](images.md) and how verified boot ensures their integrity during boot and beyond. - -## About key management and cryptographic primitives - -Encryption of data at-rest, in-transit, and in-use is the fundamental building block for confidential computing and Constellation. Learn more about the [keys and cryptographic primitives](keys.md) used in Constellation, [encrypted persistent storage](encrypted-storage.md), and [network encryption](networking.md). - -## About observability - -Observability in Kubernetes refers to the capability to troubleshoot issues using telemetry signals such as logs, metrics, and traces. 
-In the realm of Confidential Computing, it's crucial that observability aligns with confidentiality, necessitating careful implementation. -Learn more about the [observability capabilities in Constellation](./observability.md). diff --git a/docs/versioned_docs/version-2.23/architecture/versions.md b/docs/versioned_docs/version-2.23/architecture/versions.md deleted file mode 100644 index d5cbc987b..000000000 --- a/docs/versioned_docs/version-2.23/architecture/versions.md +++ /dev/null @@ -1,21 +0,0 @@ -# Versions and support policy - -All components of Constellation use a three-digit version number of the form `v..`. -The components are released in lock step, usually on the first Tuesday of every month. This release primarily introduces new features, but may also include security or performance improvements. The `MINOR` version will be incremented as part of this release. - -Additional `PATCH` releases may be created on demand, to fix security issues or bugs before the next `MINOR` release window. - -New releases are published on [GitHub](https://github.com/edgelesssys/constellation/releases). - -## Kubernetes support policy - -Constellation is aligned to the [version support policy of Kubernetes](https://kubernetes.io/releases/version-skew-policy/#supported-versions), and therefore usually supports the most recent three minor versions. -When a new minor version of Kubernetes is released, support is added to the next Constellation release, and that version then supports four Kubernetes versions. -Subsequent Constellation releases drop support for the oldest (and deprecated) Kubernetes version. - -The following Kubernetes versions are currently supported: - - -* v1.29.15 -* v1.30.12 -* v1.31.8 diff --git a/docs/versioned_docs/version-2.23/getting-started/examples.md b/docs/versioned_docs/version-2.23/getting-started/examples.md deleted file mode 100644 index fded84980..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/examples.md +++ /dev/null 
@@ -1,6 +0,0 @@ -# Examples - -After you [installed the CLI](install.md) and [created your first cluster](first-steps.md), you're ready to deploy applications. Why not start with one of the following examples? -* [Emojivoto](examples/emojivoto.md): a simple but fun web application -* [Online Boutique](examples/online-boutique.md): an e-commerce demo application by Google consisting of 11 separate microservices -* [Horizontal Pod Autoscaling](examples/horizontal-scaling.md): an example demonstrating Constellation's autoscaling capabilities diff --git a/docs/versioned_docs/version-2.23/getting-started/examples/emojivoto.md b/docs/versioned_docs/version-2.23/getting-started/examples/emojivoto.md deleted file mode 100644 index 2bbe27917..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/examples/emojivoto.md +++ /dev/null @@ -1,22 +0,0 @@ -# Emojivoto -[Emojivoto](https://github.com/BuoyantIO/emojivoto) is a simple and fun application that's well suited to test the basic functionality of your cluster. - - - -emojivoto - Web UI - - - -1. Deploy the application: - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` -2. Wait until it becomes available: - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - ``` -3. Forward the web service to your machine: - ```bash - kubectl -n emojivoto port-forward svc/web-svc 8080:80 - ``` -4. Visit [http://localhost:8080](http://localhost:8080) diff --git a/docs/versioned_docs/version-2.23/getting-started/examples/filestash-s3proxy.md b/docs/versioned_docs/version-2.23/getting-started/examples/filestash-s3proxy.md deleted file mode 100644 index b9a394256..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/examples/filestash-s3proxy.md +++ /dev/null 
@@ -1,107 +0,0 @@ - -# Deploying Filestash - -Filestash is a web frontend for different storage backends, including S3. -It's a useful application to showcase s3proxy in action. - -1. Deploy s3proxy as described in [Deployment](../../workflows/s3proxy.md#deployment). -2. Create a deployment file for Filestash with one pod: - -```sh -cat << EOF > "deployment-filestash.yaml" -apiVersion: apps/v1 -kind: Deployment -metadata: - name: filestash -spec: - replicas: 1 - selector: - matchLabels: - app: filestash - template: - metadata: - labels: - app: filestash - spec: - hostAliases: - - ip: $(kubectl get svc s3proxy-service -o=jsonpath='{.spec.clusterIP}') - hostnames: - - "s3.us-east-1.amazonaws.com" - - "s3.us-east-2.amazonaws.com" - - "s3.us-west-1.amazonaws.com" - - "s3.us-west-2.amazonaws.com" - - "s3.eu-north-1.amazonaws.com" - - "s3.eu-south-1.amazonaws.com" - - "s3.eu-south-2.amazonaws.com" - - "s3.eu-west-1.amazonaws.com" - - "s3.eu-west-2.amazonaws.com" - - "s3.eu-west-3.amazonaws.com" - - "s3.eu-central-1.amazonaws.com" - - "s3.eu-central-2.amazonaws.com" - - "s3.ap-northeast-1.amazonaws.com" - - "s3.ap-northeast-2.amazonaws.com" - - "s3.ap-northeast-3.amazonaws.com" - - "s3.ap-east-1.amazonaws.com" - - "s3.ap-southeast-1.amazonaws.com" - - "s3.ap-southeast-2.amazonaws.com" - - "s3.ap-southeast-3.amazonaws.com" - - "s3.ap-southeast-4.amazonaws.com" - - "s3.ap-south-1.amazonaws.com" - - "s3.ap-south-2.amazonaws.com" - - "s3.me-south-1.amazonaws.com" - - "s3.me-central-1.amazonaws.com" - - "s3.il-central-1.amazonaws.com" - - "s3.af-south-1.amazonaws.com" - - "s3.ca-central-1.amazonaws.com" - - "s3.sa-east-1.amazonaws.com" - containers: - - name: filestash - image: machines/filestash:latest - ports: - - containerPort: 8334 - volumeMounts: - - name: ca-cert - mountPath: /etc/ssl/certs/kube-ca.crt - subPath: kube-ca.crt - volumes: - - name: ca-cert - secret: - secretName: s3proxy-tls - items: - - key: ca.crt - path: kube-ca.crt -EOF -``` - -The pod spec includes the 
`hostAliases` key, which adds an entry to the pod's `/etc/hosts`. -The entry forwards all requests for any of the currently defined AWS regions to the Kubernetes service `s3proxy-service`. -If you followed the s3proxy [Deployment](../../workflows/s3proxy.md#deployment) guide, this service points to a s3proxy pod. - -The deployment specifies all regions explicitly to prevent accidental data leaks. -If one of your buckets were located in a region that's not part of the `hostAliases` key, traffic towards those buckets would not be redirected to s3proxy. -Similarly, if you want to exclude data for specific regions from going through s3proxy you can remove those regions from the deployment. - -The spec also includes a volume mount for the TLS certificate and adds it to the pod's certificate trust store. -The volume is called `ca-cert`. -The key `ca.crt` of that volume is mounted to `/etc/ssl/certs/kube-ca.crt`, which is the default certificate trust store location for that container's OpenSSL library. -Not adding the CA certificate will result in TLS authentication errors. - -3. Apply the file: `kubectl apply -f deployment-filestash.yaml` - -Afterward, you can use a port forward to access the Filestash pod: -`kubectl port-forward pod/$(kubectl get pod --selector='app=filestash' -o=jsonpath='{.items[*].metadata.name}') 8334:8334` - -4. After browsing to `localhost:8443`, Filestash will ask you to set an administrator password. -After setting it, you can directly leave the admin area by clicking the blue cloud symbol in the top left corner. -Subsequently, you can select S3 as storage backend and enter your credentials. -This will bring you to an overview of your buckets. -If you want to deploy Filestash in production, take a look at its [documentation](https://www.filestash.app/docs/). - -5. 
To see the logs of s3proxy intercepting requests made to S3, run: `kubectl logs -f pod/$(kubectl get pod --selector='app=s3proxy' -o=jsonpath='{.items[*].metadata.name}')` -Look out for log messages labeled `intercepting`. -There is one such log message for each message that's encrypted, decrypted, or blocked. - -6. Once you have uploaded a file with Filestash, you should be able to view the file in Filestash. -However, if you go to the AWS S3 [Web UI](https://s3.console.aws.amazon.com/s3/home) and download the file you just uploaded in Filestash, you won't be able to read it. -Another way to spot encrypted files without downloading them is to click on a file, scroll to the Metadata section, and look for the header named `x-amz-meta-constellation-encryption`. -This header holds the encrypted data encryption key of the object and is only present on objects that are encrypted by s3proxy. diff --git a/docs/versioned_docs/version-2.23/getting-started/examples/horizontal-scaling.md b/docs/versioned_docs/version-2.23/getting-started/examples/horizontal-scaling.md deleted file mode 100644 index dfaf9e742..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/examples/horizontal-scaling.md +++ /dev/null 
@@ -1,98 +0,0 @@ -# Horizontal Pod Autoscaling -This example demonstrates Constellation's autoscaling capabilities. It's based on the Kubernetes [HorizontalPodAutoscaler Walkthrough](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/). During the following steps, Constellation will spawn new VMs on demand, verify them, add them to the cluster, and delete them again when the load has settled down. - -## Requirements -The cluster needs to be initialized with Kubernetes 1.23 or later. In addition, [autoscaling must be enabled](../../workflows/scale.md) to enable Constellation to assign new nodes dynamically. - -Just for this example specifically, the cluster should have as few worker nodes in the beginning as possible. Start with a small cluster with only *one* low-powered node for the control-plane node and *one* low-powered worker node. - -:::info -We tested the example using instances of types `Standard_DC4as_v5` on Azure and `n2d-standard-4` on GCP. -::: - -## Setup - -1. Install the Kubernetes Metrics Server: - ```bash - kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - ``` - -2. Deploy the HPA example server that's supposed to be scaled under load. - - This manifest is similar to the one from the Kubernetes HPA walkthrough, but with increased CPU limits and requests to facilitate the triggering of node scaling events. - ```bash - cat < - -Online Boutique - Web UI - - - -1. Create a namespace: - ```bash - kubectl create ns boutique - ``` -2. Deploy the application: - ```bash - kubectl apply -n boutique -f https://github.com/GoogleCloudPlatform/microservices-demo/raw/main/release/kubernetes-manifests.yaml - ``` -3. Wait for all services to become available: - ```bash - kubectl wait --for=condition=available --timeout=300s -n boutique --all deployments - ``` -4. 
Get the frontend's external IP address: - ```shell-session - $ kubectl get service frontend-external -n boutique | awk '{print $4}' - EXTERNAL-IP - - ``` - (`` is a placeholder for the IP assigned by your CSP.) -5. Enter the IP from the result in your browser to browse the online shop. diff --git a/docs/versioned_docs/version-2.23/getting-started/first-steps-local.md b/docs/versioned_docs/version-2.23/getting-started/first-steps-local.md deleted file mode 100644 index 98f0302de..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/first-steps-local.md +++ /dev/null 
@@ -1,277 +0,0 @@ -# First steps with a local cluster - -A local cluster lets you deploy and test Constellation without a cloud subscription. -You have two options: - -* Use MiniConstellation to automatically deploy a two-node cluster. -* For more fine-grained control, create the cluster using the QEMU provider. - -Both options use virtualization to create a local cluster with control-plane nodes and worker nodes. They **don't** require hardware with Confidential VM (CVM) support. For attestation, they currently use a software-based vTPM provided by KVM/QEMU. - -You need an x64 machine with a Linux OS. -You can use a VM, but it needs nested virtualization. - -## Prerequisites - -* Machine requirements: - * An x86-64 CPU with at least 4 cores (6 cores are recommended) - * At least 4 GB RAM (6 GB are recommended) - * 20 GB of free disk space - * Hardware virtualization enabled in the BIOS/UEFI (often referred to as Intel VT-x or AMD-V/SVM) / nested-virtualization support when using a VM -* Software requirements: - * Linux OS with [KVM kernel module](https://www.linux-kvm.org/page/Main_Page) - * Recommended: Ubuntu 22.04 LTS - * [Docker](https://docs.docker.com/engine/install/) - * [xsltproc](https://gitlab.gnome.org/GNOME/libxslt/-/wikis/home) - * (Optional) [virsh](https://www.libvirt.org/manpages/virsh.html) to observe and access your nodes - -### Software installation on Ubuntu - -```bash -# install Docker -curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null -sudo apt update -sudo apt install docker-ce -# install other dependencies -sudo apt install xsltproc -sudo snap install kubectl --classic -# install Constellation CLI -curl -LO 
https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -sudo install constellation-linux-amd64 /usr/local/bin/constellation -# do not drop forwarded packages -sudo iptables -P FORWARD ACCEPT -``` - -## Create a cluster - - - - - -With the `constellation mini` command, you can deploy and test Constellation locally. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/). - - -:::caution - -MiniConstellation has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since MiniConstellation runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -The following creates your MiniConstellation cluster (may take up to 10 minutes to complete): - -```bash -constellation mini up -``` - -This will configure your current directory as the [workspace](../architecture/orchestration.md#workspaces) for this cluster. -All `constellation` commands concerning this cluster need to be issued from this directory. - - - - -With the QEMU provider, you can create a local Constellation cluster as if it were in the cloud. The provider uses [QEMU](https://www.qemu.org/) to create multiple VMs for the cluster nodes, which interact with each other. - -:::caution - -Constellation on QEMU has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since Constellation on QEMU runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -1. 
To set up your local cluster, you need to create a configuration file for Constellation first. - - ```bash - constellation config generate qemu - ``` - - This creates a [configuration file](../workflows/config.md) for QEMU called `constellation-conf.yaml`. After that, your current folder also becomes your [workspace](../architecture/orchestration.md#workspaces). All `constellation` commands for your cluster need to be executed from this directory. - -2. Now you can create your cluster and its nodes. `constellation apply` uses the options set in `constellation-conf.yaml`. - - ```bash - constellation apply -y - ``` - - The Output should look like the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type 2-vCPUs will be created. - 1 worker node of type 2-vCPUs will be created. - Creating - Cloud infrastructure created successfully. - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your setup, `constellation apply` may take 10+ minutes to complete. - - ::: - -3. 
Configure kubectl - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - - - -## Connect to the cluster - -Your cluster initially consists of a single control-plane node: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 66s v1.24.6 -``` - -Additional nodes will request to join the cluster shortly. Before each additional node is allowed to join the cluster, its state is verified using remote attestation by the [JoinService](../architecture/microservices.md#joinservice). -If verification passes successfully, the new node receives keys and certificates to join the cluster. - -You can follow this process by viewing the logs of the JoinService: - -```shell-session -$ kubectl logs -n kube-system daemonsets/join-service -f -{"level":"INFO","ts":"2022-10-14T09:32:20Z","caller":"cmd/main.go:48","msg":"Constellation Node Join Service","version":"2.1.0","cloudProvider":"qemu"} -{"level":"INFO","ts":"2022-10-14T09:32:20Z","logger":"validator","caller":"watcher/validator.go:96","msg":"Updating expected measurements"} -... -``` - -Once all nodes have joined your cluster, it may take a couple of minutes for all resources to become available. -You can check on the state of your cluster by running the following: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 2m59s v1.24.6 -worker-0 Ready 32s v1.24.6 -``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation mini down -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -## Troubleshooting - -Make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### VMs have no internet access / CLI remains in "Initializing cluster" state - -`iptables` rules may prevent your VMs from accessing the internet. -Make sure your rules aren't dropping forwarded packages. 
- -List your rules: - -```bash -sudo iptables -S -``` - -The output may look similar to the following: - -```shell-session --P INPUT ACCEPT --P FORWARD DROP --P OUTPUT ACCEPT --N DOCKER --N DOCKER-ISOLATION-STAGE-1 --N DOCKER-ISOLATION-STAGE-2 --N DOCKER-USER -``` - -If your `FORWARD` chain is set to `DROP`, you need to update your rules: - -```bash -sudo iptables -P FORWARD ACCEPT -``` diff --git a/docs/versioned_docs/version-2.23/getting-started/first-steps.md b/docs/versioned_docs/version-2.23/getting-started/first-steps.md deleted file mode 100644 index fb8437a06..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/first-steps.md +++ /dev/null 
@@ -1,235 +0,0 @@ -# First steps with Constellation - -The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully [installed and set up Constellation](install.md), -and have access to a cloud subscription. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -:::note -If you encounter any problem with the following steps, make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). -::: - -## Create a cluster - -1. Create the [configuration file](../workflows/config.md) and state file for your cloud provider. If you are following the steps of this guide, there is no need to edit the file. - - - - - ```bash - constellation config generate aws - ``` - - - - - ```bash - constellation config generate azure - ``` - - - - - ```bash - constellation config generate gcp - ``` - - - - - ```bash - constellation config generate stackit - ``` - - - - -2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration). - - - - - ```bash - constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config - ``` - - This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Depending on the attestation variant selected on config generation, different regions are available. 
- AMD SEV-SNP machines (requires the default attestation variant `awsSEVSNP`) are currently available in the following regions: - * `eu-west-1` - * `us-east-2` - - You can find a list of regions that support AMD SEV-SNP in [AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). - - NitroTPM machines (requires the attestation variant `awsNitroTPM`) are available in all regions. - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - - - - - ```bash - constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config - ``` - - This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - - - - - ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test --update-config - ``` - - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. - - - - - To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md). - After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`: - - * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud)) - - :::caution - - `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. - - ::: - - - - - :::tip - To learn about all options you have for managing IAM resources and Constellation configuration, see the [Configuration workflow](../workflows/config.md). - ::: - - - -3. Create the cluster. `constellation apply` uses options set in `constellation-conf.yaml`. 
- If you want to manually manage your cloud resources, for example by using [Terraform](../reference/terraform.md), follow the corresponding instructions in the [Create workflow](../workflows/create.md). - - :::tip - - On Azure, you may need to wait 15+ minutes at this point for role assignments to propagate. - - ::: - - ```bash - constellation apply -y - ``` - - This should look similar to the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type n2d-standard-4 will be created. - 1 worker node of type n2d-standard-4 will be created. - Creating - Cloud infrastructure created successfully - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your CSP and region, `constellation apply` may take 10+ minutes to complete. - - ::: - -4. Configure kubectl. - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - -Use the CLI to terminate your cluster. If you manually used [Terraform](../reference/terraform.md) to manage your cloud resources, follow the corresponding instructions in the [Terminate workflow](../workflows/terminate.md). - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -Optionally, you can also [delete your IAM resources](../workflows/config.md#deleting-an-iam-configuration). diff --git a/docs/versioned_docs/version-2.23/getting-started/install.md b/docs/versioned_docs/version-2.23/getting-started/install.md deleted file mode 100644 index f072407d8..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/install.md +++ /dev/null 
@@ -1,447 +0,0 @@ -# Installation and setup - -Constellation runs entirely in your cloud environment and can be controlled via a dedicated [command-line interface (CLI)](../reference/cli.md) or a [Terraform provider](../workflows/terraform-provider.md). - -## Prerequisites - -Make sure the following requirements are met: - -* Your machine is running Linux, macOS, or Windows -* You have admin rights on your machine -* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT - -## Install the Constellation CLI - -:::tip - -If you prefer to use Terraform, you can alternatively use the [Terraform provider](../workflows/terraform-provider.md) to manage the cluster's lifecycle. - -::: - -The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases). -Install it with the following commands: - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-amd64 /usr/local/bin/constellation -``` - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-arm64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-arm64 /usr/local/bin/constellation -``` - - - - - -1. 
Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-amd64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -Invoke-WebRequest -OutFile ./constellation.exe -Uri 'https://github.com/edgelesssys/constellation/releases/latest/download/constellation-windows-amd64.exe' -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI under `C:\Program Files\Constellation\bin\constellation.exe` - -3. Add the CLI to your PATH: - - 1. Open `Advanced system settings` by searching for the App in the Windows search - 2. Go to the `Advanced` tab - 3. Click `Environment Variables…` - 4. Click variable called `Path` and click `Edit…` - 5. Click `New` - 6. Enter the path to the folder containing the binary you want on your PATH: `C:\Program Files\Constellation\bin` - - - - -:::tip -The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps. -::: - -## Set up cloud credentials - -Constellation makes authenticated calls to the CSP API. Therefore, you need to set up Constellation with the credentials for your CSP. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -### Required permissions - - - - -To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "iam:AddRoleToInstanceProfile", - "iam:AttachRolePolicy", - "iam:CreateInstanceProfile", - "iam:CreatePolicy", - "iam:CreateRole", - "iam:DeleteInstanceProfile", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DetachRolePolicy", - "iam:GetInstanceProfile", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfilesForRole", - "iam:ListPolicyVersions", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:RemoveRoleFromInstanceProfile", - "sts:GetCallerIdentity" - ], - "Resource": "*" - } - ] -} -``` - -The built-in `AdministratorAccess` policy is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf). - -The built-in `PowerUserAccess` policy is a superset of these permissions. - -Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). - - - - -The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription: - -* `Microsoft.Attestation` -* `Microsoft.Compute` -* `Microsoft.Insights` -* `Microsoft.ManagedIdentity` -* `Microsoft.Network` - -By default, Constellation tries to register these automatically if they haven't been registered before. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `*/register/action` \[1] -* `Microsoft.Authorization/roleAssignments/*` -* `Microsoft.Authorization/roleDefinitions/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Resources/subscriptions/resourcegroups/*` - -The built-in `Owner` role is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `Microsoft.Attestation/attestationProviders/*` -* `Microsoft.Compute/virtualMachineScaleSets/*` -* `Microsoft.Insights/components/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Network/loadBalancers/*` -* `Microsoft.Network/loadBalancers/backendAddressPools/*` -* `Microsoft.Network/networkSecurityGroups/*` -* `Microsoft.Network/publicIPAddresses/*` -* `Microsoft.Network/virtualNetworks/*` -* `Microsoft.Network/virtualNetworks/subnets/*` -* `Microsoft.Network/natGateways/*` - -The built-in `Contributor` role is a superset of these permissions. - -Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions) and [assigning roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments). - -1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration. - - - - -Create a new project for Constellation or use an existing one. -Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `iam.roles.create` -* `iam.roles.delete` -* `iam.roles.get` -* `iam.serviceAccountKeys.create` -* `iam.serviceAccountKeys.delete` -* `iam.serviceAccountKeys.get` -* `iam.serviceAccounts.create` -* `iam.serviceAccounts.delete` -* `iam.serviceAccounts.get` -* `resourcemanager.projects.getIamPolicy` -* `resourcemanager.projects.setIamPolicy` - -Together, the built-in roles `roles/editor` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `compute.addresses.createInternal` -* `compute.addresses.deleteInternal` -* `compute.addresses.get` -* `compute.addresses.useInternal` -* `compute.backendServices.create` -* `compute.backendServices.delete` -* `compute.backendServices.get` -* `compute.backendServices.use` -* `compute.disks.create` -* `compute.firewalls.create` -* `compute.firewalls.delete` -* `compute.firewalls.get` -* `compute.firewalls.update` -* `compute.forwardingRules.create` -* `compute.forwardingRules.delete` -* `compute.forwardingRules.get` -* `compute.forwardingRules.setLabels` -* `compute.forwardingRules.list` -* `compute.globalAddresses.create` -* `compute.globalAddresses.delete` -* `compute.globalAddresses.get` -* `compute.globalAddresses.use` -* `compute.globalForwardingRules.create` -* `compute.globalForwardingRules.delete` -* `compute.globalForwardingRules.get` -* `compute.globalForwardingRules.setLabels` -* `compute.globalOperations.get` -* `compute.healthChecks.create` -* `compute.healthChecks.delete` -* `compute.healthChecks.get` -* `compute.healthChecks.useReadOnly` -* `compute.instanceGroupManagers.create` -* `compute.instanceGroupManagers.delete` -* `compute.instanceGroupManagers.get` -* `compute.instanceGroupManagers.update` -* `compute.instanceGroups.create` -* 
`compute.instanceGroups.delete` -* `compute.instanceGroups.get` -* `compute.instanceGroups.update` -* `compute.instanceGroups.use` -* `compute.instances.create` -* `compute.instances.setLabels` -* `compute.instances.setMetadata` -* `compute.instances.setTags` -* `compute.instanceTemplates.create` -* `compute.instanceTemplates.delete` -* `compute.instanceTemplates.get` -* `compute.instanceTemplates.useReadOnly` -* `compute.networks.create` -* `compute.networks.delete` -* `compute.networks.get` -* `compute.networks.updatePolicy` -* `compute.routers.create` -* `compute.routers.delete` -* `compute.routers.get` -* `compute.routers.update` -* `compute.subnetworks.create` -* `compute.subnetworks.delete` -* `compute.subnetworks.get` -* `compute.subnetworks.use` -* `compute.targetTcpProxies.create` -* `compute.targetTcpProxies.delete` -* `compute.targetTcpProxies.get` -* `compute.targetTcpProxies.use` -* `iam.serviceAccounts.actAs` - -Together, the built-in roles `roles/editor`, `roles/compute.instanceAdmin` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access). - - - - -Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account. -The UAT already has all required permissions by default. -The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers. -Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role. - - - - -### Authentication - -You need to authenticate with your CSP. The following lists the required steps for *testing* and *production* environments. - -:::note -The steps for a *testing* environment are simpler. 
However, they may expose secrets to the CSP. If in doubt, follow the *production* steps. -::: - - - - -**Testing** - -You can use the [AWS CloudShell](https://console.aws.amazon.com/cloudshell/home). Make sure you are [authorized to use it](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html). - -**Production** - -Use the latest version of the [AWS CLI](https://aws.amazon.com/cli/) on a trusted machine: - -```bash -aws configure -``` - -Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html). - - - - -**Testing** - -Simply open the [Azure Cloud Shell](https://docs.microsoft.com/en-us/azure/cloud-shell/overview). - -**Production** - -Use the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) on a trusted machine: - -```bash -az login -``` - -Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli). - - - - -**Testing** - -You can use the [Google Cloud Shell](https://cloud.google.com/shell). Make sure your [session is authorized](https://cloud.google.com/shell/docs/auth). For example, execute `gsutil` and accept the authorization prompt. - -**Production** - -Use one of the following options on a trusted machine: - -* Use the [`gcloud` CLI](https://cloud.google.com/sdk/gcloud) - - ```bash - gcloud auth application-default login - ``` - - This will ask you to log-in to your Google account and create your credentials. - The Constellation CLI will automatically load these credentials when needed. - -* Set up a service account and pass the credentials manually - - Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials. - - - - -You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API). - -1. 
[Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API -2. Create a configuration file with the credentials from the User Access Token under: - * Linux: `~/.config/openstack/clouds.yaml` - * macOS: `/Users//Library/Application Support/openstack/clouds.yaml` or `/etc/openstack/clouds.yaml` - * Windows: `%AppData%\openstack\clouds.yaml` - - - ```yaml - clouds: - stackit: - auth: - auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3 - username: REPLACE_WITH_UAT_USERNAME - password: REPLACE_WITH_UAT_PASSWORD - project_id: REPLACE_WITH_OPENSTACK_PROJECT_ID - project_name: REPLACE_WITH_STACKIT_PROJECT_NAME - user_domain_name: portal_mvp - project_domain_name: portal_mvp - region_name: RegionOne - identity_api_version: 3 - ``` - -:::caution - -`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file. - -::: - -3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token -4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) -5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows) - - ```json - {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"} - ``` - - - - - -## Next steps - -You are now ready to [deploy your first confidential Kubernetes cluster and application](first-steps.md). 
diff --git a/docs/versioned_docs/version-2.23/getting-started/marketplaces.md b/docs/versioned_docs/version-2.23/getting-started/marketplaces.md
deleted file mode 100644
index a6763a42a..000000000
--- a/docs/versioned_docs/version-2.23/getting-started/marketplaces.md
+++ /dev/null
@@ -1,56 +0,0 @@ -# Using Constellation via Cloud Marketplaces - -Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). - -This document explains how to run Constellation with the dynamically billed cloud marketplace images. - - - - -To use Constellation's marketplace images, ensure that you are subscribed to the [marketplace offering](https://aws.amazon.com/marketplace/pp/prodview-2mbn65nv57oys) through the web portal. - -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.aws.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) to gain access. - -To use a marketplace image, you need to accept the marketplace image's terms once for your subscription with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest): - -```bash -az vm image terms accept --publisher edgelesssystems --offer constellation --plan constellation -``` - -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.azure.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -To use a marketplace image, ensure that the account is entitled to use marketplace images by Edgeless Systems by accepting the terms through the [web portal](https://console.cloud.google.com/marketplace/vm/config/edgeless-systems-public/constellation). 
- -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal. - - - - -Ensure that the cluster uses an official release image version (i.e., `.image=vX.Y.Z` in the `constellation-conf.yaml` file). - -From there, you can proceed with the [cluster creation](../workflows/create.md) as usual.
diff --git a/docs/versioned_docs/version-2.23/intro.md b/docs/versioned_docs/version-2.23/intro.md
deleted file mode 100644
index 0bfe86da9..000000000
--- a/docs/versioned_docs/version-2.23/intro.md
+++ /dev/null
@@ -1,34 +0,0 @@ ---- -slug: / -id: intro ---- -# Introduction - -Welcome to the documentation of Constellation! Constellation is a Kubernetes engine that aims to provide the best possible data security. - -![Constellation concept](/img/concept.svg) - - Constellation shields your entire Kubernetes cluster from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages a technology called *confidential computing* and more specifically Confidential VMs. - -:::tip -See the 📄[whitepaper](https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf) for more information on confidential computing. -::: - -## Goals - -From a security perspective, Constellation is designed to keep all data always encrypted and to prevent any access from the underlying (cloud) infrastructure. This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure. Such attackers could be malicious co-tenants escalating their privileges or hackers who managed to compromise a cloud server. - -From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern Kubernetes engine. - -## Use cases - -Constellation provides unique security [features](overview/confidential-kubernetes.md) and [benefits](overview/security-benefits.md). The core use cases are: - -* Increasing the overall security of your clusters -* Increasing the trustworthiness of your SaaS offerings -* Moving sensitive workloads from on-prem to the cloud -* Meeting regulatory requirements - -## Next steps - -You can learn more about the concept of Confidential Kubernetes, features, security benefits, and performance of Constellation in the *Basics* section. To jump right into the action head to *Getting started*. 
diff --git a/docs/versioned_docs/version-2.23/overview/clouds.md b/docs/versioned_docs/version-2.23/overview/clouds.md
deleted file mode 100644
index b2695d28e..000000000
--- a/docs/versioned_docs/version-2.23/overview/clouds.md
+++ /dev/null
@@ -1,66 +0,0 @@ -# Feature status of clouds - -What works on which cloud? Currently, Confidential VMs (CVMs) are available in varying quality on the different clouds and software stacks. - -For Constellation, the ideal environment provides the following: - -1. Ability to run arbitrary software and images inside CVMs -2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or Intel TDX (available in Xeon CPUs since the Sapphire Rapids generation) -3. Ability for CVM guests to obtain raw hardware attestation statements -4. Reviewable, open-source firmware inside CVMs -5. Capability of the firmware to attest the integrity of the code it passes control to, e.g., with an embedded virtual TPM (vTPM) - -(1) is a functional must-have. (2)--(5) are required for remote attestation that fully keeps the infrastructure/cloud out. Constellation can work without them or with approximations, but won't protect against certain privileged attackers anymore. - -The following table summarizes the state of features for different infrastructures. - -| **Feature** | **AWS** | **Azure** | **GCP** | **STACKIT** | **OpenStack (Yoga)** | -|-----------------------------------|---------|-----------|---------|--------------|----------------------| -| **1. Custom images** | Yes | Yes | Yes | Yes | Yes | -| **2. SEV-SNP or TDX** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **3. Raw guest attestation** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **4. Reviewable firmware** | Yes | No* | No | No | Depends on kernel/HV | -| **5. Confidential measured boot** | No | Yes | No | No | Depends on kernel/HV | - -## Amazon Web Services (AWS) - -Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/). -Regarding (3), AWS provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by the Nitro hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the [firmware is open source](https://github.com/aws/uefi) and can be reproducibly built. - -## Microsoft Azure - -With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation. -Regarding (3), Azure provides direct access to attestation statements. -The firmware runs in an isolated domain inside the CVM and exposes a vTPM (5), but it's closed source (4). -On SEV-SNP, Azure uses VM Privilege Level (VMPL) isolation for the separation of firmware and the rest of the VM; on TDX, they use TD partitioning. -This firmware is signed by Azure. -The signature is reflected in the attestation statements of CVMs. -Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB). - -\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future. - -## Google Cloud Platform (GCP) - -The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP. -Regarding (3), with their SEV-SNP offering Google provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the CVMs still include closed-source firmware. - -[TDX on Google](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense) is in public preview. -With it, Constellation would have a similar TCB and attestation flow as with the current SEV-SNP offering. - -## STACKIT - -[STACKIT Compute Engine](https://www.stackit.de/en/product/stackit-compute-engine/) supports AMD SEV-ES. A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB. - -## OpenStack - -OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation. - -## Conclusion - -The different clouds and software like the Linux kernel and OpenStack are in the process of building out their support for state-of-the-art CVMs. Azure has already most features in place. For Constellation, the status quo means that the TCB has different shapes on different infrastructures. With broad SEV-SNP support coming to the Linux kernel, we soon expect a normalization of features across infrastructures. 
diff --git a/docs/versioned_docs/version-2.23/overview/confidential-kubernetes.md b/docs/versioned_docs/version-2.23/overview/confidential-kubernetes.md
deleted file mode 100644
index bff8c3322..000000000
--- a/docs/versioned_docs/version-2.23/overview/confidential-kubernetes.md
+++ /dev/null
@@ -1,42 +0,0 @@ -# Confidential Kubernetes - -We use the term *Confidential Kubernetes* to refer to the concept of using confidential-computing technology to shield entire Kubernetes clusters from the infrastructure. The three defining properties of this concept are: - -1. **Workload shielding**: the confidentiality and integrity of all workload-related data and code are enforced. -2. **Control plane shielding**: the confidentiality and integrity of the cluster's control plane, state, and workload configuration are enforced. -3. **Attestation and verifiability**: the two properties above can be verified remotely based on hardware-rooted cryptographic certificates. - -Each of the above properties is equally important. Only with all three in conjunction, an entire cluster can be shielded without gaps. - -## Constellation security features - -Constellation implements the Confidential Kubernetes concept with the following security features. - -* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster. -* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime. -* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs. -* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster. 
-* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.) -* **"Whole cluster" attestation**: Towards the DevOps engineer, Constellation provides a single hardware-rooted certificate from which all of the above can be verified. - -With the above, Constellation wraps an entire cluster into one coherent and verifiable *confidential context*. The concept is depicted in the following. - -![Confidential Kubernetes](../_media/concept-constellation.svg) - -## Comparison: Managed Kubernetes with CVMs - -In comparison, managed Kubernetes with CVMs, as it's for example offered in [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) and [GKE](https://cloud.google.com/kubernetes-engine), only provides runtime encryption for certain worker nodes. Here, each worker node is a separate (and typically unverified) confidential context. This only provides limited security benefits as it only prevents direct access to a worker node's memory. The large majority of potential attacks through the infrastructure remain unaffected. This includes attacks through the control plane, access to external key management, and the corruption of worker node images. This leaves many problems unsolved. For instance, *Node A* has no means to verify if *Node B* is "good" and if it's OK to share data with it. Consequently, this approach leaves a large attack surface, as is depicted in the following. - -![Concept: Managed Kubernetes plus CVMs](../_media/concept-managed.svg) - -The following table highlights the key differences in terms of features. 
- -| | Managed Kubernetes with CVMs | Confidential Kubernetes (Constellation✨) | -|-------------------------------------|------------------------------|--------------------------------------------| -| Runtime encryption | Partial (data plane only)| **Yes** | -| Node image verification | No | **Yes** | -| Full cluster attestation | No | **Yes** | -| Transparent network encryption | No | **Yes** | -| Transparent storage encryption | No | **Yes** | -| Confidential key management | No | **Yes** | -| Cloud agnostic / multi-cloud | No | **Yes** |
diff --git a/docs/versioned_docs/version-2.23/overview/license.md b/docs/versioned_docs/version-2.23/overview/license.md
deleted file mode 100644
index 34122c025..000000000
--- a/docs/versioned_docs/version-2.23/overview/license.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# License
-
-## Source code
-
-Constellation's source code is available on [GitHub](https://github.com/edgelesssys/constellation) under the [GNU Affero General Public License v3.0](https://github.com/edgelesssys/constellation/blob/main/LICENSE).
-
-## Binaries
-
-Edgeless Systems provides ready-to-use and [signed](../architecture/attestation.md#chain-of-trust) binaries of Constellation. This includes the CLI and the [node images](../architecture/images.md).
-
-These binaries may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems.
-
-The Constellation CLI displays relevant license information when you initialize your cluster. You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability.
-
-## Terraform provider
-
-Edgeless Systems provides a [Terraform provider](https://github.com/edgelesssys/terraform-provider-constellation/releases), which may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems.
-
-You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability.
-
-## Community License
-
-You are free to use the Constellation binaries provided by Edgeless Systems to create services for internal consumption, evaluation purposes, or non-commercial use. You must not use the Constellation binaries to provide commercial hosted services to third parties. Edgeless Systems gives no warranties and offers no support.
-
-## Enterprise License
-
-Enterprise Licenses don't have the above limitations and come with support and additional features.
Find out more at the [product website](https://www.edgeless.systems/products/constellation/).
-
-Once you have received your Enterprise License file, place it in your [Constellation workspace](../architecture/orchestration.md#workspaces) in a file named `constellation.license`.
-
-## CSP Marketplaces
-
-Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
diff --git a/docs/versioned_docs/version-2.23/overview/performance/application.md b/docs/versioned_docs/version-2.23/overview/performance/application.md
deleted file mode 100644
index c67d59644..000000000
--- a/docs/versioned_docs/version-2.23/overview/performance/application.md
+++ /dev/null
@@ -1,102 +0,0 @@
-# Application benchmarks
-
-## HashiCorp Vault
-
-[HashiCorp Vault](https://www.vaultproject.io/) is a distributed secrets management software that can be deployed to Kubernetes.
-HashiCorp maintains a benchmarking tool for vault, [vault-benchmark](https://github.com/hashicorp/vault-benchmark/).
-Vault-benchmark generates load on a Vault deployment and measures response times.
-
-This article describes the results from running vault-benchmark on Constellation, AKS, and GKE.
-You can find the setup for producing the data discussed in this article in the [vault-benchmarks](https://github.com/edgelesssys/vault-benchmarks) repository.
-
-The Vault API used during benchmarking is the [transits secret engine](https://developer.hashicorp.com/vault/docs/secrets/transit).
-This allows services to send data to Vault for encryption, decryption, signing, and verification.
-
-## Results
-
-On each run, vault-benchmark sends requests and measures the latencies.
-The measured latencies are aggregated through various statistical features.
-After running the benchmark n times, the arithmetic mean over a subset of the reported statistics is calculated.
-The selected features are arithmetic mean, 99th percentile, minimum, and maximum.
-
-Arithmetic mean gives a general sense of the latency on each target.
-The 99th percentile shows performance in (most likely) erroneous states.
-Minimum and maximum mark the range within which latency varies each run.
-
-The benchmark was configured with 1300 workers and 10 seconds per run.
-Those numbers were chosen empirically.
-The latency was stabilizing at 10 seconds runtime, not changing with further increase.
-Increasing the number of workers beyond 1300 leads to request failures, marking the limit Vault was able to handle in this setup.
-All results are based on 100 runs.
-
-The following data was generated while running five replicas, one primary, and four standby nodes.
-All numbers are in seconds if not indicated otherwise.
-```
-========== Results AKS ==========
-Mean: mean: 1.632200, variance: 0.002057
-P99: mean: 5.480679, variance: 2.263700
-Max: mean: 6.651001, variance: 2.808401
-Min: mean: 0.011415, variance: 0.000133
-========== Results GKE ==========
-Mean: mean: 1.656435, variance: 0.003615
-P99: mean: 6.030807, variance: 3.955051
-Max: mean: 7.164843, variance: 3.300004
-Min: mean: 0.010233, variance: 0.000111
-========== Results C11n ==========
-Mean: mean: 1.651549, variance: 0.001610
-P99: mean: 5.780422, variance: 3.016106
-Max: mean: 6.942997, variance: 3.075796
-Min: mean: 0.013774, variance: 0.000228
-========== AKS vs C11n ==========
-Mean: +1.171577 % (AKS is faster)
-P99: +5.185495 % (AKS is faster)
-Max: +4.205618 % (AKS is faster)
-Min: +17.128781 % (AKS is faster)
-========== GKE vs C11n ==========
-Mean: -0.295851 % (GKE is slower)
-P99: -4.331603 % (GKE is slower)
-Max: -3.195248 % (GKE is slower)
-Min: +25.710886 % (GKE is faster)
-```
-
-**Interpretation**: Latencies are all within ~5% of each other.
-AKS performs slightly better than GKE and Constellation (C11n) in all cases except minimum latency.
-Minimum latency is the lowest for GKE.
-Compared to GKE, Constellation had slightly lower peak latencies (99th percentile and maximum), indicating that Constellation could have handled slightly more concurrent accesses than GKE.
-Overall, performance is at comparable levels across all three distributions.
-Based on these numbers, you can use a similarly sized Constellation cluster to run your existing Vault deployment.
-
-### Visualization
-
-The following plots visualize the data presented above as [box plots](https://en.wikipedia.org/wiki/Box_plot).
-The whiskers denote the minimum and maximum.
-The box stretches from the 25th to the 75th percentile, with the dividing bar marking the 50th percentile.
-The circles outside the whiskers denote outliers.
-
-
-Mean Latency
-
-![Mean Latency](../../_media/benchmark_vault/5replicas/mean_latency.png)
-
-
- -
-99th Percentile Latency
-
-![99th Percentile Latency](../../_media/benchmark_vault/5replicas/p99_latency.png)
-
-
- -
-Maximum Latency
-
-![Maximum Latency](../../_media/benchmark_vault/5replicas/max_latency.png)
-
-
- -
-Minimum Latency
-
-![Minimum Latency](../../_media/benchmark_vault/5replicas/min_latency.png)
-
-
diff --git a/docs/versioned_docs/version-2.23/overview/performance/compute.md b/docs/versioned_docs/version-2.23/overview/performance/compute.md
deleted file mode 100644
index 88dd4b1b2..000000000
--- a/docs/versioned_docs/version-2.23/overview/performance/compute.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Impact of runtime encryption on compute performance
-
-All nodes in a Constellation cluster are executed inside Confidential VMs (CVMs). Consequently, the performance of Constellation is inherently linked to the performance of these CVMs.
-
-## AMD and Azure benchmarking
-
-AMD and Azure have collectively released a [performance benchmark](https://community.amd.com/t5/business/microsoft-azure-confidential-computing-powered-by-3rd-gen-epyc/ba-p/497796) for CVMs that utilize 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. This benchmark, which included a variety of mostly compute-intensive tests such as SPEC CPU 2017 and CoreMark, demonstrated that CVMs experience only minor performance degradation (ranging from 2% to 8%) when compared to standard VMs. Such results are indicative of the performance that can be expected from compute-intensive workloads running with Constellation on Azure.
-
-## AMD and Google benchmarking
-
-Similarly, AMD and Google have jointly released a [performance benchmark](https://www.amd.com/system/files/documents/3rd-gen-epyc-gcp-c2d-conf-compute-perf-brief.pdf) for CVMs employing 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. With high-performance computing workloads such as WRF, NAMD, Ansys CFS, and Ansys LS_DYNA, they observed analogous findings, with only minor performance degradation (between 2% and 4%) compared to standard VMs. These outcomes are reflective of the performance that can be expected for compute-intensive workloads running with Constellation on GCP.
diff --git a/docs/versioned_docs/version-2.23/overview/performance/io.md b/docs/versioned_docs/version-2.23/overview/performance/io.md
deleted file mode 100644
index 3ae796f8a..000000000
--- a/docs/versioned_docs/version-2.23/overview/performance/io.md
+++ /dev/null
@@ -1,204 +0,0 @@
-# I/O performance benchmarks
-
-To assess the overall performance of Constellation, this benchmark evaluates Constellation v2.6.0 in terms of storage I/O using [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) and network performance using the [Kubernetes Network Benchmark](https://github.com/InfraBuilder/k8s-bench-suite#knb--kubernetes-network-be).
-
-This benchmark tested Constellation on Azure and GCP and compared the results against the managed Kubernetes offerings AKS and GKE.
-
-## Configurations
-
-### Constellation
-
-The benchmark was conducted with Constellation v2.6.0, Kubernetes v1.25.7, and Cilium v1.12.
-It ran on the following infrastructure configurations.
-
-Constellation on Azure:
-
-- Nodes: 3 (1 Control-plane, 2 Worker)
-- Machines: `DC4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory
-- CVM: `true`
-- Region: `West US`
-- Zone: `2`
-
-Constellation on GCP:
-
-- Nodes: 3 (1 Control-plane, 2 Worker)
-- Machines: `n2d-standard-4`: 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory
-- CVM: `true`
-- Zone: `europe-west3-b`
-
-### AKS
-
-On AKS, the benchmark used Kubernetes `v1.24.9` and nodes with version `AKSUbuntu-1804gen2containerd-2023.02.15`.
-AKS ran with the [`kubenet`](https://learn.microsoft.com/en-us/azure/aks/concepts-network#kubenet-basic-networking) CNI and the [default CSI driver](https://learn.microsoft.com/en-us/azure/aks/azure-disk-csi) for Azure Disk.
-
-The following infrastructure configurations was used:
-
-- Nodes: 2 (2 Worker)
-- Machines: `D4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory
-- CVM: `false`
-- Region: `West US`
-- Zone: `2`
-
-### GKE
-
-On GKE, the benchmark used Kubernetes `v1.24.9` and nodes with version `1.24.9-gke.3200`.
-GKE ran with the [`kubenet`](https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview) CNI and the [default CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver) for Compute Engine persistent disk.
-
-The following infrastructure configurations was used:
-
-- Nodes: 2 (2 Worker)
-- Machines: `n2d-standard-4` 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory
-- CVM: `false`
-- Zone: `europe-west3-b`
-
-## Results
-
-### Network
-
-This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
-The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
-
-GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
-AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
-The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
-Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
-
-Constellation on Azure and AKS used an MTU of 1500.
-Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450.
-
-The difference in network bandwidth can largely be attributed to two factors.
-
-- Constellation's [network encryption](../../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit.
-- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O.
-
-#### Pod-to-Pod
-
-In this scenario, the client Pod connects directly to the server pod via its IP address.
-
-```mermaid
-flowchart LR
- subgraph Node A
- Client[Client]
- end
- subgraph Node B
- Server[Server]
- end
- Client ==>|traffic| Server
-```
-
-The results for "Pod-to-Pod" on Azure are as follows:
-
-![Network Pod2Pod Azure benchmark graph](../../_media/benchmark_net_p2p_azure.png)
-
-The results for "Pod-to-Pod" on GCP are as follows:
-
-![Network Pod2Pod GCP benchmark graph](../../_media/benchmark_net_p2p_gcp.png)
-
-#### Pod-to-Service
-
-In this scenario, the client Pod connects to the server Pod via a ClusterIP service. This is more relevant to real-world use cases.
-
-```mermaid
-flowchart LR
- subgraph Node A
- Client[Client] ==>|traffic| Service[Service]
- end
- subgraph Node B
- Server[Server]
- end
- Service ==>|traffic| Server
-```
-
-The results for "Pod-to-Pod" on Azure are as follows:
-
-![Network Pod2SVC Azure benchmark graph](../../_media/benchmark_net_p2svc_azure.png)
-
-The results for "Pod-to-Pod" on GCP are as follows:
-
-![Network Pod2SVC GCP benchmark graph](../../_media/benchmark_net_p2svc_gcp.png)
-
-In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU.
-
-Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth.
-
-### Storage I/O
-
-Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC).
-Upon requesting persistent storage through a PVC, GKE and AKS will provision a PV as defined by a default [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/).
-Constellation provides persistent storage on Azure and GCP [that's encrypted on the CSI layer](../../architecture/encrypted-storage.md).
-Similarly, upon a PVC request, Constellation will provision a PV via a default storage class.
-
-For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size.
-The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance:
-
-- 6400 (20000 burst) IOPS
-- 144 MB/s (600 MB/s burst) throughput
-
-However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes):
-
-- 500 (600 burst) IOPS
-- 60 MB/s (150 MB/s burst) throughput
-
-For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size.
-The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms):
-
-- 3,000 read IOPS
-- 15,000 write IOPS
-- 240 MB/s read throughput
-- 240 MB/s write throughput
-
-However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size:
-
-- 2400 read IOPS
-- 2400 write IOPS
-- 112 MB/s read throughput
-- 112 MB/s write throughput
-
-The [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) benchmark consists of several tests.
-The benchmark used [`Kubestr`](https://github.com/kastenhq/kubestr) to run `fio` in Kubernetes.
-The default test performs randomized access patterns that accurately depict worst-case I/O scenarios for most applications.
-
-The following `fio` settings were used:
-
-- No Cloud caching
-- No OS caching
-- Single CPU
-- 60 seconds runtime
-- 10 seconds ramp-up time
-- 10 GiB file
-- IOPS: 4 KB blocks and 128 iodepth
-- Bandwidth: 1024 KB blocks and 128 iodepth
-
-For more details, see the [`fio` test configuration](https://github.com/edgelesssys/constellation/blob/main/.github/actions/e2e_benchmark/fio.ini).
-
-The results for IOPS on Azure are as follows:
-
-![I/O IOPS Azure benchmark graph](../../_media/benchmark_fio_azure_iops.png)
-
-The results for IOPS on GCP are as follows:
-
-![I/O IOPS GCP benchmark graph](../../_media/benchmark_fio_gcp_iops.png)
-
-The results for bandwidth on Azure are as follows:
-
-![I/O bandwidth Azure benchmark graph](../../_media/benchmark_fio_azure_bw.png)
-
-The results for bandwidth on GCP are as follows:
-
-![I/O bandwidth GCP benchmark graph](../../_media/benchmark_fio_gcp_bw.png)
-
-On GCP, the results exceed the maximum performance guarantees of the chosen disk type. There are two possible explanations for this. The first is that there may be cloud caching in place that isn't configurable. Alternatively, the underlying provisioned disk size may be larger than what was requested, resulting in higher performance boundaries.
-
-When comparing Constellation on GCP with GKE, Constellation has similar bandwidth but about 10% less IOPS performance. On Azure, Constellation has similar IOPS performance compared to AKS, where both likely hit the maximum storage performance. However, Constellation has approximately 15% less read and write bandwidth.
-
-## Conclusion
-
-Despite the added [security benefits](../security-benefits.md) that Constellation provides, it only incurs a slight performance overhead when compared to managed Kubernetes offerings such as AKS and GKE. In most compute benchmarks, Constellation is on par with it's alternatives.
-While it may be slightly slower in certain I/O scenarios due to network and storage encryption, there is ongoing work to reduce this overhead to single digits.
-
-For instance, storage encryption only adds between 10% to 15% overhead in terms of bandwidth and IOPS.
-Meanwhile, the biggest performance impact that Constellation currently faces is network encryption, which can incur up to 58% overhead on a 10 Gbps network.
-However, the Cilium team has conducted [benchmarks with Cilium using WireGuard encryption](https://docs.cilium.io/en/latest/operations/performance/benchmark/#encryption-wireguard-ipsec) on a 100 Gbps network that yielded over 15 Gbps.
-We're confident that Constellation will provide a similar level of performance with an upcoming release.
-
-Overall, Constellation strikes a great balance between security and performance, and we're continuously working to improve its performance capabilities while maintaining its high level of security.
diff --git a/docs/versioned_docs/version-2.23/overview/performance/performance.md b/docs/versioned_docs/version-2.23/overview/performance/performance.md
deleted file mode 100644
index 59bf86602..000000000
--- a/docs/versioned_docs/version-2.23/overview/performance/performance.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Performance analysis of Constellation
-
-This section provides a comprehensive examination of the performance characteristics of Constellation.
-
-## Runtime encryption
-
-Runtime encryption affects compute performance. [Benchmarks by Azure and Google](compute.md) show that the performance degradation of Confidential VMs (CVMs) is small, ranging from 2% to 8% for compute-intensive workloads.
-
-## I/O performance benchmarks
-
-We evaluated the [I/O performance](io.md) of Constellation, utilizing a collection of synthetic benchmarks targeting networking and storage.
-We further compared this performance to native managed Kubernetes offerings from various cloud providers, to better understand how Constellation stands in relation to standard practices.
-
-## Application benchmarking
-
-To gauge Constellation's applicability to well-known applications, we performed a [benchmark of HashiCorp Vault](application.md) running on Constellation.
-The results were then compared to deployments on the managed Kubernetes offerings from different cloud providers, providing a tangible perspective on Constellation's performance in actual deployment scenarios.
diff --git a/docs/versioned_docs/version-2.23/overview/product.md b/docs/versioned_docs/version-2.23/overview/product.md
deleted file mode 100644
index 4b5d90706..000000000
--- a/docs/versioned_docs/version-2.23/overview/product.md
+++ /dev/null
@@ -1,12 +0,0 @@
-# Product features
-
-Constellation is a Kubernetes engine that aims to provide the best possible data security in combination with enterprise-grade scalability and reliability features---and a smooth user experience.
-
-From a security perspective, Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and corresponding security features, which shield your entire cluster from the underlying infrastructure.
-
-From an operational perspective, Constellation provides the following key features:
-
-* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
-* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
-* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
-* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
diff --git a/docs/versioned_docs/version-2.23/overview/security-benefits.md b/docs/versioned_docs/version-2.23/overview/security-benefits.md
deleted file mode 100644
index 51a8b64f5..000000000
--- a/docs/versioned_docs/version-2.23/overview/security-benefits.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Security benefits and threat model
-
-Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and shields entire Kubernetes deployments from the infrastructure. More concretely, Constellation decreases the size of the trusted computing base (TCB) of a Kubernetes deployment. The TCB is the totality of elements in a computing environment that must be trusted not to be compromised. A smaller TCB results in a smaller attack surface. The following diagram shows how Constellation removes the *cloud & datacenter infrastructure* and the *physical hosts*, including the hypervisor, the host OS, and other components, from the TCB (red). Inside the confidential context (green), Kubernetes remains part of the TCB, but its integrity is attested and can be [verified](../workflows/verify-cluster.md).
-
-![TCB comparison](../_media/tcb.svg)
-
-Given this background, the following describes the concrete threat classes that Constellation addresses.
-
-## Insider access
-
-Employees and third-party contractors of cloud service providers (CSPs) have access to different layers of the cloud infrastructure.
-This opens up a large attack surface where workloads and data can be read, copied, or manipulated. With Constellation, Kubernetes deployments are shielded from the infrastructure and thus such accesses are prevented.
-
-## Infrastructure-based attacks
-
-Malicious cloud users ("hackers") may break out of their tenancy and access other tenants' data. Advanced attackers may even be able to establish a permanent foothold within the infrastructure and access data over a longer period. Analogously to the *insider access* scenario, Constellation also prevents access to a deployment's data in this scenario.
-
-## Supply chain attacks
-
-Supply chain security is receiving lots of attention recently due to an [increasing number of recorded attacks](https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks). For instance, a malicious actor could attempt to tamper Constellation node images (including Kubernetes and other software) before they're loaded in the confidential VMs of a cluster. Constellation uses [remote attestation](../architecture/attestation.md) in conjunction with public [transparency logs](../workflows/verify-cli.md) to prevent this.
-
-In the future, Constellation will extend this feature to customer workloads. This will enable cluster owners to create auditable policies that precisely define which containers can run in a given deployment.
diff --git a/docs/versioned_docs/version-2.23/reference/cli.md b/docs/versioned_docs/version-2.23/reference/cli.md
deleted file mode 100644
index 7cbc0be8d..000000000
--- a/docs/versioned_docs/version-2.23/reference/cli.md
+++ /dev/null
@@ -1,873 +0,0 @@ -# CLI reference - - - -Use the Constellation CLI to create and manage your clusters. - -Usage: - -``` -constellation [command] -``` -Commands: - -* [config](#constellation-config): Work with the Constellation configuration file - * [generate](#constellation-config-generate): Generate a default configuration and state file - * [fetch-measurements](#constellation-config-fetch-measurements): Fetch measurements for configured cloud provider and image - * [instance-types](#constellation-config-instance-types): Print the supported instance types for all cloud providers - * [kubernetes-versions](#constellation-config-kubernetes-versions): Print the Kubernetes versions supported by this CLI - * [migrate](#constellation-config-migrate): Migrate a configuration file to a new version -* [create](#constellation-create): Create instances on a cloud platform for your Constellation cluster -* [apply](#constellation-apply): Apply a configuration to a Constellation cluster -* [mini](#constellation-mini): Manage MiniConstellation clusters - * [up](#constellation-mini-up): Create and initialize a new MiniConstellation cluster - * [down](#constellation-mini-down): Destroy a MiniConstellation cluster -* [status](#constellation-status): Show status of a Constellation cluster -* [verify](#constellation-verify): Verify the confidential properties of a Constellation cluster -* [upgrade](#constellation-upgrade): Find and apply upgrades to your Constellation cluster - * [check](#constellation-upgrade-check): Check for possible upgrades - * [apply](#constellation-upgrade-apply): Apply an upgrade to a Constellation cluster -* [recover](#constellation-recover): Recover a completely stopped Constellation cluster -* [terminate](#constellation-terminate): Terminate a Constellation cluster -* [iam](#constellation-iam): Work with the IAM configuration on your cloud provider - * [create](#constellation-iam-create): Create IAM configuration on a cloud platform for your Constellation 
cluster - * [aws](#constellation-iam-create-aws): Create IAM configuration on AWS for your Constellation cluster - * [azure](#constellation-iam-create-azure): Create IAM configuration on Microsoft Azure for your Constellation cluster - * [gcp](#constellation-iam-create-gcp): Create IAM configuration on GCP for your Constellation cluster - * [destroy](#constellation-iam-destroy): Destroy an IAM configuration and delete local Terraform files - * [upgrade](#constellation-iam-upgrade): Find and apply upgrades to your IAM profile - * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile -* [version](#constellation-version): Display version of this CLI -* [init](#constellation-init): Initialize the Constellation cluster -* [ssh](#constellation-ssh): Generate a certificate for emergency SSH access - -## constellation config - -Work with the Constellation configuration file - -### Synopsis - -Work with the Constellation configuration file. - -### Options - -``` - -h, --help help for config -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config generate - -Generate a default configuration and state file - -### Synopsis - -Generate a default configuration and state file for your selected cloud provider. - -``` -constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags] -``` - -### Options - -``` - -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. 
If not specified, the default for the cloud provider is used - -h, --help help for generate - -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.30") - -t, --tags strings additional tags for created resources given a list of key=value -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config fetch-measurements - -Fetch measurements for configured cloud provider and image - -### Synopsis - -Fetch measurements for configured cloud provider and image. - -A config needs to be generated first. - -``` -constellation config fetch-measurements [flags] -``` - -### Options - -``` - -h, --help help for fetch-measurements - -s, --signature-url string alternative URL to fetch measurements' signature from - -u, --url string alternative URL to fetch measurements from -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config instance-types - -Print the supported instance types for all cloud providers - -### Synopsis - -Print the supported instance types for all cloud providers. 
- -``` -constellation config instance-types [flags] -``` - -### Options - -``` - -h, --help help for instance-types -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config kubernetes-versions - -Print the Kubernetes versions supported by this CLI - -### Synopsis - -Print the Kubernetes versions supported by this CLI. - -``` -constellation config kubernetes-versions [flags] -``` - -### Options - -``` - -h, --help help for kubernetes-versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config migrate - -Migrate a configuration file to a new version - -### Synopsis - -Migrate a configuration file to a new version. - -``` -constellation config migrate [flags] -``` - -### Options - -``` - -h, --help help for migrate -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation create - -Create instances on a cloud platform for your Constellation cluster - -### Synopsis - -Create instances on a cloud platform for your Constellation cluster. 
- -``` -constellation create [flags] -``` - -### Options - -``` - -h, --help help for create - -y, --yes create the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation apply - -Apply a configuration to a Constellation cluster - -### Synopsis - -Apply a configuration to a Constellation cluster to initialize or upgrade the cluster. - -``` -constellation apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | init | attestationconfig | certsans | helm | image | k8s } - -y, --yes run command without further confirmation - WARNING: the command might delete or update existing resources without additional checks. Please read the docs. - -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini - -Manage MiniConstellation clusters - -### Synopsis - -Manage MiniConstellation clusters. 
- -### Options - -``` - -h, --help help for mini -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini up - -Create and initialize a new MiniConstellation cluster - -### Synopsis - -Create and initialize a new MiniConstellation cluster. - -A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM. - -``` -constellation mini up [flags] -``` - -### Options - -``` - -h, --help help for up - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true) -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini down - -Destroy a MiniConstellation cluster - -### Synopsis - -Destroy a MiniConstellation cluster. - -``` -constellation mini down [flags] -``` - -### Options - -``` - -h, --help help for down - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation status - -Show status of a Constellation cluster - -### Synopsis - -Show the status of a constellation cluster. - -Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades. 
- -``` -constellation status [flags] -``` - -### Options - -``` - -h, --help help for status -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation verify - -Verify the confidential properties of a Constellation cluster - -### Synopsis - -Verify the confidential properties of a Constellation cluster. -If arguments aren't specified, values are read from `constellation-state.yaml`. - -``` -constellation verify [flags] -``` - -### Options - -``` - --cluster-id string expected cluster identifier - -h, --help help for verify - -e, --node-endpoint string endpoint of the node to verify, passed as HOST[:PORT] - -o, --output string print the attestation document in the output format {json|raw} -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade - -Find and apply upgrades to your Constellation cluster - -### Synopsis - -Find and apply upgrades to your Constellation cluster. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade check - -Check for possible upgrades - -### Synopsis - -Check which upgrades can be applied to your Constellation Cluster. 
- -``` -constellation upgrade check [flags] -``` - -### Options - -``` - -h, --help help for check - --ref string the reference to use for querying new versions (default "-") - --stream string the stream to use for querying new versions (default "stable") - -u, --update-config update the specified config file with the suggested versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade apply - -Apply an upgrade to a Constellation cluster - -### Synopsis - -Apply an upgrade to a Constellation cluster by applying the chosen configuration. - -``` -constellation upgrade apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | helm | image | k8s } - -y, --yes run upgrades without further confirmation - WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs. - WARNING: might unintentionally overwrite measurements in the running cluster. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation recover - -Recover a completely stopped Constellation cluster - -### Synopsis - -Recover a Constellation cluster by sending a recovery key to an instance in the boot stage. 
- -This is only required if instances restart without other instances available for bootstrapping. - -``` -constellation recover [flags] -``` - -### Options - -``` - -e, --endpoint string endpoint of the instance, passed as HOST[:PORT] - -h, --help help for recover -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation terminate - -Terminate a Constellation cluster - -### Synopsis - -Terminate a Constellation cluster. - -The cluster can't be started again, and all persistent storage will be lost. - -``` -constellation terminate [flags] -``` - -### Options - -``` - -h, --help help for terminate - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam - -Work with the IAM configuration on your cloud provider - -### Synopsis - -Work with the IAM configuration on your cloud provider. - -### Options - -``` - -h, --help help for iam -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create - -Create IAM configuration on a cloud platform for your Constellation cluster - -### Synopsis - -Create IAM configuration on a cloud platform for your Constellation cluster. 
- -### Options - -``` - -h, --help help for create - --update-config update the config file with the specific IAM information - -y, --yes create the IAM configuration without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create aws - -Create IAM configuration on AWS for your Constellation cluster - -### Synopsis - -Create IAM configuration on AWS for your Constellation cluster. - -``` -constellation iam create aws [flags] -``` - -### Options - -``` - -h, --help help for aws - --prefix string name prefix for all resources (required) - --zone string AWS availability zone the resources will be created in, e.g., us-east-2a (required) - See the Constellation docs for a list of currently supported regions. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create azure - -Create IAM configuration on Microsoft Azure for your Constellation cluster - -### Synopsis - -Create IAM configuration on Microsoft Azure for your Constellation cluster. 
- -``` -constellation iam create azure [flags] -``` - -### Options - -``` - -h, --help help for azure - --region string region the resources will be created in, e.g., westus (required) - --resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required) - --servicePrincipal string name of the service principal that will be created (required) - --subscriptionID string subscription ID of the Azure account. Required if the 'ARM_SUBSCRIPTION_ID' environment variable is not set -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create gcp - -Create IAM configuration on GCP for your Constellation cluster - -### Synopsis - -Create IAM configuration on GCP for your Constellation cluster. - -``` -constellation iam create gcp [flags] -``` - -### Options - -``` - -h, --help help for gcp - --prefix string Prefix for the service account ID and VM ID that will be created (required) - Must be letters, digits, or hyphens. 
- --projectID string ID of the GCP project the configuration will be created in (required) - Find it on the welcome screen of your project: https://console.cloud.google.com/welcome - --zone string GCP zone the cluster will be deployed in (required) - Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam destroy - -Destroy an IAM configuration and delete local Terraform files - -### Synopsis - -Destroy an IAM configuration and delete local Terraform files. - -``` -constellation iam destroy [flags] -``` - -### Options - -``` - -h, --help help for destroy - -y, --yes destroy the IAM configuration without asking for confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade - -Find and apply upgrades to your IAM profile - -### Synopsis - -Find and apply upgrades to your IAM profile. 
- -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade apply - -Apply an upgrade to an IAM profile - -### Synopsis - -Apply an upgrade to an IAM profile. - -``` -constellation iam upgrade apply [flags] -``` - -### Options - -``` - -h, --help help for apply - -y, --yes run upgrades without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation version - -Display version of this CLI - -### Synopsis - -Display version of this CLI. - -``` -constellation version [flags] -``` - -### Options - -``` - -h, --help help for version -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation init - -Initialize the Constellation cluster - -### Synopsis - -Initialize the Constellation cluster. - -Start your confidential Kubernetes. 
- -``` -constellation init [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for init - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation ssh - -Generate a certificate for emergency SSH access - -### Synopsis - -Generate a certificate for emergency SSH access to your SSH-enabled constellation cluster. - -``` -constellation ssh [flags] -``` - -### Options - -``` - -h, --help help for ssh - --key string the path to an existing SSH public key -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - diff --git a/docs/versioned_docs/version-2.23/reference/migration.md b/docs/versioned_docs/version-2.23/reference/migration.md deleted file mode 100644 index eb55d650b..000000000 --- a/docs/versioned_docs/version-2.23/reference/migration.md +++ /dev/null 
@@ -1,140 +0,0 @@ -# Migrations - -This document describes breaking changes and migrations between Constellation releases. -Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format. - -## Migrations to v2.23.0 - -### GCP - -GCP will require the additional permission `compute.forwardingRules.list`. Please update your IAM roles using `constellation iam upgrade apply`. - -## Migrations to v2.19.1 - -### Azure - -* During the upgrade, security rules are migrated and the old ones need to be cleaned up manually by the user. The below script shows how to delete them through the Azure CLI: - -```bash -#!/usr/bin/env bash -name="" # the name provided in the config -uid="" # the cluster id can be retrieved via `yq '.infrastructure.uid' constellation-state.yaml` -resource_group="" # the RG can be retrieved via `yq '.provider.azure.resourceGroup' constellation-conf.yaml` - -rules=( - "kubernetes" - "bootstrapper" - "verify" - "recovery" - "join" - "debugd" - "konnectivity" -) - -for rule in "${rules[@]}"; do - echo "Deleting rule: ${rule}" - az network nsg rule delete \ - --resource-group "${resource_group}" \ - --nsg-name "${name}-${uid}" \ - --name "${rule}" -done - -echo "All specified rules have been deleted." -``` - -## Migrating from CLI versions before 2.21.1 - -### AWS - -* AWS clusters that use `LoadBalancer` resources require more IAM permissions. Please upgrade your IAM roles using `constellation iam upgrade apply`. This will show necessary changes and apply them, if desired. - -## Migrating from CLI versions before 2.19.0 - -### Azure - -* To allow seamless upgrades on Azure when Kubernetes services of type `LoadBalancer` are deployed, the target - load balancer in which the `cloud-controller-manager` creates load balancing rules was changed. 
Instead of using the load balancer - created and maintained by the CLI's Terraform code, the `cloud-controller-manager` now creates its own load balancer in Azure. - If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them - afterward. - -## Migrating from CLI versions before 2.18.0 - -* The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed. -* To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`. -* Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-an-iam-configuration) and use the created UAMI. -* To migrate the authentication for an existing cluster on Azure to an UAMI with the necessary permissions: - 1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret. - 2. Set `useManagedIdentityExtension` to `true` and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`. - 3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods. - -## Migrating from CLI versions before 2.10 - -* AWS cluster upgrades require additional IAM permissions for the newly introduced `aws-load-balancer-controller`. Please upgrade your IAM roles using `iam upgrade apply`. This will show necessary changes and apply them, if desired. -* The global `nodeGroups` field was added. -* The fields `instanceType`, `stateDiskSizeGB`, and `stateDiskType` for each cloud provider are now part of the configuration of individual node groups. -* The `constellation create` command no longer uses the flags `--control-plane-count` and `--worker-count`. Instead, the initial node count is configured per node group in the `nodeGroups` field. 
- -## Migrating from CLI versions before 2.9 - -* The `provider.azure.appClientID` and `provider.azure.clientSecretValue` fields were removed to enforce migration to managed identity authentication - -## Migrating from CLI versions before 2.8 - -* The `measurements` field for each cloud service provider was replaced with a global `attestation` field. -* The `confidentialVM`, `idKeyDigest`, and `enforceIdKeyDigest` fields for the Azure cloud service provider were removed in favor of using the global `attestation` field. -* The optional global field `attestationVariant` was replaced by the now required `attestation` field. - -## Migrating from CLI versions before 2.3 - -* The `sshUsers` field was deprecated in v2.2 and has been removed from the configuration in v2.3. - As an alternative for SSH, check the workflow section [Connect to nodes](../workflows/troubleshooting.md#node-shell-access). -* The `image` field for each cloud service provider has been replaced with a global `image` field. Use the following mapping to migrate your configuration: -
- Show all - - | CSP | old image | new image | - | ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | - | AWS | `ami-06b8cbf4837a0a57c` | `v2.2.2` | - | AWS | `ami-02e96dc04a9e438cd` | `v2.2.2` | - | AWS | `ami-028ead928a9034b2f` | `v2.2.2` | - | AWS | `ami-032ac10dd8d8266e3` | `v2.2.1` | - | AWS | `ami-032e0d57cc4395088` | `v2.2.1` | - | AWS | `ami-053c3e49e19b96bdd` | `v2.2.1` | - | AWS | `ami-0e27ebcefc38f648b` | `v2.2.0` | - | AWS | `ami-098cd37f66523b7c3` | `v2.2.0` | - | AWS | `ami-04a87d302e2509aad` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | 
`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.0.0` | `v2.0.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.0.0` | `v2.0.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-2` | `v2.2.2` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-1` | `v2.2.1` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-0` | `v2.2.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-1-0` | `v2.1.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-0-0` | `v2.0.0` | - -
-* The `enforcedMeasurements` field has been removed and merged with the `measurements` field. - * To migrate your config containing a new image (`v2.3` or greater), remove the old `measurements` and `enforcedMeasurements` entries from your config and run `constellation fetch-measurements` - * To migrate your config containing an image older than `v2.3`, remove the `enforcedMeasurements` entry and replace the entries in `measurements` as shown in the example below: - - ```diff - measurements: - - 0: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + 0: - + expected: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + warnOnly: true - - 8: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + 8: - + expected: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + warnOnly: false - -enforcedMeasurements: - - - 8 - ``` diff --git a/docs/versioned_docs/version-2.23/reference/slsa.md b/docs/versioned_docs/version-2.23/reference/slsa.md deleted file mode 100644 index 21f4e713c..000000000 --- a/docs/versioned_docs/version-2.23/reference/slsa.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Supply chain levels for software artifacts (SLSA) adoption - -[Supply chain Levels for Software Artifacts, or SLSA (salsa)](https://slsa.dev/) is a framework for improving and grading a project's build system and engineering processes. SLSA focuses on security improvements for source code storage as well as build system definition, execution, and observation. SLSA is structured in [four levels](https://slsa.dev/spec/v0.1/levels). This page describes the adoption of SLSA for Constellation. - -:::info -SLSA is still in alpha status. The presented levels and their requirements might change in the future. We will adopt any changes into our engineering processes, as they get defined. -::: - -## Level 1 - Adopted - -**[Build - Scripted](https://slsa.dev/spec/v0.1/requirements#scripted-build)** - -All build steps are automated via [Bazel](https://github.com/edgelesssys/constellation/tree/main/bazel/ci) and [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Available](https://slsa.dev/spec/v0.1/requirements#available)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). - -## Level 2 - Adopted - -**[Source - Version Controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled)** - -Constellation is hosted on GitHub using git. - -**[Build - Build Service](https://slsa.dev/spec/v0.1/requirements#build-service)** - -All builds are carried out by [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated)** - -Provenance for the CLI is signed using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). Learn [how to verify the CLI](../workflows/verify-cli.md) using the signed provenance, before using it for the first time. 
- -**[Provenance - Service Generated](https://slsa.dev/spec/v0.1/requirements#service-generated)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) in GitHub Actions. - -## Level 3 - Adopted - -**[Source - Verified History](https://slsa.dev/spec/v0.1/requirements#verified-history)** - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization [requires two-factor authentication](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) for all members. - -**[Source - Retained Indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely)** - -Since we use GitHub to host the repository, an external person can't modify or delete the history. Before a pull request can be merged, an explicit approval from an [Edgeless Systems](https://github.com/edgelesssys) team member is required. - -The same holds true for changes proposed by team members. Each change to `main` needs to be proposed via a pull request and requires at least one approval. - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization admins control these settings and are able to make changes to the repository's history should legal requirements necessitate it. These changes require two-party approval following the obliterate policy. - -**[Build - Build as Code](https://slsa.dev/spec/v0.1/requirements#build-as-code)** - -All build files for Constellation are stored in [the same repository](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Build - Ephemeral Environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment)** - -All GitHub Action workflows are executed on [GitHub-hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners). 
These runners are only available during workflow. - -We currently don't use [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). - -**[Build - Isolated](https://slsa.dev/spec/v0.1/requirements#isolated)** - -As outlined in the previous section, we use GitHub-hosted runners, which provide a new, isolated and ephemeral environment for each build. - -Additionally, the [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator#generation-of-provenance) itself is run in an isolated workflow with the artifact hash as defined inputs. - -**[Provenance - Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable)** - -As outlined by [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator) it already fulfills the non-falsifiable requirements for SLSA Level 3. The generated provenance is signed using [sigstore](https://sigstore.dev/) with an OIDC based proof of identity. - -## Level 4 - In Progress - -We strive to adopt certain aspect of SLSA Level 4 that support our engineering process. At the same time, SLSA is still in alpha status and the biggest changes to SLSA are expected to be around Level 4. diff --git a/docs/versioned_docs/version-2.23/reference/terraform.md b/docs/versioned_docs/version-2.23/reference/terraform.md deleted file mode 100644 index 9825a8bb8..000000000 --- a/docs/versioned_docs/version-2.23/reference/terraform.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Terraform usage - -[Terraform](https://www.terraform.io/) is an Infrastructure as Code (IaC) framework to manage cloud resources. This page explains how Constellation uses it internally and how advanced users may manually use it to have more control over the resource creation. - -:::info -Information on this page is intended for users who are familiar with Terraform. -It's not required for common usage of Constellation. -See the [Terraform documentation](https://developer.hashicorp.com/terraform/docs) if you want to learn more about it. -::: - -## Terraform state files - -Constellation keeps Terraform state files in subdirectories of the workspace together with the corresponding Terraform configuration files and metadata. -The subdirectories are created on the first Constellation CLI action that uses Terraform internally. - -Currently, these subdirectories are: - -* `constellation-terraform` - Terraform state files for the resources of the Constellation cluster -* `constellation-iam-terraform` - Terraform state files for IAM configuration - -As with all commands, commands that work with these files (e.g., `apply`, `terminate`, `iam`) have to be executed from the root of the cluster's [workspace directory](../architecture/orchestration.md#workspaces). You usually don't need and shouldn't manipulate or delete the subdirectories manually. - -## Interacting with Terraform manually - -Manual interaction with Terraform state created by Constellation (i.e., via the Terraform CLI) should only be performed by experienced users. It may lead to unrecoverable loss of cloud resources. For the majority of users and use cases, the interaction done by the [Constellation CLI](cli.md) is sufficient. - -## Terraform debugging - -To debug Terraform issues, the Constellation CLI offers the `tf-log` flag. 
You can set it to any of [Terraform's log levels](https://developer.hashicorp.com/terraform/internals/debugging): -* `JSON` (JSON-formatted logs at `TRACE` level) -* `TRACE` -* `DEBUG` -* `INFO` -* `WARN` -* `ERROR` - -The log output is written to the `terraform.log` file in the workspace directory. The output is appended to the file on each run. diff --git a/docs/versioned_docs/version-2.23/workflows/cert-manager.md b/docs/versioned_docs/version-2.23/workflows/cert-manager.md deleted file mode 100644 index 1d847e8bf..000000000 --- a/docs/versioned_docs/version-2.23/workflows/cert-manager.md +++ /dev/null @@ -1,13 +0,0 @@ -# Install cert-manager - -:::caution -If you want to use cert-manager with Constellation, pay attention to the following to avoid potential pitfalls. -::: - -Constellation ships with cert-manager preinstalled. -The default installation is part of the `kube-system` namespace, as all other Constellation-managed microservices. -You are free to install more instances of cert-manager into other namespaces. -However, be aware that any new installation needs to use the same version as the one installed with Constellation or rely on the same CRD versions. -Also remember to set the `installCRDs` value to `false` when installing new cert-manager instances. -It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs. -CRDs are cluster-wide resources and cert-manager depends on specific versions of those CRDs for each release. diff --git a/docs/versioned_docs/version-2.23/workflows/config.md b/docs/versioned_docs/version-2.23/workflows/config.md deleted file mode 100644 index 7868ff1be..000000000 --- a/docs/versioned_docs/version-2.23/workflows/config.md +++ /dev/null 
@@ -1,353 +0,0 @@ -# Configure your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Before you can create your cluster, you need to configure the identity and access management (IAM) for your cloud service provider (CSP) and choose machine types for the nodes. - -## Creating the configuration file - -You can generate a configuration file for your CSP by using the following CLI command: - - - - -```bash -constellation config generate aws -``` - - - - -```bash -constellation config generate azure -``` - - - - -```bash -constellation config generate gcp -``` - - - - -```bash -constellation config generate stackit -``` - - - - -This creates the file `constellation-conf.yaml` in the current directory. - -## Choosing a VM type - -Constellation supports the following VM types: - - - -By default, Constellation uses `m6a.xlarge` VMs (4 vCPUs, 16 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. -If you are using the default attestation variant `awsSEVSNP`, you can use the instance types described in [AWS's AMD SEV-SNP docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). -Please mind the region restrictions mentioned in the [Getting started](../getting-started/first-steps.md#create-a-cluster) section. - -If you are using the attestation variant `awsNitroTPM`, you can choose any of the [nitroTPM-enabled instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -By default, Constellation uses `Standard_DC4as_v5` CVMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. 
For CVMs, any VM type with a minimum of 4 vCPUs from the [DCasv5 & DCadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series) or [ECasv5 & ECadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/ecasv5-ecadsv5-series) families is supported. - -You can also run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `n2d-standard-4` VMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. Supported are all machines with a minimum of 4 vCPUs from the [C2D](https://cloud.google.com/compute/docs/compute-optimized-machines#c2d_machine_types) or [N2D](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) family. You can run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `m1a.4cd` VMs (4 vCPUs, 30 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. - -The following instance types are known to be supported: - -| name | vCPUs | GB RAM | -|----------|-------|--------| -| m1a.4cd | 4 | 30 | -| m1a.8cd | 8 | 60 | -| m1a.16cd | 16 | 120 | -| m1a.30cd | 30 | 230 | - -You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -Fill the desired VM type into the `instanceType` fields in the `constellation-conf.yml` file. - -## Creating additional node groups - -By default, Constellation creates the node groups `control_plane_default` and `worker_default` for control-plane nodes and workers, respectively. 
-If you require additional control-plane or worker groups with different instance types, zone placements, or disk sizes, you can add additional node groups to the `constellation-conf.yml` file. -Each node group can be scaled individually. - -Consider the following example for AWS: - -```yaml -nodeGroups: - control_plane_default: - role: control-plane - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 3 - worker_default: - role: worker - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 2 - high_cpu: - role: worker - instanceType: c6a.24xlarge - stateDiskSizeGB: 128 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 1 -``` - -This configuration creates an additional node group `high_cpu` with a larger instance type and disk. - -You can use the field `zone` to specify what availability zone nodes of the group are placed in. -On Azure, this field is empty by default and nodes are automatically spread across availability zones. -STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones. -Consult the documentation of your cloud provider for more information: - -* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) -* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones) -* [GCP](https://cloud.google.com/compute/docs/regions-zones) -* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html) - -## Choosing a Kubernetes version - -To learn which Kubernetes versions can be installed with your current CLI, you can run `constellation config kubernetes-versions`. -See also Constellation's [Kubernetes support policy](../architecture/versions.md#kubernetes-support-policy). - -## Creating an IAM configuration - -You can create an IAM configuration for your cluster automatically using the `constellation iam create` command. 
-If you already have a Constellation configuration file, you can add the `--update-config` flag to the command. This writes the needed IAM fields into your configuration. Furthermore, the flag updates the zone/region of the configuration if it hasn't been set yet. - - - - -You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create aws --zone=us-east-2a --prefix=constellTest -``` - -This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. - -Constellation OS images are currently replicated to the following regions: - -* `eu-central-1` -* `eu-west-1` -* `eu-west-3` -* `us-east-2` -* `ap-south-1` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - -You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest -``` - -This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. 
- -CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - -* `germanywestcentral` -* `westus` -* `eastus` -* `northeurope` -* `westeurope` -* `southeastasia` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). - -You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test -``` - -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. - -Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - - -
-Alternatively, you can manually create the IAM configuration on your CSP. - -The following describes the configuration fields and how you obtain the required information or create the required resources. - - - - -* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`. - - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -* **zone**: The name of your chosen AWS data center availability zone, e.g., `us-east-2a`. - - Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones). - -* **iamProfileControlPlane**: The name of an IAM instance profile attached to all control-plane nodes. - - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`. - -* **iamProfileWorkerNodes**: The name of an IAM instance profile attached to all worker nodes. 
- - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`. - - - - -* **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`. - - You can view your subscription UUID via `az account show` and read the `id` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription). - -* **tenant**: The UUID of your Azure tenant, e.g., `3400e5a2-8fe2-492a-886c-38cb66170f25`. - - You can view your tenant UUID via `az account show` and read the `tenant` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant). - -* **location**: The Azure datacenter location you want to deploy your cluster in, e.g., `westus`. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -* **resourceGroup**: [Create a new resource group in Azure](https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal) for your Constellation cluster. Set this configuration field to the name of the created resource group. - -* **userAssignedIdentity**: [Create a new managed identity in Azure](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination. - - Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor`, and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group. - - Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity. - - The user-assigned identity is used by instances of the cluster to access other cloud resources. - For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). - - - - -* **project**: The ID of your GCP project, e.g., `constellation-129857`. - - You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). 
- -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. - - You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. - - You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **serviceAccountKeyPath**: To configure this, you need to create a GCP [service account](https://cloud.google.com/iam/docs/service-accounts) with the following permissions: - - * `Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)` - * `Compute Network Admin (roles/compute.networkAdmin)` - * `Compute Security Admin (roles/compute.securityAdmin)` - * `Compute Storage Admin (roles/compute.storageAdmin)` - * `Service Account User (roles/iam.serviceAccountUser)` - - Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - -
- -Now that you've configured your CSP, you can [create your cluster](./create.md). - -## Deleting an IAM configuration - -You can keep a created IAM configuration and reuse it for new clusters. Alternatively, you can also delete it if you don't want to use it anymore. - -Delete the IAM configuration by executing the following command in the same directory where you executed `constellation iam create` (the directory that contains [`constellation-iam-terraform`](../reference/terraform.md) as a subdirectory): - -```bash -constellation iam destroy -``` - -:::caution -For Azure, deleting the IAM configuration by executing `constellation iam destroy` will delete the whole resource group created by `constellation iam create`. -This also includes any additional resources in the resource group that weren't created by Constellation. -::: diff --git a/docs/versioned_docs/version-2.23/workflows/create.md b/docs/versioned_docs/version-2.23/workflows/create.md deleted file mode 100644 index 6074ebb16..000000000 --- a/docs/versioned_docs/version-2.23/workflows/create.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# Create your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Creating your cluster happens through multiple phases. -The most significant ones are: - -1. Creating the necessary resources in your cloud environment -2. Bootstrapping the Constellation cluster and setting up a connection -3. Installing the necessary Kubernetes components - -`constellation apply` handles all this in a single command. -You can use the `--skip-phases` flag to skip specific phases of the process. -For example, if you created the infrastructure manually, you can skip the cloud resource creation phase. - -See the [architecture](../architecture/orchestration.md) section for details on the inner workings of this process. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -Before you create the cluster, make sure to have a [valid configuration file](./config.md). - - - - -```bash -constellation apply -``` - -`apply` stores the state of your cluster's cloud resources in a [`constellation-terraform`](../architecture/orchestration.md#cluster-creation-process) directory in your workspace. - - - - -Self-managed infrastructure allows for more flexibility in the setup, by separating the infrastructure setup from the Constellation cluster management. -This provides flexibility in DevOps and can meet potential regulatory requirements. -It's recommended to use Terraform for infrastructure management, but you can use any tool of your choice. - -:::info - - When using Terraform, you can use the [Constellation Terraform provider](./terraform-provider.md) to manage the entire Constellation cluster lifecycle. 
- -::: - -You can refer to the Terraform files for the selected CSP from the [Constellation GitHub repository](https://github.com/edgelesssys/constellation/tree/main/terraform/infrastructure) for a minimum Constellation cluster configuration. From this base, you can now add, edit, or substitute resources per your own requirements with the infrastructure -management tooling of your choice. You need to keep the essential functionality of the base configuration in order for your cluster to function correctly. - - - -:::info - - On Azure, a manual update to the MAA provider's policy is necessary. - You can apply the update with the following command after creating the infrastructure, with `` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration). - - ```bash - constellation maa-patch - ``` - -::: - - - -Make sure all necessary resources are created, e.g., through checking your CSP's portal and retrieve the necessary values, aligned with the outputs (specified in `outputs.tf`) of the base configuration. - -Fill these outputs into the corresponding fields of the `Infrastructure` block inside the `constellation-state.yaml` file. For example, fill the IP or DNS name your cluster can be reached at into the `.Infrastructure.ClusterEndpoint` field. - -With the required cloud resources set up, continue with initializing your cluster. - -```bash -constellation apply --skip-phases=infrastructure -``` - - - - -Finally, configure `kubectl` for your cluster: - -```bash -export KUBECONFIG="$PWD/constellation-admin.conf" -``` - -🏁 That's it. You've successfully created a Constellation cluster. - -### Troubleshooting - -In case `apply` fails, the CLI collects logs from the bootstrapping instance and stores them inside `constellation-cluster.log`. 
diff --git a/docs/versioned_docs/version-2.23/workflows/lb.md b/docs/versioned_docs/version-2.23/workflows/lb.md
deleted file mode 100644
index 868e61076..000000000
--- a/docs/versioned_docs/version-2.23/workflows/lb.md
+++ /dev/null
@@ -1,28 +0,0 @@ -# Expose a service - -Constellation integrates the native load balancers of each CSP. Therefore, to expose a service simply [create a service of type `LoadBalancer`](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). - -## Internet-facing LB service on AWS - -To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS. - -Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/). - -For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html). - -:::caution -Before terminating the cluster, all LB backed services should be deleted, so that the controller can cleanup the related resources. -::: - -## Ingress on AWS - -The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`. -AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type). -The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation. -If a service can be exposed on a `NodePort`, the target type `instance` can be used. - -See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information. 
- -:::caution -Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they shouldn't be handling sensitive traffic! -:::
diff --git a/docs/versioned_docs/version-2.23/workflows/recovery.md b/docs/versioned_docs/version-2.23/workflows/recovery.md
deleted file mode 100644
index 592ae247b..000000000
--- a/docs/versioned_docs/version-2.23/workflows/recovery.md
+++ /dev/null
@@ -1,179 +0,0 @@ -# Recover your cluster - -Recovery of a Constellation cluster means getting it back into a healthy state after too many concurrent node failures in the control plane. -Reasons for an unhealthy cluster can vary from a power outage, or planned reboot, to migration of nodes and regions. -Recovery events are rare, because Constellation is built for high availability and automatically and securely replaces failed nodes. When a node is replaced, Constellation's control plane first verifies the new node before it sends the node the cryptographic keys required to decrypt its [state disk](../architecture/images.md#state-disk). - -Constellation provides a recovery mechanism for cases where the control plane has failed and is unable to replace nodes. -The `constellation recover` command securely connects to all nodes in need of recovery using [attested TLS](../architecture/attestation.md#attested-tls-atls) and provides them with the keys to decrypt their state disks and continue booting. - -## Identify unhealthy clusters - -The first step to recovery is identifying when a cluster becomes unhealthy. -Usually, this can be first observed when the Kubernetes API server becomes unresponsive. - -You can check the health status of the nodes via the cloud service provider (CSP). -Constellation provides logging information on the boot process and status via serial console output. -In the following, you'll find detailed descriptions for identifying clusters stuck in recovery for each CSP. - - - - -First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `--control-plane` and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -In the Azure portal, find the cluster's resource group. -Inside the resource group, open the control plane *Virtual machine scale set* `constellation-scale-set-controlplanes-`. -On the left, go to **Settings** > **Instances** and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. -In the scale set's *Instances* view, open the details page of the desired instance. -On the left, go to **Support + troubleshooting** > **Serial console**. - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T09:56:41Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"azure"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["10.9.0.5:30090","10.9.0.6:30090"]} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.5:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.5:30090: i/o timeout\"","endpoint":"10.9.0.5:30090"} -{"level":"INFO","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.6:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.6:30090: i/o timeout\"","endpoint":"10.9.0.6:30090"} -{"level":"ERROR","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, check that the control plane *Instance Group* has enough members in a *Ready* state. -In the GCP Console, go to **Instance Groups** and check the group for the cluster's control plane `-control-plane-`. - -Second, check the status of the *VM Instances*. -Go to **VM Instances** and open the details of the desired instance. 
-Check the serial console output of that instance by opening the **Logs** > **Serial port 1 (console)** page: - -![GCP portal serial console link](../_media/recovery-gcp-serial-console-link.png) - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} -{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `--control-plane--` and check that enough members are in a *Running* state. - -Second, check the boot logs of these servers. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -## Recover a cluster - -Recovering a cluster requires the following parameters: - -* The `constellation-state.yaml` file in your working directory or the cluster's endpoint -* The master secret of the cluster - -A cluster can be recovered like this: - -```bash -$ constellation recover -Pushed recovery key. -Pushed recovery key. -Pushed recovery key. -Recovered 3 control-plane nodes. -``` - -In the serial console output of the node you'll see a similar output to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:93","msg":"Received recover call"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:125","msg":"Received state disk key and measurement secret, shutting down server"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer.gRPC","caller":"zap/server_interceptors.go:61","msg":"finished streaming call with code OK","grpc.start_time":"2022-09-08T10:26:59Z","system":"grpc","span.kind":"server","grpc.service":"recoverproto.API","grpc.method":"Recover","peer.address":"192.0.2.3:41752","grpc.code":"OK","grpc.time_ms":15.701} -{"level":"INFO","ts":"2022-09-08T10:27:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:87","msg":"RejoinClient stopped"} -``` 
diff --git a/docs/versioned_docs/version-2.23/workflows/reproducible-builds.md b/docs/versioned_docs/version-2.23/workflows/reproducible-builds.md
deleted file mode 100644
index e3bc46095..000000000
--- a/docs/versioned_docs/version-2.23/workflows/reproducible-builds.md
+++ /dev/null
@@ -1,63 +0,0 @@ -# Reproduce released artifacts - -Constellation has first-class support for [reproducible builds](https://reproducible-builds.org). -Reproducing the released artifacts is an alternative to [signature verification](verify-cli.md) that doesn't require trusting Edgeless Systems' release process. -The following sections describe how to rebuild an artifact and how Constellation ensures that the rebuild reproduces the artifacts bit-by-bit. - -## Build environment prerequisites - -The build systems used by Constellation - [Bazel](https://bazel.build/) and [Nix](https://nixos.org) - are designed for deterministic, reproducible builds. -These two dependencies should be the only prerequisites for a successful build. -However, it can't be ruled out completely that peculiarities of the host affect the build result. -Thus, we recommend the following host setup for best results: - -1. A Linux operating system not older than v5.4. -2. The GNU C library not older than v2.31 (avoid `musl`). -3. GNU `coreutils` not older than v8.30 (avoid `busybox`). -4. An `ext4` filesystem for building. -5. AppArmor turned off. - -This is given, for example, on an Ubuntu 22.04 system, which is also used for reproducibility tests. - -:::note - -To avoid any backwards-compatibility issues, the host software versions should also not be much newer than the Constellation release. - -::: - -## Run the build - -The following instructions outline qualitatively how to reproduce a build. -Constellation implements these instructions in the [Reproducible Builds workflow](https://github.com/edgelesssys/constellation/actions/workflows/reproducible-builds.yml), which continuously tests for reproducibility. -The workflow is a good place to look up specific version numbers and build steps. - -1. Check out the Constellation repository at the tag corresponding to the release. 
- - ```bash - git clone https://github.com/edgelesssys/constellation.git - cd constellation - git checkout v2.20.0 - ``` - -2. [Install the Bazel release](https://bazel.build/install) specified in `.bazelversion`. -3. [Install Nix](https://nixos.org/download/) (any recent version should do). -4. Run the build with `bazel build $target` for one of the following targets of interest: - - ```data - //cli:cli_enterprise_darwin_amd64 - //cli:cli_enterprise_darwin_arm64 - //cli:cli_enterprise_linux_amd64 - //cli:cli_enterprise_linux_arm64 - //cli:cli_enterprise_windows_amd64 - ``` - -5. Compare the build result with the downloaded release artifact. - - - -## Feedback - -Reproduction failures often indicate a bug in the build system or in the build definitions. -Therefore, we're interested in any reproducibility issues you might encounter. -[Start a bug report](https://github.com/edgelesssys/constellation/issues/new/choose) and describe the details of your build environment. -Make sure to include your result binary or a [`diffoscope`](https://diffoscope.org/) report, if possible. diff --git a/docs/versioned_docs/version-2.23/workflows/s3proxy.md b/docs/versioned_docs/version-2.23/workflows/s3proxy.md deleted file mode 100644 index 121e8a461..000000000 --- a/docs/versioned_docs/version-2.23/workflows/s3proxy.md +++ /dev/null 
@@ -1,58 +0,0 @@ -# Install s3proxy - -Constellation includes a transparent client-side encryption proxy for [AWS S3](https://aws.amazon.com/de/s3/) and compatible stores. -s3proxy encrypts objects before sending them to S3 and automatically decrypts them on retrieval, without requiring changes to your application. -With s3proxy, you can use S3 for storage in a confidential way without having to trust the storage provider. - -## Limitations - -Currently, s3proxy has the following limitations: -- Only `PutObject` and `GetObject` requests are encrypted/decrypted by s3proxy. -By default, s3proxy will block requests that may expose unencrypted data to S3 (e.g. UploadPart). -The `allow-multipart` flag disables request blocking for evaluation purposes. -- Using the [Range](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html#API_GetObject_RequestSyntax) header on `GetObject` is currently not supported and will result in an error. - -These limitations will be removed with future iterations of s3proxy. -If you want to use s3proxy but these limitations stop you from doing so, consider [opening an issue](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&projects=&template=feature_request.yml). - -## Deployment - -You can add the s3proxy to your Constellation cluster as follows: -1. Add the Edgeless Systems chart repository: - ```bash - helm repo add edgeless https://helm.edgeless.systems/stable - helm repo update - ``` -2. Set ACCESS_KEY and ACCESS_SECRET to valid credentials you want s3proxy to use to interact with S3. -3. Deploy s3proxy: - ```bash - helm install s3proxy edgeless/s3proxy --set awsAccessKeyID="$ACCESS_KEY" --set awsSecretAccessKey="$ACCESS_SECRET" - ``` - -If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example. 
- - -## Technical details - -### Encryption - -s3proxy relies on Google's [Tink Cryptographic Library](https://developers.google.com/tink) to implement cryptographic operations securely. -The used cryptographic primitives are [NIST SP 800 38f](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf) for key wrapping and [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)-[GCM](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Galois/counter_(GCM)) with 256 bit keys for data encryption. - -s3proxy uses [envelope encryption](https://cloud.google.com/kms/docs/envelope-encryption) to encrypt objects. -This means s3proxy uses a key encryption key (KEK) issued by the [KeyService](../architecture/microservices.md#keyservice) to encrypt data encryption keys (DEKs). -Each S3 object is encrypted with its own DEK. -The encrypted DEK is then saved as metadata of the encrypted object. -This enables key rotation of the KEK without re-encrypting the data in S3. -The approach also allows access to objects from different locations, as long as each location has access to the KEK. - -### Traffic interception - -To use s3proxy, you have to redirect your outbound S3 traffic to s3proxy. -This can either be done by modifying your client application or by changing the deployment of your application. - -The necessary deployment modifications are to add DNS redirection and a trusted TLS certificate to the client's trust store. -DNS redirection can be defined for each pod, allowing you to use s3proxy for one application without changing other applications in the same cluster. -Adding a trusted TLS certificate is necessary as clients communicate with s3proxy via HTTPS. -To have your client application trust s3proxy's TLS certificate, the certificate has to be added to the client's certificate trust store. -The [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example shows how to do this. 
diff --git a/docs/versioned_docs/version-2.23/workflows/sbom.md b/docs/versioned_docs/version-2.23/workflows/sbom.md
deleted file mode 100644
index 6c1702dee..000000000
--- a/docs/versioned_docs/version-2.23/workflows/sbom.md
+++ /dev/null
@@ -1,93 +0,0 @@ -# Consume software bill of materials (SBOMs) - - - ---- - -Constellation builds produce a [software bill of materials (SBOM)](https://www.ntia.gov/SBOM) for each generated [artifact](../architecture/microservices.md). -You can use SBOMs to make informed decisions about dependencies and vulnerabilities in a given application. Enterprises rely on SBOMs to maintain an inventory of used applications, which allows them to take data-driven approaches to managing risks related to vulnerabilities. - -SBOMs for Constellation are generated using [Syft](https://github.com/anchore/syft), signed using [Cosign](https://github.com/sigstore/cosign), and stored with the produced artifact. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). - -Make sure the key is available in a file named `cosign.pub` to execute the following examples. -::: - -## Verify and download SBOMs - -The following sections detail how to work with each type of artifact to verify and extract the SBOM. - -### Constellation CLI - -The SBOM for Constellation CLI is made available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). The SBOM (`constellation.spdx.sbom`) and corresponding signature (`constellation.spdx.sbom.sig`) are valid for each Constellation CLI for a given version, regardless of architecture and operating system. 
- -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom.sig -cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig constellation.spdx.sbom -``` - -### Container Images - -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/cosign/signing/other_types/#sboms-software-bill-of-materials) and uploaded to the same registry. - -As a consumer, use cosign to download and verify the SBOM: - -```bash -# Verify and download the attestation statement -cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.att.json -# Extract SBOM from attestation statement -jq -r .payload verification-service.att.json | base64 -d > verification-service.cyclonedx.sbom -``` - -A successful verification should result in similar output: - -```shell-session -$ cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.sbom - -Verification for ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 -- -The following checks were performed on each of these signatures: - - The cosign claims were validated - - The signatures were verified against the specified public key -$ jq -r .payload verification-service.sbom | base64 -d > verification-service.cyclonedx.sbom -``` - -:::note - -This example considers only the `verification-service`. The same approach works for all containers in the [Constellation container registry](https://github.com/orgs/edgelesssys/packages?repo_name=constellation). - -::: - - - -## Vulnerability scanning - -You can use a plethora of tools to consume SBOMs. 
This section provides suggestions for tools that are popular and known to produce reliable results, but any tool that consumes [SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) files should work. - -Syft is able to [convert between the two formats](https://github.com/anchore/syft#format-conversion-experimental) in case you require a specific type. - -### Grype - -[Grype](https://github.com/anchore/grype) is a CLI tool that lends itself well for integration into CI/CD systems or local developer machines. It's also able to consume the signed attestation statement directly and does the verification in one go. - -```bash -grype att:verification-service.sbom --key cosign.pub --add-cpes-if-none -q -``` - -### Dependency Track - -[Dependency Track](https://dependencytrack.org/) is one of the oldest and most mature solutions when it comes to managing software inventory and vulnerabilities. Once imported, it continuously scans SBOMs for new vulnerabilities. It supports the CycloneDX format and provides direct guidance on how to comply with [U.S. Executive Order 14028](https://docs.dependencytrack.org/usage/executive-order-14028/).
diff --git a/docs/versioned_docs/version-2.23/workflows/scale.md b/docs/versioned_docs/version-2.23/workflows/scale.md
deleted file mode 100644
index 28f19e3f1..000000000
--- a/docs/versioned_docs/version-2.23/workflows/scale.md
+++ /dev/null
@@ -1,122 +0,0 @@ -# Scale your cluster - -Constellation provides all features of a Kubernetes cluster including scaling and autoscaling. - -## Worker node scaling - -### Autoscaling - -Constellation comes with autoscaling disabled by default. To enable autoscaling, find the scaling group of -worker nodes: - -```bash -kubectl get scalinggroups -o json | yq '.items | .[] | select(.spec.role == "Worker") | [{"name": .metadata.name, "nodeGoupName": .spec.nodeGroupName}]' -``` - -This will output a list of scaling groups with the corresponding cloud provider name (`name`) and the cloud provider agnostic name of the node group (`nodeGroupName`). - -Then, patch the `autoscaling` field of the scaling group resource with the desired `name` to `true`: - -```bash -# Replace with the name of the scaling group you want to enable autoscaling for -worker_group= -kubectl patch scalinggroups $worker_group --patch '{"spec":{"autoscaling": true}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler now automatically provisions additional worker nodes so that all pods have a place to run. -You can configure the minimum and maximum number of worker nodes in the scaling group by patching the `min` or -`max` fields of the scaling group resource: - -```bash -kubectl patch scalinggroups $worker_group --patch '{"spec":{"max": 5}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler will now never provision more than 5 worker nodes. - -If you want to see the autoscaling in action, try to add a deployment with a lot of replicas, like the -following Nginx deployment. The number of replicas needed to trigger the autoscaling depends on the size of -and count of your worker nodes. 
Wait for the rollout of the deployment to finish and compare the number of -worker nodes before and after the deployment: - -```bash -kubectl create deployment nginx --image=nginx --replicas 150 -kubectl -n kube-system get nodes -kubectl rollout status deployment nginx -kubectl -n kube-system get nodes -``` - -### Manual scaling - -Alternatively, you can manually scale your cluster up or down: - - - - -1. Go to Auto Scaling Groups and select the worker ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-workers`. -3. Go to **settings** and **scaling**. -4. Set the new **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **worker** instance group. -3. Set the new **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. - - - - -## Control-plane node scaling - -Control-plane nodes can **only be scaled manually and only scaled up**! - -To increase the number of control-plane nodes, follow these steps: - - - - -1. Go to Auto Scaling Groups and select the control-plane ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-controlplanes`. -3. Go to **settings** and **scaling**. -4. Set the new (increased) **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **control-plane** instance group. -3. Set the new (increased) **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. 
- - - - -If you scale down the number of control-planes nodes, the removed nodes won't be able to exit the `etcd` cluster correctly. This will endanger the quorum that's required to run a stable Kubernetes control plane.
diff --git a/docs/versioned_docs/version-2.23/workflows/storage.md b/docs/versioned_docs/version-2.23/workflows/storage.md
deleted file mode 100644
index a5c52be90..000000000
--- a/docs/versioned_docs/version-2.23/workflows/storage.md
+++ /dev/null
@@ -1,281 +0,0 @@ -# Use persistent storage - -Persistent storage in Kubernetes requires cloud-specific configuration. -For abstraction of container storage, Kubernetes offers [volumes](https://kubernetes.io/docs/concepts/storage/volumes/), -allowing users to mount storage solutions directly into containers. -The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes. -Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage. - -## Confidential storage - -Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek). -Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT. -However, their encryption takes place in the storage backend and is managed by the CSP. -Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data. - -To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage. - -For more details see [encrypted persistent storage](../architecture/encrypted-storage.md). - -## CSI drivers - -Constellation supports the following drivers, which offer node-level encryption and optional integrity protection. - - - - -**Constellation CSI driver for AWS Elastic Block Store** -Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster. 
-Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information. - - - - -**Constellation CSI driver for Azure Disk**: -Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster. -See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information. -Since Azure Disks are mounted as `ReadWriteOnce`, they're only available to a single pod. - - - - -**Constellation CSI driver for GCP Persistent Disk**: -Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for more information. - - - - -**Constellation CSI driver for STACKIT / OpenStack Cinder** -Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information. - - - - -Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [AWS EFS](https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html), [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction), or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. 
Constellation is just not providing transparent encryption on the node level for these storage types yet. - -## Installation - -The Constellation CLI automatically installs Constellation's CSI driver for the selected CSP in your cluster. -If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file. - - - - -AWS comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -Azure comes with two storage classes by default. 
- -* `encrypted-rwo` - * Uses [Standard SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [Premium SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#premium-ssds) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -GCP comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [standard persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [performance (SSD) persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. 
-If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -STACKIT comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -1. 
Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) - - A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. - It can refer to a storage class. - The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class: - - ```bash - cat < - ---- - -You can terminate your cluster using the CLI. For this, you need the Terraform state directory named [`constellation-terraform`](../reference/terraform.md) in the current directory. - -:::danger - -All ephemeral storage and state of your cluster will be lost. Make sure any data is safely stored in persistent storage. Constellation can recreate your cluster and the associated encryption keys, but won't backup your application data automatically. - -::: - - - -Terminate the cluster by running: - -```bash -constellation terminate -``` - -Or without confirmation (e.g., for automation purposes): - -```bash -constellation terminate --yes -``` - -This deletes all resources created by Constellation in your cloud environment. -All local files created by the `apply` command are deleted as well, except for `constellation-mastersecret.json` and the configuration file. - -:::caution - -Termination can fail if additional resources have been created that depend on the ones managed by Constellation. In this case, you need to delete these additional -resources manually. Just run the `terminate` command again afterward to continue the termination process of the cluster. - -::: - - - -Terminate the cluster by running: - -```bash -terraform destroy -``` - -Delete all files that are no longer needed: - -```bash -rm constellation-state.yaml constellation-admin.conf -``` - -Only the `constellation-mastersecret.json` and the configuration file remain. - - - 
diff --git a/docs/versioned_docs/version-2.23/workflows/terraform-provider.md b/docs/versioned_docs/version-2.23/workflows/terraform-provider.md
deleted file mode 100644
index c7a795d3f..000000000
--- a/docs/versioned_docs/version-2.23/workflows/terraform-provider.md
+++ /dev/null
@@ -1,140 +0,0 @@ -# Use the Terraform provider - -The Constellation Terraform provider allows to manage the full lifecycle of a Constellation cluster (namely creation, upgrades, and deletion) via Terraform. -The provider is available through the [Terraform registry](https://registry.terraform.io/providers/edgelesssys/constellation/latest) and is released in lock-step with Constellation releases. - -## Prerequisites - -- a Linux / Mac operating system (ARM64/AMD64) -- a Terraform installation of version `v1.4.4` or above - -## Quick setup - -This example shows how to set up a Constellation cluster with the reference IAM and infrastructure setup. This setup is also used when creating a Constellation cluster through the Constellation CLI. You can either consume the IAM / infrastructure modules through a remote source (recommended) or local files. The latter requires downloading the infrastructure and IAM modules for the corresponding CSP from `terraform-modules.zip` on the [Constellation release page](https://github.com/edgelesssys/constellation/releases/latest) and placing them in the Terraform workspace directory. - -1. Create a directory (workspace) for your Constellation cluster. - - ```bash - mkdir constellation-workspace - cd constellation-workspace - ``` - -2. Use one of the [example configurations for using the Constellation Terraform provider](https://github.com/edgelesssys/constellation/tree/main/terraform-provider-constellation/examples/full) or create a `main.tf` file and fill it with the resources you want to create. The [Constellation Terraform provider documentation](https://registry.terraform.io/providers/edgelesssys/constellation/latest) offers thorough documentation on the resources and their attributes. -3. Initialize and apply the Terraform configuration. - - - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -:::info -On SEV-SNP, you need to manually patch the policy of the MAA provider before creating the Constellation cluster, as this feature isn't available in Azure's Terraform provider yet. The Constellation CLI provides a utility for patching, but you can also do it manually. - - ```bash - terraform init - terraform apply -target module.azure_iam # adjust resource path if not using the example configuration - terraform apply -target module.azure_infrastructure # adjust resource path if not using the example configuration - constellation maa-patch $(terraform output -raw maa_url) # adjust output path / input if not using the example configuration or manually patch the resource - terraform apply -target constellation_cluster.azure_example # adjust resource path if not using the example configuration - ``` - - Use the following policy if manually performing the patch. - - ``` - version= 1.0; - authorizationrules - { - [type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny(); - [type=="x-ms-azurevm-debuggersdisabled", value==false] => deny(); - // The line below was edited to use the MAA provider within Constellation. Do not edit manually. - //[type=="secureboot", value==false] => deny(); - [type=="x-ms-azurevm-signingdisabled", value==false] => deny(); - [type=="x-ms-azurevm-dbvalidated", value==false] => deny(); - [type=="x-ms-azurevm-dbxvalidated", value==false] => deny(); - => permit(); - }; - issuancerules - { - }; - ``` - -::: - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -4. Connect to the cluster. - - ```bash - terraform output -raw kubeconfig > constellation-admin.conf - export KUBECONFIG=$(realpath constellation-admin.conf) - ``` - -## Bringing your own infrastructure - -Instead of using the example infrastructure used in the [quick setup](#quick-setup), you can also provide your own infrastructure. -If you need a starting point for a custom infrastructure setup, you can download the infrastructure / IAM Terraform modules for the respective CSP from the Constellation [GitHub releases](https://github.com/edgelesssys/constellation/releases). You can modify and extend the modules per your requirements, while keeping the basic functionality intact. 
-The module contains: - -- `{csp}`: cloud resources the cluster runs on -- `iam/{csp}`: IAM resources used within the cluster - -When upgrading your cluster, make sure to check the Constellation release notes for potential breaking changes in the reference infrastructure / IAM modules that need to be considered. - -## Cluster upgrades - -:::tip -Also see the [general documentation on cluster upgrades](./upgrade.md). -::: - -The steps for applying the upgrade are as follows: - -1. Update the version constraint of the Constellation Terraform provider in the `required_providers` block in your Terraform configuration. -2. If you explicitly set any of the version attributes of the provider's resources and data sources (e.g. `image_version` or `constellation_microservice_version`), make sure to update them too. Refer to Constellation's [version support policy](https://github.com/edgelesssys/constellation/blob/main/dev-docs/workflows/versions-support.md) for more information on how each Constellation version and its dependencies are supported. -3. Update the IAM / infrastructure configuration. - - For [remote addresses as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#fetching-archives-over-http), update the version number inside the address of the `source` field of the infrastructure / IAM module to the target version. - - For [local paths as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#local-paths) or when [providing your own infrastructure](#bringing-your-own-infrastructure), see the changes made in the reference modules since the upgrade's origin version and adjust your infrastructure / IAM configuration accordingly. -4. Upgrade the Terraform module and provider dependencies and apply the targeted configuration. - -```bash - terraform init -upgrade - terraform apply -``` 
diff --git a/docs/versioned_docs/version-2.23/workflows/troubleshooting.md b/docs/versioned_docs/version-2.23/workflows/troubleshooting.md
deleted file mode 100644
index 903c829e0..000000000
--- a/docs/versioned_docs/version-2.23/workflows/troubleshooting.md
+++ /dev/null
@@ -1,200 +0,0 @@ -# Troubleshooting - -This section aids you in finding problems when working with Constellation. - -## Common issues - -### Issues with creating new clusters - -When you create a new cluster, you should always use the [latest release](https://github.com/edgelesssys/constellation/releases/latest). -If something doesn't work, check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### Azure: Resource Providers can't be registered - -On Azure, you may receive the following error when running `apply` or `terminate` with limited IAM permissions: - -```shell-session -Error: Error ensuring Resource Providers are registered. - -Terraform automatically attempts to register the Resource Providers it supports to -ensure it's able to provision resources. - -If you don't have permission to register Resource Providers you may wish to use the -"skip_provider_registration" flag in the Provider block to disable this functionality. - -[...] -``` - -To continue, please ensure that the [required resource providers](../getting-started/install.md#required-permissions) have been registered in your subscription by your administrator. - -Afterward, set `ARM_SKIP_PROVIDER_REGISTRATION=true` as an environment variable and either run `apply` or `terminate` again. 
-For example: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation apply -``` - -Or alternatively, for `terminate`: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate -``` - -### Azure: Can't update attestation policy - -On Azure, you may receive the following error when running `apply` from within an Azure environment, e.g., an Azure VM: - -```shell-session -An error occurred: patching policies: updating attestation policy: unexpected status code: 403 Forbidden -``` - -The problem occurs because the Azure SDK we use internally attempts to [authenticate towards the Azure API with the managed identity of your current environment instead of the Azure CLI token](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential). - -We decided not to deviate from this behavior and comply with the ordering of credentials. - -A solution is to add the [required permissions](../getting-started/install.md#required-permissions) to the managed identity of your environment. For example, the managed identity of your Azure VM, instead of the account that you've authenticated with in the Azure CLI. - -If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior. - - - -### Nodes fail to join with error `untrusted measurement value` - -This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice). -This may for example happen if the cloud provider updates the VM's firmware such that it influences the [runtime measurements](../architecture/attestation.md#runtime-measurements) in an unforeseen way. -A failed upgrade due to an erroneous attestation config can also cause this error. -You can change the expected measurements to resolve the failure. 
- -:::caution - -Attestation and trusted measurements are crucial for the security of your cluster. -Be extra careful when manually changing these settings. -When in doubt, check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -:::tip - -During an upgrade with modified attestation config, a backup of the current configuration is stored in the `join-config` config map in the `kube-system` namespace under the `attestationConfig_backup` key. To restore the old attestation config after a failed upgrade, replace the value of `attestationConfig` with the value from `attestationConfig_backup`: - -```bash -kubectl patch configmaps -n kube-system join-config -p "{\"data\":{\"attestationConfig\":\"$(kubectl get configmaps -n kube-system join-config -o "jsonpath={.data.attestationConfig_backup}")\"}}" -``` - -::: - -You can use the `apply` command to change measurements of a running cluster: - -1. Modify the `measurements` key in your local `constellation-conf.yaml` to the expected values. -2. Run `constellation apply`. - -Keep in mind that running `apply` also applies any version changes from your config to the cluster. - -You can run these commands to learn about the versions currently configured in the cluster: - -- Kubernetes API server version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.kubernetesClusterVersion` -- image version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.imageVersion` -- microservices versions: `helm list --filter 'constellation-services' -n kube-system` - -### Upgrading Kubernetes resources fails - -Constellation manages its Kubernetes resources using Helm. 
-When applying an upgrade, the charts that are about to be installed, and a values override file `overrides.yaml`, -are saved to disk in your current workspace under `constellation-upgrade/upgrade-/helm-charts/`. -If upgrading the charts using the Constellation CLI fails, you can review these charts and try to manually apply the upgrade. - -:::caution - -Changing and manually applying the charts may destroy cluster resources and can lead to broken Constellation deployments. -Proceed with caution and when in doubt, -check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -## Diagnosing issues - -### Logs - -To get started on diagnosing issues with Constellation, it's often helpful to collect logs from nodes, pods, or other resources in the cluster. Most logs are available through Kubernetes' standard -[logging interfaces](https://kubernetes.io/docs/concepts/cluster-administration/logging/). - -To debug issues occurring at boot time of the nodes, you can use the serial console interface of the CSP while the machine boots to get a read-only view of the boot logs. - -Apart from that, Constellation also offers further [observability integrations](../architecture/observability.md). - -### Node shell access - -Debugging via a shell on a node is [directly supported by Kubernetes](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#node-shell-session). - -1. Figure out which node to connect to: - - ```bash - kubectl get nodes - # or to see more information, such as IPs: - kubectl get nodes -o wide - ``` - -2. Connect to the node: - - ```bash - kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox - ``` - - You will be presented with a prompt. - - The nodes file system is mounted at `/host`. - -3. 
Once finished, clean up the debug pod: - - ```bash - kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj - ``` - -### Emergency SSH access - -Emergency SSH access to nodes can be useful to diagnose issues or download important data even if the Kubernetes API isn't reachable anymore. - -1. Enter the `constellation-terraform` directory in your Constellation workspace and enable emergency SSH access to the cluster: - - ```bash - cd constellation-terraform - echo "emergency_ssh = true" >> ./terraform.tfvars - terraform apply - ``` - -2. Sign an existing SSH key with your master secret: - - ```bash - cd ../ # go back to your Constellation workspace - constellation ssh --key your_public_key.pub - ``` - - A certificate is written to `constellation_cert.pub`. - - The certificate is valid for 24 hours and enables you to access your Constellation nodes using - [certificate based authentication](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication). - -3. Now you can connect to any Constellation node using your certificate and your private key. - - ```bash - ssh -o CertificateFile=constellation_cert.pub -i root@ - ``` - - Normally, you don't have access to the Constellation nodes since they reside in a private network. - To access those nodes anyways, you can use your Constellation load balancer as a proxy jump host. - For this, use something along the following SSH client configuration: - - ```text - Host - ProxyJump none - - Host * - IdentityFile - PreferredAuthentications publickey - CertificateFile=constellation_cert.pub - User root - ProxyJump - ``` - - With this configuration you can connect to a Constellation node using `ssh -F `. - You can obtain the private node IP and the domain name of the load balancer using your CSP's web UI. diff --git a/docs/versioned_docs/version-2.23/workflows/trusted-launch.md b/docs/versioned_docs/version-2.23/workflows/trusted-launch.md deleted file mode 100644 index d6d01d8eb..000000000 
--- a/docs/versioned_docs/version-2.23/workflows/trusted-launch.md
+++ /dev/null
@@ -1,54 +0,0 @@ -# Use Azure trusted launch VMs - -Constellation also supports [trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch) on Microsoft Azure. Trusted launch VMs don't offer the same level of security as Confidential VMs, but are available in more regions and in larger quantities. The main difference between trusted launch VMs and normal VMs is that the former offer vTPM-based remote attestation. When used with trusted launch VMs, Constellation relies on vTPM-based remote attestation to verify nodes. - -:::caution - -Trusted launch VMs don't provide runtime encryption and don't keep the cloud service provider (CSP) out of your trusted computing base. - -::: - -Constellation supports trusted launch VMs with instance types `Standard_D*_v4` and `Standard_E*_v4`. Run `constellation config instance-types` for a list of all supported instance types. - -## VM images - -Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription. - -The latest image is available at `https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img`. Simply adjust the version number to download a newer version. - -After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image. -You can use a script to do this: - -```bash -wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh -chmod +x importAzure.sh -AZURE_IMAGE_VERSION=2.2.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./constellation.img ./importAzure.sh -``` - -The script creates the following resources: - -1. A new image gallery with the default name `constellation-import` -2. A new image definition with the default name `constellation` -3. 
The actual image with the provided version. In this case `2.2.0` - -Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`. - -Fetch the image measurements: - -```bash -IMAGE_VERSION=2.2.0 -URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//communitygalleries/constellationcvm-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/$IMAGE_VERSION/measurements.yaml -constellation config fetch-measurements -u$URL -s$URL.sig -``` - -:::info - -The [`constellation apply`](create.md) command will issue a warning because manually imported images aren't recognized as production grade images: - -```shell-session -Configured image doesn't look like a released production image. Double check image before deploying to production. -``` - -Please ignore this warning. - -::: diff --git a/docs/versioned_docs/version-2.23/workflows/upgrade.md b/docs/versioned_docs/version-2.23/workflows/upgrade.md deleted file mode 100644 index 3db2ecad6..000000000 --- a/docs/versioned_docs/version-2.23/workflows/upgrade.md +++ /dev/null 
@@ -1,110 +0,0 @@
-# Upgrade your cluster
-
-Constellation provides an easy way to upgrade all components of your cluster, without disrupting its availability.
-Specifically, you can upgrade the Kubernetes version, the nodes' image, and the Constellation microservices.
-You configure the desired versions in your local Constellation configuration and trigger upgrades with the `apply` command.
-To learn about available versions you use the `upgrade check` command.
-Which versions are available depends on the CLI version you are using.
-
-## Update the CLI
-
-Each CLI comes with a set of supported microservice and Kubernetes versions.
-Most importantly, a given CLI version can only upgrade a cluster of the previous minor version, but not older ones.
-This means that you have to upgrade your CLI and cluster one minor version at a time.
-
-For example, if you are currently on CLI version v2.6 and the latest version is v2.8, you should
-
-* upgrade the CLI to v2.7,
-* upgrade the cluster to v2.7,
-* and only then continue upgrading the CLI (and the cluster) to v2.8 after.
-
-Also note that if your current Kubernetes version isn't supported by the next CLI version, use your current CLI to upgrade to a newer Kubernetes version first.
-
-To learn which Kubernetes versions are supported by a particular CLI, run [constellation config kubernetes-versions](../reference/cli.md#constellation-config-kubernetes-versions).
-
-## Migrate the configuration
-
-The Constellation configuration file is located in the file `constellation-conf.yaml` in your workspace.
-Refer to the [migration reference](../reference/migration.md) to check if you need to update fields in your configuration file.
-Use [`constellation config migrate`](../reference/cli.md#constellation-config-migrate) to automatically update an old config file to a new format.
-
-## Check for upgrades
-
-To learn which versions the current CLI can upgrade to and what's installed in your cluster, run:
-
-```bash
-# Show possible upgrades
-constellation upgrade check
-
-# Show possible upgrades and write them to config file
-constellation upgrade check --update-config
-```
-
-You can either enter the reported target versions into your config manually or run the above command with the `--update-config` flag.
-When using this flag, the `kubernetesVersion`, `image`, `microserviceVersion`, and `attestation` fields are overwritten with the smallest available upgrade.
-
-## Apply the upgrade
-
-Once you updated your config with the desired versions, you can trigger the upgrade with this command:
-
-```bash
-constellation apply
-```
-
-Microservice upgrades will be finished within a few minutes, depending on the cluster size.
-If you are interested, you can monitor pods restarting in the `kube-system` namespace with your tool of choice.
-
-Image and Kubernetes upgrades take longer.
-For each node in your cluster, a new node has to be created and joined.
-The process usually takes up to ten minutes per node.
-
-When applying an upgrade, the Helm charts for the upgrade as well as backup files of Constellation-managed Custom Resource Definitions, Custom Resources, and Terraform state are created.
-You can use the Terraform state backup to restore previous resources in case an upgrade misconfigured or erroneously deleted a resource.
-You can use the Custom Resource (Definition) backup files to restore Custom Resources and Definitions manually (e.g., via `kubectl apply`) if the automatic migration of those resources fails.
-You can use the Helm charts to manually apply upgrades to the Kubernetes resources, should an upgrade fail.
-
-:::note
-
-For advanced users: the upgrade consists of several phases that can be individually skipped through the `--skip-phases` flag.
-The phases are `infrastracture` for the cloud resource management through Terraform, `helm` for the chart management of the microservices, `image` for OS image upgrades, and `k8s` for Kubernetes version upgrades.
-
-:::
-
-## Check the status
-
-Upgrades are asynchronous operations.
-After you run `apply`, it will take a while until the upgrade has completed.
-To understand if an upgrade is finished, you can run:
-
-```bash
-constellation status
-```
-
-This command displays the following information:
-
-* The installed services and their versions
-* The image and Kubernetes version the cluster is expecting on each node
-* How many nodes are up to date
-
-Here's an example output:
-
-```shell-session
-Target versions:
- Image: v2.6.0
- Kubernetes: v1.25.8
-Service versions:
- Cilium: v1.12.1
- cert-manager: v1.10.0
- constellation-operators: v2.6.0
- constellation-services: v2.6.0
-Cluster status: Some node versions are out of date
- Image: 23/25
- Kubernetes: 25/25
-```
-
-This output indicates that the cluster is running Kubernetes version `1.25.8`, and all nodes have the appropriate binaries installed.
-23 out of 25 nodes have already upgraded to the targeted image version of `2.6.0`, while two are still in progress.
-
-## Apply further upgrades
-
-After the upgrade is finished, you can run `constellation upgrade check` again to see if there are more upgrades available. If so, repeat the process.
diff --git a/docs/versioned_docs/version-2.23/workflows/verify-cli.md b/docs/versioned_docs/version-2.23/workflows/verify-cli.md
deleted file mode 100644
index e33569d37..000000000
--- a/docs/versioned_docs/version-2.23/workflows/verify-cli.md
+++ /dev/null
@@ -1,129 +0,0 @@ -# Verify the CLI - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/cosign/signing/overview/), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at `https://rekor.sigstore.dev`. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). -::: - -The Rekor transparency log is a public append-only ledger that verifies and records signatures and associated metadata. The Rekor transparency log enables everyone to observe the sequence of (software) signatures issued by Edgeless Systems and many other parties. The transparency log allows for the public identification of dubious or malicious signatures. - -You should always ensure that (1) your CLI executable was signed with the private key corresponding to the above public key and that (2) there is a corresponding entry in the Rekor transparency log. Both can be done as described in the following. - -:::info -You don't need to verify the Constellation node images. This is done automatically by your CLI and the rest of Constellation. 
-::: - -## Verify the signature - -:::info -This guide assumes Linux on an amd64 processor. The exact steps for other platforms differ slightly. -::: - -First, [install the Cosign CLI](https://docs.sigstore.dev/cosign/system_config/installation/). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: - -```shell-session -$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -Verified OK -``` - -The above performs an offline verification of the provided public key, signature, and executable. To also verify that a corresponding entry exists in the public Rekor transparency log, add the variable `COSIGN_EXPERIMENTAL=1`: - -```shell-session -$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -tlog entry verified with uuid: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 index: 3477047 -Verified OK -``` - -🏁 You now know that your CLI executable was officially released and signed by Edgeless Systems. - -### Optional: Manually inspect the transparency log - -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) 
- -```shell-session -$ rekor-cli search --artifact constellation-linux-amd64 - -Found matching entries (listed by UUID): -362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -``` - -With this UUID you can get the full entry from the transparency log: - -```shell-session -$ rekor-cli get --uuid=362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 - -LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d -Index: 3477047 -IntegratedTime: 2022-09-12T22:28:16Z -UUID: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -Body: { - "HashedRekordObj": { - "data": { - "hash": { - "algorithm": "sha256", - "value": "40e137b9b9b8204d672642fd1e181c6d5ccb50cfc5cc7fcbb06a8c2c78f44aff" - } - }, - "signature": { - "content": "MEUCIQCSER3mGj+j5Pr2kOXTlCIHQC3gT30I7qkLr9Awt6eUUQIgcLUKRIlY50UN8JGwVeNgkBZyYD8HMxwC/LFRWoMn180=", - "publicKey": { - "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZjhGMWhwbXdFK1lDRlh6akd0YVFjckw2WFpWVApKbUVlNWlTTHZHMVN5UVNBZXc3V2RNS0Y2bzl0OGUyVEZ1Q2t6bE9oaGx3czJPSFdiaUZabkZXQ0Z3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" - } - } - } -} -``` - -The field `publicKey` should contain Edgeless Systems' public key in Base64 encoding. - -You can get an exhaustive list of artifact signatures issued by Edgeless Systems via the following command: - -```bash -rekor-cli search --public-key https://edgeless.systems/es.pub --pki-format x509 -``` - -Edgeless Systems monitors this list to detect potential unauthorized use of its private key. - -## Verify the provenance - -Provenance attests that a software artifact was produced by a specific repository and build system invocation. For more information on provenance visit [slsa.dev](https://slsa.dev/provenance/v0.2) and learn about the [adoption of SLSA for Constellation](../reference/slsa.md). 
- -Just as checking its signature proves that the CLI hasn't been manipulated, checking the provenance proves that the artifact was produced by the expected build process and hasn't been tampered with. - -To verify the provenance, first install the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Then make sure you have the provenance file (`constellation.intoto.jsonl`) and Constellation CLI downloaded. Both are available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). - -:::info -The same provenance file is valid for all Constellation CLI executables of a given version independent of the target platform. -::: - -Use the verifier to perform the check: - -```shell-session -$ slsa-verifier verify-artifact constellation-linux-amd64 \ - --provenance-path constellation.intoto.jsonl \ - --source-uri github.com/edgelesssys/constellation - -Verified signature against tlog entry index 7771317 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77af2c04c8b4ae0d5bc5... -Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2 at commit 18e9924b416323c37b9cdfd6cc728de8a947424a -PASSED: Verified SLSA provenance -``` diff --git a/docs/versioned_docs/version-2.23/workflows/verify-cluster.md b/docs/versioned_docs/version-2.23/workflows/verify-cluster.md deleted file mode 100644 index b6595ebf2..000000000 --- a/docs/versioned_docs/version-2.23/workflows/verify-cluster.md +++ /dev/null 
@@ -1,97 +0,0 @@
-# Verify your cluster
-
-Constellation's [attestation feature](../architecture/attestation.md) allows you, or a third party, to verify the integrity and confidentiality of your Constellation cluster.
-
-## Fetch measurements
-
-To verify the integrity of Constellation you need trusted measurements to verify against. For each node image released by Edgeless Systems, there are signed measurements, which you can download using the CLI:
-
-```bash
-constellation config fetch-measurements
-```
-
-This command performs the following steps:
-
-1. Download the signed measurements for the configured image. By default, this will use Edgeless Systems' public measurement registry.
-2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub).
-3. Write measurements into configuration file.
-
-The configuration file then contains a list of `measurements` similar to the following:
-
-```yaml
-# ...
-measurements:
- 0:
- expected: "0f35c214608d93c7a6e68ae7359b4a8be5a0e99eea9107ece427c4dea4e439cf"
- warnOnly: false
- 4:
- expected: "02c7a67c01ec70ffaf23d73a12f749ab150a8ac6dc529bda2fe1096a98bf42ea"
- warnOnly: false
- 5:
- expected: "e6949026b72e5045706cd1318889b3874480f7a3f7c5c590912391a2d15e6975"
- warnOnly: true
- 8:
- expected: "0000000000000000000000000000000000000000000000000000000000000000"
- warnOnly: false
- 9:
- expected: "f0a6e8601b00e2fdc57195686cd4ef45eb43a556ac1209b8e25d993213d68384"
- warnOnly: false
- 11:
- expected: "0000000000000000000000000000000000000000000000000000000000000000"
- warnOnly: false
- 12:
- expected: "da99eb6cf7c7fbb692067c87fd5ca0b7117dc293578e4fea41f95d3d3d6af5e2"
- warnOnly: false
- 13:
- expected: "0000000000000000000000000000000000000000000000000000000000000000"
- warnOnly: false
- 14:
- expected: "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f"
- warnOnly: true
- 15:
- expected: "0000000000000000000000000000000000000000000000000000000000000000"
- 
warnOnly: false
-# ...
-```
-
-Each entry specifies the expected value of the Constellation node, and whether the measurement should be enforced (`warnOnly: false`), or only a warning should be logged (`warnOnly: true`).
-By default, the subset of the [available measurements](../architecture/attestation.md#runtime-measurements) that can be locally reproduced and verified is enforced.
-
-During attestation, the validating side (CLI or [join service](../architecture/microservices.md#joinservice)) compares each measurement reported by the issuing side (first node or joining node) individually.
-For mismatching measurements that have set `warnOnly` to `true` only a warning is emitted.
-For mismatching measurements that have set `warnOnly` to `false` an error is emitted and attestation fails.
-If attestation fails for a new node, it isn't permitted to join the cluster.
-
-## The *verify* command
-
-:::note
-The steps below are purely optional. They're automatically executed by `constellation apply` when you initialize your cluster. The `constellation verify` command mostly has an illustrative purpose.
-:::
-
-The `verify` command obtains and verifies an attestation statement from a running Constellation cluster.
-
-```bash
-constellation verify [--cluster-id ...]
-```
-
-From the attestation statement, the command verifies the following properties:
-
-* The cluster is using the correct Confidential VM (CVM) type.
-* Inside the CVMs, the correct node images are running. The node images are identified through the measurements obtained in the previous step.
-* The unique ID of the cluster matches the one from your `constellation-state.yaml` file or passed in via `--cluster-id`.
-
-Once the above properties are verified, you know that you are talking to the right Constellation cluster and it's in a good and trustworthy shape.
-
-### Custom arguments
-
-The `verify` command also allows you to verify any Constellation deployment that you have network access to. 
For this you need the following:
-
-* The IP address of a running Constellation cluster's [VerificationService](../architecture/microservices.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`.
-* The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details.
-* A `constellation-conf.yaml` file with the expected measurements of the cluster in your working directory.
-
-For example:
-
-```shell-session
-constellation verify -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ=
-```
diff --git a/docs/versioned_docs/version-2.3/getting-started/first-steps.md b/docs/versioned_docs/version-2.3/getting-started/first-steps.md
index d1cd06cf6..02fbdb696 100644
--- a/docs/versioned_docs/version-2.3/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.3/getting-started/first-steps.md
@@ -62,10 +62,10 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
diff --git a/docs/versioned_docs/version-2.3/workflows/config.md b/docs/versioned_docs/version-2.3/workflows/config.md index 20aa0dada..652e58a38 100644 --- a/docs/versioned_docs/version-2.3/workflows/config.md +++ b/docs/versioned_docs/version-2.3/workflows/config.md @@ -90,10 +90,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session. ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -183,11 +183,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.4/getting-started/first-steps.md b/docs/versioned_docs/version-2.4/getting-started/first-steps.md index 44e66ea95..d277b9e09 100644 --- a/docs/versioned_docs/version-2.4/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.4/getting-started/first-steps.md 
@@ -62,10 +62,10 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. diff --git a/docs/versioned_docs/version-2.4/workflows/config.md b/docs/versioned_docs/version-2.4/workflows/config.md index 20aa0dada..652e58a38 100644 --- a/docs/versioned_docs/version-2.4/workflows/config.md +++ b/docs/versioned_docs/version-2.4/workflows/config.md 
@@ -90,10 +90,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session. ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. @@ -183,11 +183,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). 
diff --git a/docs/versioned_docs/version-2.5/getting-started/first-steps.md b/docs/versioned_docs/version-2.5/getting-started/first-steps.md index 9ce1d6be2..02b60d45a 100644 --- a/docs/versioned_docs/version-2.5/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.5/getting-started/first-steps.md @@ -34,10 +34,10 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --generate-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --generate-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. diff --git a/docs/versioned_docs/version-2.5/workflows/config.md b/docs/versioned_docs/version-2.5/workflows/config.md index 71f2d019d..2edf3bdf6 100644 --- a/docs/versioned_docs/version-2.5/workflows/config.md +++ b/docs/versioned_docs/version-2.5/workflows/config.md 
@@ -96,10 +96,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session. ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. @@ -189,11 +189,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). 
diff --git a/docs/versioned_docs/version-2.6/getting-started/first-steps.md b/docs/versioned_docs/version-2.6/getting-started/first-steps.md index df489f52a..aba09f5c7 100644 --- a/docs/versioned_docs/version-2.6/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.6/getting-started/first-steps.md @@ -38,10 +38,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --generate-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --generate-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.6/workflows/config.md b/docs/versioned_docs/version-2.6/workflows/config.md index 56979ee13..5a1ba92d1 100644 --- a/docs/versioned_docs/version-2.6/workflows/config.md +++ b/docs/versioned_docs/version-2.6/workflows/config.md 
@@ -109,10 +109,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session. ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. @@ -202,11 +202,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). 
diff --git a/docs/versioned_docs/version-2.7/getting-started/first-steps.md b/docs/versioned_docs/version-2.7/getting-started/first-steps.md index c1c3a3fe0..eca497438 100644 --- a/docs/versioned_docs/version-2.7/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.7/getting-started/first-steps.md @@ -38,10 +38,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --generate-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --generate-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.7/workflows/config.md b/docs/versioned_docs/version-2.7/workflows/config.md index 032b22943..5640bfd7d 100644 --- a/docs/versioned_docs/version-2.7/workflows/config.md +++ b/docs/versioned_docs/version-2.7/workflows/config.md 
@@ -109,10 +109,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -204,11 +204,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.8/getting-started/first-steps.md b/docs/versioned_docs/version-2.8/getting-started/first-steps.md index 8d5cc5cbb..43ed0f923 100644 --- a/docs/versioned_docs/version-2.8/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.8/getting-started/first-steps.md 
@@ -39,10 +39,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --generate-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --generate-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.8/workflows/config.md b/docs/versioned_docs/version-2.8/workflows/config.md index f10ba14ec..3330abe8a 100644 --- a/docs/versioned_docs/version-2.8/workflows/config.md +++ b/docs/versioned_docs/version-2.8/workflows/config.md 
@@ -110,10 +110,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -206,11 +206,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.9/getting-started/first-steps.md b/docs/versioned_docs/version-2.9/getting-started/first-steps.md index 6b0a06a06..a29ff276c 100644 --- a/docs/versioned_docs/version-2.9/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.9/getting-started/first-steps.md 
@@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.9/workflows/config.md b/docs/versioned_docs/version-2.9/workflows/config.md index 22a2821d8..43313d88e 100644 --- a/docs/versioned_docs/version-2.9/workflows/config.md +++ b/docs/versioned_docs/version-2.9/workflows/config.md 
@@ -117,10 +117,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -197,11 +197,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_sidebars/version-2.20-sidebars.json b/docs/versioned_sidebars/version-2.20-sidebars.json deleted file mode 100644 index c9937ab4f..000000000 --- a/docs/versioned_sidebars/version-2.20-sidebars.json +++ /dev/null 
@@ -1,304 +0,0 @@ -{ - "docs": [ - { - "type": "doc", - "label": "Introduction", - "id": "intro" - }, - { - "type": "category", - "label": "Basics", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Confidential Kubernetes", - "id": "overview/confidential-kubernetes" - }, - { - "type": "doc", - "label": "Security benefits", - "id": "overview/security-benefits" - }, - { - "type": "doc", - "label": "Product features", - "id": "overview/product" - }, - { - "type": "doc", - "label": "Feature status of clouds", - "id": "overview/clouds" - }, - { - "type": "category", - "label": "Performance", - "link": { - "type": "doc", - "id": "overview/performance/performance" - }, - "items": [ - { - "type": "doc", - "label": "Compute benchmarks", - "id": "overview/performance/compute" - }, - { - "type": "doc", - "label": "I/O benchmarks", - "id": "overview/performance/io" - }, - { - "type": "doc", - "label": "Application benchmarks", - "id": "overview/performance/application" - } - ] - }, - { - "type": "doc", - "label": "License", - "id": "overview/license" - } - ] - }, - { - "type": "category", - "label": "Getting started", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Installation", - "id": "getting-started/install" - }, - { - "type": "doc", - "label": "First steps (cloud)", - "id": "getting-started/first-steps" - }, - { - "type": "doc", - "label": "First steps (local)", - "id": "getting-started/first-steps-local" - }, - { - "type": "doc", - "label": "Cloud Marketplaces", - "id": "getting-started/marketplaces" - }, - { - "type": "category", - "label": "Examples", - "link": { - "type": "doc", - "id": "getting-started/examples" - }, - "items": [ - { - "type": "doc", - "label": "Emojivoto", - "id": "getting-started/examples/emojivoto" - }, - { - "type": "doc", - "label": "Online Boutique", - "id": "getting-started/examples/online-boutique" - }, - { - "type": "doc", - "label": "Horizontal Pod 
Autoscaling", - "id": "getting-started/examples/horizontal-scaling" - }, - { - "type": "doc", - "label": "Filestash with s3proxy", - "id": "getting-started/examples/filestash-s3proxy" - } - ] - } - ] - }, - { - "type": "category", - "label": "Workflows", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Verify the CLI", - "id": "workflows/verify-cli" - }, - { - "type": "doc", - "label": "Configure your cluster", - "id": "workflows/config" - }, - { - "type": "doc", - "label": "Create your cluster", - "id": "workflows/create" - }, - { - "type": "doc", - "label": "Scale your cluster", - "id": "workflows/scale" - }, - { - "type": "doc", - "label": "Upgrade your cluster", - "id": "workflows/upgrade" - }, - { - "type": "doc", - "label": "Expose a service", - "id": "workflows/lb" - }, - { - "type": "doc", - "label": "Install cert-manager", - "id": "workflows/cert-manager" - }, - { - "type": "doc", - "label": "Install s3proxy", - "id": "workflows/s3proxy" - }, - { - "type": "doc", - "label": "Terminate your cluster", - "id": "workflows/terminate" - }, - { - "type": "doc", - "label": "Recover your cluster", - "id": "workflows/recovery" - }, - { - "type": "doc", - "label": "Verify your cluster", - "id": "workflows/verify-cluster" - }, - { - "type": "doc", - "label": "Use persistent storage", - "id": "workflows/storage" - }, - { - "type": "doc", - "label": "Use the Terraform provider", - "id": "workflows/terraform-provider" - }, - { - "type": "doc", - "label": "Consume SBOMs", - "id": "workflows/sbom" - }, - { - "type": "doc", - "label": "Reproduce release artifacts", - "id": "workflows/reproducible-builds" - }, - { - "type": "doc", - "label": "Troubleshooting", - "id": "workflows/troubleshooting" - } - ] - }, - { - "type": "category", - "label": "Architecture", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Overview", - "id": "architecture/overview" - }, - { - "type": "doc", - "label": 
"Cluster orchestration", - "id": "architecture/orchestration" - }, - { - "type": "doc", - "label": "Versions and support", - "id": "architecture/versions" - }, - { - "type": "doc", - "label": "Microservices", - "id": "architecture/microservices" - }, - { - "type": "doc", - "label": "Attestation", - "id": "architecture/attestation" - }, - { - "type": "doc", - "label": "Images", - "id": "architecture/images" - }, - { - "type": "doc", - "label": "Keys and cryptographic primitives", - "id": "architecture/keys" - }, - { - "type": "doc", - "label": "Encrypted persistent storage", - "id": "architecture/encrypted-storage" - }, - { - "type": "doc", - "label": "Networking", - "id": "architecture/networking" - }, - { - "type": "doc", - "label": "Observability", - "id": "architecture/observability" - } - ] - }, - { - "type": "category", - "label": "Reference", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "CLI", - "id": "reference/cli" - }, - { - "type": "doc", - "label": "Configuration migrations", - "id": "reference/migration" - }, - { - "type": "doc", - "label": "Terraform usage", - "id": "reference/terraform" - }, - { - "type": "doc", - "label": "SLSA adoption", - "id": "reference/slsa" - } - ] - } - ] -} diff --git a/docs/versioned_sidebars/version-2.21-sidebars.json b/docs/versioned_sidebars/version-2.21-sidebars.json deleted file mode 100644 index c9937ab4f..000000000 --- a/docs/versioned_sidebars/version-2.21-sidebars.json +++ /dev/null 
@@ -1,304 +0,0 @@ -{ - "docs": [ - { - "type": "doc", - "label": "Introduction", - "id": "intro" - }, - { - "type": "category", - "label": "Basics", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Confidential Kubernetes", - "id": "overview/confidential-kubernetes" - }, - { - "type": "doc", - "label": "Security benefits", - "id": "overview/security-benefits" - }, - { - "type": "doc", - "label": "Product features", - "id": "overview/product" - }, - { - "type": "doc", - "label": "Feature status of clouds", - "id": "overview/clouds" - }, - { - "type": "category", - "label": "Performance", - "link": { - "type": "doc", - "id": "overview/performance/performance" - }, - "items": [ - { - "type": "doc", - "label": "Compute benchmarks", - "id": "overview/performance/compute" - }, - { - "type": "doc", - "label": "I/O benchmarks", - "id": "overview/performance/io" - }, - { - "type": "doc", - "label": "Application benchmarks", - "id": "overview/performance/application" - } - ] - }, - { - "type": "doc", - "label": "License", - "id": "overview/license" - } - ] - }, - { - "type": "category", - "label": "Getting started", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Installation", - "id": "getting-started/install" - }, - { - "type": "doc", - "label": "First steps (cloud)", - "id": "getting-started/first-steps" - }, - { - "type": "doc", - "label": "First steps (local)", - "id": "getting-started/first-steps-local" - }, - { - "type": "doc", - "label": "Cloud Marketplaces", - "id": "getting-started/marketplaces" - }, - { - "type": "category", - "label": "Examples", - "link": { - "type": "doc", - "id": "getting-started/examples" - }, - "items": [ - { - "type": "doc", - "label": "Emojivoto", - "id": "getting-started/examples/emojivoto" - }, - { - "type": "doc", - "label": "Online Boutique", - "id": "getting-started/examples/online-boutique" - }, - { - "type": "doc", - "label": "Horizontal Pod 
Autoscaling", - "id": "getting-started/examples/horizontal-scaling" - }, - { - "type": "doc", - "label": "Filestash with s3proxy", - "id": "getting-started/examples/filestash-s3proxy" - } - ] - } - ] - }, - { - "type": "category", - "label": "Workflows", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Verify the CLI", - "id": "workflows/verify-cli" - }, - { - "type": "doc", - "label": "Configure your cluster", - "id": "workflows/config" - }, - { - "type": "doc", - "label": "Create your cluster", - "id": "workflows/create" - }, - { - "type": "doc", - "label": "Scale your cluster", - "id": "workflows/scale" - }, - { - "type": "doc", - "label": "Upgrade your cluster", - "id": "workflows/upgrade" - }, - { - "type": "doc", - "label": "Expose a service", - "id": "workflows/lb" - }, - { - "type": "doc", - "label": "Install cert-manager", - "id": "workflows/cert-manager" - }, - { - "type": "doc", - "label": "Install s3proxy", - "id": "workflows/s3proxy" - }, - { - "type": "doc", - "label": "Terminate your cluster", - "id": "workflows/terminate" - }, - { - "type": "doc", - "label": "Recover your cluster", - "id": "workflows/recovery" - }, - { - "type": "doc", - "label": "Verify your cluster", - "id": "workflows/verify-cluster" - }, - { - "type": "doc", - "label": "Use persistent storage", - "id": "workflows/storage" - }, - { - "type": "doc", - "label": "Use the Terraform provider", - "id": "workflows/terraform-provider" - }, - { - "type": "doc", - "label": "Consume SBOMs", - "id": "workflows/sbom" - }, - { - "type": "doc", - "label": "Reproduce release artifacts", - "id": "workflows/reproducible-builds" - }, - { - "type": "doc", - "label": "Troubleshooting", - "id": "workflows/troubleshooting" - } - ] - }, - { - "type": "category", - "label": "Architecture", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Overview", - "id": "architecture/overview" - }, - { - "type": "doc", - "label": 
"Cluster orchestration", - "id": "architecture/orchestration" - }, - { - "type": "doc", - "label": "Versions and support", - "id": "architecture/versions" - }, - { - "type": "doc", - "label": "Microservices", - "id": "architecture/microservices" - }, - { - "type": "doc", - "label": "Attestation", - "id": "architecture/attestation" - }, - { - "type": "doc", - "label": "Images", - "id": "architecture/images" - }, - { - "type": "doc", - "label": "Keys and cryptographic primitives", - "id": "architecture/keys" - }, - { - "type": "doc", - "label": "Encrypted persistent storage", - "id": "architecture/encrypted-storage" - }, - { - "type": "doc", - "label": "Networking", - "id": "architecture/networking" - }, - { - "type": "doc", - "label": "Observability", - "id": "architecture/observability" - } - ] - }, - { - "type": "category", - "label": "Reference", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "CLI", - "id": "reference/cli" - }, - { - "type": "doc", - "label": "Configuration migrations", - "id": "reference/migration" - }, - { - "type": "doc", - "label": "Terraform usage", - "id": "reference/terraform" - }, - { - "type": "doc", - "label": "SLSA adoption", - "id": "reference/slsa" - } - ] - } - ] -} diff --git a/docs/versioned_sidebars/version-2.22-sidebars.json b/docs/versioned_sidebars/version-2.22-sidebars.json deleted file mode 100644 index c9937ab4f..000000000 --- a/docs/versioned_sidebars/version-2.22-sidebars.json +++ /dev/null 
@@ -1,304 +0,0 @@ -{ - "docs": [ - { - "type": "doc", - "label": "Introduction", - "id": "intro" - }, - { - "type": "category", - "label": "Basics", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Confidential Kubernetes", - "id": "overview/confidential-kubernetes" - }, - { - "type": "doc", - "label": "Security benefits", - "id": "overview/security-benefits" - }, - { - "type": "doc", - "label": "Product features", - "id": "overview/product" - }, - { - "type": "doc", - "label": "Feature status of clouds", - "id": "overview/clouds" - }, - { - "type": "category", - "label": "Performance", - "link": { - "type": "doc", - "id": "overview/performance/performance" - }, - "items": [ - { - "type": "doc", - "label": "Compute benchmarks", - "id": "overview/performance/compute" - }, - { - "type": "doc", - "label": "I/O benchmarks", - "id": "overview/performance/io" - }, - { - "type": "doc", - "label": "Application benchmarks", - "id": "overview/performance/application" - } - ] - }, - { - "type": "doc", - "label": "License", - "id": "overview/license" - } - ] - }, - { - "type": "category", - "label": "Getting started", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Installation", - "id": "getting-started/install" - }, - { - "type": "doc", - "label": "First steps (cloud)", - "id": "getting-started/first-steps" - }, - { - "type": "doc", - "label": "First steps (local)", - "id": "getting-started/first-steps-local" - }, - { - "type": "doc", - "label": "Cloud Marketplaces", - "id": "getting-started/marketplaces" - }, - { - "type": "category", - "label": "Examples", - "link": { - "type": "doc", - "id": "getting-started/examples" - }, - "items": [ - { - "type": "doc", - "label": "Emojivoto", - "id": "getting-started/examples/emojivoto" - }, - { - "type": "doc", - "label": "Online Boutique", - "id": "getting-started/examples/online-boutique" - }, - { - "type": "doc", - "label": "Horizontal Pod 
Autoscaling", - "id": "getting-started/examples/horizontal-scaling" - }, - { - "type": "doc", - "label": "Filestash with s3proxy", - "id": "getting-started/examples/filestash-s3proxy" - } - ] - } - ] - }, - { - "type": "category", - "label": "Workflows", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Verify the CLI", - "id": "workflows/verify-cli" - }, - { - "type": "doc", - "label": "Configure your cluster", - "id": "workflows/config" - }, - { - "type": "doc", - "label": "Create your cluster", - "id": "workflows/create" - }, - { - "type": "doc", - "label": "Scale your cluster", - "id": "workflows/scale" - }, - { - "type": "doc", - "label": "Upgrade your cluster", - "id": "workflows/upgrade" - }, - { - "type": "doc", - "label": "Expose a service", - "id": "workflows/lb" - }, - { - "type": "doc", - "label": "Install cert-manager", - "id": "workflows/cert-manager" - }, - { - "type": "doc", - "label": "Install s3proxy", - "id": "workflows/s3proxy" - }, - { - "type": "doc", - "label": "Terminate your cluster", - "id": "workflows/terminate" - }, - { - "type": "doc", - "label": "Recover your cluster", - "id": "workflows/recovery" - }, - { - "type": "doc", - "label": "Verify your cluster", - "id": "workflows/verify-cluster" - }, - { - "type": "doc", - "label": "Use persistent storage", - "id": "workflows/storage" - }, - { - "type": "doc", - "label": "Use the Terraform provider", - "id": "workflows/terraform-provider" - }, - { - "type": "doc", - "label": "Consume SBOMs", - "id": "workflows/sbom" - }, - { - "type": "doc", - "label": "Reproduce release artifacts", - "id": "workflows/reproducible-builds" - }, - { - "type": "doc", - "label": "Troubleshooting", - "id": "workflows/troubleshooting" - } - ] - }, - { - "type": "category", - "label": "Architecture", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Overview", - "id": "architecture/overview" - }, - { - "type": "doc", - "label": 
"Cluster orchestration", - "id": "architecture/orchestration" - }, - { - "type": "doc", - "label": "Versions and support", - "id": "architecture/versions" - }, - { - "type": "doc", - "label": "Microservices", - "id": "architecture/microservices" - }, - { - "type": "doc", - "label": "Attestation", - "id": "architecture/attestation" - }, - { - "type": "doc", - "label": "Images", - "id": "architecture/images" - }, - { - "type": "doc", - "label": "Keys and cryptographic primitives", - "id": "architecture/keys" - }, - { - "type": "doc", - "label": "Encrypted persistent storage", - "id": "architecture/encrypted-storage" - }, - { - "type": "doc", - "label": "Networking", - "id": "architecture/networking" - }, - { - "type": "doc", - "label": "Observability", - "id": "architecture/observability" - } - ] - }, - { - "type": "category", - "label": "Reference", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "CLI", - "id": "reference/cli" - }, - { - "type": "doc", - "label": "Configuration migrations", - "id": "reference/migration" - }, - { - "type": "doc", - "label": "Terraform usage", - "id": "reference/terraform" - }, - { - "type": "doc", - "label": "SLSA adoption", - "id": "reference/slsa" - } - ] - } - ] -} diff --git a/docs/versioned_sidebars/version-2.23-sidebars.json b/docs/versioned_sidebars/version-2.23-sidebars.json deleted file mode 100644 index c9937ab4f..000000000 --- a/docs/versioned_sidebars/version-2.23-sidebars.json +++ /dev/null 
@@ -1,304 +0,0 @@ -{ - "docs": [ - { - "type": "doc", - "label": "Introduction", - "id": "intro" - }, - { - "type": "category", - "label": "Basics", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Confidential Kubernetes", - "id": "overview/confidential-kubernetes" - }, - { - "type": "doc", - "label": "Security benefits", - "id": "overview/security-benefits" - }, - { - "type": "doc", - "label": "Product features", - "id": "overview/product" - }, - { - "type": "doc", - "label": "Feature status of clouds", - "id": "overview/clouds" - }, - { - "type": "category", - "label": "Performance", - "link": { - "type": "doc", - "id": "overview/performance/performance" - }, - "items": [ - { - "type": "doc", - "label": "Compute benchmarks", - "id": "overview/performance/compute" - }, - { - "type": "doc", - "label": "I/O benchmarks", - "id": "overview/performance/io" - }, - { - "type": "doc", - "label": "Application benchmarks", - "id": "overview/performance/application" - } - ] - }, - { - "type": "doc", - "label": "License", - "id": "overview/license" - } - ] - }, - { - "type": "category", - "label": "Getting started", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Installation", - "id": "getting-started/install" - }, - { - "type": "doc", - "label": "First steps (cloud)", - "id": "getting-started/first-steps" - }, - { - "type": "doc", - "label": "First steps (local)", - "id": "getting-started/first-steps-local" - }, - { - "type": "doc", - "label": "Cloud Marketplaces", - "id": "getting-started/marketplaces" - }, - { - "type": "category", - "label": "Examples", - "link": { - "type": "doc", - "id": "getting-started/examples" - }, - "items": [ - { - "type": "doc", - "label": "Emojivoto", - "id": "getting-started/examples/emojivoto" - }, - { - "type": "doc", - "label": "Online Boutique", - "id": "getting-started/examples/online-boutique" - }, - { - "type": "doc", - "label": "Horizontal Pod 
Autoscaling", - "id": "getting-started/examples/horizontal-scaling" - }, - { - "type": "doc", - "label": "Filestash with s3proxy", - "id": "getting-started/examples/filestash-s3proxy" - } - ] - } - ] - }, - { - "type": "category", - "label": "Workflows", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Verify the CLI", - "id": "workflows/verify-cli" - }, - { - "type": "doc", - "label": "Configure your cluster", - "id": "workflows/config" - }, - { - "type": "doc", - "label": "Create your cluster", - "id": "workflows/create" - }, - { - "type": "doc", - "label": "Scale your cluster", - "id": "workflows/scale" - }, - { - "type": "doc", - "label": "Upgrade your cluster", - "id": "workflows/upgrade" - }, - { - "type": "doc", - "label": "Expose a service", - "id": "workflows/lb" - }, - { - "type": "doc", - "label": "Install cert-manager", - "id": "workflows/cert-manager" - }, - { - "type": "doc", - "label": "Install s3proxy", - "id": "workflows/s3proxy" - }, - { - "type": "doc", - "label": "Terminate your cluster", - "id": "workflows/terminate" - }, - { - "type": "doc", - "label": "Recover your cluster", - "id": "workflows/recovery" - }, - { - "type": "doc", - "label": "Verify your cluster", - "id": "workflows/verify-cluster" - }, - { - "type": "doc", - "label": "Use persistent storage", - "id": "workflows/storage" - }, - { - "type": "doc", - "label": "Use the Terraform provider", - "id": "workflows/terraform-provider" - }, - { - "type": "doc", - "label": "Consume SBOMs", - "id": "workflows/sbom" - }, - { - "type": "doc", - "label": "Reproduce release artifacts", - "id": "workflows/reproducible-builds" - }, - { - "type": "doc", - "label": "Troubleshooting", - "id": "workflows/troubleshooting" - } - ] - }, - { - "type": "category", - "label": "Architecture", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Overview", - "id": "architecture/overview" - }, - { - "type": "doc", - "label": 
"Cluster orchestration", - "id": "architecture/orchestration" - }, - { - "type": "doc", - "label": "Versions and support", - "id": "architecture/versions" - }, - { - "type": "doc", - "label": "Microservices", - "id": "architecture/microservices" - }, - { - "type": "doc", - "label": "Attestation", - "id": "architecture/attestation" - }, - { - "type": "doc", - "label": "Images", - "id": "architecture/images" - }, - { - "type": "doc", - "label": "Keys and cryptographic primitives", - "id": "architecture/keys" - }, - { - "type": "doc", - "label": "Encrypted persistent storage", - "id": "architecture/encrypted-storage" - }, - { - "type": "doc", - "label": "Networking", - "id": "architecture/networking" - }, - { - "type": "doc", - "label": "Observability", - "id": "architecture/observability" - } - ] - }, - { - "type": "category", - "label": "Reference", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "CLI", - "id": "reference/cli" - }, - { - "type": "doc", - "label": "Configuration migrations", - "id": "reference/migration" - }, - { - "type": "doc", - "label": "Terraform usage", - "id": "reference/terraform" - }, - { - "type": "doc", - "label": "SLSA adoption", - "id": "reference/slsa" - } - ] - } - ] -} diff --git a/docs/versions.json b/docs/versions.json index 8cc6150df..89f88399a 100644 --- a/docs/versions.json +++ b/docs/versions.json @@ -1,8 +1,4 @@ [ - "2.23", - "2.22", - "2.21", - "2.20", "2.19", "2.18", "2.17", diff --git a/e2e/internal/lb/lb_test.go b/e2e/internal/lb/lb_test.go index 2596a800e..94c8d2ff3 100644 --- a/e2e/internal/lb/lb_test.go +++ b/e2e/internal/lb/lb_test.go @@ -12,6 +12,7 @@ package lb import ( "bufio" "bytes" + "context" "fmt" "io" "net/http" 
@@ -69,7 +70,7 @@ func TestLoadBalancer(t *testing.T) {
 t.Log("Change port of service to 8044")
 svc.Spec.Ports[0].Port = newPort
- svc, err = k.CoreV1().Services(namespaceName).Update(t.Context(), svc, metaV1.UpdateOptions{})
+ svc, err = k.CoreV1().Services(namespaceName).Update(context.Background(), svc, metaV1.UpdateOptions{})
 require.NoError(err)
 assert.Equal(newPort, svc.Spec.Ports[0].Port)
@@ -92,7 +93,7 @@ func gatherDebugInfo(t *testing.T, k *kubernetes.Clientset) {
 t.Log("Gathering additional debug information.")
- pods, err := k.CoreV1().Pods(namespaceName).List(t.Context(), metaV1.ListOptions{
+ pods, err := k.CoreV1().Pods(namespaceName).List(context.Background(), metaV1.ListOptions{
 LabelSelector: "app=whoami",
 })
 if err != nil {
@@ -105,7 +106,7 @@ func gatherDebugInfo(t *testing.T, k *kubernetes.Clientset) {
 req := k.CoreV1().Pods(namespaceName).GetLogs(pod.Name, &coreV1.PodLogOptions{
 LimitBytes: func() *int64 { i := int64(1024 * 1024); return &i }(),
 })
- logs, err := req.Stream(t.Context())
+ logs, err := req.Stream(context.Background())
 if err != nil {
 t.Logf("fetching logs: %v", err)
 return
@@ -154,7 +155,7 @@ func testEventuallyStatusOK(t *testing.T, url string) {
 require := require.New(t)
 assert.Eventually(func() bool {
- req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, url, http.NoBody)
+ req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody)
 require.NoError(err)
 resp, err := http.DefaultClient.Do(req)
@@ -182,7 +183,7 @@ func testEventuallyExternalIPAvailable(t *testing.T, k *kubernetes.Clientset) *c
 require.Eventually(t, func() bool {
 var err error
- svc, err = k.CoreV1().Services(namespaceName).Get(t.Context(), serviceName, metaV1.GetOptions{})
+ svc, err = k.CoreV1().Services(namespaceName).Get(context.Background(), serviceName, metaV1.GetOptions{})
 if err != nil {
 t.Log("Getting service failed: ", err.Error())
 return false
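Review bot: Replacing `t.Context()` with `context.Background()` in the `Update` call here, and in the `List`, `Stream`, `NewRequestWithContext` and `Get` calls of the following hunks in this file (likewise the `exec.CommandContext` and `List` calls in upgrade.go and upgrade_test.go), removes the cancellation the per-test context provided: a request that stalls inside `assert.Eventually` / `require.Eventually` now outlives the test instead of being cancelled when it ends, and `http.DefaultClient` carries no timeout of its own. Presumably this is forced by the `go 1.23.2` directive in go.mod, since `t.Context` only exists from Go 1.24. The same semantics can be kept on the older toolchain with `ctx, cancel := context.WithCancel(context.Background()); t.Cleanup(cancel)` at the top of each test and passing `ctx` to the helpers and requests instead of `context.Background()`. TestLoadBalancer's body begins and ends outside the hunk.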
@@ -211,7 +212,7 @@ func testEndpointAvailable(t *testing.T, url string, allHostnames []string, reqI
 assert := assert.New(t)
 require := require.New(t)
- req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, url, http.NoBody)
+ req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody)
 require.NoError(err)
 resp, err := http.DefaultClient.Do(req)
diff --git a/e2e/internal/upgrade/BUILD.bazel b/e2e/internal/upgrade/BUILD.bazel
index b97119e5f..8acfc7e94 100644
--- a/e2e/internal/upgrade/BUILD.bazel
+++ b/e2e/internal/upgrade/BUILD.bazel
@@ -20,7 +20,7 @@ go_library(
 "//internal/versions",
 "@com_github_spf13_afero//:afero",
 "@com_github_stretchr_testify//require",
- "@io_bazel_rules_go//go/runfiles",
+ "@io_bazel_rules_go//go/runfiles:go_default_library",
 "@io_k8s_apimachinery//pkg/apis/meta/v1:meta",
 "@io_k8s_client_go//kubernetes",
 "@sh_helm_helm_v3//pkg/action",
diff --git a/e2e/internal/upgrade/upgrade.go b/e2e/internal/upgrade/upgrade.go
index 046c0bf4d..fd2483259 100644
--- a/e2e/internal/upgrade/upgrade.go
+++ b/e2e/internal/upgrade/upgrade.go
@@ -90,7 +90,7 @@ func testStatusEventuallyWorks(t *testing.T, cli string, timeout time.Duration)
 // Show versions set in cluster.
 // The string after "Cluster status:" in the output might not be updated yet.
 // This is only updated after the operator finishes one reconcile loop.
- cmd := exec.CommandContext(t.Context(), cli, "status")
+ cmd := exec.CommandContext(context.Background(), cli, "status")
 stdout, stderr, err := runCommandWithSeparateOutputs(cmd)
 if err != nil {
 log.Printf("Stdout: %s\nStderr: %s", string(stdout), string(stderr))
@@ -121,7 +121,7 @@ func testMicroservicesEventuallyHaveVersion(t *testing.T, wantMicroserviceVersio
 func testNodesEventuallyHaveVersion(t *testing.T, k *kubernetes.Clientset, targetVersions VersionContainer, totalNodeCount int, timeout time.Duration) {
 require.Eventually(t, func() bool {
- nodes, err := k.CoreV1().Nodes().List(t.Context(), metaV1.ListOptions{})
+ nodes, err := k.CoreV1().Nodes().List(context.Background(), metaV1.ListOptions{})
 if err != nil {
 log.Println(err)
 return false
diff --git a/e2e/internal/upgrade/upgrade_test.go b/e2e/internal/upgrade/upgrade_test.go
index 7d24b1fde..be47bb197 100644
--- a/e2e/internal/upgrade/upgrade_test.go
+++ b/e2e/internal/upgrade/upgrade_test.go
@@ -72,7 +72,7 @@ func TestUpgrade(t *testing.T) {
 targetVersions := WriteUpgradeConfig(require, *targetImage, *targetKubernetes, *targetMicroservices, constants.ConfigFilename)
 log.Println("Fetching measurements for new image.")
- cmd := exec.CommandContext(t.Context(), cli, "config", "fetch-measurements", "--insecure", "--debug")
+ cmd := exec.CommandContext(context.Background(), cli, "config", "fetch-measurements", "--insecure", "--debug")
 stdout, stderr, err := runCommandWithSeparateOutputs(cmd)
 require.NoError(err, "Stdout: %s\nStderr: %s", string(stdout), string(stderr))
 log.Println(string(stdout))
@@ -83,10 +83,10 @@ func TestUpgrade(t *testing.T) {
 log.Println("Checking upgrade.")
 assert := assert.New(t) // use assert because this part is more brittle and should not fail the entire test
- runUpgradeCheck(t.Context(), assert, cli, *targetKubernetes)
+ runUpgradeCheck(assert, cli, *targetKubernetes)
 log.Println("Triggering upgrade.")
- runUpgradeApply(t.Context(), require, cli)
+ runUpgradeApply(require, cli)
 AssertUpgradeSuccessful(t, cli, targetVersions, k, *wantControl, *wantWorker, *timeout)
 }
@@ -96,7 +96,7 @@ func TestUpgrade(t *testing.T) {
 // 2) all pods have good status conditions.
 func testPodsEventuallyReady(t *testing.T, k *kubernetes.Clientset, namespace string) {
 require.Eventually(t, func() bool {
- pods, err := k.CoreV1().Pods(namespace).List(t.Context(), metaV1.ListOptions{})
+ pods, err := k.CoreV1().Pods(namespace).List(context.Background(), metaV1.ListOptions{})
 if err != nil {
 log.Println(err)
 return false
@@ -127,7 +127,7 @@ func testPodsEventuallyReady(t *testing.T, k *kubernetes.Clientset, namespace st
 // 2) the expected number of nodes have joined the cluster.
 func testNodesEventuallyAvailable(t *testing.T, k *kubernetes.Clientset, wantControlNodeCount, wantWorkerNodeCount int) {
 require.Eventually(t, func() bool {
- nodes, err := k.CoreV1().Nodes().List(t.Context(), metaV1.ListOptions{})
+ nodes, err := k.CoreV1().Nodes().List(context.Background(), metaV1.ListOptions{})
 if err != nil {
 log.Println(err)
 return false
@@ -172,8 +172,8 @@ func testNodesEventuallyAvailable(t *testing.T, k *kubernetes.Clientset, wantCon
 // runUpgradeCheck executes 'upgrade check' and does basic checks on the output.
 // We can not check images upgrades because we might use unpublished images. CLI uses public CDN to check for available images.
-func runUpgradeCheck(ctx context.Context, assert *assert.Assertions, cli, targetKubernetes string) {
- cmd := exec.CommandContext(ctx, cli, "upgrade", "check", "--debug")
+func runUpgradeCheck(assert *assert.Assertions, cli, targetKubernetes string) {
+ cmd := exec.CommandContext(context.Background(), cli, "upgrade", "check", "--debug")
 stdout, stderr, err := runCommandWithSeparateOutputs(cmd)
 assert.NoError(err, "Stdout: %s\nStderr: %s", string(stdout), string(stderr))
@@ -204,16 +204,16 @@ func containsAny(text string, substrs []string) bool {
 return false
 }
-func runUpgradeApply(ctx context.Context, require *require.Assertions, cli string) {
+func runUpgradeApply(require *require.Assertions, cli string) {
 tfLogFlag := ""
- cmd := exec.CommandContext(ctx, cli, "--help")
+ cmd := exec.CommandContext(context.Background(), cli, "--help")
 stdout, stderr, err := runCommandWithSeparateOutputs(cmd)
 require.NoError(err, "Stdout: %s\nStderr: %s", string(stdout), string(stderr))
 if strings.Contains(string(stdout), "--tf-log") {
 tfLogFlag = "--tf-log=DEBUG"
 }
- cmd = exec.CommandContext(ctx, cli, "apply", "--debug", "--yes", tfLogFlag)
+ cmd = exec.CommandContext(context.Background(), cli, "apply", "--debug", "--yes", tfLogFlag)
 stdout, stderr, err = runCommandWithSeparateOutputs(cmd)
 require.NoError(err, "Stdout: %s\nStderr: %s", string(stdout), string(stderr))
 require.NoError(containsUnexepectedMsg(string(stdout)))
diff --git a/e2e/miniconstellation/.terraform.lock.hcl b/e2e/miniconstellation/.terraform.lock.hcl
index 87cddd3bb..d988c947c 100644
--- a/e2e/miniconstellation/.terraform.lock.hcl
+++ b/e2e/miniconstellation/.terraform.lock.hcl
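Review bot: Dropping the `ctx` parameter from `runUpgradeApply` (and from `runUpgradeCheck` in the previous hunk) bakes `context.Background()` into the helpers, so the `--help`, `apply` and `upgrade check` CLI invocations can no longer be bounded or cancelled by the caller; keeping the parameter and passing `context.Background()` at the two call sites in TestUpgrade would have been the smaller change that preserves that control. `exec.CommandContext` with a background context behaves like `exec.Command`, so a hung CLI holds the test until the `go test` timeout kills the whole binary. Suggest keeping `func runUpgradeApply(ctx context.Context, require *require.Assertions, cli string)` and creating the context in TestUpgrade with `ctx, cancel := context.WithCancel(context.Background()); t.Cleanup(cancel)`. runUpgradeApply's closing brace lies outside the hunk.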
@@ -2,91 +2,91 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.29.0" - constraints = "4.29.0" + version = "4.12.0" + constraints = "4.12.0" hashes = [ - "h1:Bde/KCh2xGVCBx/JnixC3I2fmoRTwHXgsapfQ5QG8eg=", - "h1:IyINmgNiLfWx3Istkt5Mz+IJrDhSMhj3/qQeJlC4qS4=", - "h1:KEJAt0mJAACyIKUB5mCk/wqtxKMhivdeW8w6byz5Ll4=", - "h1:Y4gTSs+ZE5YSJVXG2qmsbXmv9Daq5aGM8Ip/GE6nev8=", - "h1:YtcHvTVfVBKbMCp9esoj527R1UK/hU0Zmo3pyQb8YhQ=", - "h1:atJdgnuqk+w3v4Zzhw2B1FZeYYA4su9JfanwNsx+c8o=", - "h1:c9tmtEdVTb9siGa3hVxPrMVl9ij5zijnD02JMHcHjrE=", - "h1:eN0KhMGVepEPpSA+YN5Kaz/v9PFKCafbkqqBzpLJf+g=", - "h1:hNVKlXTx2duXnR6SNKtyQMx7zSIlrxBu66Z0gbyfv3c=", - "h1:jC2GJo4VzTKnKociUDLVv8/+u9Mz+4scZrqbEasV+Y0=", - "h1:m3xYvc9X0pec0Zd1dpn82ALQ+6vwz56RnF/3CbkI2Eg=", - "zh:16590eea68c7c8aedb7af19f690eb34ab6636ef417b3fa9e06ca038fdb4c44b8", - "zh:1c907dfe44d00a54aa63d443004add90188f9a53ef3e919aff8aba92f715f42b", - "zh:258a0ff4198d80cae33c89091cd556d84c1b522c4416458484f23719a0cdf4cc", - "zh:587f5e9b2b33e51b18fb0f372025c961c3f57f2958b388459dd8432412650bda", - "zh:6318ca03bd9dbac272a75bb193688c7d4c4b45c7460289820528f31bcd6c3fe9", - "zh:63e4e8128e26e4c3e0c3b6582ef527245eb35eb5c80ad278dc675ebdf71edeaf", - "zh:845c898a27a84a15ba26e95ee66ac9563f81bc672b5ca216af82d87fe09bd5f8", - "zh:8fa6434fa212d5501185f0adc985d3a3c1e0f449c78f040a4ca640cb1e809cac", - "zh:9b49c0d72ab19aab43b2b48d23c5dddbbe29afae1569a987e6f20ed4c80ddf4c", - "zh:b14cc1ee5e3acf52490de7dd9791cce7953c0ee4bcccf0306aafd256568bd69f", - "zh:cd444836b2579fa42bfca2ae6145d394c41b6438b1ae01078c060bfaf803bb4d", + "h1:2tHjSJI1VW6sUL042kwkTfmOF3rAjZmYzpFucBq0EjQ=", + "h1:3TmHdOUKadLf5mJfYqm2OpsA/jiuqmEvCmR1EnaluF0=", + "h1:81V4UGJgVTzRQgIhYYvDJ1N+WCsQbmBgyCQ0HL/i/ks=", + "h1:9ZTFblaxLkCzg8jvRBk/J7QKV2hjxrwNhVlk96IUr6U=", + "h1:DjLdwL6J0qqUTx02BOMQxfOLHUqlYH+ewRcwFWTiHjY=", + "h1:EDeJjlZGOezaIQ+kiCN8GXRj049Lo42b93rEGlbOscM=", + "h1:U/tpa2Accjlzco7ohA1CEeL3fT/65yqiTf2ydCHhzjE=", + 
"h1:VJfcRLECBhANa1S5yHF3hJtOAzJuqe969XTK8LPbp6U=", + "h1:W6fcPNvsD7ce81J0H3Ib5FBlt5VLq5MlLXQIw+zooPc=", + "h1:tI7FQgfIFIER3wMbZN5mIX24B0mWVNb4r7hi7mUmAw8=", + "h1:wofqhlcgsUPYq6ZrN5hoUE34PDn7jmvK6YlQ0BobjyQ=", + "zh:127709945923a0034ec302c41494b82f0748707ecba15feba9db3af03e2b4709", + "zh:16ce5040984456f332598e1515cfde12b1bba78eae37b7a4b08ec332bbb55d6c", + "zh:1901cf598a048a1f135ed1c723de5e3c501aa7d1399490b7722c44cb61cb566e", + "zh:1b4a1fa65f32de535481ff38bd5869f44582b14b64bd00cc4902439cf2728a8a", + "zh:72ff727353151bd1a41ea1d6b2ecf24157918658ccd02d56acd62a7c4d330a7b", + "zh:78c0e4d7e1701fc5b3227d098807b1ed1c6d80c1ee443c0db89c64aeb317a39f", + "zh:a9964f7d9142cdd6f84673e1e936491f14bf1a44dd51fd55525c42fb05208c83", + "zh:ada1ffdebe10a44fcfa330618376fbd5d5daf7a9faad833496162686a98016d0", + "zh:d02d4d5a1fc4b0cb7975311bf37596456ace782ab195281a48338eb2a0f478c1", + "zh:e0fb626158b0cb7d8c5662a518cee8924b00a87312feff9db40b30e26539aa0f", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa5f683582bc5b12587aa7a78152774f2eaae9cfac0fb61b6de81284abbbea5b", ] } provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.7" - constraints = "2.3.7" + version = "2.3.5" + constraints = "2.3.5" hashes = [ - "h1:/hny5kXmhcnuJDD1V+5XCrZOYDIqja2U47VM4DPEnBA=", - "h1:A9COAUjeBJ+fgYAI/PKtDs4Wzs50srFSY+KkfpSVGLw=", - "h1:Lt8lqrdNgZRlkOTwSXZTyuJkiVXnpwTsWAqHQPL6sIY=", - "h1:M9TpQxKAE/hyOwytdX9MUNZw30HoD/OXqYIug5fkqH8=", - "h1:coZHiZww6hWZoOoWw0p+6oeYb/tMh1uTvX1Y2ZzzXqE=", - "h1:dgBaiMxxU61piW30emM6251LMFW66TbKR+p5ylPZvqc=", - "h1:h1Pr6uNwq+iDEGrnQJEHzOTz+yVTW0AJgZrGXuoO4Qs=", - "h1:ht83gEvyri0BD3sata7BDhx31N/KbCECIozG7UM/kC8=", - "h1:iZ27qylcH/2bs685LJTKOKcQ+g7cF3VwN3kHMrzm4Ow=", - "h1:ll35IR++uaXwfwqZFFRWrvS0idO1mX43Y/embsaOe4k=", - "h1:rafNPmTutVTO2Horq45DG9Pjqrs+vx42oc7b/3aVGEc=", - "zh:06f1c54e919425c3139f8aeb8fcf9bceca7e560d48c9f0c1e3bb0a8ad9d9da1e", - "zh:0e1e4cf6fd98b019e764c28586a386dc136129fef50af8c7165a067e7e4a31d5", - 
"zh:1871f4337c7c57287d4d67396f633d224b8938708b772abfc664d1f80bd67edd", - "zh:2b9269d91b742a71b2248439d5e9824f0447e6d261bfb86a8a88528609b136d1", - "zh:3d8ae039af21426072c66d6a59a467d51f2d9189b8198616888c1b7fc42addc7", - "zh:3ef4e2db5bcf3e2d915921adced43929214e0946a6fb11793085d9a48995ae01", - "zh:42ae54381147437c83cbb8790cc68935d71b6357728a154109d3220b1beb4dc9", - "zh:4496b362605ae4cbc9ef7995d102351e2fe311897586ffc7a4a262ccca0c782a", - "zh:652a2401257a12706d32842f66dac05a735693abcb3e6517d6b5e2573729ba13", - "zh:7406c30806f5979eaed5f50c548eced2ea18ea121e01801d2f0d4d87a04f6a14", - "zh:7848429fd5a5bcf35f6fee8487df0fb64b09ec071330f3ff240c0343fe2a5224", + "h1:C//ncldNugV8TpMQaj9ygoPXRVYOqltIxNB8LKrpzgU=", + "h1:HCoabXm6NQwCivl1q24+l9VUufc2mFqNeulsQBA9iFg=", + "h1:NCYXIt7zhG0pRLV9UAlBrKi4Rty/jRhRRHIZFEigUm8=", + "h1:Sf1Lt21oTADbzsnlU38ylpkl8YXP0Beznjcy5F/Yx64=", + "h1:TUljFfEUFn6szDfglwv150tNRUKPgqa5YiCTdF9Tc6c=", + "h1:W+6XNutLOfQxlm8XWg4wKAYvyDt/eoE1roSeFkn/KA4=", + "h1:cKe6NmJzRHiK0n73R5Dzkw8nK5i0nC4SedZhanMbQD0=", + "h1:jPzwR4Um4NU8EE6o5AIx2SoeGZG5bW9aAeFpcbodjHQ=", + "h1:sfaNIqomGVkYy6gGHbaFS2ehzh5CqoeBwR4QYae+cBY=", + "h1:wbw64JlCobcQCAdlzHpxksQ1GabewTW1yxnACBVZh4A=", + "h1:y0qqdBKvRt2MMcga7AVMkUb/vmJSKVBaimHaIHKLucs=", + "zh:17c20574de8eb925b0091c9b6a4d859e9d6e399cd890b44cfbc028f4f312ac7a", + "zh:348664d9a900f7baf7b091cf94d657e4c968b240d31d9e162086724e6afc19d5", + "zh:5a876a468ffabff0299f8348e719cb704daf81a4867f8c6892f3c3c4add2c755", + "zh:6ef97ee4c8c6a69a3d36746ba5c857cf4f4d78f32aa3d0e1ce68f2ece6a5dba5", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8283e5a785e3c518a440f6ac6e7cc4fc07fe266bf34974246f4e2ef05762feda", + "zh:a44eb5077950168b571b7eb65491246c00f45409110f0f172cc3a7605f19dba9", + "zh:aa0806cbff72b49c1b389c0b8e6904586e5259c08dabb7cb5040418568146530", + "zh:bec4613c3beaad9a7be7ca99cdb2852073f782355b272892e6ee97a22856aec1", + "zh:d7fe368577b6c8d1ae44c751ed42246754c10305c7f001cc0109833e95aa107d", + 
"zh:df2409fc6a364b1f0a0f8a9cd8a86e61e80307996979ce3790243c4ce88f2915", + "zh:ed3c263396ff1f4d29639cc43339b655235acf4d06296a7c120a80e4e0fd6409", ] } provider "registry.terraform.io/hashicorp/tls" { - version = "4.1.0" - constraints = "4.1.0" + version = "4.0.6" + constraints = "4.0.6" hashes = [ - "h1:4gd/jiOS0zJxjTd5Q4o/gOp24RxcuwQ/TxwjTYQNPz4=", - "h1:C0J7AsrVHVqnDT9tICDNaKvA9iH6WTLS2EYzCEegpx0=", - "h1:Ka8mEwRFXBabR33iN/WTIEW6RP0z13vFsDlwn11Pf2I=", - "h1:ReNkTkCM64bktu54eGwQc29rhIejMLQsYA6kYNyBWno=", - "h1:UklaKJOCynnEJbpCVN0zJKIJ3SvO7RQJ00/6grBatnw=", - "h1:ZHcr1WIomuU6ZV+dzEwAG1+52JP0e0d/+l7bo3N5p88=", - "h1:eZa3vbx1pbiwnajuKvGWE7jWK+nHQ8lcLc/mO6Rhf4o=", - "h1:iSgnCUoLGMkt31RlflnL09NyjpAH0DX6bb9QBw5IE9Y=", - "h1:uDtqTpFJOseNUlPDx4TT/lXf6ie3CarsimL7sYCiVH4=", - "h1:y9cHrgcuaZt592In6xQzz1lx7k/B9EeWrAb8K7QqOgU=", - "h1:zEv9tY1KR5vaLSyp2lkrucNJ+Vq3c+sTFK9GyQGLtFs=", - "zh:14c35d89307988c835a7f8e26f1b83ce771e5f9b41e407f86a644c0152089ac2", - "zh:2fb9fe7a8b5afdbd3e903acb6776ef1be3f2e587fb236a8c60f11a9fa165faa8", - "zh:35808142ef850c0c60dd93dc06b95c747720ed2c40c89031781165f0c2baa2fc", - "zh:35b5dc95bc75f0b3b9c5ce54d4d7600c1ebc96fbb8dfca174536e8bf103c8cdc", - "zh:38aa27c6a6c98f1712aa5cc30011884dc4b128b4073a4a27883374bfa3ec9fac", - "zh:51fb247e3a2e88f0047cb97bb9df7c228254a3b3021c5534e4563b4007e6f882", - "zh:62b981ce491e38d892ba6364d1d0cdaadcee37cc218590e07b310b1dfa34be2d", - "zh:bc8e47efc611924a79f947ce072a9ad698f311d4a60d0b4dfff6758c912b7298", - "zh:c149508bd131765d1bc085c75a870abb314ff5a6d7f5ac1035a8892d686b6297", - "zh:d38d40783503d278b63858978d40e07ac48123a2925e1a6b47e62179c046f87a", + "h1:/GYlCthGsP6ooHpCFuMkjnuFoBX0xnvCNohf3suVw2A=", + "h1:/sSdjHoiykrPdyBP1JE03V/KDgLXnHZhHcSOYIdDH/A=", + "h1:17Y+vdYNKgphpe1/SU5PBnGuYKEJkJZ7MZCnmAwsAGQ=", + "h1:3hTE3Ifpfh4ogQN60xa3Dw2Cbk2QyK8rJ5Zi2f5cYTo=", + "h1:N7VxdRDiNZoRS9dnXJ+QuKWKn514ahS+U6f9K3cF44s=", + "h1:QAuzEStYipyCgx5On0Rym6EiFfqXnBQOrgUjBY7MIbU=", + "h1:W1r1GqxtFMYVCcqFpN7U8WGjbpvpA/YPcqjZbx5THG8=", + 
"h1:dYSb3V94K5dDMtrBRLPzBpkMTPn+3cXZ/kIJdtFL+2M=", + "h1:dr3jNQWLXzZ2IJ1XH2XIHScQd4HGKo+7ZoyoEP9hRpY=", + "h1:irxVvxMIETCpSsiJKpu4A3htA0v2ohIkpPNXVt++pio=", + "h1:n3M50qfWfRSpQV9Pwcvuse03pEizqrmYEryxKky4so4=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fb07f708e3316615f6d218cec198504984c0ce7000b9f1eebff7516e384f4b54", ] } diff --git a/e2e/miniconstellation/BUILD.bazel b/e2e/miniconstellation/BUILD.bazel index 47dd3b278..e8df73984 100644 --- a/e2e/miniconstellation/BUILD.bazel +++ b/e2e/miniconstellation/BUILD.bazel @@ -1,5 +1,4 @@ load("@com_github_ash2k_bazel_tools//multirun:def.bzl", "multirun") -load("@rules_shell//shell:sh_library.bzl", "sh_library") load("//bazel/sh:def.bzl", "sh_template") filegroup( diff --git a/e2e/miniconstellation/main.tf b/e2e/miniconstellation/main.tf index 2054a63a9..838008fa5 100644 --- a/e2e/miniconstellation/main.tf +++ b/e2e/miniconstellation/main.tf 
@@ -2,15 +2,15 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "4.29.0" + version = "4.12.0" } tls = { source = "hashicorp/tls" - version = "4.1.0" + version = "4.0.6" } cloudinit = { source = "hashicorp/cloudinit" - version = "2.3.7" + version = "2.3.5" } } } diff --git a/flake.lock b/flake.lock index b424b9c4a..a633bfa33 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { @@ -18,13 +18,29 @@ "type": "github" } }, - "nixpkgs": { + "nixpkgsBazel": { "locked": { - "lastModified": 1743938762, - "narHash": "sha256-UgFYn8sGv9B8PoFpUfCa43CjMZBl1x/ShQhRDHBFQdI=", + "lastModified": 1717414489, + "narHash": "sha256-fhvJv8hkJwotkqxhoSQfvh6UfKG+sTYIQ3hchariEDk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "74a40410369a1c35ee09b8a1abee6f4acbedc059", + "rev": "c429fa2ffa21229eeadbe37c11a47aff35f53ce0", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c429fa2ffa21229eeadbe37c11a47aff35f53ce0", + "type": "github" + } + }, + "nixpkgsUnstable": { + "locked": { + "lastModified": 1725816686, + "narHash": "sha256-0Kq2MkQ/sQX1rhWJ/ySBBQlBJBUK8mPMDcuDhhdBkSU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "add0443ee587a0c44f22793b8c8649a0dbc3bb00", "type": "github" }, "original": { @@ -37,7 +53,9 @@ "root": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nixpkgsBazel": "nixpkgsBazel", + "nixpkgsUnstable": "nixpkgsUnstable", + "uplosi": "uplosi" } }, "systems": { 
@@ -54,6 +72,29 @@ "repo": "default", "type": "github" } + }, + "uplosi": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgsUnstable" + ] + }, + "locked": { + "lastModified": 1725522308, + "narHash": "sha256-AtsFZ92WkVkH8fd0Xa0D6/PR84/dtOH6gpM4mtn32Hk=", + "owner": "edgelesssys", + "repo": "uplosi", + "rev": "c8a482de299b5442f558d7381f0cbf898e0de0e1", + "type": "github" + }, + "original": { + "owner": "edgelesssys", + "repo": "uplosi", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 1e1304460..ddd1521c7 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,70 +2,48 @@
 description = "Constellation";
 inputs = {
- nixpkgs = {
+ nixpkgsUnstable = {
 url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 };
+ # TODO(msanft): Remove once https://github.com/NixOS/nixpkgs/commit/c429fa2ffa21229eeadbe37c11a47aff35f53ce0
+ # lands in nixpkgs-unstable.
+ nixpkgsBazel = {
+ url = "github:NixOS/nixpkgs/c429fa2ffa21229eeadbe37c11a47aff35f53ce0";
+ };
 flake-utils = {
 url = "github:numtide/flake-utils";
 };
+ uplosi = {
+ url = "github:edgelesssys/uplosi";
+ inputs.nixpkgs.follows = "nixpkgsUnstable";
+ inputs.flake-utils.follows = "flake-utils";
+ };
 };
 outputs =
 {
 self,
- nixpkgs,
+ nixpkgsUnstable,
+ nixpkgsBazel,
 flake-utils,
+ uplosi,
 }:
 flake-utils.lib.eachDefaultSystem (
 system:
 let
- overlay = final: prev: {
- rpm = prev.rpm.overrideAttrs (old: {
- nativeBuildInputs = old.nativeBuildInputs ++ [ prev.makeWrapper ];
- postFixup = ''
- wrapProgram $out/lib/rpm/sysusers.sh \
- --set PATH ${
- prev.lib.makeBinPath (
- with prev;
- [
- coreutils
- findutils
- su.out
- gnugrep
- ]
- )
- }
- '';
- });
+ pkgsUnstable = import nixpkgsUnstable { inherit system; };
- # dnf5 assumes a TTY with a very small width by default, truncating its output instead of line-wrapping
- # it. Force it to use more VT columns to avoid this, and make debugging errors easier.
- dnf5-stub = prev.writeScriptBin "dnf5" ''
- #!/usr/bin/env bash
- FORCE_COLUMNS=200 ${final.dnf5}/bin/dnf5 $@
- '';
- };
+ bazelPkgsUnstable = import nixpkgsBazel { inherit system; };
- pkgs = import nixpkgs {
- inherit system;
- config.allowUnfree = true;
-
- overlays = [
- (_final: prev: (import ./nix/packages { inherit (prev) lib callPackage; }))
- (_final: prev: { lib = prev.lib // (import ./nix/lib { inherit (prev) lib callPackage; }); })
- overlay
- ];
- };
-
- callPackage = pkgs.callPackage;
+ callPackage = pkgsUnstable.callPackage;
 mkosiDev = (
- pkgs.mkosi.override {
- extraDeps = (
- with pkgs;
- [
+ pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec {
+ propagatedBuildInputs =
+ oldAttrs.propagatedBuildInputs
+ ++ (with pkgsUnstable; [
 # package management
- dnf5-stub
+ dnf5
 rpm
 createrepo_c
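Review bot: The `rec` on the attribute set passed to `overrideAttrs` is unnecessary: as far as the visible lines show, `propagatedBuildInputs` refers only to `oldAttrs` and `pkgsUnstable`, so `(oldAttrs: { propagatedBuildInputs = ...; })` reads the same without implying a self-reference. The `TODO(msanft)` above `nixpkgsBazel` names the commit to wait for but not what it provides, so a later reader cannot tell when the pin is safe to drop; extending it to `# TODO(msanft): Remove once <commit URL as above> (needed by nix/packages/bazel.nix) lands in nixpkgs-unstable, then point bazel_7 back at nixpkgsUnstable.` makes it actionable. Note also that `pkgsUnstable` is imported without the `config.allowUnfree = true` and the `./nix/packages` / `./nix/lib` overlays that the removed `pkgs` carried; whether `./nix/shells/default.nix` or the `./nix/cc/*.nix` inputs still rely on attributes those overlays added cannot be checked from this hunk.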
@@ -83,54 +61,58 @@ # utils gnused # sed gnugrep # grep - ] - ); - } + ]); + }) ); + + uplosiDev = uplosi.outputs.packages."${system}".uplosi; + + openssl-static = pkgsUnstable.openssl.override { static = true; }; + + bazel_7 = bazelPkgsUnstable.callPackage ./nix/packages/bazel.nix { + pkgs = bazelPkgsUnstable; + nixpkgs = nixpkgsBazel; + }; + in { - # Use `legacyPackages` instead of `packages` for the reason explained here: - # https://github.com/NixOS/nixpkgs/blob/34def00657d7c45c51b0762eb5f5309689a909a5/flake.nix#L138-L156 - # Note that it's *not* a legacy attribute. - legacyPackages = { - generate = pkgs.callPackage ./nix/generate.nix { }; - } // pkgs; - packages.mkosi = mkosiDev; - packages.uplosi = pkgs.uplosi; + packages.uplosi = uplosiDev; - packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgs; }; + packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; }; packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix { - pkgs = pkgs; - pkgsLinux = import nixpkgs { system = "x86_64-linux"; }; + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; packages.libvirt = callPackage ./nix/cc/libvirt.nix { - pkgs = pkgs; - pkgsLinux = import nixpkgs { system = "x86_64-linux"; }; + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix { - pkgs = pkgs; - pkgsLinux = import nixpkgs { system = "x86_64-linux"; }; + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; packages.vpn = callPackage ./nix/container/vpn/vpn.nix { - pkgs = pkgs; - pkgsLinux = import nixpkgs { system = "x86_64-linux"; }; + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; - packages.awscli2 = pkgs.awscli2; + packages.awscli2 = pkgsUnstable.awscli2; - packages.createrepo_c = pkgs.createrepo_c; + packages.bazel_7 = bazel_7; - packages.dnf5 = 
pkgs.dnf5;
+ packages.createrepo_c = pkgsUnstable.createrepo_c;
- devShells.default = callPackage ./nix/shells/default.nix { };
+ packages.dnf5 = pkgsUnstable.dnf5;
- formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
+ devShells.default = callPackage ./nix/shells/default.nix { inherit bazel_7; };
+
+ formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt;
 }
 );
 }
diff --git a/go.mod b/go.mod
index f0d3fa6c0..27dae14d0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/edgelesssys/constellation/v2
-go 1.24.2
+go 1.23.2
 // TODO(daniel-weisse): revert after merging https://github.com/martinjungblut/go-cryptsetup/pull/16.
 replace github.com/martinjungblut/go-cryptsetup => github.com/daniel-weisse/go-cryptsetup v0.0.0-20230705150314-d8c07bd1723c
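Review bot: `openssl-static = pkgsUnstable.openssl.override { static = true; };` is bound in the `let` block at the start of this hunk, but nothing in the visible outputs references it — `packages.openssl` is still built from `./nix/cc/openssl.nix` with plain `pkgsUnstable`. If the static build is meant to feed that derivation it should be passed in (e.g. `callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; openssl = openssl-static; }`, assuming the file accepts such an argument); otherwise the binding is dead code and should be removed. I cannot see whether the lines between the two hunks use it, so this is inferred from the hunks alone.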
@@ -11,151 +11,150 @@ replace github.com/martinjungblut/go-cryptsetup => github.com/daniel-weisse/go-c // See this issue: https://github.com/kubernetes/kubernetes/issues/79384 // And this README: https://github.com/kubernetes/kubernetes/blob/master/staging/README.md replace ( - k8s.io/cloud-provider => k8s.io/cloud-provider v0.33.1 - k8s.io/controller-manager => k8s.io/controller-manager v0.33.1 - k8s.io/cri-client => k8s.io/cri-client v0.33.1 - k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.33.1 - k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.33.1 - k8s.io/endpointslice => k8s.io/endpointslice v0.33.1 - k8s.io/externaljwt => k8s.io/externaljwt v0.33.1 - k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.33.1 - k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.33.1 - k8s.io/kube-proxy => k8s.io/kube-proxy v0.33.1 - k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.33.1 - k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.13 - k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.33.1 - k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.33.1 + k8s.io/cloud-provider => k8s.io/cloud-provider v0.31.3 + k8s.io/controller-manager => k8s.io/controller-manager v0.31.3 + k8s.io/cri-client => k8s.io/cri-client v0.31.1 + k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.31.3 + k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.31.1 + k8s.io/endpointslice => k8s.io/endpointslice v0.31.1 + k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.31.3 + k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.31.3 + k8s.io/kube-proxy => k8s.io/kube-proxy v0.31.3 + k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.31.3 + k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.7 + k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.31.3 + k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.31.3 ) require ( - 
cloud.google.com/go/compute v1.37.0 - cloud.google.com/go/compute/metadata v0.7.0 - cloud.google.com/go/kms v1.21.2 - cloud.google.com/go/secretmanager v1.14.7 - cloud.google.com/go/storage v1.54.0 - dario.cat/mergo v1.0.2 + cloud.google.com/go/compute v1.29.0 + cloud.google.com/go/compute/metadata v0.5.2 + cloud.google.com/go/kms v1.20.1 + cloud.google.com/go/secretmanager v1.14.2 + cloud.google.com/go/storage v1.47.0 + dario.cat/mergo v1.0.1 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 - github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.4.0 - github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0 - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1 - github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1 - github.com/BurntSushi/toml v1.5.0 - github.com/aws/aws-sdk-go v1.55.7 - github.com/aws/aws-sdk-go-v2 v1.36.3 - github.com/aws/aws-sdk-go-v2/config v1.29.14 - github.com/aws/aws-sdk-go-v2/credentials v1.17.67 - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.75 - github.com/aws/aws-sdk-go-v2/service/autoscaling v1.52.4 - github.com/aws/aws-sdk-go-v2/service/cloudfront v1.46.1 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.218.0 - github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.45.2 - github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.26.3 - github.com/aws/aws-sdk-go-v2/service/s3 v1.79.3 - github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.4 - github.com/aws/smithy-go v1.22.3 - github.com/bazelbuild/buildtools v0.0.0-20250427233527-d9ed52af26ee - github.com/bazelbuild/rules_go v0.54.0 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 + 
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0 + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.1.0 + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0 + github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0 + github.com/BurntSushi/toml v1.4.0 + github.com/aws/aws-sdk-go v1.55.5 + github.com/aws/aws-sdk-go-v2 v1.32.5 + github.com/aws/aws-sdk-go-v2/config v1.28.5 + github.com/aws/aws-sdk-go-v2/credentials v1.17.46 + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41 + github.com/aws/aws-sdk-go-v2/service/autoscaling v1.51.0 + github.com/aws/aws-sdk-go-v2/service/cloudfront v1.43.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.194.0 + github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.43.0 + github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.25.6 + github.com/aws/aws-sdk-go-v2/service/s3 v1.69.0 + github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.6 + github.com/aws/smithy-go v1.22.1 + github.com/bazelbuild/buildtools v0.0.0-20240918101019-be1c24cc9a44 + github.com/bazelbuild/rules_go v0.50.1 github.com/coreos/go-systemd/v22 v22.5.0 - github.com/docker/docker v28.1.1+incompatible - github.com/edgelesssys/go-azguestattestation v0.0.0-20250408071817-8c4457b235ff - github.com/edgelesssys/go-tdx-qpl v0.0.0-20250129202750-607ac61e2377 - github.com/foxboron/go-uefi v0.0.0-20250207204325-69fb7dba244f - github.com/fsnotify/fsnotify v1.9.0 + github.com/docker/docker v27.3.1+incompatible + github.com/edgelesssys/go-azguestattestation v0.0.0-20240513062303-05f8770a633d + github.com/edgelesssys/go-tdx-qpl v0.0.0-20240123150912-dcad3c41ec5f + github.com/foxboron/go-uefi v0.0.0-20241017190036-fab4fdf2f2f3 + github.com/fsnotify/fsnotify v1.8.0 github.com/go-playground/locales v0.14.1 github.com/go-playground/universal-translator v0.18.1 - github.com/go-playground/validator/v10 v10.26.0 - 
github.com/golang-jwt/jwt/v5 v5.2.2 - github.com/google/go-sev-guest v0.13.0 - github.com/google/go-tdx-guest v0.3.2-0.20250505161510-9efd53b4a100 - github.com/google/go-tpm v0.9.5 + github.com/go-playground/validator/v10 v10.23.0 + github.com/golang-jwt/jwt/v5 v5.2.1 + github.com/google/go-sev-guest v0.11.2-0.20241122204452-64cd695124b1 + github.com/google/go-tdx-guest v0.3.1 + github.com/google/go-tpm v0.9.1 github.com/google/go-tpm-tools v0.4.4 github.com/google/uuid v1.6.0 - github.com/googleapis/gax-go/v2 v2.14.2 - github.com/gophercloud/gophercloud/v2 v2.7.0 - github.com/gophercloud/utils/v2 v2.0.0-20250506092640-af27464b6166 - github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 - github.com/hashicorp/go-kms-wrapping/v2 v2.0.18 - github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.11 - github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.14 - github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.13 + github.com/googleapis/gax-go/v2 v2.14.0 + github.com/gophercloud/gophercloud/v2 v2.2.0 + github.com/gophercloud/utils/v2 v2.0.0-20241108144456-f4302a5ad8c6 + github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 + github.com/hashicorp/go-kms-wrapping/v2 v2.0.16 + github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9 + github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11 + github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12 github.com/hashicorp/go-version v1.7.0 - github.com/hashicorp/hc-install v0.9.2 + github.com/hashicorp/hc-install v0.9.0 github.com/hashicorp/hcl/v2 v2.23.0 - github.com/hashicorp/terraform-exec v0.23.0 - github.com/hashicorp/terraform-json v0.25.0 - github.com/hashicorp/terraform-plugin-framework v1.15.0 - github.com/hashicorp/terraform-plugin-framework-validators v0.18.0 - github.com/hashicorp/terraform-plugin-go v0.27.0 + github.com/hashicorp/terraform-exec v0.21.0 + github.com/hashicorp/terraform-json v0.23.0 + github.com/hashicorp/terraform-plugin-framework v1.13.0 
+ github.com/hashicorp/terraform-plugin-framework-validators v0.15.0 + github.com/hashicorp/terraform-plugin-go v0.25.0 github.com/hashicorp/terraform-plugin-log v0.9.0 - github.com/hashicorp/terraform-plugin-testing v1.13.0 + github.com/hashicorp/terraform-plugin-testing v1.11.0 github.com/hexops/gotextdiff v1.0.3 github.com/martinjungblut/go-cryptsetup v0.0.0-20220520180014-fd0874fd07a6 github.com/mattn/go-isatty v0.0.20 github.com/mitchellh/go-homedir v1.1.0 - github.com/onsi/ginkgo/v2 v2.23.4 - github.com/onsi/gomega v1.37.0 + github.com/onsi/ginkgo/v2 v2.22.0 + github.com/onsi/gomega v1.36.0 github.com/pkg/errors v0.9.1 - github.com/regclient/regclient v0.8.3 - github.com/rogpeppe/go-internal v1.14.1 - github.com/samber/slog-multi v1.4.0 - github.com/schollz/progressbar/v3 v3.18.0 - github.com/secure-systems-lab/go-securesystemslib v0.9.0 - github.com/siderolabs/talos/pkg/machinery v1.10.2 - github.com/sigstore/rekor v1.3.10 - github.com/sigstore/sigstore v1.9.4 - github.com/spf13/afero v1.14.0 - github.com/spf13/cobra v1.9.1 - github.com/spf13/pflag v1.0.6 + github.com/regclient/regclient v0.7.2 + github.com/rogpeppe/go-internal v1.13.1 + github.com/samber/slog-multi v1.2.4 + github.com/schollz/progressbar/v3 v3.17.1 + github.com/secure-systems-lab/go-securesystemslib v0.8.0 + github.com/siderolabs/talos/pkg/machinery v1.8.3 + github.com/sigstore/rekor v1.3.7 + github.com/sigstore/sigstore v1.8.10 + github.com/spf13/afero v1.11.0 + github.com/spf13/cobra v1.8.1 + github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.10.0 - github.com/tink-crypto/tink-go/v2 v2.4.0 + github.com/tink-crypto/tink-go/v2 v2.2.0 github.com/vincent-petithory/dataurl v1.0.0 - go.etcd.io/etcd/api/v3 v3.6.0 - go.etcd.io/etcd/client/pkg/v3 v3.6.0 - go.etcd.io/etcd/client/v3 v3.6.0 + go.etcd.io/etcd/api/v3 v3.5.17 + go.etcd.io/etcd/client/pkg/v3 v3.5.17 + go.etcd.io/etcd/client/v3 v3.5.17 go.uber.org/goleak v1.3.0 - golang.org/x/crypto v0.38.0 - golang.org/x/exp 
v0.0.0-20250506013437-ce4c2cf36ca6 - golang.org/x/mod v0.24.0 - golang.org/x/sys v0.33.0 - golang.org/x/text v0.25.0 - golang.org/x/tools v0.33.0 - google.golang.org/api v0.233.0 - google.golang.org/grpc v1.72.1 - google.golang.org/protobuf v1.36.6 + golang.org/x/crypto v0.29.0 + golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f + golang.org/x/mod v0.22.0 + golang.org/x/sys v0.27.0 + golang.org/x/text v0.20.0 + golang.org/x/tools v0.27.0 + google.golang.org/api v0.209.0 + google.golang.org/grpc v1.68.0 + google.golang.org/protobuf v1.35.2 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.17.3 - k8s.io/api v0.33.1 - k8s.io/apiextensions-apiserver v0.33.1 - k8s.io/apimachinery v0.33.1 - k8s.io/apiserver v0.33.1 - k8s.io/client-go v0.33.1 - k8s.io/cluster-bootstrap v0.33.1 - k8s.io/kubelet v0.33.1 - k8s.io/kubernetes v1.33.1 - k8s.io/mount-utils v0.33.1 - k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 - libvirt.org/go/libvirt v1.11002.0 - sigs.k8s.io/controller-runtime v0.20.4 + helm.sh/helm/v3 v3.16.3 + k8s.io/api v0.31.3 + k8s.io/apiextensions-apiserver v0.31.3 + k8s.io/apimachinery v0.31.3 + k8s.io/apiserver v0.31.3 + k8s.io/client-go v0.31.3 + k8s.io/cluster-bootstrap v0.31.3 + k8s.io/kubelet v0.31.3 + k8s.io/kubernetes v1.31.3 + k8s.io/mount-utils v0.31.3 + k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078 + libvirt.org/go/libvirt v1.10009.0 + sigs.k8s.io/controller-runtime v0.19.2 sigs.k8s.io/yaml v1.4.0 ) require ( - cel.dev/expr v0.23.1 // indirect - cloud.google.com/go v0.121.0 // indirect - cloud.google.com/go/auth v0.16.1 // indirect - cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect - cloud.google.com/go/iam v1.5.2 // indirect - cloud.google.com/go/longrunning v0.6.7 // indirect - cloud.google.com/go/monitoring v1.24.2 // indirect + cel.dev/expr v0.16.2 // indirect + cloud.google.com/go v0.116.0 // indirect + cloud.google.com/go/auth v0.10.2 // indirect + cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect + cloud.google.com/go/iam v1.2.2 // 
indirect + cloud.google.com/go/longrunning v0.6.2 // indirect + cloud.google.com/go/monitoring v1.21.2 // indirect github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect - github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect - github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 // indirect + github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.29 // indirect github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect 
@@ -164,137 +163,137 @@ require ( github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect - github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect - github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 // indirect - github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.3.1 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.3.0 // indirect github.com/Masterminds/sprig/v3 v3.3.0 // indirect github.com/Masterminds/squirrel v1.5.4 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/ProtonMail/go-crypto v1.1.6 // indirect + github.com/ProtonMail/go-crypto v1.1.0-alpha.5.0.20240827111422-b5837fa4476e // indirect github.com/agext/levenshtein v1.2.2 // indirect github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect - github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 // indirect - 
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect + github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.24.6 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.33.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect github.com/blang/semver/v4 v4.0.0 // indirect + github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chai2010/gettext-go v1.0.2 // indirect - github.com/cloudflare/circl v1.6.0 // indirect - github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect - github.com/containerd/containerd v1.7.27 // indirect - github.com/containerd/errdefs v1.0.0 // indirect + github.com/cloudflare/circl v1.3.9 // indirect + github.com/cncf/xds/go 
v0.0.0-20240905190251-b4127c9b8d78 // indirect + github.com/containerd/containerd v1.7.23 // indirect + github.com/containerd/errdefs v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/coredns/caddy v1.1.1 // indirect - github.com/coredns/corefile-migration v1.0.25 // indirect + github.com/coredns/corefile-migration v1.0.23 // indirect github.com/coreos/go-semver v0.3.1 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect - github.com/cyphar/filepath-securejoin v0.4.1 // indirect + github.com/cyphar/filepath-securejoin v0.3.4 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/cli v27.5.0+incompatible // indirect + github.com/docker/cli v27.1.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker-credential-helpers v0.8.2 // indirect + github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect - github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect - github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect - github.com/evanphx/json-patch v5.9.11+incompatible // indirect - github.com/evanphx/json-patch/v5 v5.9.11 // indirect - github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect - github.com/fatih/color v1.18.0 // indirect + github.com/envoyproxy/go-control-plane v0.13.0 // indirect + github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect + 
github.com/evanphx/json-patch v5.9.0+incompatible // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect + github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect + github.com/fatih/color v1.17.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect - github.com/gabriel-vasile/mimetype v1.4.8 // indirect + github.com/gabriel-vasile/mimetype v1.4.3 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-errors/errors v1.4.2 // indirect github.com/go-gorp/gorp/v3 v3.1.0 // indirect - github.com/go-jose/go-jose/v3 v3.0.4 // indirect - github.com/go-jose/go-jose/v4 v4.0.5 // indirect + github.com/go-jose/go-jose/v3 v3.0.3 // indirect + github.com/go-jose/go-jose/v4 v4.0.2 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/analysis v0.23.0 // indirect - github.com/go-openapi/errors v0.22.1 // indirect + github.com/go-openapi/errors v0.22.0 // indirect github.com/go-openapi/jsonpointer v0.21.0 // indirect github.com/go-openapi/jsonreference v0.21.0 // indirect github.com/go-openapi/loads v0.22.0 // indirect github.com/go-openapi/runtime v0.28.0 // indirect github.com/go-openapi/spec v0.21.0 // indirect github.com/go-openapi/strfmt v0.23.0 // indirect - github.com/go-openapi/swag v0.23.1 // indirect + github.com/go-openapi/swag v0.23.0 // indirect github.com/go-openapi/validate v0.24.0 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/godbus/dbus/v5 v5.1.0 // indirect - github.com/gofrs/uuid/v5 v5.3.2 // indirect + github.com/gofrs/uuid/v5 v5.3.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v4 v4.5.2 // indirect + github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect 
github.com/golang/protobuf v1.5.4 // indirect - github.com/google/btree v1.1.3 // indirect + github.com/google/btree v1.1.2 // indirect github.com/google/certificate-transparency-go v1.1.8 // indirect - github.com/google/gnostic-models v0.6.9 // indirect + github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-attestation v0.5.1 // indirect - github.com/google/go-cmp v0.7.0 // indirect - github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc // indirect - github.com/google/go-containerregistry v0.20.3 // indirect + github.com/google/go-cmp v0.6.0 // indirect + github.com/google/go-configfs-tsm v0.2.2 // indirect + github.com/google/go-containerregistry v0.20.2 // indirect github.com/google/go-tspi v0.3.0 // indirect + github.com/google/gofuzz v1.2.0 // indirect github.com/google/logger v1.1.1 // indirect - github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect - github.com/google/s2a-go v0.1.9 // indirect + github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect + github.com/google/s2a-go v0.1.8 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect github.com/gorilla/mux v1.8.1 // indirect - github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect + github.com/gorilla/websocket v1.5.0 // indirect github.com/gosuri/uitable v0.0.4 // indirect - github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect + github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-checkpoint v0.5.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect - github.com/hashicorp/go-cty v1.5.0 // indirect + github.com/hashicorp/go-cty 
v1.4.1-0.20200414143053-d3edf31b6320 // indirect github.com/hashicorp/go-hclog v1.6.3 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect - github.com/hashicorp/go-plugin v1.6.3 // indirect + github.com/hashicorp/go-plugin v1.6.2 // indirect github.com/hashicorp/go-retryablehttp v0.7.7 // indirect github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 // indirect - github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9 // indirect - github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect - github.com/hashicorp/go-sockaddr v1.0.6 // indirect github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/hashicorp/logutils v1.0.0 // indirect - github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0 // indirect - github.com/hashicorp/terraform-registry-address v0.2.5 // indirect + github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0 // indirect + github.com/hashicorp/terraform-registry-address v0.2.3 // indirect github.com/hashicorp/terraform-svchost v0.1.1 // indirect github.com/hashicorp/yamux v0.1.1 // indirect github.com/huandu/xstrings v1.5.0 // indirect + github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.18.0 // indirect + github.com/klauspost/compress v1.17.11 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect 
@@ -302,9 +301,8 @@ require ( github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect github.com/lib/pq v1.10.9 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect - github.com/lithammer/dedent v1.1.0 // indirect - github.com/mailru/easyjson v0.9.0 // indirect - github.com/mattn/go-colorable v0.1.14 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-runewidth v0.0.16 // indirect github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect github.com/mitchellh/copystructure v1.2.0 // indirect @@ -314,9 +312,8 @@ require ( github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/locker v1.0.1 // indirect - github.com/moby/spdystream v0.5.0 // indirect - github.com/moby/sys/atomicwriter v0.1.0 // indirect - github.com/moby/sys/mountinfo v0.7.2 // indirect + github.com/moby/spdystream v0.4.0 // indirect + github.com/moby/sys/mountinfo v0.7.1 // indirect github.com/moby/term v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect 
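Review bot: This hunk lowers the pinned versions of several security-sensitive modules with no rationale visible alongside the change — among them github.com/go-jose/go-jose/v3 (v3.0.4 → v3.0.3), go-jose/v4 (v4.0.5 → v4.0.2), github.com/golang-jwt/jwt/v4 (v4.5.2 → v4.5.0), github.com/cyphar/filepath-securejoin (v0.4.1 → v0.3.4) and github.com/cloudflare/circl (v1.6.0 → v1.3.9); patch releases of such libraries are often issued to close parsing or validation flaws, so moving back past them may reintroduce issues the previous pins had already addressed. The same pattern appears in the direct-require hunk above (golang-jwt/jwt/v5, go-sev-guest, go-tdx-guest, go-tpm, golang.org/x/crypto) and in the hunk at -361 (golang.org/x/net, golang.org/x/oauth2). If this is a deliberate revert, the reason should be recorded in the commit message and the resulting module graph checked with `govulncheck ./...` before merge, with any advisory that affects a lowered pin either explicitly justified or that single module re-bumped. The enclosing `require (` block begins before this hunk, so the lowered versions named here are only those visible in this view.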
@@ -326,27 +323,26 @@ require ( github.com/oklog/run v1.0.0 // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.1 // indirect + github.com/opencontainers/image-spec v1.1.0 // indirect + github.com/opencontainers/runc v1.1.13 // indirect + github.com/opencontainers/runtime-spec v1.2.0 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect - github.com/planetscale/vtprotobuf v0.6.1-0.20241121165744-79df5c4772f2 // indirect + github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/client_golang v1.22.0 // indirect + github.com/prometheus/client_golang v1.20.5 // indirect github.com/prometheus/client_model v0.6.1 // indirect - github.com/prometheus/common v0.62.0 // indirect + github.com/prometheus/common v0.55.0 // indirect github.com/prometheus/procfs v0.15.1 // indirect github.com/rivo/uniseg v0.4.7 // indirect - github.com/rubenv/sql-migrate v1.7.1 // indirect + github.com/rubenv/sql-migrate v1.7.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect - github.com/ryanuber/go-glob v1.0.0 // indirect - github.com/samber/lo v1.49.1 // indirect + github.com/samber/lo v1.47.0 // indirect github.com/sassoftware/relic v7.2.1+incompatible // indirect github.com/shopspring/decimal v1.4.0 // indirect - github.com/sigstore/protobuf-specs v0.4.1 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/cast v1.7.0 // indirect - github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect github.com/stretchr/objx v0.5.2 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect 
@@ -361,42 +357,42 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/xlab/treeprint v1.2.0 // indirect - github.com/zclconf/go-cty v1.16.2 // indirect - github.com/zeebo/errs v1.4.0 // indirect + github.com/zclconf/go-cty v1.15.0 // indirect go.mongodb.org/mongo-driver v1.14.0 // indirect - go.opentelemetry.io/auto/sdk v1.1.0 // indirect - go.opentelemetry.io/contrib/detectors/gcp v1.35.0 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect - go.opentelemetry.io/otel v1.35.0 // indirect - go.opentelemetry.io/otel/metric v1.35.0 // indirect - go.opentelemetry.io/otel/sdk v1.35.0 // indirect - go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect - go.opentelemetry.io/otel/trace v1.35.0 // indirect - go.uber.org/automaxprocs v1.6.0 // indirect + go.opencensus.io v0.24.0 // indirect + go.opentelemetry.io/contrib/detectors/gcp v1.29.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect + go.opentelemetry.io/otel v1.29.0 // indirect + go.opentelemetry.io/otel/metric v1.29.0 // indirect + go.opentelemetry.io/otel/sdk v1.29.0 // indirect + go.opentelemetry.io/otel/sdk/metric v1.29.0 // indirect + go.opentelemetry.io/otel/trace v1.29.0 // indirect + go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/net v0.40.0 // indirect - golang.org/x/oauth2 v0.30.0 // indirect - golang.org/x/sync v0.14.0 // indirect - golang.org/x/term v0.32.0 // indirect - golang.org/x/time v0.11.0 // indirect + golang.org/x/net v0.31.0 // indirect + golang.org/x/oauth2 v0.24.0 // indirect + golang.org/x/sync 
v0.9.0 // indirect + golang.org/x/term v0.26.0 // indirect + golang.org/x/time v0.8.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/appengine v1.6.8 // indirect - google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250505200425-f936aa4a68b2 // indirect + google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f // indirect + google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect - k8s.io/cli-runtime v0.32.2 // indirect - k8s.io/component-base v0.33.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + k8s.io/cli-runtime v0.31.1 // indirect + k8s.io/component-base v0.31.3 // indirect k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect - k8s.io/kubectl v0.32.2 // indirect + k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect + k8s.io/kubectl v0.31.1 // indirect oras.land/oras-go v1.2.5 // indirect - sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect - sigs.k8s.io/kustomize/api v0.19.0 // indirect - sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect - sigs.k8s.io/randfill v1.0.0 // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/kustomize/api v0.17.2 // indirect + sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/go.sum b/go.sum index 3ac076772..081bdc46c 100644 --- a/go.sum +++ b/go.sum 
@@ -1,33 +1,34 @@ -cel.dev/expr v0.23.1 h1:K4KOtPCJQjVggkARsjG9RWXP6O4R73aHeJMa/dmCQQg= -cel.dev/expr v0.23.1/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw= -cloud.google.com/go v0.121.0 h1:pgfwva8nGw7vivjZiRfrmglGWiCJBP+0OmDpenG/Fwg= -cloud.google.com/go v0.121.0/go.mod h1:rS7Kytwheu/y9buoDmu5EIpMMCI4Mb8ND4aeN4Vwj7Q= -cloud.google.com/go/auth v0.16.1 h1:XrXauHMd30LhQYVRHLGvJiYeczweKQXZxsTbV9TiguU= -cloud.google.com/go/auth v0.16.1/go.mod h1:1howDHJ5IETh/LwYs3ZxvlkXF48aSqqJUM+5o02dNOI= -cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= -cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= -cloud.google.com/go/compute v1.37.0 h1:XxtZlXYkZXub3LNaLu90TTemcFqIU1yZ4E4q9VlR39A= -cloud.google.com/go/compute v1.37.0/go.mod h1:AsK4VqrSyXBo4SMbRtfAO1VfaMjUEjEwv1UB/AwVp5Q= -cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU= -cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo= -cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8= -cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE= -cloud.google.com/go/kms v1.21.2 h1:c/PRUSMNQ8zXrc1sdAUnsenWWaNXN+PzTXfXOcSFdoE= -cloud.google.com/go/kms v1.21.2/go.mod h1:8wkMtHV/9Z8mLXEXr1GK7xPSBdi6knuLXIhqjuWcI6w= -cloud.google.com/go/logging v1.13.0 h1:7j0HgAp0B94o1YRDqiqm26w4q1rDMH7XNRU34lJXHYc= -cloud.google.com/go/logging v1.13.0/go.mod h1:36CoKh6KA/M0PbhPKMq6/qety2DCAErbhXT62TuXALA= -cloud.google.com/go/longrunning v0.6.7 h1:IGtfDWHhQCgCjwQjV9iiLnUta9LBCo8R9QmAFsS/PrE= -cloud.google.com/go/longrunning v0.6.7/go.mod h1:EAFV3IZAKmM56TyiE6VAP3VoTzhZzySwI/YI1s/nRsY= -cloud.google.com/go/monitoring v1.24.2 h1:5OTsoJ1dXYIiMiuL+sYscLc9BumrL3CarVLL7dd7lHM= -cloud.google.com/go/monitoring v1.24.2/go.mod h1:x7yzPWcgDRnPEv3sI+jJGBkwl5qINf+6qY4eq0I9B4U= -cloud.google.com/go/secretmanager v1.14.7 
h1:VkscIRzj7GcmZyO4z9y1EH7Xf81PcoiAo7MtlD+0O80= -cloud.google.com/go/secretmanager v1.14.7/go.mod h1:uRuB4F6NTFbg0vLQ6HsT7PSsfbY7FqHbtJP1J94qxGc= -cloud.google.com/go/storage v1.54.0 h1:Du3XEyliAiftfyW0bwfdppm2MMLdpVAfiIg4T2nAI+0= -cloud.google.com/go/storage v1.54.0/go.mod h1:hIi9Boe8cHxTyaeqh7KMMwKg088VblFK46C2x/BWaZE= -cloud.google.com/go/trace v1.11.6 h1:2O2zjPzqPYAHrn3OKl029qlqG6W8ZdYaOWRyr8NgMT4= -cloud.google.com/go/trace v1.11.6/go.mod h1:GA855OeDEBiBMzcckLPE2kDunIpC72N+Pq8WFieFjnI= -dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= -dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= +cel.dev/expr v0.16.2 h1:RwRhoH17VhAu9U5CMvMhH1PDVgf0tuz9FT+24AfMLfU= +cel.dev/expr v0.16.2/go.mod h1:gXngZQMkWJoSbE8mOzehJlXQyubn/Vg0vR9/F3W7iw8= +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.116.0 h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE= +cloud.google.com/go v0.116.0/go.mod h1:cEPSRWPzZEswwdr9BxE6ChEn01dWlTaF05LiC2Xs70U= +cloud.google.com/go/auth v0.10.2 h1:oKF7rgBfSHdp/kuhXtqU/tNDr0mZqhYbEh+6SiqzkKo= +cloud.google.com/go/auth v0.10.2/go.mod h1:xxA5AqpDrvS+Gkmo9RqrGGRh6WSNKKOXhY3zNOr38tI= +cloud.google.com/go/auth/oauth2adapt v0.2.5 h1:2p29+dePqsCHPP1bqDJcKj4qxRyYCcbzKpFyKGt3MTk= +cloud.google.com/go/auth/oauth2adapt v0.2.5/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8= +cloud.google.com/go/compute v1.29.0 h1:Lph6d8oPi38NHkOr6S55Nus/Pbbcp37m/J0ohgKAefs= +cloud.google.com/go/compute v1.29.0/go.mod h1:HFlsDurE5DpQZClAGf/cYh+gxssMhBxBovZDYkEn/Og= +cloud.google.com/go/compute/metadata v0.5.2 h1:UxK4uu/Tn+I3p2dYWTfiX4wva7aYlKixAHn3fyqngqo= +cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k= +cloud.google.com/go/iam v1.2.2 h1:ozUSofHUGf/F4tCNy/mu9tHLTaxZFLOUiKzjcgWHGIA= +cloud.google.com/go/iam v1.2.2/go.mod h1:0Ys8ccaZHdI1dEUilwzqng/6ps2YB6vRsjIe00/+6JY= +cloud.google.com/go/kms v1.20.1 
h1:og29Wv59uf2FVaZlesaiDAqHFzHaoUyHI3HYp9VUHVg= +cloud.google.com/go/kms v1.20.1/go.mod h1:LywpNiVCvzYNJWS9JUcGJSVTNSwPwi0vBAotzDqn2nc= +cloud.google.com/go/logging v1.12.0 h1:ex1igYcGFd4S/RZWOCU51StlIEuey5bjqwH9ZYjHibk= +cloud.google.com/go/logging v1.12.0/go.mod h1:wwYBt5HlYP1InnrtYI0wtwttpVU1rifnMT7RejksUAM= +cloud.google.com/go/longrunning v0.6.2 h1:xjDfh1pQcWPEvnfjZmwjKQEcHnpz6lHjfy7Fo0MK+hc= +cloud.google.com/go/longrunning v0.6.2/go.mod h1:k/vIs83RN4bE3YCswdXC5PFfWVILjm3hpEUlSko4PiI= +cloud.google.com/go/monitoring v1.21.2 h1:FChwVtClH19E7pJ+e0xUhJPGksctZNVOk2UhMmblmdU= +cloud.google.com/go/monitoring v1.21.2/go.mod h1:hS3pXvaG8KgWTSz+dAdyzPrGUYmi2Q+WFX8g2hqVEZU= +cloud.google.com/go/secretmanager v1.14.2 h1:2XscWCfy//l/qF96YE18/oUaNJynAx749Jg3u0CjQr8= +cloud.google.com/go/secretmanager v1.14.2/go.mod h1:Q18wAPMM6RXLC/zVpWTlqq2IBSbbm7pKBlM3lCKsmjw= +cloud.google.com/go/storage v1.47.0 h1:ajqgt30fnOMmLfWfu1PWcb+V9Dxz6n+9WKjdNg5R4HM= +cloud.google.com/go/storage v1.47.0/go.mod h1:Ks0vP374w0PW6jOUameJbapbQKXqkjGd/OJRp2fb9IQ= +cloud.google.com/go/trace v1.11.2 h1:4ZmaBdL8Ng/ajrgKqY5jfvzqMXbrDcBsUGXOT9aqTtI= +cloud.google.com/go/trace v1.11.2/go.mod h1:bn7OwXd4pd5rFuAnTrzBuoZ4ax2XQeG3qNgYmfCy0Io= +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= 
@@ -36,36 +37,36 @@ github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjq github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d/go.mod h1:XNqJ7hv2kY++g8XEHREpi+JqZo3+0l+CH2egBVN4yqM= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 h1:j8BorDEigD8UFOSZQiSqAMOOleyQOOQPnUAwV+Ls1gA= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4= -github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= -github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 h1:FPKJS1T+clwv+OLGt13a8UjqeRuh0O4SJ3lUriThc+4= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1/go.mod h1:j2chePtV91HrC22tGoRX3sGY42uF13WzmmV80/OdVAA= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 h1:JZg6HRh6W6U4OLl6lk7BZ7BLisIzM9dG1R50zUk9C/M= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0/go.mod h1:YL1xnZ6QejvQHWJrX/AvhFl4WW4rqHVoKspWNVwFk0M= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 h1:B/dfvscEQtew9dVuoxqxrUKKv8Ih2f55PydknDamU+g= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0/go.mod h1:fiPSssYvltE08HJchL04dOy+RD4hgrjph0cwGGMntdI= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0 h1:+m0M/LFxN43KvULkDNfdXOgrjtg6UYJPFBJyuEcRCAw= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0/go.mod h1:PwOyop78lveYMRs6oCxjiVyBdyCgIYH6XHIVZO9/SFQ= 
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 h1:m/sWOGCREuSBqg2htVQTBY8nOZpyajYztF0vUvSZTuM= github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0/go.mod h1:Pu5Zksi2KrU7LPbZbNINx6fuVrUp/ffvpxdDj+i8LeE= github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw= github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.4.0 h1:z7Mqz6l0EFH549GvHEqfjKvi+cRScxLWbaoeLm9wxVQ= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.4.0/go.mod h1:v6gbfH+7DG7xH2kUNs+ZJ9tF6O3iNnR85wMtmr+F54o= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0 h1:zDeQI/PaWztI2tcrGO/9RIMey9NvqYbnyttf/0P3QWM= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0 h1:2qsIIvxVT+uE6yrNldntJKlLRgxGbZ85kgtz5SNBhMw= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0/go.mod h1:AW8VEadnhw9xox+VaVd9sP7NjzOAnaZBLRH6Tq3cJ38= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0 h1:HYGD75g0bQ3VO/Omedm54v4LrD3B1cGImuRF3AJ5wLo= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0/go.mod h1:ulHyBFJOI0ONiRL4vcJTmS7rx18jQQlEPmAgo80cRdM= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.1.0 h1:Fd+iaEa+JBwzYo6OTWYSNqyvlPSLciMGsmsnYCKcXM0= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.1.0/go.mod 
h1:ulHyBFJOI0ONiRL4vcJTmS7rx18jQQlEPmAgo80cRdM= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0 h1:LR0kAX9ykz8G4YgLCaRDVJ3+n43R8MneB5dTy2konZo= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0/go.mod h1:DWAciXemNf++PQJLeXUB4HHH5OpsAh12HZnu2wXE1jA= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1 h1:mrkDCdkMsD4l9wjFGhofFHFrV43Y3c53RSLKOCJ5+Ow= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1/go.mod h1:hPv41DbqMmnxcGralanA/kVlfdH5jv3T4LxGku2E1BY= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1/go.mod h1:Vih/3yc6yac2JzU4hzpaDupBJP0Flaia9rXXrU8xyww= -github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1 h1:lhZdRq7TIx0GJQvSyX2Si406vrYsov2FXGp/RnSEtcs= -github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1/go.mod h1:8cl44BDmi+effbARHMQjgOKA2AYvcohNm7KEt42mSV8= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.6.0 h1:PiSrjRPpkQNjrM8H0WwKMnZUdu1RGMtd/LdGKUrOo+c= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.6.0/go.mod h1:oDrbWx4ewMylP7xHivfgixbfGBT6APAwsSoHRKotnIc= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0 h1:WLUIpeyv04H0RCcQHaA4TNoyrQ39Ox7V+re+iaqzTe0= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets 
v1.3.0/go.mod h1:hd8hTTIY3VmUVPRHNH7GVCHO3SHgXkJKZHReby/bnUQ= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 h1:eXnN9kaS8TiDwXjoie3hMRLuwdUBUMW9KRgOqB3mCaw= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0/go.mod h1:XIpam8wumeZ5rVMuhdDQLMfIPDf1WO3IzrCRO3e3e3o= +github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0 h1:mlmW46Q0B79I+Aj4azKC6xDMFN9a9SyZWESlGWYXbFs= +github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0/go.mod h1:PXe2h+LKcWTX9afWdZoHyODqR4fBa5boUM/8uJfZ0Jo= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw= 
@@ -88,20 +89,21 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= -github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs= -github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= -github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= -github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= +github.com/AzureAD/microsoft-authentication-library-for-go v1.3.1 h1:gUDtaZk8heteyfdmv+pcfHvhR9llnh7c7GMwZ8RVG04= +github.com/AzureAD/microsoft-authentication-library-for-go v1.3.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0= +github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 h1:ErKg/3iS1AKcTkf3yixlZ54f9U1rljCkQyEXWUnIUxc= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0/go.mod h1:yAZHSGnqScoU556rBOVkwLze6WP5N+U11RHuWaGVxwY= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 h1:fYE9p3esPxA/C0rQ0AHhP0drtPXDRhaWiwg1DPqO7IU= 
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0/go.mod h1:BnBReJLvVYx2CS/UHOgVz2BXKXD9wsQPxZug20nZhd0= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.51.0 h1:OqVGm6Ei3x5+yZmSJG1Mh2NwHvpVmZ08CB5qJhT9Nuk= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.51.0/go.mod h1:SZiPHWGOOk3bl8tkevxkoiwPgsIl6CwrWcbwjfHZpdM= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 h1:6/0iUd0xrnX7qt+mLNRwg5c0PGv8wpE8K90ryANQwMI= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0/go.mod h1:otE2jQekW/PqXk1Awf5lmfokJx4uwuqcj1ab5SpGeW0= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 h1:pB2F2JKCj1Znmp2rwxxt1J0Fg0wezTMgWYk5Mpbi1kg= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1/go.mod h1:itPGVDKf9cC/ov4MdvJ2QZ0khw4bfoo9jzwTJlaxy2k= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 h1:UQ0AhxogsIRZDkElkblfnwjc3IaltCm2HUMvezQaL7s= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1/go.mod h1:jyqM3eLpJ3IbIFDTKVz2rF9T/xWGW0rIriGwnz8l9Tk= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.48.1 h1:oTX4vsorBZo/Zdum6OKPA4o7544hm6smoRv1QjpTwGo= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.48.1/go.mod h1:0wEl7vrAD8mehJyohS9HZy+WyEOaQO2mJx86Cvh93kM= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 h1:8nn+rsCvTq9axyEh382S0PFLBeaFwNsT43IrPWzctRU= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1/go.mod h1:viRWSEhtMZqz1rhwmOVKkWl6SwmVowfL9O2YR5gI2PE= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= 
github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= @@ -116,8 +118,8 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/Microsoft/hcsshim v0.11.7 h1:vl/nj3Bar/CvJSYo7gIQPyRWc9f3c6IeSNavBTSZNZQ= github.com/Microsoft/hcsshim v0.11.7/go.mod h1:MV8xMfmECjl5HdO7U/3/hFVnkmSBjAjmA09d4bExKcU= -github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw= -github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= +github.com/ProtonMail/go-crypto v1.1.0-alpha.5.0.20240827111422-b5837fa4476e h1:O1cSHAcGcbGEO66Qi2AIJeYmXO8iP4L/PNrbdN+RjJA= +github.com/ProtonMail/go-crypto v1.1.0-alpha.5.0.20240827111422-b5837fa4476e/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE= 
@@ -134,62 +136,62 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= -github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE= -github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= -github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM= -github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 h1:zAybnyUQXIZ5mok5Jqwlf58/TFE7uvd3IAsa1aF9cXs= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10/go.mod h1:qqvMj6gHLR/EXWZw4ZbqlPbQUyenf4h82UQUlKc+l14= -github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM= -github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g= -github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM= -github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.75 h1:S61/E3N01oral6B3y9hZ2E1iFDqCZPPOBoBQretCnBI= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.75/go.mod h1:bDMQbkI1vJbNjnvJYpPTSNYBkI/VIv18ngWb/K84tkk= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q= 
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 h1:ZNTqv4nIdE/DiBfUUfXcLZ/Spcuz+RjeziUtNJackkM= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34/go.mod h1:zf7Vcd1ViW7cPqYWEHLHJkS50X0JS2IKz9Cgaj6ugrs= -github.com/aws/aws-sdk-go-v2/service/autoscaling v1.52.4 h1:vzLD0FyNU4uxf2QE5UDG0jSEitiJXbVEUwf2Sk3usF4= -github.com/aws/aws-sdk-go-v2/service/autoscaling v1.52.4/go.mod h1:CDqMoc3KRdZJ8qziW96J35lKH01Wq3B2aihtHj2JbRs= -github.com/aws/aws-sdk-go-v2/service/cloudfront v1.46.1 h1:6xZNYtuVwzBs8k+TmraERt0vL68Ppg9aUi+aTQmPaVM= -github.com/aws/aws-sdk-go-v2/service/cloudfront v1.46.1/go.mod h1:FIBJ48TS+qJb+Ne4qJ+0NeIhtPTVXItXooTeNeVI4Po= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.218.0 h1:QPYsTfcPpPhkF+37pxLcl3xbQz2SRxsShQNB6VCkvLo= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.218.0/go.mod h1:ouvGEfHbLaIlWwpDpOVWPWR+YwO0HDv3vm5tYLq8ImY= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.45.2 h1:vX70Z4lNSr7XsioU0uJq5yvxgI50sB66MvD+V/3buS4= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.45.2/go.mod h1:xnCC3vFBfOKpU6PcsCKL2ktgBTZfOwTGxj6V8/X3IS4= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.1 h1:4nm2G6A4pV9rdlWzGMPv4BNtQp22v1hg3yrtkYpeLl8= 
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.1/go.mod h1:iu6FSzgt+M2/x3Dk8zhycdIcHjEFb36IS8HVUVFoMg0= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 h1:moLQUoVq91LiqT1nbvzDukyqAlCv89ZmwaHw/ZFlFZg= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15/go.mod h1:ZH34PJUc8ApjBIfgQCFvkWcUDBtl/WTD+uiYHjd8igA= -github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.26.3 h1:P87jejqS8WvQvRWyXlHUylt99VXt0y/WUIFuU6gBU7A= -github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.26.3/go.mod h1:cgPfPTC/V3JqwCKed7Q6d0FrgarV7ltz4Bz6S4Q+Dqk= -github.com/aws/aws-sdk-go-v2/service/s3 v1.79.3 h1:BRXS0U76Z8wfF+bnkilA2QwpIch6URlm++yPUt9QPmQ= -github.com/aws/aws-sdk-go-v2/service/s3 v1.79.3/go.mod h1:bNXKFFyaiVvWuR6O16h/I1724+aXe/tAkA9/QS01t5k= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.4 h1:EKXYJ8kgz4fiqef8xApu7eH0eae2SrVG+oHCLFybMRI= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.4/go.mod h1:yGhDiLKguA3iFJYxbrQkQiNzuy+ddxesSZYWVeeEH5Q= -github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8= -github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4= -github.com/aws/smithy-go v1.22.3 h1:Z//5NuZCSW6R4PhQ93hShNbyBbn8BWCmCVCt+Q8Io5k= -github.com/aws/smithy-go 
v1.22.3/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= -github.com/bazelbuild/buildtools v0.0.0-20250427233527-d9ed52af26ee h1:bCB8uzOXSBWZk4Ss6zaoLjeSU0ZzrykiwDOR31KF4ak= -github.com/bazelbuild/buildtools v0.0.0-20250427233527-d9ed52af26ee/go.mod h1:PLNUetjLa77TCCziPsz0EI8a6CUxgC+1jgmWv0H25tg= -github.com/bazelbuild/rules_go v0.54.0 h1:D9aCU7j5rdRxg2rXOZX5zHZ395XC0KbgC4rnyaQ3ofM= -github.com/bazelbuild/rules_go v0.54.0/go.mod h1:T90Gpyq4HDFlsrvtQa2CBdHNJ2P4rAu/uUTmQbanzf0= +github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU= +github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go-v2 v1.32.5 h1:U8vdWJuY7ruAkzaOdD7guwJjD06YSKmnKCJs7s3IkIo= +github.com/aws/aws-sdk-go-v2 v1.32.5/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 h1:lL7IfaFzngfx0ZwUGOZdsFFnQ5uLvR0hWqqhyE7Q9M8= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7/go.mod h1:QraP0UcVlQJsmHfioCrveWOC1nbiWUl3ej08h4mXWoc= +github.com/aws/aws-sdk-go-v2/config v1.28.5 h1:Za41twdCXbuyyWv9LndXxZZv3QhTG1DinqlFsSuvtI0= +github.com/aws/aws-sdk-go-v2/config v1.28.5/go.mod h1:4VsPbHP8JdcdUDmbTVgNL/8w9SqOkM5jyY8ljIxLO3o= +github.com/aws/aws-sdk-go-v2/credentials v1.17.46 h1:AU7RcriIo2lXjUfHFnFKYsLCwgbz1E7Mm95ieIRDNUg= +github.com/aws/aws-sdk-go-v2/credentials v1.17.46/go.mod h1:1FmYyLGL08KQXQ6mcTlifyFXfJVCNJTVGuQP4m0d/UA= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 h1:sDSXIrlsFSFJtWKLQS4PUWRvrT580rrnuLydJrCQ/yA= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20/go.mod h1:WZ/c+w0ofps+/OUqMwWgnfrgzZH1DZO1RIkktICsqnY= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41 h1:hqcxMc2g/MwwnRMod9n6Bd+t+9Nf7d5qRg7RaXKPd6o= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41/go.mod h1:d1eH0VrttvPmrCraU68LOyNdu26zFxQFjrVSb5vdhog= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 
h1:4usbeaes3yJnCFC7kfeyhkdkPtoRYPa/hTmCqMpKpLI= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24/go.mod h1:5CI1JemjVwde8m2WG3cz23qHKPOxbpkq0HaoreEgLIY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 h1:N1zsICrQglfzaBnrfM0Ys00860C+QFwu6u/5+LomP+o= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24/go.mod h1:dCn9HbJ8+K31i8IQ8EWmWj0EiIk0+vKiHNMxTTYveAg= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24 h1:JX70yGKLj25+lMC5Yyh8wBtvB01GDilyRuJvXJ4piD0= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24/go.mod h1:+Ln60j9SUTD0LEwnhEB0Xhg61DHqplBrbZpLgyjoEHg= +github.com/aws/aws-sdk-go-v2/service/autoscaling v1.51.0 h1:1KzQVZi7OTixxaVJ8fWaJAUBjme+iQ3zBOCZhE4RgxQ= +github.com/aws/aws-sdk-go-v2/service/autoscaling v1.51.0/go.mod h1:I1+/2m+IhnK5qEbhS3CrzjeiVloo9sItE/2K+so0fkU= +github.com/aws/aws-sdk-go-v2/service/cloudfront v1.43.0 h1:Ny0HHch5IyjWd3Hh/csFvAZFPDHvu7eeePFh7+BnbZ8= +github.com/aws/aws-sdk-go-v2/service/cloudfront v1.43.0/go.mod h1:KC7JSdRScZQpZJDJp4ze9elsg8QIWIoABjmCzDS4rtg= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.194.0 h1:56YXcRmryw9wiTrvdVeJEUwBCoN/+o33R52PA7CCi08= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.194.0/go.mod h1:mzj8EEjIHSN2oZRXiw1Dd+uB4HZTl7hC8nBzX9IZMWw= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.43.0 h1:fIAJ5VM/ANpYV81C1Jbf4ePbElMSzuWFljezD6weU9k= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.43.0/go.mod h1:pZP3I+Ts+XuhJJtZE49+ABVjfxm7u9/hxcNUYSpY3OE= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5 
h1:gvZOjQKPxFXy1ft3QnEyXmT+IqneM9QAUWlM3r0mfqw= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5/go.mod h1:DLWnfvIcm9IET/mmjdxeXbBKmTCm0ZB8p1za9BVteM8= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 h1:wtpJ4zcwrSbwhECWQoI/g6WM9zqCcSpHDJIWSbMLOu4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5/go.mod h1:qu/W9HXQbbQ4+1+JcZp0ZNPV31ym537ZJN+fiS7Ti8E= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5 h1:P1doBzv5VEg1ONxnJss1Kh5ZG/ewoIE4MQtKKc6Crgg= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5/go.mod h1:NOP+euMW7W3Ukt28tAxPuoWao4rhhqJD3QEBk7oCg7w= +github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.25.6 h1:I+a2rKx253mIClu5QtBkYWtko1k3nC+SvAtWTomengI= +github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.25.6/go.mod h1:hmJ9BhvEvDx0TrC16/p9UdoBRyCD2+k23ritPq5ctdM= +github.com/aws/aws-sdk-go-v2/service/s3 v1.69.0 h1:Q2ax8S21clKOnHhhr933xm3JxdJebql+R7aNo7p7GBQ= +github.com/aws/aws-sdk-go-v2/service/s3 v1.69.0/go.mod h1:ralv4XawHjEMaHOWnTFushl0WRqim/gQWesAMF6hTow= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.6 h1:1KDMKvOKNrpD667ORbZ/+4OgvUoaok1gg/MLzrHF9fw= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.6/go.mod h1:DmtyfCfONhOyVAJ6ZMTrDSFIeyCBlEO93Qkfhxwbxu0= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.6 h1:3zu537oLmsPfDMyjnUS2g+F2vITgy5pB74tHI+JBNoM= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.6/go.mod h1:WJSZH2ZvepM6t6jwu4w/Z45Eoi75lPN7DcydSRtJg6Y= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5 h1:K0OQAsDywb0ltlFrZm0JHPY3yZp/S9OaoLU33S7vPS8= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5/go.mod h1:ORITg+fyuMoeiQFiVGoqB3OydVTLkClw/ljbblMq6Cc= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.1 h1:6SZUVRQNvExYlMLbHdlKB48x0fLbc2iVROyaNEwBHbU= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.1/go.mod h1:GqWyYCwLXnlUB1lOAXQyNSPqPLQJvmo8J0DWBzp9mtg= +github.com/aws/smithy-go v1.22.1 
h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= +github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= +github.com/bazelbuild/buildtools v0.0.0-20240918101019-be1c24cc9a44 h1:FGzENZi+SX9I7h9xvMtRA3rel8hCEfyzSixteBgn7MU= +github.com/bazelbuild/buildtools v0.0.0-20240918101019-be1c24cc9a44/go.mod h1:PLNUetjLa77TCCziPsz0EI8a6CUxgC+1jgmWv0H25tg= +github.com/bazelbuild/rules_go v0.50.1 h1:/BUvuaB8MEiUA2oLPPCGtuw5V+doAYyiGTFyoSWlkrw= +github.com/bazelbuild/rules_go v0.50.1/go.mod h1:Dhcz716Kqg1RHNWos+N6MlXNkjNP2EwZQ0LukRKJfMs= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -210,49 +212,58 @@ github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXe github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= +github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= github.com/chengxilo/virtualterm v1.0.4 h1:Z6IpERbRVlfB8WkOmtbHiDbBANU7cimRIof7mk9/PwM= github.com/chengxilo/virtualterm v1.0.4/go.mod h1:DyxxBZz/x1iqJjFxTFcr6/x+jSpqN0iwWCOK1q10rlY= -github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk= -github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= -github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 h1:Om6kYQYDUk5wWbT0t0q6pvyM49i9XZAv9dDrkDA7gjk= -github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= 
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cloudflare/circl v1.3.9 h1:QFrlgFYf2Qpi8bSpVPK1HBvWpx16v/1TZivyo7pGuBE= +github.com/cloudflare/circl v1.3.9/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw= -github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII= -github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0= -github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII= -github.com/containerd/continuity v0.4.4/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE= -github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= -github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= +github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ= +github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= +github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM= +github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= +github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= +github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log 
v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= github.com/coredns/caddy v1.1.1 h1:2eYKZT7i6yxIfGP3qLJoJ7HAsDJqYB+X68g4NYjSrE0= github.com/coredns/caddy v1.1.1/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4= -github.com/coredns/corefile-migration v1.0.25 h1:/XexFhM8FFlFLTS/zKNEWgIZ8Gl5GaWrHsMarGj/PRQ= -github.com/coredns/corefile-migration v1.0.25/go.mod h1:56DPqONc3njpVPsdilEnfijCwNGC3/kTJLl7i7SPavY= +github.com/coredns/corefile-migration v1.0.23 h1:Fp4FETmk8sT/IRgnKX2xstC2dL7+QdcU+BL5AYIN3Jw= +github.com/coredns/corefile-migration v1.0.23/go.mod h1:8HyMhuyzx9RLZp8cRc9Uf3ECpEAafHOFxQWUPqktMQI= github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0= -github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0= github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 
h1:vU+EP9ZuFUCYE0NYLwTSob+3LNEJATzNfP/DC7SWGWI= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= -github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8= +github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM= github.com/daniel-weisse/go-cryptsetup v0.0.0-20230705150314-d8c07bd1723c h1:ToajP6trZoiqlZ3Z4uoG1P02/wtqSw1AcowOXOYjATk= github.com/daniel-weisse/go-cryptsetup v0.0.0-20230705150314-d8c07bd1723c/go.mod h1:gZoZ0+POlM1ge/VUxWpMmZVNPzzMJ7l436CgkQ5+qzU= -github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs= -github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps= +github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE= +github.com/danieljoos/wincred v1.2.0/go.mod h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -263,14 +274,14 @@ github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aB github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvDaFkLctbGM= -github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= +github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v28.1.1+incompatible h1:49M11BFLsVO1gxY9UX9p/zwkE/rswggs8AdFmXQw51I= -github.com/docker/docker v28.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= -github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= +github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI= +github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= +github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= 
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= 
@@ -281,63 +292,63 @@ github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4= github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE= -github.com/edgelesssys/go-azguestattestation v0.0.0-20250408071817-8c4457b235ff h1:V6A5kD0+c1Qg4X72Lg+zxhCZk+par436sQdgLvMCBBc= -github.com/edgelesssys/go-azguestattestation v0.0.0-20250408071817-8c4457b235ff/go.mod h1:Lz4QaomI4wU2YbatD4/W7vatW2Q35tnkoJezB1clscc= -github.com/edgelesssys/go-tdx-qpl v0.0.0-20250129202750-607ac61e2377 h1:5JMJiBhvOUUR7EZ0UyeSy7a1WrqB2eM+DX3odLSHAh4= -github.com/edgelesssys/go-tdx-qpl v0.0.0-20250129202750-607ac61e2377/go.mod h1:IC72qyykUIWl0ZmSk53L4xbLCFDBEGZVaujUmPQOEyw= +github.com/edgelesssys/go-azguestattestation v0.0.0-20240513062303-05f8770a633d h1:XcoMVhZve0RRkSxFDn9Bs/z4FpHqZ3eHgVNWNCNOkqc= +github.com/edgelesssys/go-azguestattestation v0.0.0-20240513062303-05f8770a633d/go.mod h1:Lz4QaomI4wU2YbatD4/W7vatW2Q35tnkoJezB1clscc= +github.com/edgelesssys/go-tdx-qpl v0.0.0-20240123150912-dcad3c41ec5f h1:TCGUmmH50cQBGXPJsn32APf93fmWQXcSMi7pMbDPtV0= +github.com/edgelesssys/go-tdx-qpl v0.0.0-20240123150912-dcad3c41ec5f/go.mod h1:IC72qyykUIWl0ZmSk53L4xbLCFDBEGZVaujUmPQOEyw= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= -github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M= -github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA= 
-github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A= -github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw= -github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI= -github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4= -github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8= -github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU= -github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8= -github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= -github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= -github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= -github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.13.0 h1:HzkeUz1Knt+3bK+8LG1bxOO/jzWZmdxpwC51i202les= +github.com/envoyproxy/go-control-plane v0.13.0/go.mod h1:GRaKG3dwvFoTg4nj7aXdZnvMg4d7nvT/wl9WgVXn3Q8= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/envoyproxy/protoc-gen-validate v1.1.0 
h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= +github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM= +github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= -github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= -github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= +github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= +github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= -github.com/foxboron/go-uefi v0.0.0-20250207204325-69fb7dba244f h1:SGo7y1xmmGWiQzp7QU3ueehmdMVkjj9Yyo1IDEuHbYw= -github.com/foxboron/go-uefi v0.0.0-20250207204325-69fb7dba244f/go.mod h1:q85c4IRlhhwdRJgGIUWrisDjU8dgcMj8dnXZCXo3hus= +github.com/foxboron/go-uefi v0.0.0-20241017190036-fab4fdf2f2f3 h1:K8ADp66ulnZ0NhjzwVwE4E3g6Id5KMWu86l0vURusA8= +github.com/foxboron/go-uefi v0.0.0-20241017190036-fab4fdf2f2f3/go.mod 
h1:ffg/fkDeOYicEQLoO2yFFGt00KUTYVXI+rfnc8il6vQ= github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= -github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= -github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= +github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M= +github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= -github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM= -github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8= +github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0= +github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= -github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM= 
-github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU= -github.com/go-git/go-git/v5 v5.14.0 h1:/MD3lCrGjCen5WfEAzKg00MJJffKhC8gzS80ycmCi60= -github.com/go-git/go-git/v5 v5.14.0/go.mod h1:Z5Xhoia5PcWA3NF8vRLURn9E5FRhSl7dGj9ItW3Wk5k= +github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU= +github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow= +github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZtys= +github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY= github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= -github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY= -github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= -github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE= -github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= +github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= +github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= +github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk= +github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= 
@@ -350,8 +361,8 @@ github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU= github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo= -github.com/go-openapi/errors v0.22.1 h1:kslMRRnK7NCb/CvR1q1VWuEQCEIsBGn5GgKD9e+HYhU= -github.com/go-openapi/errors v0.22.1/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0= +github.com/go-openapi/errors v0.22.0 h1:c4xY/OLxUBSTiepAg3j/MHuAv5mJhnf53LLMWFB+u/w= +github.com/go-openapi/errors v0.22.0/go.mod h1:J3DmZScxCDufmIMsdOuDHxJbdOGC0xtUynjIx092vXE= github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= @@ -364,8 +375,8 @@ github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9Z github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk= github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c= github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4= -github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU= -github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58= github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s= 
@@ -374,12 +385,11 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= -github.com/go-playground/validator/v10 v10.26.0 h1:SP05Nqhjcvz81uJaRfEV0YBSSSGMc/iMaVtFbr3Sw2k= -github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo= +github.com/go-playground/validator/v10 v10.23.0 h1:/PwmTwZhS0dPkav3cdK9kV1FsAmrL8sThn8IHr/sO+o= +github.com/go-playground/validator/v10 v10.23.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= -github.com/go-sql-driver/mysql v1.9.1 h1:FrjNGn/BsJQjVRuSa8CBrM5BWA9BWoXXat3KrtSb/iI= -github.com/go-sql-driver/mysql v1.9.1/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= 
@@ -390,54 +400,68 @@ github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJA github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gofrs/uuid/v5 v5.3.2 h1:2jfO8j3XgSwlz/wHqemAEugfnTlikAYHhnqQ8Xh4fE0= -github.com/gofrs/uuid/v5 v5.3.2/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= +github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk= +github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI= -github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8= -github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= -github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ= -github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= 
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/gomodule/redigo 
v1.8.2 h1:H5XSIre1MB5NbPYFp+i1NBbb5qN1W8Y8YAQoAYbkm8k= github.com/gomodule/redigo v1.8.2/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0= -github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= -github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= +github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= github.com/google/certificate-transparency-go v1.1.8 h1:LGYKkgZF7satzgTak9R4yzfJXEeYVAjV6/EAEJOf1to= github.com/google/certificate-transparency-go v1.1.8/go.mod h1:bV/o8r0TBKRf1X//iiiSgWrvII4d7/8OiA+3vG26gI8= -github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= -github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-attestation v0.5.1 h1:jqtOrLk5MNdliTKjPbIPrAaRKJaKW+0LIU2n/brJYms= github.com/google/go-attestation v0.5.1/go.mod h1:KqGatdUhg5kPFkokyzSBDxwSCFyRgIgtRkMp6c3lOBQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp 
v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= -github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= -github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc h1:SG12DWUUM5igxm+//YX5Yq4vhdoRnOG9HkCodkOn+YU= -github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc/go.mod h1:EL1GTDFMb5PZQWDviGfZV9n87WeGTR/JUg13RfwkgRo= -github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI= -github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI= -github.com/google/go-sev-guest v0.13.0 h1:DJB6ACdykyweMU0HGOp/TQ7cjsnbV2ecbYunu2E0qy0= -github.com/google/go-sev-guest v0.13.0/go.mod h1:SK9vW+uyfuzYdVN0m8BShL3OQCtXZe/JPF7ZkpD3760= -github.com/google/go-tdx-guest v0.3.2-0.20250505161510-9efd53b4a100 h1:E5ArM6vmtaUbgTZM8W3G+bgseO3i5l8BpJCKuUH7WVc= -github.com/google/go-tdx-guest v0.3.2-0.20250505161510-9efd53b4a100/go.mod h1:uHy3VaNXNXhl0fiPxKqTxieeouqQmW6A0EfLcaeCYBk= -github.com/google/go-tpm v0.9.5 h1:ocUmnDebX54dnW+MQWGQRbdaAcJELsa6PqZhJ48KwVU= -github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-configfs-tsm v0.2.2 h1:YnJ9rXIOj5BYD7/0DNnzs8AOp7UcvjfTvt215EWcs98= +github.com/google/go-configfs-tsm v0.2.2/go.mod h1:EL1GTDFMb5PZQWDviGfZV9n87WeGTR/JUg13RfwkgRo= +github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= +github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= +github.com/google/go-sev-guest v0.11.2-0.20241122204452-64cd695124b1 
h1:K33T2ardZgY4LVxPakM85KSip9aag2jTwmOZs4i1dJg= +github.com/google/go-sev-guest v0.11.2-0.20241122204452-64cd695124b1/go.mod h1:8+UOtSaqVIZjJJ9DDmgRko3J/kNc6jI5KLHxoeao7cA= +github.com/google/go-tdx-guest v0.3.1 h1:gl0KvjdsD4RrJzyLefDOvFOUH3NAJri/3qvaL5m83Iw= +github.com/google/go-tdx-guest v0.3.1/go.mod h1:/rc3d7rnPykOPuY8U9saMyEps0PZDThLk/RygXm04nE= +github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM= +github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY= github.com/google/go-tpm-tools v0.4.4 h1:oiQfAIkc6xTy9Fl5NKTeTJkBTlXdHsxAofmQyxBKY98= github.com/google/go-tpm-tools v0.4.4/go.mod h1:T8jXkp2s+eltnCDIsXR84/MTcVU9Ja7bh3Mit0pa4AY= github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus= 
@@ -449,37 +473,39 @@ github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ= github.com/google/logger v1.1.1/go.mod h1:BkeJZ+1FhQ+/d087r4dzojEg1u2ZX+ZqG1jTUrLM+zQ= github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc= github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= -github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= -github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM= +github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4= -github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA= -github.com/googleapis/gax-go/v2 v2.14.2 
h1:eBLnkZ9635krYIPD+ag1USrOAI0Nr0QYF3+/3GqO0k0= -github.com/googleapis/gax-go/v2 v2.14.2/go.mod h1:ON64QhlJkhVtSqp4v1uaK92VyZ2gmvDQsweuyLV+8+w= -github.com/gophercloud/gophercloud/v2 v2.7.0 h1:o0m4kgVcPgHlcXiWAjoVxGd8QCmvM5VU+YM71pFbn0E= -github.com/gophercloud/gophercloud/v2 v2.7.0/go.mod h1:Ki/ILhYZr/5EPebrPL9Ej+tUg4lqx71/YH2JWVeU+Qk= -github.com/gophercloud/utils/v2 v2.0.0-20250506092640-af27464b6166 h1:U82pil2tMV/BkeWmy3eKT9mTmodSfwOw+Czl/s5eBrw= -github.com/gophercloud/utils/v2 v2.0.0-20250506092640-af27464b6166/go.mod h1:WypkO28BNmRXS8EPyW6I58L3qrBUy3w60schxwx7ZVc= +github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw= +github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA= +github.com/googleapis/gax-go/v2 v2.14.0 h1:f+jMrjBPl+DL9nI4IQzLUxMq7XrAqFYB7hBPqMNIe8o= +github.com/googleapis/gax-go/v2 v2.14.0/go.mod h1:lhBCnjdLrWRaPvLWhmc8IS24m9mr07qSYnHncrgo+zk= +github.com/gophercloud/gophercloud/v2 v2.2.0 h1:STqqnSXuhcg1OPBOZ14z6JDm8fKIN13H2bJg6bBuHp8= +github.com/gophercloud/gophercloud/v2 v2.2.0/go.mod h1:f2hMRC7Kakbv5vM7wSGHrIPZh6JZR60GVHryJlF/K44= +github.com/gophercloud/utils/v2 v2.0.0-20241108144456-f4302a5ad8c6 h1:NPpHSXdkl9OWs9W46zmFBADEDIkY+r+W71vuiHo3se4= +github.com/gophercloud/utils/v2 v2.0.0-20241108144456-f4302a5ad8c6/go.mod h1:Uvv82D3uPdyOormmJ9fZbQyf7q7CHo6By55QIT+0l+0= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= -github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= -github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= 
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= +github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= -github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= -github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 h1:sGm2vDRFUrQJO/Veii4h4zG2vvqG6uWNkBHSTqXOZk0= -github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2/go.mod h1:wd1YpapPLivG6nQgbf7ZkG1hhSOXDhhn4MLTknx2aAc= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 h1:pRhl55Yx1eC7BZ1N+BBWwnKaMyD8uC+34TLdndZMAKk= +github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0/go.mod h1:XKMd7iuf/RGPSMJ/U4HP0zS2Z9Fh8Ps9a+6X26m/tmI= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod 
h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -488,33 +514,27 @@ github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuD github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-cty v1.5.0 h1:EkQ/v+dDNUqnuVpmS5fPqyY71NXVgT5gf32+57xY8g0= -github.com/hashicorp/go-cty v1.5.0/go.mod h1:lFUCG5kd8exDobgSfyj4ONE/dc822kiYMguVKdHGMLM= +github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 h1:1/D3zfFHttUKaCaGKZ/dR2roBXv0vKbSCnssIldfQdI= +github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320/go.mod h1:EiZBMaudVLy8fmjf9Npq1dq9RalhveqZG5w/yz3mHWs= github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.18 h1:DLfC677GfKEpSAFpEWvl1vXsGpEcSHmbhBaPLrdDQHc= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.18/go.mod h1:t/eaR/mi2mw3klfl1WEAuiLKrlZ/Q8cosmsT+RIPLu0= -github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.11 h1:J9zGa9SlcOHT3SQTj0Vv3shHo0anWbs58weURGCgChI= -github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.11/go.mod h1:iAOCu7/lG5eugg8+k7NVvQt0IpWT8s2Q9wnMtC/guM4= -github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.14 h1:oK4OQ5EPbx/66dAvitksV+OdrQ86SZEj3B6VSZrbdEY= -github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.14/go.mod h1:fWxrv9YkAMqtsISde5mcutoMvuiH4kyg1AlDzzmqRh8= -github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.13 h1:NGBZnF+yPRZ3gjFl69Y2m58/U0iyB2oH9HaznL9tekA= -github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.13/go.mod h1:4Xb+6d8VPeDcUNuh4toPqJlDpkajeJyIQeg36TtWhKw= 
+github.com/hashicorp/go-kms-wrapping/v2 v2.0.16 h1:WZeXfD26QMWYC35at25KgE021SF9L3u9UMHK8fJAdV0= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.16/go.mod h1:ZiKZctjRTLEppuRwrttWkp71VYMbTTCkazK4xT7U/NQ= +github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9 h1:qdxeZvDMRGZ3YSE4Oz0Pp7WUSUn5S6cWZguEOkEVL50= +github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9/go.mod h1:DcXbvVpgNWbxGmxgmu3QN64bEydMu14Cpe34RRR30HY= +github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11 h1:/7SKkYIhA8cr3l8m1EKT6Q90bPoSVqqVBuQ6HgoMIkw= +github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11/go.mod h1:LepS5s6ESGE0qQMpYaui5lX+mQYeiYiy06VzwWRioO8= +github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12 h1:PCqWzT/Hii0KL07JsBZ3lJbv/wx02IAHYlhWQq8rxRY= +github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12/go.mod h1:HSaOaX/lv3ShCdilUYbOTPnSvmoZ9xtQhgw+8hYcZkg= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-plugin v1.6.3 h1:xgHB+ZUSYeuJi96WtxEjzi23uh7YQpznjGh0U0UUrwg= -github.com/hashicorp/go-plugin v1.6.3/go.mod h1:MRobyh+Wc/nYy1V4KAXUiYfzxoYhs7V1mlH1Z7iY2h0= +github.com/hashicorp/go-plugin v1.6.2 h1:zdGAEd0V1lCaU0u+MxWQhtSDQmahpkwOun8U8EiRVog= +github.com/hashicorp/go-plugin v1.6.2/go.mod h1:CkgLQ5CZqNmdL9U9JzM532t8ZiYQ35+pj3b1FD37R0Q= github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 h1:W9WN8p6moV1fjKLkeqEgkAMu5rauy9QeYDAmIaPuuiA= github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6/go.mod h1:MpCPSPGLDILGb4JMm94/mMi3YysIqsXzGCzkEZjcjXg= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9 h1:FW0YttEnUNDJ2WL9XcrrfteS1xW8u+sh4ggM8pN5isQ= 
-github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9/go.mod h1:Ll013mhdmsVDuoIXVfBtvgGJsXDYkTw1kooNcoCXuE0= -github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= -github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= -github.com/hashicorp/go-sockaddr v1.0.6 h1:RSG8rKU28VTUTvEKghe5gIhIQpv8evvNpnDEyqO4u9I= -github.com/hashicorp/go-sockaddr v1.0.6/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 
@@ -522,30 +542,30 @@ github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKe github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= -github.com/hashicorp/hc-install v0.9.2 h1:v80EtNX4fCVHqzL9Lg/2xkp62bbvQMnvPQ0G+OmtO24= -github.com/hashicorp/hc-install v0.9.2/go.mod h1:XUqBQNnuT4RsxoxiM9ZaUk0NX8hi2h+Lb6/c0OZnC/I= +github.com/hashicorp/hc-install v0.9.0 h1:2dIk8LcvANwtv3QZLckxcjyF5w8KVtiMxu6G6eLhghE= +github.com/hashicorp/hc-install v0.9.0/go.mod h1:+6vOP+mf3tuGgMApVYtmsnDoKWMDcFXeTxCACYZ8SFg= github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos= github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA= github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= -github.com/hashicorp/terraform-exec v0.23.0 h1:MUiBM1s0CNlRFsCLJuM5wXZrzA3MnPYEsiXmzATMW/I= -github.com/hashicorp/terraform-exec v0.23.0/go.mod h1:mA+qnx1R8eePycfwKkCRk3Wy65mwInvlpAeOwmA7vlY= -github.com/hashicorp/terraform-json v0.25.0 h1:rmNqc/CIfcWawGiwXmRuiXJKEiJu1ntGoxseG1hLhoQ= -github.com/hashicorp/terraform-json v0.25.0/go.mod h1:sMKS8fiRDX4rVlR6EJUMudg1WcanxCMoWwTLkgZP/vc= -github.com/hashicorp/terraform-plugin-framework v1.15.0 h1:LQ2rsOfmDLxcn5EeIwdXFtr03FVsNktbbBci8cOKdb4= -github.com/hashicorp/terraform-plugin-framework v1.15.0/go.mod h1:hxrNI/GY32KPISpWqlCoTLM9JZsGH3CyYlir09bD/fI= -github.com/hashicorp/terraform-plugin-framework-validators v0.18.0 h1:OQnlOt98ua//rCw+QhBbSqfW3QbwtVrcdWeQN5gI3Hw= -github.com/hashicorp/terraform-plugin-framework-validators v0.18.0/go.mod h1:lZvZvagw5hsJwuY7mAY6KUz45/U6fiDR0CzQAwWD0CA= -github.com/hashicorp/terraform-plugin-go v0.27.0 
h1:ujykws/fWIdsi6oTUT5Or4ukvEan4aN9lY+LOxVP8EE= -github.com/hashicorp/terraform-plugin-go v0.27.0/go.mod h1:FDa2Bb3uumkTGSkTFpWSOwWJDwA7bf3vdP3ltLDTH6o= +github.com/hashicorp/terraform-exec v0.21.0 h1:uNkLAe95ey5Uux6KJdua6+cv8asgILFVWkd/RG0D2XQ= +github.com/hashicorp/terraform-exec v0.21.0/go.mod h1:1PPeMYou+KDUSSeRE9szMZ/oHf4fYUmB923Wzbq1ICg= +github.com/hashicorp/terraform-json v0.23.0 h1:sniCkExU4iKtTADReHzACkk8fnpQXrdD2xoR+lppBkI= +github.com/hashicorp/terraform-json v0.23.0/go.mod h1:MHdXbBAbSg0GvzuWazEGKAn/cyNfIB7mN6y7KJN6y2c= +github.com/hashicorp/terraform-plugin-framework v1.13.0 h1:8OTG4+oZUfKgnfTdPTJwZ532Bh2BobF4H+yBiYJ/scw= +github.com/hashicorp/terraform-plugin-framework v1.13.0/go.mod h1:j64rwMGpgM3NYXTKuxrCnyubQb/4VKldEKlcG8cvmjU= +github.com/hashicorp/terraform-plugin-framework-validators v0.15.0 h1:RXMmu7JgpFjnI1a5QjMCBb11usrW2OtAG+iOTIj5c9Y= +github.com/hashicorp/terraform-plugin-framework-validators v0.15.0/go.mod h1:Bh89/hNmqsEWug4/XWKYBwtnw3tbz5BAy1L1OgvbIaY= +github.com/hashicorp/terraform-plugin-go v0.25.0 h1:oi13cx7xXA6QciMcpcFi/rwA974rdTxjqEhXJjbAyks= +github.com/hashicorp/terraform-plugin-go v0.25.0/go.mod h1:+SYagMYadJP86Kvn+TGeV+ofr/R3g4/If0O5sO96MVw= github.com/hashicorp/terraform-plugin-log v0.9.0 h1:i7hOA+vdAItN1/7UrfBqBwvYPQ9TFvymaRGZED3FCV0= github.com/hashicorp/terraform-plugin-log v0.9.0/go.mod h1:rKL8egZQ/eXSyDqzLUuwUYLVdlYeamldAHSxjUFADow= -github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0 h1:NFPMacTrY/IdcIcnUB+7hsore1ZaRWU9cnB6jFoBnIM= -github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0/go.mod h1:QYmYnLfsosrxjCnGY1p9c7Zj6n9thnEE+7RObeYs3fA= -github.com/hashicorp/terraform-plugin-testing v1.13.0 h1:vTELm6x3Z4H9VO3fbz71wbJhbs/5dr5DXfIwi3GMmPY= -github.com/hashicorp/terraform-plugin-testing v1.13.0/go.mod h1:b/hl6YZLm9fjeud/3goqh/gdqhZXbRfbHMkEiY9dZwc= -github.com/hashicorp/terraform-registry-address v0.2.5 h1:2GTftHqmUhVOeuu9CW3kwDkRe4pcBDq0uuK5VJngU1M= -github.com/hashicorp/terraform-registry-address v0.2.5/go.mod 
h1:PpzXWINwB5kuVS5CA7m1+eO2f1jKb5ZDIxrOPfpnGkg= +github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0 h1:wyKCCtn6pBBL46c1uIIBNUOWlNfYXfXpVo16iDyLp8Y= +github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0/go.mod h1:B0Al8NyYVr8Mp/KLwssKXG1RqnTk7FySqSn4fRuLNgw= +github.com/hashicorp/terraform-plugin-testing v1.11.0 h1:MeDT5W3YHbONJt2aPQyaBsgQeAIckwPX41EUHXEn29A= +github.com/hashicorp/terraform-plugin-testing v1.11.0/go.mod h1:WNAHQ3DcgV/0J+B15WTE6hDvxcUdkPPpnB1FR3M910U= +github.com/hashicorp/terraform-registry-address v0.2.3 h1:2TAiKJ1A3MAkZlH1YI/aTVcLZRu7JseiXNRHbOAyoTI= +github.com/hashicorp/terraform-registry-address v0.2.3/go.mod h1:lFHA76T8jfQteVfT7caREqguFrW3c4MFSPhZB7HHgUM= github.com/hashicorp/terraform-svchost v0.1.1 h1:EZZimZ1GxdqFRinZ1tpJwVxxt49xc/S52uzrw4x0jKQ= github.com/hashicorp/terraform-svchost v0.1.1/go.mod h1:mNsjQfZyf/Jhz35v6/0LWcv26+X7JPS+buii2c9/ctc= github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE= @@ -556,6 +576,8 @@ github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= 
@@ -582,12 +604,12 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= -github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU= -github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k= +github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs= +github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= -github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= +github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= +github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 
@@ -614,25 +636,25 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhn github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffktY= github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc= -github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= -github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= -github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= -github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.20 
h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= -github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM= -github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4= github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY= 
@@ -654,14 +676,10 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= -github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU= -github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= -github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= -github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs= -github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= -github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= -github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= -github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko= +github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8= +github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= +github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g= +github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= 
@@ -686,111 +704,109 @@ github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/olareg/olareg v0.1.2 h1:75G8X6E9FUlzL/CSjgFcYfMgNzlc7CxULpUUNsZBIvI= -github.com/olareg/olareg v0.1.2/go.mod h1:TWs+N6pO1S4bdB6eerzUm/ITRQ6kw91mVf9ZYeGtw+Y= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= +github.com/olareg/olareg v0.1.1 h1:Ui7q93zjcoF+U9U71sgqgZWByDoZOpqHitUXEu2xV+g= +github.com/olareg/olareg v0.1.1/go.mod h1:w8NP4SWrHHtxsFaUiv1lnCnYPm4sN1seCd2h7FK/dc0= +github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg= +github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= +github.com/onsi/gomega v1.36.0 h1:Pb12RlruUtj4XUuPUqeEWc6j5DkVVVA49Uf6YLfC95Y= +github.com/onsi/gomega v1.36.0/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= -github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/runc v1.1.13 
h1:98S2srgG9vw0zWcDpFMn5TRrh8kLxa/5OFUstuUhmRs= +github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA= +github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk= +github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= -github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4= -github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A= +github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= +github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/planetscale/vtprotobuf v0.6.1-0.20241121165744-79df5c4772f2 h1:1sLMdKq4gNANTj0dUibycTLzpIEKVnLnbaEkxws78nw= -github.com/planetscale/vtprotobuf v0.6.1-0.20241121165744-79df5c4772f2/go.mod 
h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY= github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg= -github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= -github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= -github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= +github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod 
h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io= -github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= -github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI= -github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw= -github.com/regclient/regclient v0.8.3 h1:AFAPu/vmOYGyY22AIgzdBUKbzH+83lEpRioRYJ/reCs= -github.com/regclient/regclient v0.8.3/go.mod h1:gjQh5uBVZoo/CngchghtQh9Hx81HOMKRRDd5WPcPkbk= +github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E= +github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw= +github.com/regclient/regclient v0.7.2 h1:vcldDAwBMLtighYVMeb6qNt5+0hKg3AN2IkCc0JIJNM= +github.com/regclient/regclient v0.7.2/go.mod h1:QlA7W9/pvmbblOXM4d49JgfuOTwVXcUMKt3bFuOSVIQ= github.com/rivo/uniseg 
v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= -github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= -github.com/rubenv/sql-migrate v1.7.1 h1:f/o0WgfO/GqNuVg+6801K/KW3WdDSupzSjDYODmiUq4= -github.com/rubenv/sql-migrate v1.7.1/go.mod h1:Ob2Psprc0/3ggbM6wCzyYVFFuc6FyZrb2AS+ezLDFb4= +github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= +github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= +github.com/rubenv/sql-migrate v1.7.0 h1:HtQq1xyTN2ISmQDggnh0c9U3JlP8apWh8YO2jzlXpTI= +github.com/rubenv/sql-migrate v1.7.0/go.mod h1:S4wtDEG1CKn+0ShpTtzWhFpHHI5PvCUtiGI+C+Z2THE= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= -github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/samber/lo v1.49.1 h1:4BIFyVfuQSEpluc7Fua+j1NolZHiEHEpaSEKdsH0tew= -github.com/samber/lo v1.49.1/go.mod h1:dO6KHFzUKXgP8LDhU0oI8d2hekjXnGOu0DB8Jecxd6o= -github.com/samber/slog-multi v1.4.0 h1:pwlPMIE7PrbTHQyKWDU+RIoxP1+HKTNOujk3/kdkbdg= -github.com/samber/slog-multi v1.4.0/go.mod h1:FsQ4Uv2L+E/8TZt+/BVgYZ1LoDWCbfCU21wVIoMMrO8= +github.com/samber/lo v1.47.0 h1:z7RynLwP5nbyRscyvcD043DWYoOcYRv3mV8lBeqOCLc= +github.com/samber/lo v1.47.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU= +github.com/samber/slog-multi v1.2.4 h1:k9x3JAWKJFPKffx+oXZ8TasaNuorIW4tG+TXxkt6Ry4= 
+github.com/samber/slog-multi v1.2.4/go.mod h1:ACuZ5B6heK57TfMVkVknN2UZHoFfjCwRxR0Q2OXKHlo= github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A= github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk= github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4= github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k= -github.com/schollz/progressbar/v3 v3.18.0 h1:uXdoHABRFmNIjUfte/Ex7WtuyVslrw2wVPQmCN62HpA= -github.com/schollz/progressbar/v3 v3.18.0/go.mod h1:IsO3lpbaGuzh8zIMzgY3+J8l4C8GjO0Y9S69eFvNsec= -github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc= -github.com/secure-systems-lab/go-securesystemslib v0.9.0/go.mod h1:DVHKMcZ+V4/woA/peqr+L0joiRXbPpQ042GgJckkFgw= +github.com/schollz/progressbar/v3 v3.17.1 h1:bI1MTaoQO+v5kzklBjYNRQLoVpe0zbyRZNK6DFkVC5U= +github.com/schollz/progressbar/v3 v3.17.1/go.mod h1:RzqpnsPQNjUyIgdglUjRLgD7sVnxN1wpmBMV+UiEbL4= +github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA= +github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8= github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= -github.com/siderolabs/talos/pkg/machinery v1.10.2 h1:i9aNYmFSpiSOVM7dlAL5iNMYnFG19087x2QLJ0MbTEE= -github.com/siderolabs/talos/pkg/machinery v1.10.2/go.mod h1:MVJs1hsKm7N2GkQVeByjoDoLJmU/VhQO0cLJRZPxlZk= -github.com/sigstore/protobuf-specs v0.4.1 h1:5SsMqZbdkcO/DNHudaxuCUEjj6x29tS2Xby1BxGU7Zc= 
-github.com/sigstore/protobuf-specs v0.4.1/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= -github.com/sigstore/rekor v1.3.10 h1:/mSvRo4MZ/59ECIlARhyykAlQlkmeAQpvBPlmJtZOCU= -github.com/sigstore/rekor v1.3.10/go.mod h1:JvryKJ40O0XA48MdzYUPu0y4fyvqt0C4iSY7ri9iu3A= -github.com/sigstore/sigstore v1.9.4 h1:64+OGed80+A4mRlNzRd055vFcgBeDghjZw24rPLZgDU= -github.com/sigstore/sigstore v1.9.4/go.mod h1:Q7tGTC3gbtK7c3jcxEmGc2MmK4rRpIRzi3bxRFWKvEY= +github.com/siderolabs/talos/pkg/machinery v1.8.3 h1:raK1oLzSMpwpy/AqkeFyBYkJS+QuOnlRMznVl/rZ25k= +github.com/siderolabs/talos/pkg/machinery v1.8.3/go.mod h1:cNR2TELu2T9AzYOHAoNr/7ZS3ZVDLzM/KnuOr4XW4s4= +github.com/sigstore/rekor v1.3.7 h1:Z5UW5TmqbTZnyOFkMRfi32q/CWcxK6VuzIkx+33mbq8= +github.com/sigstore/rekor v1.3.7/go.mod h1:TihqJscZ6L6398x68EHY82t0AOnGYfrQ0siXe3WgbR4= +github.com/sigstore/sigstore v1.8.10 h1:r4t+TYzJlG9JdFxMy+um9GZhZ2N1hBTyTex0AHEZxFs= +github.com/sigstore/sigstore v1.8.10/go.mod h1:BekjqxS5ZtHNJC4u3Q3Stvfx2eyisbW/lUZzmPU2u4A= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8= -github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY= -github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA= -github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo= +github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A= +github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo= +github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= +github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= github.com/spf13/cast v1.7.0 
h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= -github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= -github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= -github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= -github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE= -github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 
@@ -800,18 +816,18 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/tink-crypto/tink-go/v2 v2.4.0 h1:8VPZeZI4EeZ8P/vB6SIkhlStrJfivTJn+cQ4dtyHNh0=
-github.com/tink-crypto/tink-go/v2 v2.4.0/go.mod h1:l//evrF2Y3MjdbpNDNGnKgCpo5zSmvUvnQ4MU+yE2sw=
+github.com/tink-crypto/tink-go/v2 v2.2.0 h1:L2Da0F2Udh2agtKztdr69mV/KpnY3/lGTkMgLTVIXlA=
+github.com/tink-crypto/tink-go/v2 v2.2.0/go.mod h1:JJ6PomeNPF3cJpfWC0lgyTES6zpJILkAX0cJNwlS3xU=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= 
@@ -853,52 +869,48 @@ github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
 github.com/zalando/go-keyring v0.2.3 h1:v9CUu9phlABObO4LPWycf+zwMG7nlbb3t/B5wa97yms=
 github.com/zalando/go-keyring v0.2.3/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk=
-github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70=
-github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
+github.com/zclconf/go-cty v1.15.0 h1:tTCRWxsexYUmtt/wVxgDClUe+uQusuI443uL6e+5sXQ=
+github.com/zclconf/go-cty v1.15.0/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
-github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
-github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/etcd/api/v3 v3.6.0 h1:vdbkcUBGLf1vfopoGE/uS3Nv0KPyIpUV/HM6w9yx2kM=
-go.etcd.io/etcd/api/v3 v3.6.0/go.mod h1:Wt5yZqEmxgTNJGHob7mTVBJDZNXiHPtXTcPab37iFOw=
-go.etcd.io/etcd/client/pkg/v3 v3.6.0 h1:nchnPqpuxvv3UuGGHaz0DQKYi5EIW5wOYsgUNRc365k=
-go.etcd.io/etcd/client/pkg/v3 v3.6.0/go.mod h1:Jv5SFWMnGvIBn8o3OaBq/PnT0jjsX8iNokAUessNjoA=
-go.etcd.io/etcd/client/v3 v3.6.0 h1:/yjKzD+HW5v/3DVj9tpwFxzNbu8hjcKID183ug9duWk=
-go.etcd.io/etcd/client/v3 v3.6.0/go.mod h1:Jzk/Knqe06pkOZPHXsQ0+vNDvMQrgIqJ0W8DwPdMJMg=
+go.etcd.io/etcd/api/v3 v3.5.17 h1:cQB8eb8bxwuxOilBpMJAEo8fAONyrdXTHUNcMd8yT1w=
+go.etcd.io/etcd/api/v3 v3.5.17/go.mod h1:d1hvkRuXkts6PmaYk2Vrgqbv7H4ADfAKhyJqHNLJCB4=
+go.etcd.io/etcd/client/pkg/v3 v3.5.17 h1:XxnDXAWq2pnxqx76ljWwiQ9jylbpC4rvkAeRVOUKKVw=
+go.etcd.io/etcd/client/pkg/v3 v3.5.17/go.mod h1:4DqK1TKacp/86nJk4FLQqo6Mn2vvQFBmruW3pP14H/w=
+go.etcd.io/etcd/client/v3 v3.5.17 h1:o48sINNeWz5+pjy/Z0+HKpj/xSnBkuVhVvXkjEXbqZY=
+go.etcd.io/etcd/client/v3 v3.5.17/go.mod h1:j2d4eXTHWkT2ClBgnnEPm/Wuu7jsqku41v9DZ3OtjQo=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 h1:A/5uWzF44DlIgdm/PQFwfMkW0JX+cIcQi/SwLAmZP5M=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/detectors/gcp v1.35.0 h1:bGvFt68+KTiAKFlacHW6AhA56GF2rS0bdD3aJYEnmzA=
-go.opentelemetry.io/contrib/detectors/gcp v1.35.0/go.mod h1:qGWP8/+ILwMRIUf9uIVLloR1uo5ZYAslM4O6OqUi1DA=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 h1:wpMfgF8E1rkrT1Z6meFh1NDtownE9Ii3n3X2GJYjsaU=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0/go.mod h1:wAy0T/dUbs468uOlkT31xjvqQgEVXv58BRFWEgn5v/0=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0 h1:PB3Zrjs1sG1GBX51SXyTSoOTqcDglmsk7nT6tkKPb/k=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0/go.mod h1:U2R3XyVPzn0WX7wOIypPuptulsMcPDPs/oiSVOMVnHY=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
-go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
-go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg=
-go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
+go.opentelemetry.io/contrib/detectors/gcp v1.29.0 h1:TiaiXB4DpGD3sdzNlYQxruQngn5Apwzi1X0DRhuGvDQ=
+go.opentelemetry.io/contrib/detectors/gcp v1.29.0/go.mod h1:GW2aWZNwR2ZxDLdv8OyC2G8zkRoQBuURgV7RPQgcPoU=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 h1:r6I7RJCN86bpD/FQwedZ0vSixDpwuWREjW9oRMsmqDc=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0/go.mod h1:B9yO6b04uB80CzjedvewuqDhxJxi11s7/GtiGa8bAjI=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
+go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
+go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I=
+go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
+go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
+go.opentelemetry.io/otel/sdk v1.29.0 h1:vkqKjk7gwhS8VaWb0POZKmIEDimRCMsopNYnriHyryo=
+go.opentelemetry.io/otel/sdk v1.29.0/go.mod h1:pM8Dx5WKnvxLCb+8lG1PRNIDxu9g9b9g59Qr7hfAAok=
+go.opentelemetry.io/otel/sdk/metric v1.29.0 h1:K2CfmJohnRgvZ9UAj2/FhIf/okdWcNdBwe1m8xFXiSY=
+go.opentelemetry.io/otel/sdk/metric v1.29.0/go.mod h1:6zZLdCl2fkauYoZIOn/soQIDSWFmNSRcICarHfuhNJQ=
+go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
+go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY=
+go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -913,32 +925,42 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
-golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 h1:y5zboxd6LQAqYIhHnB48p0ByQ/GnQx2BE33L8BOHQkI=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f h1:XdNn9LlyWAhLVp6P/i8QYBW+hlyhrhei9uErw2B5GJo=
+golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:D5SMRVC3C2/4+F/DB1wZsLRnSNimn2Sp/NPsCrsv8ak=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
+golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -947,8 +969,9 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -971,21 +994,24 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
-golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
+golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -993,41 +1019,65 @@ golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
-golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
+golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o=
+golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/api v0.233.0 h1:iGZfjXAJiUFSSaekVB7LzXl6tRfEKhUN7FkZN++07tI=
-google.golang.org/api v0.233.0/go.mod h1:TCIVLLlcwunlMpZIhIp7Ltk77W+vUSdUKAAIlbxY44c=
+google.golang.org/api v0.209.0 h1:Ja2OXNlyRlWCWu8o+GgI4yUn/wz9h/5ZfFbKz+dQX+w=
+google.golang.org/api v0.209.0/go.mod h1:I53S168Yr/PNDNMi5yPnDc0/LGRZO6o7PoEbl/HY3CM=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
-google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 h1:1tXaIXCracvtsRxSBsYDiSBN0cuJvM7QYW+MrpIRY78=
-google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:49MsLSx0oWMOZqcpB3uL8ZOkAh1+TndpJ8ONoCBWiZk=
-google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 h1:vPV0tzlsK6EzEDHNNH5sa7Hs9bd7iXR7B1tSiPepkV0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:pKLAc5OolXC3ViWGI62vvC0n10CpwAtRcTNCFwTKBEw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250505200425-f936aa4a68b2 h1:IqsN8hx+lWLqlN+Sc3DoMy/watjofWiU8sRFgQ8fhKM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f h1:zDoHYmMzMacIdjNe+P2XiTmPsLawi/pCbSPfxt6lTfw=
+google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f/go.mod h1:Q5m6g8b5KaFFzsQFIGdJkSJDGeJiybVenoYFMMa3ohI=
+google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g=
+google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f h1:C1QccEa9kUwvMgEUORqQD9S17QesQijxjZ84sO82mfo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
+google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
+google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a h1:UIpYSuWdWHSzjwcAFRLjKcPXFZVVLXGEM23W+NWqipw=
+google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a/go.mod h1:9i1T9n4ZinTUZGgzENMi8MDDgbGC5mqTS75JAv6xN3A=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io=
+google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1050,55 +1100,54 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= -helm.sh/helm/v3 v3.17.3 h1:3n5rW3D0ArjFl0p4/oWO8IbY/HKaNNwJtOQFdH2AZHg= -helm.sh/helm/v3 v3.17.3/go.mod h1:+uJKMH/UiMzZQOALR3XUf3BLIoczI2RKKD6bMhPh4G8= -k8s.io/api v0.33.1 h1:tA6Cf3bHnLIrUK4IqEgb2v++/GYUtqiu9sRVk3iBXyw= -k8s.io/api v0.33.1/go.mod h1:87esjTn9DRSRTD4fWMXamiXxJhpOIREjWOSjsW1kEHw= -k8s.io/apiextensions-apiserver v0.33.1 h1:N7ccbSlRN6I2QBcXevB73PixX2dQNIW0ZRuguEE91zI= -k8s.io/apiextensions-apiserver v0.33.1/go.mod h1:uNQ52z1A1Gu75QSa+pFK5bcXc4hq7lpOXbweZgi4dqA= -k8s.io/apimachinery v0.33.1 h1:mzqXWV8tW9Rw4VeW9rEkqvnxj59k1ezDUl20tFK/oM4= -k8s.io/apimachinery v0.33.1/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= -k8s.io/apiserver v0.33.1 h1:yLgLUPDVC6tHbNcw5uE9mo1T6ELhJj7B0geifra3Qdo= -k8s.io/apiserver v0.33.1/go.mod h1:VMbE4ArWYLO01omz+k8hFjAdYfc3GVAYPrhP2tTKccs= -k8s.io/cli-runtime v0.32.2 h1:aKQR4foh9qeyckKRkNXUccP9moxzffyndZAvr+IXMks= -k8s.io/cli-runtime v0.32.2/go.mod h1:a/JpeMztz3xDa7GCyyShcwe55p8pbcCVQxvqZnIwXN8= -k8s.io/client-go v0.33.1 h1:ZZV/Ks2g92cyxWkRRnfUDsnhNn28eFpt26aGc8KbXF4= -k8s.io/client-go v0.33.1/go.mod h1:JAsUrl1ArO7uRVFWfcj6kOomSlCv+JpvIsp6usAGefA= -k8s.io/cluster-bootstrap v0.33.1 h1:esGY+qXFJ78myppBzMVqqj37ReGLOJpQNslRiqmQGes= -k8s.io/cluster-bootstrap v0.33.1/go.mod h1:YA4FsgPShsVoP84DkBJEkCKDgsH4PpgTa0NzNBf6y4I= -k8s.io/component-base v0.33.1 h1:EoJ0xA+wr77T+G8p6T3l4efT2oNwbqBVKR71E0tBIaI= -k8s.io/component-base v0.33.1/go.mod h1:guT/w/6piyPfTgq7gfvgetyXMIh10zuXA6cRRm3rDuY= +helm.sh/helm/v3 v3.16.3 h1:kb8bSxMeRJ+knsK/ovvlaVPfdis0X3/ZhYCSFRP+YmY= +helm.sh/helm/v3 v3.16.3/go.mod h1:zeVWGDR4JJgiRbT3AnNsjYaX8OTJlIE9zC+Q7F7iUSU= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8= +k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE= +k8s.io/apiextensions-apiserver v0.31.3 h1:+GFGj2qFiU7rGCsA5o+p/rul1OQIq6oYpQw4+u+nciE= +k8s.io/apiextensions-apiserver v0.31.3/go.mod h1:2DSpFhUZZJmn/cr/RweH1cEVVbzFw9YBu4T+U3mf1e4= +k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4= +k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.3 h1:+1oHTtCB+OheqFEz375D0IlzHZ5VeQKX1KGXnx+TTuY= +k8s.io/apiserver v0.31.3/go.mod h1:PrxVbebxrxQPFhJk4powDISIROkNMKHibTg9lTRQ0Qg= +k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= +k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= +k8s.io/client-go v0.31.3 h1:CAlZuM+PH2cm+86LOBemaJI/lQ5linJ6UFxKX/SoG+4= +k8s.io/client-go v0.31.3/go.mod h1:2CgjPUTpv3fE5dNygAr2NcM8nhHzXvxB8KL5gYc3kJs= +k8s.io/cluster-bootstrap v0.31.3 h1:O1Yxk1bLaxZvmQCXLaJjj5iJD+lVMfJdRUuKgbUHPlA= +k8s.io/cluster-bootstrap v0.31.3/go.mod h1:TI6TCsQQB4FfcryWgNO3SLXSKWBqHjx4DfyqSFwixj8= +k8s.io/component-base v0.31.3 h1:DMCXXVx546Rfvhj+3cOm2EUxhS+EyztH423j+8sOwhQ= +k8s.io/component-base v0.31.3/go.mod h1:xME6BHfUOafRgT0rGVBGl7TuSg8Z9/deT7qq6w7qjIU= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= -k8s.io/kubectl v0.32.2 h1:TAkag6+XfSBgkqK9I7ZvwtF0WVtUAvK8ZqTt+5zi1Us= -k8s.io/kubectl v0.32.2/go.mod h1:+h/NQFSPxiDZYX/WZaWw9fwYezGLISP0ud8nQKg+3g8= -k8s.io/kubelet v0.33.1 
h1:x4LCw1/iZVWOKA4RoITnuB8gMHnw31HPB3S0EF0EexE= -k8s.io/kubelet v0.33.1/go.mod h1:8WpdC9M95VmsqIdGSQrajXooTfT5otEj8pGWOm+KKfQ= -k8s.io/kubernetes v1.33.1 h1:86+VVY/f11taZdpEZrNciLw1MIQhu6BFXf/OMFn5EUg= -k8s.io/kubernetes v1.33.1/go.mod h1:2nWuPk0seE4+6sd0x60wQ6rYEXcV7SoeMbU0YbFm/5k= -k8s.io/mount-utils v0.33.1 h1:hodPhfyoK+gG0SgnYwx1iPrlnpaESZiJ9GFzF5V/imE= -k8s.io/mount-utils v0.33.1/go.mod h1:1JR4rKymg8B8bCPo618hpSAdrpO6XLh0Acqok/xVwPE= -k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 h1:jgJW5IePPXLGB8e/1wvd0Ich9QE97RvvF3a8J3fP/Lg= -k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -libvirt.org/go/libvirt v1.11002.0 h1:cb8KJG3D97pc/hxQ2n6P82hRX3rlgdzO7bih6W1AAQ8= -libvirt.org/go/libvirt v1.11002.0/go.mod h1:1WiFE8EjZfq+FCVog+rvr1yatKbKZ9FaFMZgEqxEJqQ= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= +k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24= +k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM= +k8s.io/kubelet v0.31.3 h1:DIXRAmvVGp42mV2vpA1GCLU6oO8who0/vp3Oq6kSpbI= +k8s.io/kubelet v0.31.3/go.mod h1:KSdbEfNy5VzqUlAHlytA/fH12s+sE1u8fb/8JY9sL/8= +k8s.io/kubernetes v1.31.3 h1:oqb7HdfnTelrGlZ6ziNugvQ/L/aJWR704114EAhUn9Q= +k8s.io/kubernetes v1.31.3/go.mod h1:9xmT2buyTYj8TRKwRae7FcuY8k5+xlxv7VivvO0KKfs= +k8s.io/mount-utils v0.31.3 h1:CANy3prUYvvDCc2X7ZKgpjpDhAidx4gjGh/WwDrCPq8= +k8s.io/mount-utils v0.31.3/go.mod h1:HV/VYBUGqYUj4vt82YltzpWvgv8FPg0G9ItyInT3NPU= +k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078 h1:jGnCPejIetjiy2gqaJ5V0NLwTpF4wbQ6cZIItJCSHno= +k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +libvirt.org/go/libvirt v1.10009.0 h1:Lf3jktPJwrOF/lIb6fZN/TNUPhNVyS70wAk8lI2dGj8= +libvirt.org/go/libvirt v1.10009.0/go.mod 
h1:1WiFE8EjZfq+FCVog+rvr1yatKbKZ9FaFMZgEqxEJqQ= oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo= oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo= -sigs.k8s.io/controller-runtime v0.20.4 h1:X3c+Odnxz+iPTRobG4tp092+CvBU9UK0t/bRf+n0DGU= -sigs.k8s.io/controller-runtime v0.20.4/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY= -sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= -sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= -sigs.k8s.io/kustomize/api v0.19.0 h1:F+2HB2mU1MSiR9Hp1NEgoU2q9ItNOaBJl0I4Dlus5SQ= -sigs.k8s.io/kustomize/api v0.19.0/go.mod h1:/BbwnivGVcBh1r+8m3tH1VNxJmHSk1PzP5fkP6lbL1o= -sigs.k8s.io/kustomize/kyaml v0.19.0 h1:RFge5qsO1uHhwJsu3ipV7RNolC7Uozc0jUBC/61XSlA= -sigs.k8s.io/kustomize/kyaml v0.19.0/go.mod h1:FeKD5jEOH+FbZPpqUghBP8mrLjJ3+zD3/rf9NNu1cwY= -sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= -sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc= -sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= +sigs.k8s.io/controller-runtime v0.19.2 h1:3sPrF58XQEPzbE8T81TN6selQIMGbtYwuaJ6eDssDF8= +sigs.k8s.io/controller-runtime v0.19.2/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= +sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= 
+sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= +sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k= diff --git a/go.work b/go.work index c137fb60c..0cf42a018 100644 --- a/go.work +++ b/go.work @@ -1,6 +1,6 @@ -go 1.24.2 +go 1.23.2 -toolchain go1.24.2 +toolchain go1.23.2 use ( . diff --git a/hack/bazel-deps-mirror/internal/mirror/mirror_test.go b/hack/bazel-deps-mirror/internal/mirror/mirror_test.go index d6cb7b91d..541c1fa52 100644 --- a/hack/bazel-deps-mirror/internal/mirror/mirror_test.go +++ b/hack/bazel-deps-mirror/internal/mirror/mirror_test.go @@ -137,7 +137,7 @@ func TestMirror(t *testing.T) { unauthenticated: tc.unauthenticated, log: logger.NewTest(t), } - err := m.Mirror(t.Context(), tc.hash, []string{tc.upstreamURL}) + err := m.Mirror(context.Background(), tc.hash, []string{tc.upstreamURL}) if tc.wantErr { assert.Error(t, err) } else { @@ -180,7 +180,7 @@ func TestLearn(t *testing.T) { }, log: logger.NewTest(t), } - gotHash, err := m.Learn(t.Context(), []string{"https://example.com/foo"}) + gotHash, err := m.Learn(context.Background(), []string{"https://example.com/foo"}) if tc.wantErr { assert.Error(err) return @@ -274,7 +274,7 @@ func TestCheck(t *testing.T) { }, log: logger.NewTest(t), } - err := m.Check(t.Context(), tc.hash) + err := m.Check(context.Background(), tc.hash) if tc.wantErr { assert.Error(t, err) } else { diff --git a/hack/cli-k8s-compatibility/main.go b/hack/cli-k8s-compatibility/main.go index af5e6ca97..5361fcdf4 100644 
--- a/hack/cli-k8s-compatibility/main.go
+++ b/hack/cli-k8s-compatibility/main.go
@@ -45,7 +45,7 @@ func main() {
 }
 cliInfo := versionsapi.CLIInfo{
- Ref: versionsapi.CanonicalizeRef(*refFlag),
+ Ref: *refFlag,
 Stream: *streamFlag,
 Version: *versionFlag,
 Kubernetes: []string{},
diff --git a/hack/qemu-metadata-api/server/server_test.go b/hack/qemu-metadata-api/server/server_test.go
index 376af51fc..363cb3ed2 100644
--- a/hack/qemu-metadata-api/server/server_test.go
+++ b/hack/qemu-metadata-api/server/server_test.go
@@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 package server
 import (
+ "context"
 "encoding/json"
 "io"
 "net/http"
@@ -126,7 +127,7 @@ func TestListSelf(t *testing.T) {
 server := New(logger.NewTest(t), "test", "initSecretHash", tc.stubLeaseGetter)
- req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "http://192.0.0.1/self", nil)
+ req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://192.0.0.1/self", nil)
 require.NoError(err)
 req.RemoteAddr = tc.remoteAddr
@@ -186,7 +187,7 @@ func TestListPeers(t *testing.T) {
 server := New(logger.NewTest(t), "test", "initSecretHash", tc.stubNetworkGetter)
- req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "http://192.0.0.1/peers", nil)
+ req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://192.0.0.1/peers", nil)
 require.NoError(err)
 req.RemoteAddr = tc.remoteAddr
@@ -242,7 +243,7 @@ func TestInitSecretHash(t *testing.T) {
 server := New(logger.NewTest(t), "test", tc.wantHash, defaultConnect)
- req, err := http.NewRequestWithContext(t.Context(), tc.method, "http://192.0.0.1/initsecrethash", nil)
+ req, err := http.NewRequestWithContext(context.Background(), tc.method, "http://192.0.0.1/initsecrethash", nil)
 require.NoError(err)
 w := httptest.NewRecorder()
diff --git a/hack/tools/go.mod b/hack/tools/go.mod
index b74c40781..5674da6b2 100644
--- a/hack/tools/go.mod
+++ b/hack/tools/go.mod
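Review bot: `Ref: *refFlag` now writes the flag value into `versionsapi.CLIInfo` verbatim, whereas the removed line routed it through `versionsapi.CanonicalizeRef`, so whatever normalisation that helper applied to the ref (presumably mapping a branch name to the form the versions API expects) no longer happens here. If nothing downstream canonicalises `Ref` before the struct is published, a ref that is not already canonical would be accepted silently and stored under an unexpected key; if the caller guarantees a canonical ref, say so at the field, e.g. `Ref: *refFlag, // caller passes an already canonical ref`. The enclosing `main` starts outside the hunk.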
@@ -1,13 +1,13 @@
 module github.com/edgelesssys/constellation/v2/hack/tools
-go 1.24.2
+go 1.23.2
 require (
 github.com/google/go-licenses v1.6.0
- github.com/google/keep-sorted v0.6.1
- github.com/katexochen/sh/v3 v3.11.0
- golang.org/x/tools v0.33.0
- golang.org/x/vuln v1.1.4
+ github.com/google/keep-sorted v0.5.1
+ github.com/katexochen/sh/v3 v3.10.0
+ golang.org/x/tools v0.27.0
+ golang.org/x/vuln v1.1.3
 )
 require (
@@ -26,7 +26,7 @@ require (
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/otiai10/copy v1.6.0 // indirect
- github.com/rogpeppe/go-internal v1.14.1 // indirect
+ github.com/rogpeppe/go-internal v1.13.1 // indirect
 github.com/rs/zerolog v1.31.0 // indirect
 github.com/sergi/go-diff v1.3.1 // indirect
 github.com/spf13/cobra v1.8.0 // indirect
@@ -35,14 +35,14 @@ require (
 github.com/stretchr/testify v1.8.4 // indirect
 github.com/xanzy/ssh-agent v0.3.3 // indirect
 go.opencensus.io v0.24.0 // indirect
- golang.org/x/crypto v0.38.0 // indirect
- golang.org/x/mod v0.24.0 // indirect
- golang.org/x/net v0.40.0 // indirect
- golang.org/x/sync v0.14.0 // indirect
- golang.org/x/sys v0.33.0 // indirect
+ golang.org/x/crypto v0.29.0 // indirect
+ golang.org/x/mod v0.22.0 // indirect
+ golang.org/x/net v0.31.0 // indirect
+ golang.org/x/sync v0.9.0 // indirect
+ golang.org/x/sys v0.27.0 // indirect
 golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
- golang.org/x/term v0.32.0 // indirect
- golang.org/x/text v0.25.0 // indirect
+ golang.org/x/term v0.26.0 // indirect
+ golang.org/x/text v0.20.0 // indirect
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 gopkg.in/src-d/go-billy.v4 v4.3.2 // indirect
 gopkg.in/src-d/go-git.v4 v4.13.1 // indirect
diff --git a/hack/tools/go.sum b/hack/tools/go.sum
index c76480175..ca41d9dc5 100644
--- a/hack/tools/go.sum
+++ b/hack/tools/go.sum
@@ -174,14 +174,14 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= -github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-licenses v1.6.0 h1:MM+VCXf0slYkpWO0mECvdYDVCxZXIQNal5wqUIXEZ/A= github.com/google/go-licenses v1.6.0/go.mod h1:Z8jgz2isEhdenOqd/00pq7I4y4k1xVVQJv415otjclo= github.com/google/go-replayers/httpreplay v1.1.1 h1:H91sIMlt1NZzN7R+/ASswyouLJfW0WLW7fhyUFvDEkY= github.com/google/go-replayers/httpreplay v1.1.1/go.mod h1:gN9GeLIs7l6NUoVaSSnv2RiqK1NiwAmD0MrKeC9IIks= -github.com/google/keep-sorted v0.6.1 h1:LNEdDKYxoXOrn4ZXC+FdUfJCVbUjhb2QPIBs5XISXCI= -github.com/google/keep-sorted v0.6.1/go.mod h1:JYy9vljs7P8b3QdPOQkywA+4u36FUHwsNITZIpJyPkE= +github.com/google/keep-sorted v0.5.1 h1:rmIIsosfRa/5cG5nddWRC2Bc3mzZpOEozc9I8Zlnq4I= +github.com/google/keep-sorted v0.5.1/go.mod h1:JYy9vljs7P8b3QdPOQkywA+4u36FUHwsNITZIpJyPkE= github.com/google/licenseclassifier v0.0.0-20210722185704-3043a050f148 h1:TJsAqW6zLRMDTyGmc9TPosfn9OyVlHs8Hrn3pY6ONSY= github.com/google/licenseclassifier v0.0.0-20210722185704-3043a050f148/go.mod h1:rq9F0RSpNKlrefnf6ZYMHKUnEJBCNzf6AcCXMYBeYvE= github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= 
@@ -235,8 +235,8 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/katexochen/sh/v3 v3.11.0 h1:L71eTHDOVv7CKiCJVDm28EmIdIT/s8dXzKgddW9Uxok= -github.com/katexochen/sh/v3 v3.11.0/go.mod h1:Z6jje5FhaLunbZtZlnYi6qcaqMO+rdh8m0IJ2jWTbew= +github.com/katexochen/sh/v3 v3.10.0 h1:Ego1a6oSmdt9WypgalMnbZNmL9CVSxwiX12CFZM981I= +github.com/katexochen/sh/v3 v3.10.0/go.mod h1:edcqgocfPrMX4vdCLGZQgc4T+2Cr6zNN+Adg/w8PLxw= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= 
@@ -276,8 +276,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= -github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= +github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= +github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= github.com/rs/zerolog v1.31.0 h1:FcTR3NnLWW+NnTwwhFWiJSZr4ECLpqCm6QsEnyvbV4A= github.com/rs/zerolog v1.31.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss= 
@@ -341,8 +341,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= -golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= -golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= +golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= +golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -380,8 +380,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU= -golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= +golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= +golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -428,8 +428,8 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= -golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= -golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= +golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= +golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -466,8 +466,8 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= -golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= +golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -538,16 +538,16 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= +golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0= golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= -golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= -golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= +golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -559,8 +559,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= -golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= +golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= +golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -619,10 +619,10 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= -golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc= -golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= -golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I= -golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s= +golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o= +golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q= +golang.org/x/vuln v1.1.3 h1:NPGnvPOTgnjBc9HTaUx+nj+EaUYxl5SJOWqaDYGaFYw= +golang.org/x/vuln v1.1.3/go.mod h1:7Le6Fadm5FOqE9C926BCD0g12NWyhg7cxV4BwcPFuNY= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/image/BUILD.bazel b/image/BUILD.bazel index 772801b0c..681c6f385 100644 --- a/image/BUILD.bazel +++ b/image/BUILD.bazel 
@@ -1,12 +1,16 @@
 load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_files", "strip_prefix")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_files", "strip_prefix")
+
+filegroup(
+ name = "sysroot_tree",
+ srcs = glob(["sysroot-tree/**"]),
+)
 pkg_files(
 name = "sysroot",
- srcs = glob(["sysroot-tree/**"]),
- attributes = pkg_attributes(mode = "0555"),
- strip_prefix = strip_prefix.from_pkg("sysroot-tree"),
+ srcs = [":sysroot_tree"],
+ strip_prefix = strip_prefix.from_pkg() + "sysroot-tree",
 visibility = ["//visibility:public"],
 )
diff --git a/image/README.md b/image/README.md
index c0d8c1975..4316f6cfc 100644
--- a/image/README.md
+++ b/image/README.md
@@ -60,15 +60,3 @@ After building a Kernel rpm, we upload it to our CDN and use it in our image bui
 - `bazel build //image/system:IMAGE_NAME_HERE` (replace with an actual image name)
 - Let CI build new images and run e2e tests
 - Upgrade kernel spec under [edgelesssys/constellation-kernel](https://github.com/edgelesssys/constellation-kernel) to use new releasever
-
-## Adding new packages to the image
-
-- Find the package (i.e. it's _package name_) on [Koji](https://koji.fedoraproject.org/koji/)
-- Add the package to the corresponding section in `./base/mkosi.conf`
- - If the package is required to be present in the initrd, add it to `./initrd/mkosi.conf`
-- Add the package to `./mirror/packages.txt`
-- Update the package mirror:
- ```sh
- bazel run //image/mirror:update_packages
- ```
-- Build new images (e.g. via CI) and run e2e tests
diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
index 9e613d4fd..2928787f1 100644
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
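Review bot: The rewritten `pkg_files(name = "sysroot", …)` no longer carries `attributes = pkg_attributes(mode = "0555")`, so entries from `sysroot-tree` are packed with rules_pkg's default file mode instead of the fixed read-only, executable mode the removed line pinned; any binary or library under the sysroot that must stay executable, or must not be writable in the resulting image, needs that line restored (`attributes = pkg_attributes(mode = "0555"),`) or the mode enforced where `sysroot_tar` is consumed. `strip_prefix.from_pkg() + "sysroot-tree"` looks equivalent to `strip_prefix.from_pkg("sysroot-tree")` (both prepend the package-relative marker), so that line is presumably style only — worth confirming against the rules_pkg version the workspace pins. Taken together with the downgrades in `go.work` and `hack/tools/go.mod`, the older `k8s.io`, `helm.sh` and `golang.org/x/crypto` entries in the go.sum hunks, and the removal of `openssh-server`, its preset line and `create-host-ssh-key.service` in the hunks on the following two lines, this hunk reads as a reverse-applied batch of recent changes rather than a deliberate edit. The description should state that it is a revert, or the branch should be rebased before merge.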
@@ -1,6 +1,5 @@
 load("@aspect_bazel_lib//lib:copy_to_directory.bzl", "copy_to_directory")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_files", "strip_prefix")
 load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
 copy_to_directory(
@@ -34,7 +33,9 @@ copy_to_directory(
 "mkosi.finalize",
 "mkosi.postinst",
 "mkosi.prepare",
- ],
+ ] + glob([
+ "mkosi.skeleton/**",
+ ]),
 outs = [
 kernel_variant,
 kernel_variant + ".tar",
@@ -45,7 +46,6 @@ copy_to_directory(
 kernel_variant + "-rpmdb.sqlite-wal",
 ],
 extra_trees = [
- ":skeleton",
 "//image:sysroot_tar",
 "//image:cryptsetup_closure",
 ],
@@ -86,15 +86,3 @@ pkg_tar(
 tags = ["manual"],
 visibility = ["//visibility:public"],
 )
-
-pkg_files(
- name = "skeleton_files",
- srcs = glob(["mkosi.skeleton/**"]),
- attributes = pkg_attributes(mode = "0555"),
- strip_prefix = strip_prefix.from_pkg("mkosi.skeleton"),
-)
-
-pkg_tar(
- name = "skeleton",
- srcs = [":skeleton_files"],
-)
diff --git a/image/base/mkosi.conf b/image/base/mkosi.conf
index 9201a05ff..5deab82c8 100644
--- a/image/base/mkosi.conf
+++ b/image/base/mkosi.conf
@@ -41,7 +41,6 @@ Packages=containerd
 # Network
 Packages=iproute
 dbus
- openssh-server
 systemd-networkd
 systemd-resolved
diff --git a/image/base/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset b/image/base/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
index 493434d54..dcabbedd9 100644
--- a/image/base/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
+++ b/image/base/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
@@ -10,4 +10,3 @@ enable measurements.service
 enable export_constellation_debug.service
 enable systemd-timesyncd
 enable udev-trigger.service
-enable create-host-ssh-key.service
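Review bot: Feeding `glob(["mkosi.skeleton/**"])` straight into `srcs` and dropping `:skeleton` from `extra_trees` removes the `pkg_files`/`pkg_tar` step that stamped every skeleton file with mode 0555, so the skeleton now enters the image with the permissions mkosi takes from the checkout, where git preserves only the executable bit. If any skeleton file (the systemd presets and units under `mkosi.skeleton/usr/lib/systemd`, for instance) depended on being non-writable or on a fixed mode, that is a behaviour change and deserves a comment beside the glob, e.g. `# skeleton files keep their checkout permissions; no fixed 0555 mode is applied`. image/initrd/BUILD.bazel on the next line makes the identical change. The rule whose `srcs` and `extra_trees` these hunks edit opens before the hunk.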
diff --git a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
deleted file mode 100644
index 28a0862e7..000000000
--- a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Create a host SSH key
-Before=network-pre.target
-
-[Service]
-Type=oneshot
-ExecStart=/bin/bash -c "mkdir -p /run/ssh; ssh-keygen -t ecdsa -q -N '' -f /run/ssh/ssh_host_ecdsa_key"
-
-[Install]
-WantedBy=network-pre.target
diff --git a/image/initrd/BUILD.bazel b/image/initrd/BUILD.bazel
index a959018ec..6301d6cb5 100644
--- a/image/initrd/BUILD.bazel
+++ b/image/initrd/BUILD.bazel
@@ -1,18 +1,17 @@
-load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_files", "strip_prefix")
 load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
 mkosi_image(
 name = "initrd",
 srcs = [
 "mkosi.postinst",
- ],
+ ] + glob([
+ "mkosi.skeleton/**",
+ ]),
 outs = [
 "image",
 "image.cpio.zst",
 ],
 extra_trees = [
- ":skeleton",
 "//image:sysroot_tar",
 "//image:cryptsetup_closure",
 "//disk-mapper/cmd:disk-mapper-package.tar",
@@ -25,15 +24,3 @@ mkosi_image(
 ],
 visibility = ["//visibility:public"],
 )
-
-pkg_files(
- name = "skeleton_files",
- srcs = glob(["mkosi.skeleton/**"]),
- attributes = pkg_attributes(mode = "0555"),
- strip_prefix = strip_prefix.from_pkg("mkosi.skeleton"),
-)
-
-pkg_tar(
- name = "skeleton",
- srcs = [":skeleton_files"],
-)
diff --git a/image/mirror/BUILD.bazel b/image/mirror/BUILD.bazel
index 014001e9d..56b425add 100644
--- a/image/mirror/BUILD.bazel
+++ b/image/mirror/BUILD.bazel
@@ -1,5 +1,3 @@
-load("@rules_shell//shell:sh_binary.bzl", "sh_binary")
-
 sh_binary(
 name = "update_packages",
 srcs = ["update_packages.sh"],
diff --git a/image/mirror/SHA256SUMS b/image/mirror/SHA256SUMS
index 796826902..ac3f22b4b 100644
--- a/image/mirror/SHA256SUMS
+++ b/image/mirror/SHA256SUMS
@@ -1,8 +1,8 @@
 37abef83e8927b4b48f69fcbdcc249d349c6029cc669401676d01f0ea326999e WALinuxAgent-udev-2.10.0.8-2.fc40.noarch.rpm
-03b5889fecc19101fe5c5eb6105bded5705e16a7af957f92b6cc6a7a96e829a8 aardvark-dns-1.14.0-1.fc40.x86_64.rpm
+eeca1e4f380330d602278b8069c03e0a712f9d7c1c9533c5869c66e5f5fce4a0 aardvark-dns-1.12.2-2.fc40.x86_64.rpm
 ac860c52abbc65af5835d1bd97400c531a5635d39bc1d68e36a1fe54863385ea alternatives-1.27-1.fc40.x86_64.rpm
-b28e7d90ed3aeb6ca10ecb235b70534665011af35bd3677fb836b1e3cfa602a7 audit-libs-4.0.3-1.fc40.i686.rpm
-accc1c623cc5345f983990416ad0f8d6028d63bc9f00bcb808688b2a3bb7caf9 audit-libs-4.0.3-1.fc40.x86_64.rpm
+6d0cfcd0e97421b42af58a824c7e99a6cbcdd0e81980b4ea9e0d4051ef723db3 audit-libs-4.0.2-1.fc40.i686.rpm
+f4ed40457780c13bebf84c1cf8981550da7e0e728e80250aed179eda8915bc7f audit-libs-4.0.2-1.fc40.x86_64.rpm
 e9fd8dd4c9068501c169edb684de7f6e38657548e9d4d1b838a4d6316e9f17cc authselect-1.5.0-6.fc40.x86_64.rpm
 db18a583ebde21d8b0b67f0306e25908b273bef9c532469ac0b7ab92578438f4 authselect-libs-1.5.0-6.fc40.x86_64.rpm
 6404b1028262aeaf3e083f08959969abea1301f7f5e8610492cf900b3d13d5db basesystem-11-20.fc40.noarch.rpm
@@ -10,24 +10,24 @@ db18a583ebde21d8b0b67f0306e25908b273bef9c532469ac0b7ab92578438f4 authselect-lib 208ddebcd5edbff3dca54020a8a180f5410ea9b2d82c733e106992a729b4b84e bzip2-libs-1.0.8-18.fc40.i686.rpm 68a43532d10187888788625d0b6c2224ba95804280eddf2636e5ef700607e7d0 bzip2-libs-1.0.8-18.fc40.x86_64.rpm 1afcf80d5e7b22ee512ec9f24b4f2b148888ef95af3486cf48f2204c3406b12d ca-certificates-2024.2.69_v8.0.401-1.0.fc40.noarch.rpm -a9af8b72483b4ad6489e6d2492161120809453373edaf24722cffb394bd1cd15 catatonit-0.2.1-1.fc40.x86_64.rpm +99d4976979c8b9d18c9d2d686de77882dc6a4e72ebfe358fb9a37a83f0ecdc90 catatonit-0.1.7-22.fc40.x86_64.rpm 588a2ab4dd93d58ca8b8d2c2d0b5e2c52007548c3fdd06f5ca1ab415ee236d86 composefs-1.0.6-1.fc40.x86_64.rpm 5935816e8d377d0385e5287ca12e4d3b43e3c3cdc9cc4deafa653a6dba78611a composefs-libs-1.0.6-1.fc40.x86_64.rpm db246f6445469b5a71e965a081685471768393cf04181e7250ce0ddcb8a9c3d4 conmon-2.1.12-2.fc40.x86_64.rpm adf4b75cdd9fae9d2d37fb71d9f0bf625a6705c0f0a7784569ab21463fe22152 conntrack-tools-1.4.7-7.fc40.x86_64.rpm -b84841f98b3c14d68da5a4021f10973eb5fa6566e63f4933e40a0c91aa134ce4 container-selinux-2.236.0-1.fc40.noarch.rpm +621302b0ea9cdd73d5eea4d30935cb415143df1649cd8e92424e967ea98fc34d container-selinux-2.234.2-1.fc40.noarch.rpm bbe29e0c7b4ca076d50b4ac3954eb383459230d96b13f353ee71ebd5de33b6d1 containerd-1.6.23-5.fc40.x86_64.rpm -46f035201c84f65f6b9fd549adbe1c4aeb5f5972e69bf6537c05e7cc20587a4a containernetworking-plugins-1.5.1-2.fc40.x86_64.rpm -8c6676fd3d9cb966e68da46dc8bc3a81ea6f2ccb697f75a284a9c9b868489789 containers-common-0.62.2-1.fc40.noarch.rpm -70956b80c95cd582f6d5410c555a1f7468b13c1f022bb25856a6a1a59f4279e3 containers-common-extra-0.62.2-1.fc40.noarch.rpm +0705251ea64b1558098016b2120f202c5aba77470093cb8f89ce6adb2a0b46b6 containernetworking-plugins-1.5.1-1.fc40.x86_64.rpm +3e35525e9224d3427f10343c98036b251fac34bf67c9007335561d846736d0d5 containers-common-0.61.0-1.fc40.noarch.rpm +b0740195d12d356e5637b83ece8650fc3f764f37e734678a07cb637fb14faf7d 
containers-common-extra-0.61.0-1.fc40.noarch.rpm 299d3e7e1cbc110d9ae8a47f6ca95142c3e3783cb1464bfbd6bc550c414b97ec coreutils-single-9.4-9.fc40.x86_64.rpm d941a78ffb6e2e0b4c24d0097d0351ced8796edde90208b4bddee459bce0a949 cpio-2.15-1.fc40.x86_64.rpm faa23cb6a7a612c0a6e874c788c5add967c5e193bd38c2e6093b82b38a162f81 cracklib-2.9.11-5.fc40.i686.rpm ea1f43ef9a4b02a9c66726ee386f090145696fb93dff80d593ac82126f8037ec cracklib-2.9.11-5.fc40.x86_64.rpm fe24641e69545c428890a4b094f015c03f65a6c30c3db7bb0de7672bab66bfd6 cracklib-dicts-2.9.11-5.fc40.x86_64.rpm -cb6318cb928c70696f1fc3a79469c0343905b4b69c5d9789e9932b10b4584357 criu-4.1-2.fc40.x86_64.rpm -05a1dbc9f2e3585df8f9930327a7e6f7f59b396359db92787086e1fdb73634b2 criu-libs-4.1-2.fc40.x86_64.rpm -0a8ee60884b6739bc0fffed6c47a94eae524e73cbd9c942420f6ffdfcd39086b crun-1.20-2.fc40.x86_64.rpm +f3f3e5f6a1c1bee67c0c6598a48143c36827f90a095897d649580a174468cdbc criu-4.0-1.fc40.x86_64.rpm +bbdb6014e2bd87db1bb2d4795a57cbb08bfdb03777c2b9730a3f45f7977fc4c9 criu-libs-4.0-1.fc40.x86_64.rpm +d388aa1a184a3ed04c68a39f81a9dcc39088b1f279d49d3631db608da6611937 crun-1.18.2-1.fc40.x86_64.rpm d7a62ff0193375607d28d8fe7eedf3ff5b6ddac154e1474d79787b9f32ae298d crypto-policies-20241011-1.git5930b9a.fc40.noarch.rpm 0f1d436f879fa30f18adca576a1f91bb1a8d1ac42cff5f35c1d15e6dffc506fa crypto-policies-scripts-20241011-1.git5930b9a.fc40.noarch.rpm 26aadc06a9f98c58ca6250d811e749ee5fa76059b37445ec28b50ee73d548174 cryptsetup-2.7.5-1.fc40.x86_64.rpm 
@@ -50,15 +50,15 @@ ac4f1b2eaf5d452512e7b6172c93880c2b501946b71a228adc02d50bb3fb56e0 e2fsprogs-1.47 2e2bf662f060ddd75195e9d3d5f08cdd5d9cc857df3a9bcc45608337ba314a25 ec2-utils-1.2-48.amzn2.noarch.rpm e6231ec4268b3efa928250eb4106311e0f33396422245b938bfed4ba2d79c573 efitools-1.9.2-9.fc38.x86_64.rpm 6ac676d78c2df896f9794a8dffb75ea69c58d202c68f4bcf084f0d264154a666 efivar-libs-39-2.fc40.x86_64.rpm -75a77fa962df4aabee266a1a48aeb4bf3a164dba31a597af23ab33c693a1c068 elfutils-debuginfod-client-0.192-9.fc40.i686.rpm -4b4b9b5c7e4ceaf65cb473089f87eef07cbdb7254425f60219c5b6412ea7da94 elfutils-debuginfod-client-0.192-9.fc40.x86_64.rpm -633b68d0b697c585727d07f4a3c5e4ba536841a8717eaadc552fc10e61d3b86a elfutils-default-yama-scope-0.192-9.fc40.noarch.rpm -fde3769dc677f0a76ce96058c3032f6553809f4809509842b9523a13e90913e2 elfutils-libelf-0.192-9.fc40.i686.rpm -f7778242b3242fab35a5e0c4f0919ca9823a47c7b296f274ff312cc2c49ba6e7 elfutils-libelf-0.192-9.fc40.x86_64.rpm -a322c6f44f82bc21558f3bb7afc694dbdc28a41340280d3a2c5da2656a339d2f elfutils-libs-0.192-9.fc40.i686.rpm -184235133a6873a42b72d2d88657f12dd4b4b603fd5058fbd02daa0a7308f69c elfutils-libs-0.192-9.fc40.x86_64.rpm -a09546cd7e26c630765f4acb93942a2c70524107a50e20761eb0898b8a80b6cb ethtool-6.14-2.fc40.x86_64.rpm -136ed00bff4d44ab7bd6d0926c4b80c2f5ee9160dc4f698be988ca3d37303b4d expat-2.7.1-1.fc40.x86_64.rpm +d4b391ee444de66794804962e441ccdba74e75630a2abbcc9a14b7fd2f7cb535 elfutils-debuginfod-client-0.192-6.fc40.i686.rpm +60befd76c16ce28b1f065fac31e88cdb74d5219421587fcdde2b46abace803c0 elfutils-debuginfod-client-0.192-6.fc40.x86_64.rpm +467cc1d14f1e6ca0a3b893c087ba5ecee2ec44c33b7455b6ad9cc9b2aa1f2f54 elfutils-default-yama-scope-0.192-6.fc40.noarch.rpm +5c4abd06417a9bed0a93adf00ef7a9195101069445fe7f2873408b3d4010a760 elfutils-libelf-0.192-6.fc40.i686.rpm +98d770d563c5898abd6847e728dd793f6ee985904020084c62c7568463614428 elfutils-libelf-0.192-6.fc40.x86_64.rpm +61f3912d147750749d3b4b5031d0f2ca95fa21615a36bd55ea4b4b9be0493e02 
elfutils-libs-0.192-6.fc40.i686.rpm +f215ebf2e586330f93c52b228c98912a0b42db9ceeff830b611817401a84252a elfutils-libs-0.192-6.fc40.x86_64.rpm +95cf8ee199b2e1b3471f920ebad57d3d8178f5e68d37ee35a8a94727473ec8d3 ethtool-6.11-1.fc40.x86_64.rpm +3a5ba168021a01107d6dd4dc7cffe8bb5553c64f236c436979b9fddfdc4cb59d expat-2.6.3-1.fc40.x86_64.rpm 849feb04544096f9bbe16bc78c2198708fe658bdafa08575c911e538a7d31c18 fedora-gpg-keys-40-2.noarch.rpm 8f0a56982aa10b607bd3b8009e91bac1a7d9b7ba40eb4435ff9bd9efe7e5e76e fedora-release-40-40.noarch.rpm dde6f4b5d4415ce20df40cf1cb9ff3015aa5b1896c5b5625e49aa686cdce1d1d fedora-release-common-40-40.noarch.rpm 
@@ -80,25 +80,25 @@ c4cc69bf3a2655b9ee9ac23492d377bac57811c5b4f81fbf43537520ee33c7af gawk-all-langp 40337d9167737abe23af9c6b586b883f33cc82028d69b29c1d68b524201d9248 gettext-envsubst-0.22.5-4.fc40.x86_64.rpm 554a68e692ccdd0cf71ea67a4c550bac910685465f17eee503732d48ccda9c90 gettext-libs-0.22.5-4.fc40.x86_64.rpm 046971e9f5f0c88737854e1c9e02cce8f5854633575984b235cf3f8b11ec7b91 gettext-runtime-0.22.5-4.fc40.x86_64.rpm -6afaddcff936e900b9d3ab379ddac5c8dd0aa323924b973bf2fa9fc819dc3638 glib2-2.80.5-1.fc40.x86_64.rpm -ee01787bf89f4f3b1ee7dc269844bae2fc672b1af4ac5e241e570391fbeeab3b glibc-2.39-38.fc40.i686.rpm -b64c709529bedb9d3e62c892fe79b67f186c499d54d1e7985713ddb5fded7a59 glibc-2.39-38.fc40.x86_64.rpm -5cdec5bdfe58752fca36279d5cd25e08a6b37a086020f2573937304a5b770dc6 glibc-common-2.39-38.fc40.x86_64.rpm -e8ab57f139980b93c17a9598a40cac5a81be37216526be8115235a57ce5a9df7 glibc-gconv-extra-2.39-38.fc40.i686.rpm -4deff99dffc791e504d9e1d9b5c19f3a053a14291d2168ffd33fdcd24180323b glibc-gconv-extra-2.39-38.fc40.x86_64.rpm -8556a19ce4e3a9977f2d1cdb2f1885eef6401140609264e2c50a8161874d22ac glibc-minimal-langpack-2.39-38.fc40.x86_64.rpm +0a32c6874ce180375c2c0b1e2f0c8fed38131a598e5c4ba3866cf3aee1f3f5fc glib2-2.80.3-1.fc40.x86_64.rpm +a2d94eb4028fad9789f0d5561b4c4a7a03020013af2a79be7aea3fb0390b8caf glibc-2.39-22.fc40.i686.rpm +726a1d707dfcf20d1f4c94f76bdba38d166eb574ecc2d83ec438bdc161f3ec27 glibc-2.39-22.fc40.x86_64.rpm +0b502c1140a1f6461dbd63d3daefedded6c705769476cec5e69466aab7693ea6 glibc-common-2.39-22.fc40.x86_64.rpm +c09983bc2c7fbc23e7e622739532b554357103d99161d458c4f0c5eabce5d8c5 glibc-gconv-extra-2.39-22.fc40.i686.rpm +c185634bd4f161c35292daa028823a607c78f1e71727b6c506d640771ddd88aa glibc-gconv-extra-2.39-22.fc40.x86_64.rpm +e99290c1fa76536f0bb0024dbe14527a6d5efcf00436493f705a75c6f76d3df3 glibc-minimal-langpack-2.39-22.fc40.x86_64.rpm b054d6a9ee3477e935686b327aa47379bd1909eac4ce06c4c45dff1a201ecb49 gmp-6.2.1-8.fc40.x86_64.rpm 
0a8b1b3fb625e4d1864ad6726f583e2db5db7f10d9f3564b5916ca7fed1b71cb gnupg2-2.4.4-1.fc40.x86_64.rpm 4425dbd35ab65f25b092d12ac56c4b565371a1c52ac882c8896dbeae7d52bbb1 gnupg2-smime-2.4.4-1.fc40.x86_64.rpm -74f185a772b22db0d41b69d63d1fa4a78840bc32359ce47729dbd54d297ffa77 gnutls-3.8.9-1.fc40.x86_64.rpm -9a463e49371c05bce6713fd4956ff3784db265485260e6151d3eba444ad41f42 gnutls-dane-3.8.9-1.fc40.x86_64.rpm +4289ccbb44e4a764ef6f58593a56f2598c6821feebac52be6fa04c771eebf029 gnutls-3.8.6-1.fc40.x86_64.rpm +0e5c3c13d4c34d83453667a8011eab1859d0db5ff7409fba0dce3fbd68604226 gnutls-dane-3.8.6-1.fc40.x86_64.rpm f8510eeec17b9258de9a68ce15af21f3ea135b5e767f3bc9047f851d81dbac6e google-compute-engine-guest-configs-udev-20240830.00-1.fc40.noarch.rpm 94e443590221fb17e0330f076ebac32baab17b8d9c22566db372899ae750ca64 gpgme-1.23.2-3.fc40.x86_64.rpm 6d54af0fc5ae216eb97720415acda4245ebc6c021420a2892b58620b5b25ca38 gpm-libs-1.20.7-46.fc40.x86_64.rpm 8e2310f6cde324576e537749cf1d4fee8028edfc0c8df3070f147ee162b423ce grep-3.11-7.fc40.x86_64.rpm -46bc4d8d62eeb1fa3275898d44a30643260f4dda2d3d2a3992f879e4c7df26c7 grub2-common-2.12-16.fc40.noarch.rpm -c508cb9605baa6a0751feda2d23e9a65a4d11538d6d108c295562eac65c63ab1 grub2-tools-2.12-16.fc40.x86_64.rpm -0c6bb04c6e81d368793c03bab2ec736c3ea63aaea9dbb64d4a94b12b35320bdb grub2-tools-minimal-2.12-16.fc40.x86_64.rpm +cfdba55bf65221d4cb6574e18586340f813ee948fb90f94088ab730a8cbd4400 grub2-common-2.06-123.fc40.noarch.rpm +a265c8c4acac4c2a3c5f63f98df89e689b87f6f6bcceac1c83882d9cdab90eab grub2-tools-2.06-123.fc40.x86_64.rpm +3ff26313487d9656195f2e121eb57ea6411deab71b0ec3ae57f11785ba86f330 grub2-tools-minimal-2.06-123.fc40.x86_64.rpm 6a146fa9b154e67eb67eeb258df37814a863997c87171fdc2bd771e5a46b1cc4 grubby-8.40-75.fc40.x86_64.rpm 6dcc2f8885135fc873c8ab94a6c7df05883060c5b25287956bebb3aa15a84e71 gzip-1.13-1.fc40.x86_64.rpm 7ea61bdaada7c1ab5b8567e054a73e2cb3ca6019e3db887049998fed7eea8514 iproute-6.7.0-2.fc40.x86_64.rpm 
@@ -119,8 +119,8 @@ c8e382e9de90e6946dd9bc2f706d6c307ea4ebba3eca91a283f1bb72b5b3ac9c kbd-2.6.4-3.fc 42994ac67877595861b55adafd75ab3ce02d397e2ccddac8fb40ec0fecb4436b kmod-libs-31-5.fc40.i686.rpm 53dd95341767a2ea40b68e4621a231883bd5b69426f0920ce1f1ca94e18765cb kmod-libs-31-5.fc40.x86_64.rpm 9a03b21936528f6d08700757cb460c48e9557a71efaaa5e93b01b3f7614320f3 kpartx-0.9.7-7.fc40.x86_64.rpm -cd3402d654af18c421c0ae866ef668094cff5c032bb3f769606261eca8dcf8fa krb5-libs-1.21.3-3.fc40.i686.rpm -878a5a48835ecfec5fa04c7c7a1f24bdae7bd8e9aeca7b3f9dd97f6a23b9b41e krb5-libs-1.21.3-3.fc40.x86_64.rpm +821a2a47fa5ff1f9450f82118c812bc105f8afd5eb6a8e00523665c2a14a651d krb5-libs-1.21.3-2.fc40.i686.rpm +2db3a289d5a710b5f8ebbd603228d67ee59281622f086e3530efe8f2545057d6 krb5-libs-1.21.3-2.fc40.x86_64.rpm 6f2f0a522f2f10f273a77a60fdb7e066c14059d0a3676c9f723162daa7110b42 libacl-2.3.2-1.fc40.i686.rpm b753174804f57c3c6bae7afeb6145005498f18ae5d1aa0d340f9df5b8d71312f libacl-2.3.2-1.fc40.x86_64.rpm 74d72760c1982830358d676794ee3972ab05550fe7235ae9756a40de8266091f libarchive-3.7.2-7.fc40.x86_64.rpm @@ -147,7 +147,7 @@ c890a19d2c4a3da836bae1db40b778fe0339cd0d26bddfbe584aaccb1a0f1485 libcom_err-1.4 e3dc770fc4c48bec2da9ac948bcd43e053608d0397ad0a57056409a7d427289d libcurl-minimal-8.6.0-10.fc40.x86_64.rpm 700d56839e1bc16c08f71c505a7e62f655e4c18f4bf71bf2f36f3854f829e6f5 libeconf-0.6.2-2.fc40.i686.rpm 2ef764049e121ee2a9fa5d0296e6e2dd0abc7541040b8e49d67960bd9bde74e4 libeconf-0.6.2-2.fc40.x86_64.rpm -7a91572e9639617937c13cd103ac5571075f37fa533d796be108aa8a4937432d libedit-3.1-54.20250104cvs.fc40.x86_64.rpm +b003de79beac86385d212fce137417439e8ec7cb863115d560e02834c84efd1e libedit-3.1-53.20240808cvs.fc40.x86_64.rpm c4adcee5dd9e22ea50d6c318ac4936a8df708121741958ce5aa8f038c46c61a9 libevent-2.1.12-12.fc40.x86_64.rpm a1ba3045c99ef1b266383f0801731a68f9e0cb069a6c808267ad33b759381907 libfdisk-2.40-0.9.rc1.fc40.i686.rpm 17f02ca51b90580887d739f52b995034e0929fc6bcd92be308554a2f5337bbe4 libfdisk-2.40-0.9.rc1.fc40.x86_64.rpm 
@@ -160,8 +160,8 @@ cd073c42cb4dfcd224e9b4619883f2c7923ab0b083d7c90b01e3052c89f6b814 libgcc-14.2.1- 10c4c12c6539ffea68974cd9b57013d471ac35fe3bef4833c0a22f6b29fbf489 libgcrypt-1.10.3-3.fc40.x86_64.rpm 03d5f4d139dec2e7c94714b1b9f59d37236dbda9f09271bdda99c71251f15f0e libgomp-14.2.1-3.fc40.x86_64.rpm 8d0a9840e06e72ccf756fa5a79c49f572dc827b0c75ea5a1f923235150d27ae2 libgpg-error-1.49-1.fc40.x86_64.rpm -4fdafe5a28dc18a892713cc2071a46cbcb6561c9c62e10f20f04b0e562187228 libidn2-2.3.8-1.fc40.i686.rpm -63a08c0cf18474582a3e62367b5b4275d079e883e40f4cf32cab7afc316ec2dc libidn2-2.3.8-1.fc40.x86_64.rpm +677a67726c759c94faa94475185e46d028f171c9215390ac601ccd914188afb2 libidn2-2.3.7-1.fc40.i686.rpm +2fd2038b4a94eeede34e46ed0e035e619f77d0e412c70cf4e9bb836957e8f31b libidn2-2.3.7-1.fc40.x86_64.rpm 98b0d9d25bd93c7061ce50480e214944a02d7de725e1d31f4461604380ffb74a libkcapi-1.5.0-4.fc40.x86_64.rpm 84977f5f157172dc7642a3f6602692bb6323b4b106c69f7081882e6c6a81a346 libkcapi-hasher-1.5.0-4.fc40.x86_64.rpm 906bb224af7b2e1ea64c258c6978a610b899b0af5be572ce1c09e36ec58b8a79 libkcapi-hmaccalc-1.5.0-4.fc40.x86_64.rpm @@ -189,7 +189,7 @@ bb9ceaba0d3283777777524e8c99b8eaa2155e9000d8e3ef5d0ece336f8c1392 libpsl-0.21.5- 210e797a265da7111c1a59eca95f9e301ad05c5c8772aed54af9363e5684950b libpwquality-1.4.5-9.fc40.x86_64.rpm 571fad7baa286ca36a2b2cdb171d22142ba82b99663ec0408b5db99514773956 libseccomp-2.5.5-1.fc40.i686.rpm 91668f5d08a663948c7d888d7cdef3248285c5d9fbe369ae031d7ca31c6e398c libseccomp-2.5.5-1.fc40.x86_64.rpm -e4d4e12303eeee24bd19b7c1010abf5a275577f5c6aa59ccbd15887e0f5f09ee libsecret-0.21.7-2.fc40.x86_64.rpm +280edce0c5cda3a725edaca0db10a16d1c4b24b849a8ddfeac066ddb84057e6e libsecret-0.21.4-2.fc40.x86_64.rpm 69161fabb22dd4c5c8aeab0b6465dafe06117ce5173aaf4dce425a10cb11c434 libselinux-3.7-5.fc40.i686.rpm 2070bdf786c926400739254f08568ccf564ce613ddacacb36b6a9a499345aa5e libselinux-3.7-5.fc40.x86_64.rpm aca271d814ee3be14c09963985011c201315a186d3e3b634af8d59cd5eb01208 libselinux-utils-3.7-5.fc40.x86_64.rpm 
@@ -202,13 +202,13 @@ e9c3e9e3458af7a2f9b5cd6bc45020bb7f2c6cfbd0429b0b1853928bd3e02004 libsmartcols-2 45d032fb4d59ee0f6a921dd1f0addfcdd38fc46917243fdd6248194ffddb9067 libsodium-1.0.20-1.fc40.x86_64.rpm c8bbfa2762cc601f8a97d8d5a39a658f0e91ba477ebebd798b30f7fc8ffdd457 libss-1.47.0-5.fc40.x86_64.rpm 89e7282e0a94d641871dfed423ba2ce6f8b088eaf9aabdea1805708bcafa6a01 libstdc++-14.2.1-3.fc40.x86_64.rpm -3d6ff1e90b4b19de401ab45df9c5bb6e171c34a5b415a7e10e3282332a4cda95 libtasn1-4.20.0-1.fc40.x86_64.rpm +d92173d6fbfb7e2af3b35a8554229e247666e15dc5b36cba43b7bbfc4144b781 libtasn1-4.19.0-6.fc40.x86_64.rpm 9ca680998686ee852fa8e1667cd6e7c436bfd5fe7da898bd314d808303d447f8 libtextstyle-0.22.5-4.fc40.x86_64.rpm -189e8f25a80a67db1722cb42f2800235df3eadd9cb93d3bcd13853bf09122d5f libtirpc-1.3.6-1.rc3.fc40.x86_64.rpm +a660c40fc2af9578a7cf283bd18df6ae00d68f25b7d102f4e4f49a3805f6c575 libtirpc-1.3.6-1.fc40.x86_64.rpm e5d150d23f95e4a23288b84145af442607a88bf457c0e04b325b1d1e8e708c2b libtool-ltdl-2.4.7-10.fc40.x86_64.rpm e541a1c8397dccf159b3602eb6bbb381ba21c544db337a3b3bfc49ccc2ef5c21 libunistring-1.1-7.fc40.i686.rpm 58719c2f205b23598e31b72144ab55215947ad8fca96af46a641288692c159d2 libunistring-1.1-7.fc40.x86_64.rpm -0fa1b7d1f6f5bcd1c2f2785e6571a7c3e63662efd50ba32fd1996dac9dbb4de9 libusb1-1.0.28-2.fc40.x86_64.rpm +bc60959e98e5f690bc3df03bfa8afee2d0cf28e794c4e3c52f19769885771321 libusb1-1.0.27-4.fc40.x86_64.rpm 896d671852ed3f28e8c778dca361c5b5c57a89855df11755e6be1d088f64d43a libutempter-1.2.1-13.fc40.i686.rpm 0093a8d3f490fbbbc71b01e0c8f9b083040dbf7513be31a91a0769d846198c1b libutempter-1.2.1-13.fc40.x86_64.rpm 5aaa12bba361ae29b2a6b35c4b21da935423bc2ad763eaa8267008c7a533cb3c libuuid-2.40-0.9.rc1.fc40.i686.rpm 
@@ -217,14 +217,14 @@ e541a1c8397dccf159b3602eb6bbb381ba21c544db337a3b3bfc49ccc2ef5c21 libunistring-1 b6db3e72ae6575127216145c1f65414ea94acd9db26d08c5081cb5d786101c1f libuuid-2.40.2-1.fc40.x86_64.rpm bea578631618692ba5e302beadfdf6d5894e23e5bddaea4b4fca2f377dd1aaac libverto-0.3.2-8.fc40.i686.rpm fadf7dd93c5eee57ba78e0628bf041dbd2ea037ace52f0a5cbac55b363234d27 libverto-0.3.2-8.fc40.x86_64.rpm -c87a32fd07fd5be227320177ddf61b89c9f14f06d0895e9ecb9a9977b8f6495b libxcrypt-4.4.38-7.fc40.i686.rpm -27f89188ec9f4b1e1e96275f7d2760c342b4cf0a28e7cbccd893d98418d1d060 libxcrypt-4.4.38-7.fc40.x86_64.rpm +a0036606133ba74df47cba7f5349a024bcb6367150a5450ac414508c67d852a9 libxcrypt-4.4.36-10.fc40.i686.rpm +0d93dd9ea48dcfe8f9ecdfc3ec8ac736635334e23fc1cf8ba04e562e0637de17 libxcrypt-4.4.36-10.fc40.x86_64.rpm a17f9a8894a00ee97a42219b3b21d64bfb850d74059d89ae299210bc477e8967 libxkbcommon-1.6.0-2.fc40.i686.rpm 1f1d0c1e1132016735acc6fc3390102b35f9eb257244547c7b61c32a9c2314cc libxkbcommon-1.6.0-2.fc40.x86_64.rpm -12fa7bdef4a5d95b78a38152a0c90b42c0cfc1a1b7c80fa25f4ccdb7c13cf849 libxml2-2.12.10-1.fc40.i686.rpm -a8ee5e5e972ac86d383bf2798db45f41a22b23d76a0fdef698ddd92076589ff5 libxml2-2.12.10-1.fc40.x86_64.rpm -9007aa6bc776262992172e3f24ea2528cd4f65fb82f2c2d01e27f53f79c5c6f7 libzstd-1.5.7-1.fc40.i686.rpm -ec5650e3822d102bfe6bbebc7468a711128ef695f4bd06748ce242b8378d8b7b libzstd-1.5.7-1.fc40.x86_64.rpm +302104acbc7b094958be4f764c14f738462fdb381fc38aac63e0e7eaedaa82a7 libxml2-2.12.8-1.fc40.i686.rpm +ed8d18570524445954dae5aff6239d9cc987cf8b3313fcd48c42f1b79b8eb247 libxml2-2.12.8-1.fc40.x86_64.rpm +cd866911efd52e3a70655df3da9d71ad2f4a326463aeaa381493a7547e14871d libzstd-1.5.6-1.fc40.i686.rpm +bed3075b9ff919eded25cb45e9e03b8a7c63bcc8e893ec28c999aecaa68c51d3 libzstd-1.5.6-1.fc40.x86_64.rpm 81409455da42a5ffdcf5b8cc711632ce037fec25d5ae00cbfda5010c9db04157 lua-libs-5.4.6-5.fc40.x86_64.rpm 2d1da8faf26c647a7299f840cfa199f20415ceb99a4f694ac3cd07f645f02cf5 lz4-libs-1.9.4-6.fc40.i686.rpm 
f5f022440c4340b5e7fb1c1dbc382e6b0fd57030b3ff056940f2bb3d254408ec lz4-libs-1.9.4-6.fc40.x86_64.rpm 
@@ -233,31 +233,29 @@ f5f022440c4340b5e7fb1c1dbc382e6b0fd57030b3ff056940f2bb3d254408ec lz4-libs-1.9.4 03fbefea8c8d8465cf1caf66870fb935292ee18b4ca341853b5576ca9c7801eb mokutil-0.7.1-1.fc40.x86_64.rpm 0a3a3fc2471d2d64cbc85f4b23c93620df6eeee814851a2b69fc5ddf75406b56 mpdecimal-2.5.1-9.fc40.x86_64.rpm bc873693a8b8423d7f82e329abe207c9160a4c746fea9a32ef2a6ae8c912f227 mpfr-4.2.1-4.fc40.x86_64.rpm -8a7312e49b3ddec619dee7d1067b72f9105f34d9ff988be0e8b8a76091a8b8fa mtools-4.0.48-1.fc40.x86_64.rpm +9dda076af2bb08f06df9f73ce682b8e417deb7bfb900581d519eeda247a442e9 mtools-4.0.46-1.fc40.x86_64.rpm 7dfae7d898dfc40f3fe1fc66104cf31e434e866fec4d4944b55952d7f2f16657 nano-7.2-7.fc40.x86_64.rpm b404c27af03bb1e43fb0dc472d5a1fa152e0563fa2e4eefa29199c47578a829b nano-default-editor-7.2-7.fc40.noarch.rpm 8a93376ce7423bd1a649a13f4b5105f270b4603f5cf3b3e230bdbda7f25dd788 ncurses-base-6.4-12.20240127.fc40.noarch.rpm 39bba59320e6276a3b7b07bc94d319511bdd7d32ba098fd49723f4d542794d41 ncurses-libs-6.4-12.20240127.fc40.i686.rpm a18edf32e89aefd453998d5d0ec3aa1ea193dac43f80b99db195abd7e8cf1a04 ncurses-libs-6.4-12.20240127.fc40.x86_64.rpm -60d1e0058d38ab2ea6b08f59341e7db34c8bec37a387ad5c0565bbc38d5170fd netavark-1.14.1-1.fc40.x86_64.rpm +f1e77a65e098b105ce6a47e386de84937217ed72a0c47f2568ae11da0ea7d75d netavark-1.12.2-1.fc40.x86_64.rpm 16172412cfd45453292e18f84fc57e42a3ce92aca72b47ef7e15b44554049cfe nettle-3.9.1-6.fc40.x86_64.rpm 188ce5004e6ed764b4a619b64a4a0f36f1cc4fa919fe0a300599ff1171844144 nftables-1.0.9-3.fc40.x86_64.rpm 784e0fbc9ccb7087c10f4c41edbed13904f94244ff658f308614abe48cdf0d42 npth-1.7-1.fc40.x86_64.rpm f814bc09b50daaab468715088ec056373dbc209a5075306e4ce76f5c55eb2b42 nvme-cli-2.8-1.fc40.x86_64.rpm -a0eecb082db491d57bfab6047b2611a10150d47a8f50fd05f98ad2f01b0dee54 openldap-2.6.9-1.fc40.x86_64.rpm -49e3e1c7d82ab28b1ab79bb2655a95cadeae2295f5543db8a07d74e090bcb90d openssh-9.6p1-2.fc40.x86_64.rpm -369b4d6e159a53afe9d2803d927f0523ceeae0822353aa8f0d81d0e3211b0788 openssh-server-9.6p1-2.fc40.x86_64.rpm 
-bffa85f8feadf0bf5f7a8cea9ff9f5e49266959df6ae4d61cf929054c09ec2f8 openssl-libs-3.2.4-1.fc40.i686.rpm -a1b67803e7afb5e16d977e49b8e63c50537bbaa6b261ab10348d55a54b1562dd openssl-libs-3.2.4-1.fc40.x86_64.rpm +b09089231ec94ee1b2dc26e34d8d7f19586d411bc40df7d0e495e559ac2d871a openldap-2.6.7-1.fc40.x86_64.rpm +5df04d37e492e5f107cc21e547240f9f98b0b7613320467bc0b08f6aa1b0fb88 openssl-libs-3.2.2-3.fc40.i686.rpm +e9fca52d76eb6277b9fec3238226faafc0938806318fad1143a527fdd28a16cf openssl-libs-3.2.2-3.fc40.x86_64.rpm 9f0336deb6f1b1524ec48d837622e7e2291995369b0356d7ad1e1d427f3b659a os-prober-1.81-6.fc40.x86_64.rpm 70fba929aab38a9d69a457cef1b01962161a1df2b78dc5a4e86ff4b994b51079 p11-kit-0.25.5-1.fc40.x86_64.rpm c728dbd90872b7597a8ace70a70555bff576231bb6dbde14b75626d601706af8 p11-kit-trust-0.25.5-1.fc40.x86_64.rpm -b3b261e448a25c6550f050ca1813509dd6edbb10f22c02a535548332435b6bc4 pam-1.6.1-5.fc40.x86_64.rpm -753d7b5a6531eec7689414dc1a4ce76ba4d327b8ad0363a9298ee67b565c1d95 pam-libs-1.6.1-5.fc40.i686.rpm -6ca8efd0b2a26cc51917c1c81260d919ef7760f0e0770dc872a78b1b829299cd pam-libs-1.6.1-5.fc40.x86_64.rpm +374bd91b0fb10dd09d543a1aab6328d3801bd9a0bdfbfbf0b594ce79ab3423ce pam-1.6.1-4.fc40.x86_64.rpm +b6251990de342b9f4de8ab7360de435751c0b3e524ea6e1ad78a294d7d541483 pam-libs-1.6.1-4.fc40.i686.rpm +227f1d93b7125b5a71def58146ddaa0853bd489da6707f0564482e290e77930c pam-libs-1.6.1-4.fc40.x86_64.rpm 9bbce784622e02af0371ced8e9a7d26adba7eabd66ecfcb8bbe2d24cf616e3c1 parted-3.6-4.fc40.x86_64.rpm -fa10fa559403d57df8c8dabd9cfd765f020216ca03d2116c861aa7cf7a97b27a passt-0^20250415.g2340bbf-1.fc40.x86_64.rpm -b8892365092573b21fc84ebd084b20f6f62e848ac19720ea8a9e0c2fd64176c4 passt-selinux-0^20250415.g2340bbf-1.fc40.noarch.rpm +02c01edaee6fe2af5174562387d530b73ee40e39dbe108ab4553de82228f6621 passt-0^20241030.gee7d0b6-1.fc40.x86_64.rpm +7909af3b8d248c344693b4f7893172d465fde6d1fb8d719f1179f8c971cb786b passt-selinux-0^20241030.gee7d0b6-1.fc40.noarch.rpm 
a0fb808d6b7ff8cd9cfdc1a60f213851cecdcace334d6e5aa1e0e54b81d79a25 pcre2-10.44-1.fc40.i686.rpm 73e50df09266fcffda9c24a3738f579dd365c2c187c294da054ef9915edc3851 pcre2-10.44-1.fc40.x86_64.rpm dbec699e88d42fc6fb1df0a8c0b9023941ed1b1b7625694253a612eaf9f2691d pcre2-syntax-10.44-1.fc40.noarch.rpm @@ -267,8 +265,8 @@ f796a31cad58f4ebea8787020868581d9a721297ee0ef6a7c63a7f8444f60c17 pcsc-lite-libs 5443db8875acc0c1c436dbe1ed62b776543e049b8d9c7e33198379d367814093 pigz-2.8-4.fc40.x86_64.rpm cb7c5036f1d25c696de23a6670cb64caec9945116fb0c9a93555414746ecf253 pinentry-1.3.0-2.fc40.x86_64.rpm bbb4abafa9f7664e21350b56d49af2c928288e6d4dd68c304c4ab5d45b2c8ad7 pkcs11-provider-0.3-2.fc40.x86_64.rpm -ecdf5f33e98a3c94426efc2176d382899d08d632e05dafc2e7fd18549337ef75 podman-5.4.2-1.fc40.x86_64.rpm -f6291fc1fd3ececcd23c9e693ae0d309d66d57cc2de5d3d389235604804c1c2a policycoreutils-3.7-7.fc40.x86_64.rpm +f2401414fa396e3b86471c311008383bcf51755aa30697c72147892a50de8894 podman-5.3.1-1.fc40.x86_64.rpm +8a0ee0be826338862ecd65d04032b43122cda333ba6bb6891b2ae6aed5208832 policycoreutils-3.7-3.fc40.x86_64.rpm 30a4f9d3631aaa1280c93ce4305847a9773973aa312e1802d1cd676cb2421689 polkit-124-2.fc40.x86_64.rpm f47bc65177a8b160916c00df9c84442afa1dd353880b3c0503d5a0b052d4956c polkit-libs-124-2.fc40.x86_64.rpm b7decdd8a6fcb175fea2bb39bb1dbecad1ba820c365bab5a273a7b3982e55157 polkit-pkla-compat-0.1-28.fc40.x86_64.rpm 
@@ -276,31 +274,31 @@ c03ba1c46e0e2dda36e654941f307aaa0d6574ee5143d6fec6e9af2bdf3252a2 popt-1.19-6.fc 8a414572157d7e450eddcdc909521e09373289cc7a48ebc15f7b0c9922c17262 procps-ng-4.0.4-3.fc40.x86_64.rpm af85755cda79959a19161ebc26a45e507003298bd97b472b9ab0d512afa5e46a protobuf-c-1.5.0-3.fc40.x86_64.rpm 45ff2e9814aa059f323b23710c73309d41d36306667a3004f5fbb86b0cab4484 psmisc-23.6-6.fc40.x86_64.rpm -c000cbb0a7df2c0c61559ab3f3732eacd163b171673298f4ec043cb6d223f364 publicsuffix-list-dafsa-20250116-1.fc40.noarch.rpm +cca50802d4f75306bc37126feb92db79fed44dcdabf76c1556853334995b9d3b publicsuffix-list-dafsa-20240107-3.fc40.noarch.rpm 7c703b431508f44c5184b5c1df052ed0f49b7439d68aa3597a9a57a5b26bd648 python-pip-wheel-23.3.2-2.fc40.noarch.rpm -bc9b15b36777510ccc9ddc3da363a3100990a235e998f3a50743cdfa50e92f5e python-unversioned-command-3.12.10-2.fc40.noarch.rpm -b0eced6eca5856ed3ddd031e8010e91975149cecf4b337fd3a8c82759a2344c9 python3-3.12.10-2.fc40.x86_64.rpm -c59ab2ff672f5e2d1be59dd22ebbe3fc86c88aca95247b1f84c9bf3d5b6c7026 python3-libs-3.12.10-2.fc40.x86_64.rpm -b593f10e736995a0a898d37a1e595ad04bf162e7f0e7c9994e3032a9d9bc8799 qemu-user-static-8.2.9-1.fc40.x86_64.rpm -72b6185e59a7b359df273e9fe27dc014c0856341abcd1c907c7810a77cc6980e qemu-user-static-aarch64-8.2.9-1.fc40.x86_64.rpm -7eace5bc3e601266452b8356207604012542a8cd019b576e6d2ab9306c6a8e4c qemu-user-static-alpha-8.2.9-1.fc40.x86_64.rpm -6baadf76d6111fabe0c40d9ef8956396ffd23175dadceff940356e1d447c9f0b qemu-user-static-arm-8.2.9-1.fc40.x86_64.rpm -284850c3af8faa4b7ae51b5d2c1c597e783945a20b950b7bc0a925d02538ced3 qemu-user-static-cris-8.2.9-1.fc40.x86_64.rpm -8b5d75d2839682691d130409ebf7142f3fafdb970348f3b5336876d38d4ab0b7 qemu-user-static-hexagon-8.2.9-1.fc40.x86_64.rpm -fef5e7fef2df6f85092383de73373e5d9c9eb241232281bb94c068564c7306de qemu-user-static-hppa-8.2.9-1.fc40.x86_64.rpm -742c694b0e8cbe8bafe2b0602bb38f17c31b80c04f7eb6ee7f104e97d60a1e48 qemu-user-static-loongarch64-8.2.9-1.fc40.x86_64.rpm 
-872255f64d77ccc3a5388ace420e1434c504e79e31442f58a1516ff752697641 qemu-user-static-m68k-8.2.9-1.fc40.x86_64.rpm -314453265e4fe55fd7b02e01d17c14c4f68ff23bf652ca251915d65ff9006cc4 qemu-user-static-microblaze-8.2.9-1.fc40.x86_64.rpm -decbbd27625256fe9930c908eaf18e6c852f15e47913b7ca071bea091737d5c8 qemu-user-static-mips-8.2.9-1.fc40.x86_64.rpm -f7d088b6b21089c66c24317de994bc65c5ed0f7be484518e72aefe0f74aaf959 qemu-user-static-nios2-8.2.9-1.fc40.x86_64.rpm -58129a9a88a231446ec2fba60c378438d0020e3c7d72186f40d65d06be12eb93 qemu-user-static-or1k-8.2.9-1.fc40.x86_64.rpm -e1c1dc5e5b1d39b52b57c2ebfbbbaa4ece91d986ee8065547bcfb2f6b4707b92 qemu-user-static-ppc-8.2.9-1.fc40.x86_64.rpm -8863c1d75d185ed71bcba9496d353467d064669a3825ab5fda7b4f964bd1a76f qemu-user-static-riscv-8.2.9-1.fc40.x86_64.rpm -d8e5cbc0354aef6bca8600aeeb5f64b4833bb3f90466e64c37695fd7822c5f4b qemu-user-static-s390x-8.2.9-1.fc40.x86_64.rpm -71663f59440aae47599d857f89fb2149952ec4f1bb1afbd83f7d6ea00ccc393f qemu-user-static-sh4-8.2.9-1.fc40.x86_64.rpm -bfef80139dc556e1834b424a346a69fbdc2c706e0158402d8ea6c42e04123bb3 qemu-user-static-sparc-8.2.9-1.fc40.x86_64.rpm -9a0f90c77539963e1657148b3fda7b91285abfbfba52893735b36971df338b6c qemu-user-static-x86-8.2.9-1.fc40.x86_64.rpm -ccf7dd55fc0101233b3384077b544b8fcf658b3febd0e062a687a7537dd9618c qemu-user-static-xtensa-8.2.9-1.fc40.x86_64.rpm +bcac955e69958e064669ed6e0a394bd9dd2c76e63f558a205ced18a9755012ab python-unversioned-command-3.12.7-1.fc40.noarch.rpm +6d8342314daafde5c5ec4ec2935e74edb9bea107dc8cd72642e322444f264c7d python3-3.12.7-1.fc40.x86_64.rpm +839d6dd1d8ac9b55f14b504eca5ac5e66b8330341608f7c9132cb29816116ecb python3-libs-3.12.7-1.fc40.x86_64.rpm +b406d07cf1eeac69446b2ac98da03a007d7becded2d27fc0dafb83a81de5f708 qemu-user-static-8.2.8-1.fc40.x86_64.rpm +3626a5964fd4640046d86d6a1519c63fec6108a766130745393b7132744c640a qemu-user-static-aarch64-8.2.8-1.fc40.x86_64.rpm +40cb646b14309ec33db43e68436b40b790a22740bd15c3837c5dbe6fe9ae218f 
qemu-user-static-alpha-8.2.8-1.fc40.x86_64.rpm +023e34e9d3b7d78a9c689a0c2d181be00437a3baeff9a0d2bc675f580093306b qemu-user-static-arm-8.2.8-1.fc40.x86_64.rpm +6d11781749da9f75554137063fa26a349887f8eca7a8cbe00c0723ea181a3feb qemu-user-static-cris-8.2.8-1.fc40.x86_64.rpm +850606227a7a7ecd6d507d2ebeef8bf1e26d324385e4dfe7abe7bd490249caa9 qemu-user-static-hexagon-8.2.8-1.fc40.x86_64.rpm +ceefcc4775d9af7c09c5f287615cee466bf826b77d601201a31ef2554b44d4e4 qemu-user-static-hppa-8.2.8-1.fc40.x86_64.rpm +588471c327509035b27d30949513feaa4ada0d1e1a32ee7f7abff598b8aa2821 qemu-user-static-loongarch64-8.2.8-1.fc40.x86_64.rpm +59b567426e86b0e09a21a5030e6e6dd94cea8cf241c61fade47bc18f5faa1eaf qemu-user-static-m68k-8.2.8-1.fc40.x86_64.rpm +59f1087535ef91ad95e76107fe4239d59542832b8e22c6e43ba9f3fe47d138d1 qemu-user-static-microblaze-8.2.8-1.fc40.x86_64.rpm +03a8264b957d3f37f976f1196dbd97f8adbe891f958090475a615cf871107ac9 qemu-user-static-mips-8.2.8-1.fc40.x86_64.rpm +52d96f0f549e0a0f8928cb3e4d774b3827a8008658eafbea38729f9da3f07f4f qemu-user-static-nios2-8.2.8-1.fc40.x86_64.rpm +7bf21f0df8c3f33b7b2c07692cb29d438549b3d508cd826f6d188e720796a656 qemu-user-static-or1k-8.2.8-1.fc40.x86_64.rpm +33c4b842c85431f142152208047f16c6146f9c4e2eff9888ab0b03133e2051cb qemu-user-static-ppc-8.2.8-1.fc40.x86_64.rpm +3825550e5282568d8faa59cae6d0952460b1c3092ed2b840adb0b4b21e32ae9f qemu-user-static-riscv-8.2.8-1.fc40.x86_64.rpm +b7eab37c189f8cbd42319a5400d81bc90ddb2af8e7d3872e2022918df52f59ae qemu-user-static-s390x-8.2.8-1.fc40.x86_64.rpm +be6e3bca2adc321a1c5c8cb82a05e78a49efc682e83fc564ddb8f8153ed35a48 qemu-user-static-sh4-8.2.8-1.fc40.x86_64.rpm +b46f72d356969cb61dc4f896bf8994bb1c757ec07de34df2929a541c5a46f421 qemu-user-static-sparc-8.2.8-1.fc40.x86_64.rpm +df2448a3cb41a5942f634ae04a8ff830f5250f5ed88a406d48d872bd10a8e0f1 qemu-user-static-x86-8.2.8-1.fc40.x86_64.rpm +c24272c85d0708d2828f763c8e699c1ea8585cbb19398938552267737c33b9ed qemu-user-static-xtensa-8.2.8-1.fc40.x86_64.rpm 
8d50fba416f81e4091b144748fff22665ee88699fdc4a372b905d999d05fd3e8 qrencode-libs-4.1.1-7.fc40.i686.rpm 93781052576cc40a2c203bbc1bf865189a11b2c82436e614da9811baedc082fc qrencode-libs-4.1.1-7.fc40.x86_64.rpm 3527582fddcb54892228658b3929ffbb89766941a9794e726216e0800ac05721 readline-8.2-8.fc40.i686.rpm 
@@ -309,52 +307,52 @@ dacd59edbe4744fd9f6823d672e01eff89f871e88537554f16c0a275a17d04e9 readline-8.2-8 c48c149f4aebfe44d649eea6f7a8eaa229dc8db71ff70b66c7403aa9bd072820 rpm-libs-4.19.1.1-1.fc40.x86_64.rpm 7bebda41ea91faf8cf8911a403c051eb59d444e60f8091d14d10987b713f39ff rpm-plugin-audit-4.19.1.1-1.fc40.x86_64.rpm d400a4e4440bea56566fb1e9582d86d1ac2e07745d37fa6e71f43a8fea05217c rpm-plugin-selinux-4.19.1.1-1.fc40.x86_64.rpm -ce3b3148bb617e132c2ae9a28cc9f1990f806bc45722489f4c09f4d90821b6cd rpm-sequoia-1.7.0-5.fc40.x86_64.rpm -216aedc28a4144469041eade68f57149e2a7ab91c5f4f46eba18b6fc6effcb73 runc-1.3.0-1.fc40.x86_64.rpm +9015e31297a54b708071d347b7877d885a2a97c3b18a89fa31f1481b6406eb06 rpm-sequoia-1.7.0-1.fc40.x86_64.rpm +d87be787717e442016af16c2e58d10f6cadf533cfb2a6e817e7cecf7bedfc1d8 runc-1.2.2-1.fc40.x86_64.rpm 5dbd069183076ed8048c839c31f713c0f6080fb9ebfdda92ac550030688e811b sbsigntools-0.9.5-6.fc40.x86_64.rpm 6a21b2c132a54fd6d9acb846d0a96289ab739b745cdc4c2b31bdbf6b2434a1a7 sed-4.9-1.fc40.x86_64.rpm -4ea87bc61621f2465a6db2bf14144acd37230132fc84a2d3af485067646e37e1 selinux-policy-40.30-1.fc40.noarch.rpm -428f1d37fc81965af5962d65b7232b6425db2ff3b3778475756e690acb04a51d selinux-policy-targeted-40.30-1.fc40.noarch.rpm +b4e188db51c7ec2d5f0cba79783eb2df7c14a92c2c6e55a9eb490d28d17d123d selinux-policy-40.29-2.fc40.noarch.rpm +05fb13cf2c4d20425e8aa8d2035a8e10e33ca1a28db2ce209db44d755d380eaf selinux-policy-targeted-40.29-2.fc40.noarch.rpm 89862f646cd64e81497f01a8b69ab30ac8968c47afef92a2c333608fdb90ccc1 setup-2.14.5-2.fc40.noarch.rpm cfde0d25ecac7e689ee083b330b78df51d346c2b7557c83a189d5df95c4e2c8d shadow-utils-4.15.1-4.fc40.x86_64.rpm 6e9b6b6196f1782419e447ac806c762d002c6930fe39b18999d9b32c24a0ecfc shadow-utils-subid-4.15.1-4.fc40.x86_64.rpm 67eede27af5b4773eb2f7ac794df694be030310d40bce462864c05b8f65c87c3 socat-1.8.0.0-2.fc40.x86_64.rpm -9fe46c08d942a5eaa66d997368f372557a81383fe9831ddeb801bccdde64f28b sqlite-libs-3.45.1-3.fc40.x86_64.rpm 
-08c40fb895e75add08d2c239d7bd24a0633ffaafed430f7ad5b464d1eea2a8b6 systemd-255.18-1.fc40.i686.rpm -51cd1eaa48613b981940d81ae76ea610c28265104e289a434a845ebf9e8f85a4 systemd-255.18-1.fc40.x86_64.rpm -d3c0e2fcfce8b412667f58d63f927076b01f51e0f36f5a7d4b4038efbebc95a0 systemd-boot-unsigned-255.18-1.fc40.x86_64.rpm -1fa7a7e4fcfa4f78c9bb0b5f95e100d3c9f36841368189339449612e7edb2a3c systemd-libs-255.18-1.fc40.i686.rpm -aceabc4c1848f8154afba961b3dfac1c95ec6c72cdf9238ceca384b699af3cef systemd-libs-255.18-1.fc40.x86_64.rpm -c8f5b5c50202965f86dc9139de3082a972e2a0222a1a426ce76a30d47cba5f32 systemd-networkd-255.18-1.fc40.x86_64.rpm -746e0db539b7c9a8bba425957304ca311878b198a2f6d63e60c42c266688c1dc systemd-pam-255.18-1.fc40.i686.rpm -71e42c637702d75b5a66058cb087c4ef7d0475da635ccfd0f40f71372d0e7de7 systemd-pam-255.18-1.fc40.x86_64.rpm -07082ff756a9db4851f996eb03e75f2d499a26bd42211a984788af5a1eeed300 systemd-resolved-255.18-1.fc40.x86_64.rpm -5dc7bdcbb590edf79d8ae90bf99a94d535b055816864ffdb2546acafc97d2736 systemd-udev-255.18-1.fc40.x86_64.rpm +a1e23ae521e93ab19d3df77889a6a418c3432025e4880cfd893e40f7165876a7 sqlite-libs-3.45.1-2.fc40.x86_64.rpm +cf80eb17778b4be0c8d31d2ed6478aaf1135da4e283c034573b4e79c3c5c350f systemd-255.14-1.fc40.i686.rpm +bb602e98503df8b961e7ae391805eed444baf44162b8408f6b86b9447e936e3c systemd-255.14-1.fc40.x86_64.rpm +5e5055ac6c18707f58c07dc25033dfc16a3bc0dfb50820165d169a93a6d89e15 systemd-boot-unsigned-255.14-1.fc40.x86_64.rpm +c5e5f2e6789aeb6945e56a31c010e62242dda7a0e8394ac8b4c20c8e5cbdba9f systemd-libs-255.14-1.fc40.i686.rpm +38aca012b5b875240bda5b67e60d698cdd826c4afa0e2fc584452d2c2b68a951 systemd-libs-255.14-1.fc40.x86_64.rpm +191f7622473d6899998c024c7630ff55daa3a04b0b12a0ce82204d8279095fce systemd-networkd-255.14-1.fc40.x86_64.rpm +c651dfc9bc27fc10814bb8d6f06f08df67641fe9a979e10635f968f3e7c07b5d systemd-pam-255.14-1.fc40.i686.rpm +225af60cab0699bac889f02b26e4be38b080266e79f7c9ac89ce4dc93a8545d2 systemd-pam-255.14-1.fc40.x86_64.rpm 
+59c9c90d52653cab601677b6e867bc73804a5121bd22dc5b8a0c350f23a097e5 systemd-resolved-255.14-1.fc40.x86_64.rpm +62f74c06c1a2fb04dcfa6722b5b91e4eeb31f12da5e529eedaeae881a77c8ce2 systemd-udev-255.14-1.fc40.x86_64.rpm 65819c502727dc293a71a74b9a5f6b0ba781f12a99c5d5535085f168e5eac56e tar-1.35-3.fc40.x86_64.rpm 0478e12152cc3432a31dfca5ddbc80966800af437c6d7c0b26be307d5e1272e7 tpm2-tools-5.7-1.fc40.x86_64.rpm c3be8a6d0ea23b1d0bf466b19857b97f7ffde811ad7adec0599161059d84cc74 tpm2-tss-4.1.3-1.fc40.x86_64.rpm 5df98756883badf7743cdd75f5689b62606bff0b74494b20241cb9d78335c251 tpm2-tss-fapi-4.1.3-1.fc40.x86_64.rpm -d35ca6852dfea66d10046dd8b38a77e89443ce2006bc31782abfead826dba029 tzdata-2025b-1.fc40.noarch.rpm -e1d443f7dcaec55eedc34bb66dd798ba9901dba69a169cff46f6c45671a3b3fa unbound-anchor-1.21.1-11.fc40.x86_64.rpm -8eb278cecd9f28fa4131dc402a31c74c427626aae53b2231bb452e745a9e9346 unbound-libs-1.21.1-11.fc40.x86_64.rpm +0bd358e7dfb2bd730b62c7375c8d8f8d9e2470f085ca8dc4ec626dc0332d5687 tzdata-2024a-5.fc40.noarch.rpm +9fc3b3f602c81bdb5e1daa4a7f9a254d35481bd1186ac0b01fbb0c3243440ca8 unbound-anchor-1.21.1-3.fc40.x86_64.rpm +1432f6a67a9400d10b09b5eee96c6fbf89b8bef99cc7e1abc6d885cf69a61fb2 unbound-libs-1.21.1-3.fc40.x86_64.rpm 36ffa617a0dfe523424a28290241a81cd51f7d82e776e58131f16d092d49797b util-linux-2.40-0.9.rc1.fc40.i686.rpm 945aa536bc30050abc1870cef167cb944cf78d6628923476db43201a0054574b util-linux-2.40.2-1.fc40.x86_64.rpm 7ec1b5df780c5a30f8e901179480125a6ea87f1f7bad3b69da7f4b351b88c3dd util-linux-core-2.40-0.9.rc1.fc40.x86_64.rpm b1aa4e816c01c08c18924865640f214f717cdfc66837e53a24b8edfb80a86f9d util-linux-core-2.40.2-1.fc40.x86_64.rpm -673532a506dff0ca46cd4bb5fbf772d2039e4c11e648eafa221f207139ebb798 vim-common-9.1.1275-1.fc40.x86_64.rpm -d32e2c404e54d75fb7c7c4cd3dece12123418f1798a964047fe5ca70221db002 vim-data-9.1.1275-1.fc40.noarch.rpm -968283f6290df2cbf2dd699411b1cca450769b30f28b8b8a9a9f4a4916d5ae4f vim-enhanced-9.1.1275-1.fc40.x86_64.rpm 
-80194d554770c211bd7c3fa368b3fbb94f7021504d4c87ddae4544a6eb183342 vim-filesystem-9.1.1275-1.fc40.noarch.rpm -69fd53fe41a8811e904b5429b1934a413d88978ec54d5c9e64370be32cbfc2ef wget2-2.2.0-2.fc40.x86_64.rpm -a00cc0a87c60ffbf5495a9796ac7074e6a47e0bebbb8c137d902014cd7ff5a30 wget2-libs-2.2.0-2.fc40.x86_64.rpm -09822d8d386dc81619639415a211b34592b0c5d43f7be288691cc4d933a0542c wget2-wget-2.2.0-2.fc40.x86_64.rpm +50879411e244c6531e09376ef87c9f081d1988a88e462404a24835d515211a9a vim-common-9.1.866-1.fc40.x86_64.rpm +3f39232a1cd7fffbdfbb1cd0b64f5107f33c83f3ed335180655f30763c292988 vim-data-9.1.866-1.fc40.noarch.rpm +c99d7857daa246ccd36db2ddedd6a723097d9e3d090464d6fcd3476f572ffee7 vim-enhanced-9.1.866-1.fc40.x86_64.rpm +ec8ea126510e9ba2950bd1f72d78dee97dbbc440d15bf1e5542a9029443d53d6 vim-filesystem-9.1.866-1.fc40.noarch.rpm +c5682a1b02bb02578e9997ae221a7f6c6db711084129824e207fe1febdc55b9d wget2-2.1.0-11.fc40.x86_64.rpm +38aaee4829df7e1a4719991c4fc6d65a1265b6a556b182ecac3145c287c320f4 wget2-libs-2.1.0-11.fc40.x86_64.rpm +a12b44ee7cc5a0e916bcf72e80c4d618abb7406254578e947f3ba9dd0d445d25 wget2-wget-2.1.0-11.fc40.x86_64.rpm cf0306ceed1c6b3be39060d85f16b1953b464d3a625488b170d3b7aadf600645 which-2.21-41.fc40.x86_64.rpm 4ede95a2fa3bc0ae617c8bf3a375b800163d58733b4829b15d9f038505d79fee whois-nls-5.5.20-3.fc40.noarch.rpm e2195010e857f56b19246f8b821f9391922880b7691b3728a413f540edc890a6 xkeyboard-config-2.41-1.fc40.noarch.rpm -69b64249d3c26a5efbd0ffa5802aa08033822c2d4378a4f44261618de6d38e4d xxd-9.1.1275-1.fc40.x86_64.rpm -9a0f6eb8d2784d7e3ee062c5deb3b9af41e7e6c6d115b6da8420bde453e41744 xz-5.8.1-2.fc40.x86_64.rpm -c6d64a788bfbbedc6eeab2347274864cade272c4ad69d77cb30d8b602e25e7f0 xz-libs-5.8.1-2.fc40.i686.rpm -cbad4c25b1acbf152273c2fae29e42ddffa03414938a7c755b5afa5f2ba45a26 xz-libs-5.8.1-2.fc40.x86_64.rpm +627c89d516a12ab0686eabecfab5f8e952f431a1aedc445aa43a2721c3740f8b xxd-9.1.866-1.fc40.x86_64.rpm +ee599a1c4d7ee635e54ec137af4dded83f433b9c8a5976f75ecdcd000b5246e3 xz-5.4.6-3.fc40.x86_64.rpm 
+b92ef78d8ab424c22130e457d0ef691d8197bff61c3b8852205d1b02baba3819 xz-libs-5.4.6-3.fc40.i686.rpm +b6ee44b3d7e494b0364f26b7d0b169a8092180af787423cd5e8a47dc0f738a66 xz-libs-5.4.6-3.fc40.x86_64.rpm 9e263e0a9b656178519de20733f3e0950fef494aa056daaa2004b522ba50b952 yajl-2.1.0-23.fc40.x86_64.rpm ffab1c8720480b498f65d0d480825ccd890e4f797c3850712879eb04a4739690 zlib-ng-compat-2.1.7-2.fc40.i686.rpm e50b69054de16d757f5667e3acf2e7439302c91a9c418243467f288dfb79f6ea zlib-ng-compat-2.1.7-2.fc40.x86_64.rpm diff --git a/image/mirror/packages.txt b/image/mirror/packages.txt index 9d6240a2e..fd79a427a 100644 --- a/image/mirror/packages.txt +++ b/image/mirror/packages.txt @@ -19,7 +19,6 @@ mokutil nano nano-default-editor nvme-cli -openssh-server passt-selinux passwd podman diff --git a/image/sysroot-tree/etc/ssh/sshd_config b/image/sysroot-tree/etc/ssh/sshd_config deleted file mode 100644 index dec4fd51d..000000000 --- a/image/sysroot-tree/etc/ssh/sshd_config +++ /dev/null @@ -1,4 +0,0 @@ -HostKey /run/ssh/ssh_host_ecdsa_key -TrustedUserCAKeys /run/ssh/ssh_ca.pub -PasswordAuthentication no -ChallengeResponseAuthentication no diff --git a/internal/api/attestationconfigapi/fetcher_test.go b/internal/api/attestationconfigapi/fetcher_test.go index 21802aea6..b3d737f54 100644 --- a/internal/api/attestationconfigapi/fetcher_test.go +++ b/internal/api/attestationconfigapi/fetcher_test.go @@ -7,6 +7,7 @@ package attestationconfigapi import ( "bytes" + "context" "encoding/json" "errors" "fmt" @@ -102,7 +103,7 @@ func TestFetchLatestSEVSNPVersion(t *testing.T) { }, } fetcher := newFetcherWithClientAndVerifier(client, stubVerifier{}, constants.CDNRepositoryURL) - res, err := fetcher.FetchLatestVersion(t.Context(), tc.attestation) + res, err := fetcher.FetchLatestVersion(context.Background(), tc.attestation) assert := assert.New(t) if tc.wantErr { assert.Error(err) diff --git a/internal/api/versionsapi/cli/add.go b/internal/api/versionsapi/cli/add.go index c28505c79..f1a6fc4fd 100644 
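Review bot: Replacing `t.Context()` with `context.Background()` in TestFetchLatestSEVSNPVersion drops the cancellation the test framework performs when the (sub)test ends, so a request that outlives a failing subtest is no longer cancelled; the same swap appears in the versionsapi fetcher_test.go, atls_test.go, the aws nitrotpm and snp, azure snp, tdx and trustedlaunch, gcp es and fetchmeasurements test hunks below. If the motivation is building with a Go toolchain that predates `testing.T.Context`, the closest equivalent is `ctx, cancel := context.WithCancel(context.Background())` followed by `t.Cleanup(cancel)` at the top of the subtest, which keeps the cleanup semantics. This matters most for the atls concurrency tests, which fire many requests at httptest servers. The enclosing test functions start outside the hunks.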
--- a/internal/api/versionsapi/cli/add.go +++ b/internal/api/versionsapi/cli/add.go @@ -16,6 +16,7 @@ import ( "github.com/edgelesssys/constellation/v2/internal/api/versionsapi" "github.com/edgelesssys/constellation/v2/internal/logger" "github.com/spf13/cobra" + "golang.org/x/mod/semver" ) func newAddCmd() *cobra.Command { @@ -52,8 +53,19 @@ func runAdd(cmd *cobra.Command, _ []string) (retErr error) { return err } log := logger.NewTextLogger(flags.logLevel) - log.Debug("Using flags", "dryRun", flags.dryRun, "kind", flags.version.Kind(), "latest", flags.latest, "ref", flags.version.Ref(), - "stream", flags.version.Stream(), "version", flags.version.Version()) + log.Debug("Using flags", "dryRun", flags.dryRun, "kind", flags.kind, "latest", flags.latest, "ref", flags.ref, + "release", flags.release, "stream", flags.stream, "version", flags.version) + + log.Debug("Validating flags") + if err := flags.validate(log); err != nil { + return err + } + + log.Debug("Creating version struct") + ver, err := versionsapi.NewVersion(flags.ref, flags.stream, flags.version, flags.kind) + if err != nil { + return fmt.Errorf("creating version: %w", err) + } log.Debug("Creating versions API client") client, clientClose, err := versionsapi.NewClient(cmd.Context(), flags.region, flags.bucket, flags.distributionID, flags.dryRun, log) 
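Review bot: The "Using flags" debug line in runAdd is emitted before `flags.validate(log)`, and validate rewrites `f.ref` and `f.latest` (see the addFlags hunk further down), so the logged ref and latest values can differ from the ones `versionsapi.NewVersion(flags.ref, flags.stream, flags.version, flags.kind)` and the later ensureVersion/updateLatest calls actually use. Either move the log after validation or log the final values there; alternatively keep validate side-effect free and apply the release/latest defaults in parseAddFlags, where the removed code did it. runAdd's body continues outside this hunk.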
@@ -68,27 +80,27 @@ func runAdd(cmd *cobra.Command, _ []string) (retErr error) { }() log.Info("Adding version") - if err := ensureVersion(cmd.Context(), client, flags.version, versionsapi.GranularityMajor, log); err != nil { + if err := ensureVersion(cmd.Context(), client, flags.kind, ver, versionsapi.GranularityMajor, log); err != nil { return err } - if err := ensureVersion(cmd.Context(), client, flags.version, versionsapi.GranularityMinor, log); err != nil { + if err := ensureVersion(cmd.Context(), client, flags.kind, ver, versionsapi.GranularityMinor, log); err != nil { return err } if flags.latest { - if err := updateLatest(cmd.Context(), client, flags.version, log); err != nil { + if err := updateLatest(cmd.Context(), client, flags.kind, ver, log); err != nil { return fmt.Errorf("setting latest version: %w", err) } } - log.Info(fmt.Sprintf("List major->minor URL: %s", flags.version.ListURL(versionsapi.GranularityMajor))) - log.Info(fmt.Sprintf("List minor->patch URL: %s", flags.version.ListURL(versionsapi.GranularityMinor))) + log.Info(fmt.Sprintf("List major->minor URL: %s", ver.ListURL(versionsapi.GranularityMajor))) + log.Info(fmt.Sprintf("List minor->patch URL: %s", ver.ListURL(versionsapi.GranularityMinor))) return nil } -func ensureVersion(ctx context.Context, client *versionsapi.Client, ver versionsapi.Version, gran versionsapi.Granularity, +func ensureVersion(ctx context.Context, client *versionsapi.Client, kind versionsapi.VersionKind, ver versionsapi.Version, gran versionsapi.Granularity, log *slog.Logger, ) error { verListReq := versionsapi.List{ @@ -96,7 +108,7 @@ func ensureVersion(ctx context.Context, client *versionsapi.Client, ver versions Stream: ver.Stream(), Granularity: gran, Base: ver.WithGranularity(gran), - Kind: ver.Kind(), + Kind: kind, } verList, err := client.FetchVersionList(ctx, verListReq) var notFoundErr *apiclient.NotFoundError 
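Review bot: ensureVersion now takes a separate `kind` next to `ver` (likewise updateLatest and the `Kind: kind` fields in the @@ -96, @@ -128 and @@ -152 hunks), although `ver` is built in the @@ -52 hunk by NewVersion with that same kind and version.go's NewVersion still stores it in the struct. Two parameters carrying the same value can drift apart at a call site without any compile-time complaint; if Version still exposes Kind() the extra parameter can be dropped, otherwise a one-line comment such as `// kind is passed separately because Version does not expose it` would explain the duplication. ensureVersion's body continues outside the hunk.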
@@ -128,11 +140,11 @@ func ensureVersion(ctx context.Context, client *versionsapi.Client, ver versions return nil } -func updateLatest(ctx context.Context, client *versionsapi.Client, ver versionsapi.Version, log *slog.Logger) error { +func updateLatest(ctx context.Context, client *versionsapi.Client, kind versionsapi.VersionKind, ver versionsapi.Version, log *slog.Logger) error { latest := versionsapi.Latest{ Ref: ver.Ref(), Stream: ver.Stream(), - Kind: ver.Kind(), + Kind: kind, } latest, err := client.FetchVersionLatest(ctx, latest) var notFoundErr *apiclient.NotFoundError @@ -152,7 +164,7 @@ func updateLatest(ctx context.Context, client *versionsapi.Client, ver versionsa Ref: ver.Ref(), Stream: ver.Stream(), Version: ver.Version(), - Kind: ver.Kind(), + Kind: kind, } if err := client.UpdateVersionLatest(ctx, latest); err != nil { return fmt.Errorf("updating latest version: %w", err) 
@@ -162,20 +174,60 @@ func updateLatest(ctx context.Context, client *versionsapi.Client, ver versionsa } type addFlags struct { - version versionsapi.Version + version string + stream string + ref string + release bool latest bool dryRun bool region string bucket string distributionID string + kind versionsapi.VersionKind logLevel slog.Level } +func (f *addFlags) validate(log *slog.Logger) error { + if !semver.IsValid(f.version) { + return fmt.Errorf("version %q is not a valid semantic version", f.version) + } + if semver.Canonical(f.version) != f.version { + return fmt.Errorf("version %q is not a canonical semantic version", f.version) + } + + if f.ref == "" && !f.release { + return fmt.Errorf("either --ref or --release must be set") + } + + if f.kind == versionsapi.VersionKindUnknown { + return fmt.Errorf("unknown version kind %q", f.kind) + } + + if f.release { + log.Debug(fmt.Sprintf("Setting ref to %q, as release flag is set", versionsapi.ReleaseRef)) + f.ref = versionsapi.ReleaseRef + } else { + log.Debug("Setting latest to true, as release flag is not set") + f.latest = true // always set latest for non-release versions + } + + if err := versionsapi.ValidateRef(f.ref); err != nil { + return fmt.Errorf("invalid ref %w", err) + } + + if err := versionsapi.ValidateStream(f.ref, f.stream); err != nil { + return fmt.Errorf("invalid stream %w", err) + } + + return nil +} + func parseAddFlags(cmd *cobra.Command) (addFlags, error) { ref, err := cmd.Flags().GetString("ref") if err != nil { return addFlags{}, err } + ref = versionsapi.CanonicalizeRef(ref) stream, err := cmd.Flags().GetString("stream") if err != nil { return addFlags{}, err 
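Review bot: `addFlags.validate` is not a pure check: it overwrites `f.ref` with `versionsapi.ReleaseRef` whenever `--release` is set, silently discarding a `--ref` the user also passed, and forces `f.latest = true` for every non-release version regardless of the `--latest` flag. Rejecting the conflicting combination explicitly before the override, `if f.release && f.ref != "" { return fmt.Errorf("--ref and --release are mutually exclusive") }`, makes the behaviour visible, and the two wrapped errors read better with a separator: `fmt.Errorf("invalid ref: %w", err)` and `fmt.Errorf("invalid stream: %w", err)`. The `f.ref == "" && !f.release` check also runs on the already canonicalized ref, and CanonicalizeRef returns "" for a ref that canonicalizes to the release ref, so such input is reported as "either --ref or --release must be set"; a dedicated message for that case would be less confusing.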
@@ -222,24 +274,17 @@ func parseAddFlags(cmd *cobra.Command) (addFlags, error) { return addFlags{}, err } - if release { - ref = versionsapi.ReleaseRef - } else { - latest = true // always set latest for non-release versions - } - - ver, err := versionsapi.NewVersion(ref, stream, version, kind) - if err != nil { - return addFlags{}, fmt.Errorf("creating version: %w", err) - } - return addFlags{ - version: ver, + version: version, + stream: stream, + ref: versionsapi.CanonicalizeRef(ref), + release: release, latest: latest, dryRun: dryRun, region: region, bucket: bucket, distributionID: distributionID, logLevel: logLevel, + kind: kind, }, nil } diff --git a/internal/api/versionsapi/fetcher_test.go b/internal/api/versionsapi/fetcher_test.go index bf200795d..ff00ebdb6 100644 --- a/internal/api/versionsapi/fetcher_test.go +++ b/internal/api/versionsapi/fetcher_test.go @@ -8,6 +8,7 @@ package versionsapi import ( "bytes" + "context" "encoding/json" "io" "net/http" @@ -191,7 +192,7 @@ func TestFetchVersionList(t *testing.T) { fetcher := Fetcher{client, constants.CDNRepositoryURL} - list, err := fetcher.FetchVersionList(t.Context(), tc.list) + list, err := fetcher.FetchVersionList(context.Background(), tc.list) if tc.wantErr { assert.Error(err) diff --git a/internal/api/versionsapi/version.go b/internal/api/versionsapi/version.go index 180c27e5f..12d1e8100 100644 --- a/internal/api/versionsapi/version.go +++ b/internal/api/versionsapi/version.go @@ -41,7 +41,7 @@ type Version struct { // NewVersion creates a new Version object and validates it. func NewVersion(ref, stream, version string, kind VersionKind) (Version, error) { ver := Version{ - ref: CanonicalizeRef(ref), + ref: ref, stream: stream, version: version, kind: kind, @@ -62,7 +62,7 @@ func NewVersionFromShortPath(shortPath string, kind VersionKind) (Version, error } ver := Version{ - ref: ref, // Canonicalized by parseShortPath. + ref: ref, stream: stream, version: version, kind: kind, 
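Review bot: `ref: versionsapi.CanonicalizeRef(ref)` in the returned addFlags literal re-canonicalizes a value that the preceding hunk already replaced with `ref = versionsapi.CanonicalizeRef(ref)` right after `GetString("ref")`. The second call is harmless only because the regexp replacement is idempotent and "" maps to ""; keeping just one of the two, e.g. `ref: ref,` here, spares a reader from wondering whether they differ. parseAddFlags starts outside this hunk.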
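Review bot: NewVersion now stores `ref` as given instead of `CanonicalizeRef(ref)`, but its comment still only says it "creates a new Version object and validates it", leaving the new caller obligation undocumented. Suggest `// NewVersion creates a new Version object and validates it. ref must already be canonical (see CanonicalizeRef); it is stored unchanged.` Since TestNewVersion, including its "non-canonical ref as input" case, is deleted in this commit, no test pins what a non-canonical ref does here any more; whether ValidateRef rejects it is decided outside the hunk.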
@@ -331,7 +331,7 @@ func CanonicalizeRef(ref string) string { canRef := notAZ09Regexp.ReplaceAllString(ref, "-") if canRef == ReleaseRef { - return "" // No ref should be canonicalized to the release ref. + return "" // No ref should be cannonicalized to the release ref. } return canRef @@ -401,7 +401,7 @@ func MeasurementURL(version Version) (measurementURL, signatureURL *url.URL, err } var ( - shortPathRegex = regexp.MustCompile(`^ref/([^/]+)/stream/([a-zA-Z0-9-]+)/([a-zA-Z0-9.-]+)$`) + shortPathRegex = regexp.MustCompile(`^ref/([a-zA-Z0-9-]+)/stream/([a-zA-Z0-9-]+)/([a-zA-Z0-9.-]+)$`) shortPathReleaseRegex = regexp.MustCompile(`^stream/([a-zA-Z0-9-]+)/([a-zA-Z0-9.-]+)$`) ) @@ -422,7 +422,6 @@ func parseShortPath(shortPath string) (ref, stream, version string, err error) { if shortPathRegex.MatchString(shortPath) { matches := shortPathRegex.FindStringSubmatch(shortPath) ref := matches[1] - ref = CanonicalizeRef(ref) if err := ValidateRef(ref); err != nil { return "", "", "", err } diff --git a/internal/api/versionsapi/version_test.go b/internal/api/versionsapi/version_test.go index 66e48d2b9..25f0f8ce0 100644 --- a/internal/api/versionsapi/version_test.go +++ b/internal/api/versionsapi/version_test.go 
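Review bot: The new comment on the CanonicalizeRef return line introduces a misspelling, "cannonicalized" for "canonicalized"; the line should read `return "" // No ref should be canonicalized to the release ref.`. The code in this hunk is unchanged and CanonicalizeRef's body continues outside it.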
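Review bot: With `shortPathRegex` tightened to `[a-zA-Z0-9-]+` and the `CanonicalizeRef` call removed from parseShortPath, a short path such as `ref/testing-1.23/stream/debug/v9.9.9` is no longer normalized to `testing-1-23` but falls through the regexp match, and the matching "non-canonical ref as input" case is deleted from TestNewVersionFromShortPath, so nothing now asserts what the caller gets back. A comment on NewVersionFromShortPath such as `// The ref segment must already be canonical; non-canonical refs are rejected rather than normalized.` would record the new contract, and a test case expecting an error would keep it from regressing silently. What parseShortPath returns when neither regexp matches lies outside the hunk.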
@@ -16,111 +16,6 @@ import ( "github.com/edgelesssys/constellation/v2/internal/constants" ) -func TestNewVersion(t *testing.T) { - testCases := map[string]struct { - ref string - stream string - version string - kind VersionKind - wantVer Version - wantErr bool - }{ - "stable release image": { - ref: ReleaseRef, - stream: "stable", - version: "v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: ReleaseRef, - stream: "stable", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, - "release debug image": { - ref: ReleaseRef, - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: ReleaseRef, - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, - "stable release cli": { - ref: ReleaseRef, - stream: "stable", - version: "v9.9.9", - kind: VersionKindCLI, - wantVer: Version{ - ref: ReleaseRef, - stream: "stable", - version: "v9.9.9", - kind: VersionKindCLI, - }, - }, - "release debug cli": { - ref: ReleaseRef, - stream: "debug", - version: "v9.9.9", - kind: VersionKindCLI, - wantVer: Version{ - ref: ReleaseRef, - stream: "debug", - version: "v9.9.9", - kind: VersionKindCLI, - }, - }, - "unknown kind": { - ref: ReleaseRef, - stream: "debug", - version: "v9.9.9", - kind: VersionKindUnknown, - wantErr: true, - }, - "non-release ref as input": { - ref: "working-branch", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: "working-branch", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, - "non-canonical ref as input": { - ref: "testing-1.23", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: "testing-1-23", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, - } - - for name, tc := range testCases { - t.Run(name, func(t *testing.T) { - assert := assert.New(t) - - ver, err := NewVersion(tc.ref, tc.stream, tc.version, tc.kind) - if tc.wantErr { - assert.Error(err) - 
return - } - assert.NoError(err) - assert.Equal(tc.wantVer, ver) - }) - } -} - func TestNewVersionFromShortPath(t *testing.T) { testCases := map[string]struct { path string @@ -183,26 +78,6 @@ func TestNewVersionFromShortPath(t *testing.T) { kind: VersionKindCLI, wantErr: true, }, - "non-release ref as input": { - path: "ref/working-branch/stream/debug/v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: "working-branch", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, - "non-canonical ref as input": { - path: "ref/testing-1.23/stream/debug/v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: "testing-1-23", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, } for name, tc := range testCases { diff --git a/internal/atls/atls_test.go b/internal/atls/atls_test.go index a28a8d714..db315b3a1 100644 --- a/internal/atls/atls_test.go +++ b/internal/atls/atls_test.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package atls import ( + "context" "encoding/asn1" "errors" "io" @@ -161,7 +162,7 @@ func TestTLSConfig(t *testing.T) { server.StartTLS() defer server.Close() - req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, server.URL, http.NoBody) + req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, server.URL, http.NoBody) require.NoError(err) resp, err := client.Do(req) if tc.wantErr { @@ -220,7 +221,7 @@ func TestClientConnectionConcurrency(t *testing.T) { var reqs []*http.Request for _, url := range urls { - req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, url, http.NoBody) + req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody) require.NoError(err) reqs = append(reqs, req) } 
@@ -294,7 +295,7 @@ func TestServerConnectionConcurrency(t *testing.T) { var reqs []*http.Request for _, url := range urls { - req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, url, http.NoBody) + req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody) require.NoError(err) reqs = append(reqs, req) } diff --git a/internal/attestation/aws/nitrotpm/issuer_test.go b/internal/attestation/aws/nitrotpm/issuer_test.go index 0477dd4e5..59b5b7e47 100644 --- a/internal/attestation/aws/nitrotpm/issuer_test.go +++ b/internal/attestation/aws/nitrotpm/issuer_test.go @@ -100,7 +100,7 @@ func TestGetInstanceInfo(t *testing.T) { instanceInfoFunc := getInstanceInfo(&tc.client) assert.NotNil(instanceInfoFunc) - info, err := instanceInfoFunc(t.Context(), tpm, nil) + info, err := instanceInfoFunc(context.Background(), tpm, nil) if tc.wantErr { assert.Error(err) assert.Nil(info) diff --git a/internal/attestation/aws/nitrotpm/validator_test.go b/internal/attestation/aws/nitrotpm/validator_test.go index e53d14210..0e6d086cd 100644 --- a/internal/attestation/aws/nitrotpm/validator_test.go +++ b/internal/attestation/aws/nitrotpm/validator_test.go @@ -42,7 +42,7 @@ func TestGeTrustedKey(t *testing.T) { t.Run(name, func(t *testing.T) { assert := assert.New(t) out, err := getTrustedKey( - t.Context(), + context.Background(), vtpm.AttestationDocument{ Attestation: &attest.Attestation{ AkPub: tc.akPub, diff --git a/internal/attestation/aws/snp/testdata/report.txt b/internal/attestation/aws/snp/testdata/report.txt index e413ca309..a5ed00a9b 100644 --- a/internal/attestation/aws/snp/testdata/report.txt +++ b/internal/attestation/aws/snp/testdata/report.txt @@ -1 +1 @@ -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 diff --git a/internal/attestation/aws/snp/testdata/testdata.go b/internal/attestation/aws/snp/testdata/testdata.go index a07df982d..61d14f154 100644 --- a/internal/attestation/aws/snp/testdata/testdata.go 
+++ b/internal/attestation/aws/snp/testdata/testdata.go @@ -15,7 +15,7 @@ import _ "embed" var SNPReport string // AKDigest holds the AK digest embedded in SNPReport.REPORT_DATA. -const AKDigest = "87ab7caf510e1b3520dc3cceb64ee44128e10976fb0d3fc5e274699d8aaf506154af4c1de0a026b49fdf861e9ac75551551b3534d1c61369a3b08f5baed0db2f" +const AKDigest = "032635613c8e331fa29e096371910fe6a1f69383dda02c9461400a70b66d87a3da5dd863002522be43afc34f2c233989bd6e401e351d10d7cc800d6f5dfcf019" // VLEK for SNPReport. // diff --git a/internal/attestation/aws/snp/testdata/vlek.pem b/internal/attestation/aws/snp/testdata/vlek.pem index 3f8be0331..96a1db26d 100644 --- a/internal/attestation/aws/snp/testdata/vlek.pem +++ b/internal/attestation/aws/snp/testdata/vlek.pem 
@@ -1,30 +1,30 @@ -----BEGIN CERTIFICATE----- -MIIFIzCCAtegAwIBAgIBADBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAgUA -oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATAwgYAxFDASBgNVBAsM -C0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEgQ2xhcmEx -CzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZpY2VzMRcw -FQYDVQQDDA5TRVYtVkxFSy1NaWxhbjAeFw0yNDEyMTAyMjMwMTZaFw0yNTEyMTAy -MjMwMTZaMHoxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIG -A1UEBwwLU2FudGEgQ2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNl -ZCBNaWNybyBEZXZpY2VzMREwDwYDVQQDDAhTRVYtVkxFSzB2MBAGByqGSM49AgEG -BSuBBAAiA2IABJRw6hwLZt7KX95uPePz/3Gt/z9mm/32f0JpE2twW8w6DQ1xOPnW -YRLJeMSZNpaYW/NRpNf0vfy5IDQt44didvu+37x2aqyaneFiBh5jTxSg/2dCZ+bi -4eZw/p0Us7bubqOB8jCB7zAQBgkrBgEEAZx4AQEEAwIBADAUBgkrBgEEAZx4AQIE -BxYFTWlsYW4wEQYKKwYBBAGceAEDAQQDAgEEMBEGCisGAQQBnHgBAwIEAwIBADAR -BgorBgEEAZx4AQMEBAMCAQAwEQYKKwYBBAGceAEDBQQDAgEAMBEGCisGAQQBnHgB -AwYEAwIBADARBgorBgEEAZx4AQMHBAMCAQAwEQYKKwYBBAGceAEDAwQDAgEYMBIG -CisGAQQBnHgBAwgEBAICANkwLAYJKwYBBAGceAEFBB8WHUNOPWNjLWV1LXdlc3Qt -MS5hbWF6b25hd3MuY29tMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAICBQCh -HDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMAOCAgEAar1tA7vYelxK -uj+r7APOEPcAAoF7RWZs6ixDlXHuFVj2rfxqmxt8nqjedEKBfUGPCEsbAV+Z/bj9 -GqN+q5Bn1yk6RL/VqxTxTVhpa0G33R87UjE+S+42k6ENgddbl4hxws5g83Sn9All -/XjNPHmciWjmix4PJs5tZv+YaJ15BSBkJfrTRo+rX3UDKeqUHNoX+Cx6D7ECF/6k -ToFlHBEBqHKa2EzhNMK2UXm/vm0ATSaNHuDEGBvzbXflPmHZi1RZqQ7q9VMenFDx -JwAgnUrltcuLjKMID7c2yj+Emk/CBEEFoAJRfSoSvMdhqrNaRlbEqEnQ95C/XNPn -Mqtk5Ao/UVV5fRXYSt5oGKTBGhqTwv+Xqyei+/IgpcJyGPFbHVX9UPteP4RnSLiq -uJ3oRIvyEw+u6bkMNBBAjh4C+Jp2BVrLs1aC0h9fjfVEofWTb/NioJRigKTNfbao -sTy6tX8qoUSxtp/bIqK1jg1Y7eIDIMCgqnm0N+hJT7CnkwyCBUkOHmsExzQcthmg -y0J1J7bTA507rY5ZglNSRLCXqAfORVxIBwTaOXrJV2lMLScTUdnhFrVPFUAl7uCj -rKta1iGye+fieoYncdHLIVyIJGsTC+AbhPIAR2Zh847Sxw1SVOobTPc0wUIoKrOU -xR32EkufsNGLb8TiEsgpa2ulbw8xi6U= +MIIFLTCCAtygAwIBAgIBADBGBgkqhkiG9w0BAQowOaAPMA0GCWCGSAFlAwQCAgUA +oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATCjAwIBATCBgDEUMBIG 
+A1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYDVQQHDAtTYW50YSBD +bGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFuY2VkIE1pY3JvIERldmlj +ZXMxFzAVBgNVBAMMDlNFVi1WTEVLLU1pbGFuMB4XDTI0MDUwNTIxNDUyNloXDTI1 +MDUwNTIxNDUyNlowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVT +MRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFk +dmFuY2VkIE1pY3JvIERldmljZXMxETAPBgNVBAMMCFNFVi1WTEVLMHYwEAYHKoZI +zj0CAQYFK4EEACIDYgAEHCsA6v0QwdgijkHV1KnV+1wMqjVaITbdleQV40cnL6ZT +Pq3IsXeFGI9tq2a2EoDksTTqeo5a1ZDq2BiNA2cue0PlZhHkv2MK1cNPMDGAOddc +k7VNaqrRLUo84kn6tRXpo4HyMIHvMBAGCSsGAQQBnHgBAQQDAgEAMBQGCSsGAQQB +nHgBAgQHFgVNaWxhbjARBgorBgEEAZx4AQMBBAMCAQMwEQYKKwYBBAGceAEDAgQD +AgEAMBEGCisGAQQBnHgBAwQEAwIBADARBgorBgEEAZx4AQMFBAMCAQAwEQYKKwYB +BAGceAEDBgQDAgEAMBEGCisGAQQBnHgBAwcEAwIBADARBgorBgEEAZx4AQMDBAMC +ARUwEgYKKwYBBAGceAEDCAQEAgIA0TAsBgkrBgEEAZx4AQUEHxYdQ049Y2MtZXUt +d2VzdC0xLmFtYXpvbmF3cy5jb20wRgYJKoZIhvcNAQEKMDmgDzANBglghkgBZQME +AgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKIDAgEwowMCAQEDggIB +ACeJ78s9Nrdz+WtvsNAecT7+ztE8jpxLZdgacsPtf3xU/JfcQHhVUuy/Lp5rIQ7B +h1HalTrmuY7goRO1kTp/lobXyntWkit0d5nR6iNjzp/uHr8+qEym2WbYX1Jesang +BQX06XxXTmEphrHElTrp8BovYIsPejdY2nNUYV6fhrdTXEh+qLDGQmwjK12FG+hu +4AS+rev2V7H9uE1XKXsM4TTqvI1hT3E2ocN4KjfUBi7yL/BF97kXfdqZH48pPD4y +i7TbZ7S89UikrAv0ZtgGyXY8yR094YVjfbnUvyYTyh4fgV8a8Mxsb4yhPoOOxkUI +8tNBhM4LkTPkR/4+Y2Dg6maglZJ5Hb2WWWNkd0CZchZC80T7HIgHztINMnHULiYi +sNRtKeUAqUNtwy0d2YehX+v9HzueTfKtvxIy2oBfT1LCykvTQTibE3aCvFMkEiw8 +4CunpWfPAoZEzzJUTxLQ6PkdE4MVRTTuuOAVHTrtkIUOB6tlkgMzijqAdwzTDdIj +NGQxTm0Vd2h+zvZl2HnSCi6PMoZml5RwZHiZXKRC90bPn0Vk1XlYW1wMEFHTWQqo +tFH44eWyGIoTwSqcqATR/HklCoUP0wMe2sSsMemJMPwAXWW4fZxmee72OR4p6c+w +TGzR0J5WFdJ0g2Ix+NobBydNaJnQz4H5Y+/gZFUCRrWh -----END CERTIFICATE----- diff --git a/internal/attestation/aws/snp/validator_test.go b/internal/attestation/aws/snp/validator_test.go index 8abc98f44..84804a886 100644 --- a/internal/attestation/aws/snp/validator_test.go +++ b/internal/attestation/aws/snp/validator_test.go 
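Review bot: The replacement VLEK test certificate carries a shorter validity window: decoding the base64 run `XDTI0MDUwNTIxNDUyNloXDTI1MDUwNTIxNDUyNlow` in the new TBS certificate gives notBefore 2024-05-05T21:45:26Z and notAfter 2025-05-05T21:45:26Z, whereas the removed certificate (`Fw0yNDEyMTAyMjMwMTZaFw0yNTEyMTAyMjMwMTZa`) was valid until 2025-12-10T22:30:16Z. Any validator test that builds an x509 chain against wall-clock time will start failing once that notAfter has passed; if the verification path does not already pin `x509.VerifyOptions{CurrentTime: ...}` to a fixed instant, the test should, or the fixture should be regenerated with a longer validity. The AKDigest constant and report.txt change alongside it, so the three fixtures must stay mutually consistent.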
@@ -8,6 +8,7 @@ package snp import ( "bytes" + "context" "crypto" "crypto/x509" "encoding/base64" @@ -66,7 +67,7 @@ func TestGetTrustedKey(t *testing.T) { t.Run(name, func(t *testing.T) { assert := assert.New(t) out, err := validator().getTrustedKey( - t.Context(), + context.Background(), vtpm.AttestationDocument{ Attestation: &attest.Attestation{ AkPub: tc.akPub, diff --git a/internal/attestation/azure/snp/issuer_test.go b/internal/attestation/azure/snp/issuer_test.go index 52147a9c0..224937be2 100644 --- a/internal/attestation/azure/snp/issuer_test.go +++ b/internal/attestation/azure/snp/issuer_test.go @@ -82,7 +82,7 @@ func TestGetSNPAttestation(t *testing.T) { data := []byte("data") - attestationJSON, err := issuer.getInstanceInfo(t.Context(), nil, data) + attestationJSON, err := issuer.getInstanceInfo(context.Background(), nil, data) if tc.wantErr { assert.Error(err) return diff --git a/internal/attestation/azure/snp/validator_test.go b/internal/attestation/azure/snp/validator_test.go index 59510d444..95f9678b5 100644 --- a/internal/attestation/azure/snp/validator_test.go +++ b/internal/attestation/azure/snp/validator_test.go @@ -182,7 +182,7 @@ func TestCheckIDKeyDigest(t *testing.T) { report := reportWithIDKeyDigest(tc.idKeyDigest) validator := newTestValidator(cfg, tc.validateMaaTokenErr) - err := validator.checkIDKeyDigest(t.Context(), report, "", nil) + err := validator.checkIDKeyDigest(context.Background(), report, "", nil) if tc.wantErr { require.Error(err) } else { @@ -650,7 +650,7 @@ func TestTrustedKeyFromSNP(t *testing.T) { attestationValidator: tc.validator, } - key, err := validator.getTrustedKey(t.Context(), attDoc, nil) + key, err := validator.getTrustedKey(context.Background(), attDoc, nil) if tc.wantErr { assert.Error(err) if tc.assertion != nil { diff --git a/internal/attestation/azure/tdx/issuer_test.go b/internal/attestation/azure/tdx/issuer_test.go index ed2eec9f4..e57e63aa0 100644 --- a/internal/attestation/azure/tdx/issuer_test.go 
+++ b/internal/attestation/azure/tdx/issuer_test.go @@ -8,6 +8,7 @@ package tdx import ( "bytes" + "context" "encoding/binary" "encoding/json" "io" @@ -134,7 +135,7 @@ func TestIMDSGetQuote(t *testing.T) { client: tc.client, } - _, err := quoteGetter.getQuote(t.Context(), []byte("test")) + _, err := quoteGetter.getQuote(context.Background(), []byte("test")) if tc.wantErr { assert.Error(err) } else { diff --git a/internal/attestation/azure/trustedlaunch/trustedlaunch_test.go b/internal/attestation/azure/trustedlaunch/trustedlaunch_test.go index af50566b7..a3bef9ed9 100644 --- a/internal/attestation/azure/trustedlaunch/trustedlaunch_test.go +++ b/internal/attestation/azure/trustedlaunch/trustedlaunch_test.go @@ -8,6 +8,7 @@ package trustedlaunch import ( "bytes" + "context" "crypto/rand" "crypto/rsa" "crypto/x509" @@ -191,7 +192,7 @@ func TestGetAttestationCert(t *testing.T) { issuer := NewIssuer(logger.NewTest(t)) issuer.hClient = newTestClient(tc.crlServer) - certs, err := issuer.getAttestationCert(t.Context(), tpm, nil) + certs, err := issuer.getAttestationCert(context.Background(), tpm, nil) if tc.wantIssueErr { assert.Error(err) return @@ -212,7 +213,7 @@ func TestGetAttestationCert(t *testing.T) { roots.AddCert(cert) validator.roots = roots - key, err := validator.verifyAttestationKey(t.Context(), attDoc, nil) + key, err := validator.verifyAttestationKey(context.Background(), attDoc, nil) if tc.wantValidateErr { assert.Error(err) return diff --git a/internal/attestation/gcp/es/issuer_test.go b/internal/attestation/gcp/es/issuer_test.go index 09cdc1cca..d8d0075de 100644 --- a/internal/attestation/gcp/es/issuer_test.go +++ b/internal/attestation/gcp/es/issuer_test.go 
@@ -67,7 +67,7 @@ func TestGetGCEInstanceInfo(t *testing.T) {
require := require.New(t)
var tpm io.ReadWriteCloser
- out, err := gcp.GCEInstanceInfo(tc.client)(t.Context(), tpm, nil)
+ out, err := gcp.GCEInstanceInfo(tc.client)(context.Background(), tpm, nil)
if tc.wantErr {
assert.Error(err)
} else {
diff --git a/internal/attestation/gcp/es/validator_test.go b/internal/attestation/gcp/es/validator_test.go
index 46efaf13f..3fa35da7e 100644
--- a/internal/attestation/gcp/es/validator_test.go
+++ b/internal/attestation/gcp/es/validator_test.go
@@ -153,7 +153,7 @@ Y+t5OxL3kL15VzY1Ob0d5cMCAwEAAQ==
getTrustedKey, err := gcp.TrustedKeyGetter(variant.GCPSEVES{}, tc.getClient)
require.NoError(t, err)
- out, err := getTrustedKey(t.Context(), attDoc, nil)
+ out, err := getTrustedKey(context.Background(), attDoc, nil)
if tc.wantErr {
assert.Error(err)
diff --git a/internal/attestation/measurements/fetchmeasurements_test.go b/internal/attestation/measurements/fetchmeasurements_test.go
index ec445962c..d79a77a41 100644
--- a/internal/attestation/measurements/fetchmeasurements_test.go
+++ b/internal/attestation/measurements/fetchmeasurements_test.go
@@ -141,7 +141,7 @@ func TestFetchMeasurements(t *testing.T) {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
sut := NewVerifyFetcher(tc.cosign, tc.rekor, client)
- m, err := sut.FetchAndVerifyMeasurements(t.Context(), "v999.999.999", cloudprovider.GCP, variant.GCPSEVES{}, tc.noVerify)
+ m, err := sut.FetchAndVerifyMeasurements(context.Background(), "v999.999.999", cloudprovider.GCP, variant.GCPSEVES{}, tc.noVerify)
if tc.wantErr {
assert.Error(err)
if tc.asRekorErr {
diff --git a/internal/attestation/measurements/measurements_enterprise.go b/internal/attestation/measurements/measurements_enterprise.go
index 6d17aec12..c5cd8575b 100644
--- a/internal/attestation/measurements/measurements_enterprise.go
+++ b/internal/attestation/measurements/measurements_enterprise.go
@@ -19,14 +19,14 @@ package measurements // revive:disable:var-naming var ( - aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x03, 0x2e, 0x81, 0x8c, 0x29, 0x9d, 0x5c, 0x7a, 0xd9, 0x8d, 0x59, 0xad, 0x7a, 0x08, 0x74, 0x43, 0x71, 0x8e, 0x49, 0xc8, 0x54, 0x0e, 0xc2, 0xd0, 0x1f, 0x5f, 0x2a, 0x88, 0xbf, 0x0d, 0xc8, 0x37}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x00, 0xc2, 0xfd, 0xd0, 0x2e, 0x80, 0x5d, 0x16, 0xef, 0x7d, 0xfc, 0xea, 0x78, 0x94, 0xea, 0xe5, 0x8e, 0xd8, 0x47, 0x75, 0x2c, 0x78, 0xc5, 0x20, 0xf2, 0x5b, 0x52, 0x2b, 0x93, 0xc4, 0x7f, 0xaf}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xda, 0x0a, 0x3e, 0x1d, 0x78, 0x14, 0x56, 0xba, 0xfa, 0xe9, 0xfe, 0x7b, 0xab, 0x39, 0x1b, 0x2e, 0x4d, 0xf4, 0x36, 0xe7, 0x80, 0x28, 0xd3, 0x24, 0x60, 0x55, 0xc6, 0xb4, 0x0f, 0xf4, 0x9f, 0x76}, 
ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - aws_AWSSEVSNP = M{0: {Expected: []byte{0xd6, 0xdf, 0x85, 0x53, 0x58, 0xf5, 0xb1, 0x0f, 0x06, 0xf0, 0xfa, 0xb3, 0xf4, 0x08, 0xad, 0x26, 0xcd, 0x16, 0x5a, 0x29, 0x49, 0xba, 0xd6, 0x9e, 0x2c, 0xc7, 0x56, 0x92, 0x52, 0x9e, 0x66, 0x2a}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x28, 0x16, 0xc9, 0x29, 0x57, 0x4a, 0x37, 0xb9, 0xac, 0x3d, 0x16, 0x43, 0x6b, 0xf4, 0x76, 0xd3, 0x66, 0xe3, 0x37, 0x80, 0x94, 0x9f, 0x7e, 0xa0, 0x00, 0x36, 0x1e, 0xde, 0x80, 0x81, 0x41, 0x21}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x04, 0x79, 0x14, 0xce, 0xb9, 0xa4, 0x5f, 0xbd, 0xbf, 0xc6, 0xef, 0x91, 0x79, 0xd9, 0x56, 0x4d, 0xc7, 0x10, 0x3e, 0xc8, 0x73, 0x80, 0x53, 0xa0, 0x02, 0x13, 0x68, 0xba, 0x6d, 0x00, 0x36, 0x8f}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x07, 0xc5, 0xf3, 0x92, 0x70, 0x5f, 0xa1, 0xf3, 0xc7, 0x32, 0x56, 0x1c, 0xf3, 0x4d, 0xf4, 0x2b, 0xbd, 0x14, 0x00, 0xf7, 0x76, 0xdb, 0xb7, 0x4c, 0xaf, 0x80, 0x16, 0xf8, 0x05, 0x02, 0xb0, 0x97}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 
0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x9e, 0xda, 0xa7, 0x9c, 0xf6, 0xa4, 0x48, 0xcd, 0x51, 0x76, 0x82, 0xcd, 0xe1, 0x7a, 0xcd, 0x8a, 0x85, 0xe6, 0x23, 0xd4, 0xed, 0x0f, 0xee, 0x19, 0x5c, 0xc9, 0x51, 0x1d, 0x22, 0xff, 0xf5, 0xf4}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xe9, 0x48, 0xb0, 0xdc, 0xf1, 0x62, 0x0c, 0xe8, 0x07, 0x6e, 0x71, 0x7c, 0x34, 0x59, 0x2c, 0xb9, 0x5e, 0x2a, 0x44, 0xf2, 0xcf, 0xbe, 0x00, 0xbe, 0x0f, 0xaa, 0x53, 0xc3, 0x09, 0x96, 0x14, 0x62}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x16, 0x10, 0x54, 0x9e, 0x02, 0x35, 0x91, 0x4a, 0x25, 0x28, 0x16, 0xd2, 0x22, 0x80, 0x05, 0xc2, 0x0c, 0x2c, 0x82, 0xca, 0xae, 0xdb, 0x67, 0x5d, 0x21, 0x39, 0x46, 0x57, 0xee, 0xf0, 0x96, 0xc1}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x92, 0x79, 0x6b, 0x60, 0xb4, 0x8e, 0x9b, 0xcf, 0xbd, 0x7d, 0xc9, 0x16, 0x12, 0xb6, 0x5b, 0x9c, 0xd2, 0x0b, 0xe0, 0xf3, 0x55, 0xad, 0x8e, 0x4e, 0xdc, 0x42, 0x40, 0x3d, 0xaf, 0x22, 0x4e, 0x1e}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x26, 0x5e, 0xbb, 0x0e, 0x5e, 0x90, 0x3f, 0x76, 0x0b, 0x93, 0xa1, 0x8e, 0x00, 0x79, 0x4d, 0xee, 0x1e, 0x8a, 0xbb, 0xdf, 0x99, 0xa2, 0x38, 0x50, 0x42, 0xa0, 0x18, 0x11, 0xfc, 0x3b, 0x3b, 0x7e}, 
ValidationOpt: Enforce}, 11: {Expected: []byte{0xf9, 0x41, 0xa5, 0xaa, 0x12, 0xba, 0xfa, 0xf0, 0xe4, 0x96, 0xe6, 0x19, 0x20, 0x2e, 0xd3, 0x10, 0x15, 0x08, 0xcf, 0x42, 0x05, 0xe9, 0xc2, 0xff, 0x70, 0x46, 0x21, 0x7b, 0x01, 0x2f, 0x81, 0xed}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x43, 
0xb6, 0xdb, 0x79, 0x3d, 0xb5, 0x57, 0x9e, 0x94, 0xe7, 0xc6, 0x87, 0x64, 0x7f, 0x65, 0xf6, 0x75, 0x04, 0x21, 0x2c, 0x49, 0x12, 0x9d, 0x1f, 0xb2, 0x17, 0x81, 0x9d, 0x00, 0x14, 0x41, 0x2f}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xb2, 0x5e, 0x20, 0xb7, 0x03, 0xdf, 0x40, 0x70, 0x5a, 0xcb, 0x96, 0x80, 0x90, 0x42, 0x2d, 0x5a, 0xb7, 0x2c, 0x21, 0x67, 0x16, 0x63, 0xa6, 0x0a, 0x99, 0x56, 0xb0, 0x7f, 0x62, 0x37, 0x00, 0x96}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x6f, 0x38, 0x6d, 0xcd, 0xb9, 0x26, 0x82, 0x82, 0xbe, 0x59, 0x8a, 0x09, 0x7b, 0xb2, 0xeb, 0x64, 0xfc, 0xf6, 0x9b, 0xcd, 0x6c, 0x3e, 0x1d, 0x42, 0x52, 0xd2, 0xb8, 0xaa, 0x17, 0x77, 0x65, 0x16}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSSEVSNP = M{0: {Expected: []byte{0xd6, 0xdf, 0x85, 0x53, 0x58, 0xf5, 0xb1, 0x0f, 0x06, 0xf0, 0xfa, 0xb3, 0xf4, 0x08, 0xad, 0x26, 0xcd, 0x16, 0x5a, 0x29, 0x49, 0xba, 0xd6, 0x9e, 0x2c, 0xc7, 0x56, 0x92, 0x52, 0x9e, 0x66, 0x2a}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x0e, 0xe6, 0x59, 0x44, 0xc6, 0x86, 0x71, 0xc1, 0x51, 0x19, 0xf6, 0x54, 0xc2, 0x1a, 0xfa, 0xd2, 0xd0, 0x71, 0xcd, 0xde, 0x5a, 0x3c, 0x39, 0x5c, 0xce, 0xa7, 0x24, 0xf3, 0x6c, 0xc4, 0x68, 0x4a}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x8a, 0xb8, 0x86, 0xf4, 0x16, 0x80, 0xc1, 0x34, 0x96, 0x5b, 0x25, 0xbc, 0x48, 0xb3, 0x0c, 0x58, 0x64, 0x1a, 0x96, 0xab, 0x29, 0xf1, 0x00, 0xef, 0x89, 0x2a, 0x1a, 0x13, 0xca, 0x4c, 0xda, 0x24}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x28, 0x3d, 0x92, 0xa3, 0x77, 0x42, 0xf8, 0x3c, 0x4b, 0xa2, 0xda, 0xad, 0xdf, 0x5e, 0xf9, 0x1f, 0x9c, 0x9e, 0x29, 0x3b, 0xd4, 0x4b, 0x14, 0x1f, 
0xab, 0x68, 0x83, 0xe3, 0x05, 0x65, 0x3a, 0x57}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xb0, 0x68, 0xed, 0x70, 0x71, 0x65, 0xb3, 0x8f, 0x99, 0x8e, 0xdb, 0xec, 0x60, 0xc9, 0x6b, 0x94, 0x47, 0x94, 0x04, 0x19, 0x4d, 0xf5, 0x03, 0xee, 0xcf, 0x8d, 0x80, 0x69, 0xe5, 0x81, 0x80, 0xee}, 
ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x30, 0xe5, 0x78, 0x5f, 0xd9, 0x93, 0xd0, 0x57, 0x9c, 0x05, 0x57, 0x14, 0xf4, 0xa1, 0xf9, 0xed, 0x36, 0x56, 0xfb, 0xbb, 0x21, 0x2e, 0x47, 0x40, 0x70, 0xed, 0x2f, 0xd9, 0x61, 0xb6, 0x02, 0x36}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xe2, 0x58, 0xa4, 0xa5, 0x71, 0x07, 0xee, 0x35, 0x40, 0x6b, 0x4b, 0x01, 0x51, 0xb0, 0xdc, 0x63, 0x9f, 0x73, 0x1e, 0x52, 0x37, 0xb8, 0x93, 0x8b, 0x83, 0x25, 0x63, 0x58, 0xe7, 0xd4, 0xd5, 0x4b}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xc5, 0xd9, 0xad, 0x81, 0x3f, 0x92, 0xd3, 0xc6, 0x49, 0x12, 0x47, 0x13, 0x88, 0x40, 0xf1, 0x5f, 0x28, 0xd8, 0x12, 0x34, 0xc9, 0xc2, 0x12, 0x7c, 0xd0, 0x95, 0x32, 0x10, 0xf3, 0x8d, 0x16, 0x95}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xf1, 0x22, 0xd0, 0x9a, 0xe9, 0xd9, 0x54, 0x60, 0x15, 0x40, 0xb7, 0x38, 0xda, 0xc2, 0xdc, 0x6e, 0x53, 0xc5, 0xa7, 0x4a, 0xdc, 0x13, 0x87, 0xe4, 0x95, 0x96, 0x58, 0x10, 0x6a, 0x27, 0xe7, 0x4c}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x16, 0x06, 0xaa, 0xdb, 0xfd, 0x18, 0x7c, 0xa8, 0xb5, 0xcd, 0xd7, 0x2a, 0x17, 0x66, 0xea, 0x55, 0x1f, 0xfd, 0x1c, 0x80, 0x49, 0xd9, 0x32, 0xc9, 0x94, 0x78, 0xa4, 0x76, 0x13, 0x8c, 0x32, 0xf1}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} azure_AzureTrustedLaunch M - gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x7f, 0x6d, 0x7c, 0xee, 0x61, 0xc7, 0x03, 0x15, 0x27, 0xe4, 0x3c, 0x82, 0xe5, 0x8b, 0x11, 0x39, 0x2c, 0xce, 0x2a, 0x25, 0xb4, 0xd6, 0x2b, 0xee, 0xcd, 0x5c, 0x65, 0x9a, 0xf3, 0x2a, 0x19, 0x2e}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x55, 0xcd, 0xd3, 0xb8, 0xa4, 0xf4, 0x77, 0x5b, 0x49, 0x98, 0x5b, 0x75, 0x38, 0xa9, 0x98, 0x37, 0x84, 0x3c, 0x96, 0x21, 0x91, 
0x74, 0xbf, 0x30, 0x63, 0x1f, 0xd8, 0x08, 0x28, 0x3b, 0x54, 0x19}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x56, 0x5f, 0xd2, 0x44, 0xe7, 0xa2, 0xe9, 0xd1, 0xa6, 0xd7, 0x1d, 0x8a, 0x48, 0x4a, 0x55, 0xa3, 0x2c, 0x28, 0x24, 0x96, 0x11, 0xa1, 0x73, 0x2a, 0x30, 0x7c, 0x71, 0x1a, 0x42, 0xa0, 0xaa, 0x70}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - gcp_GCPSEVSNP = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 
0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x1c, 0xf4, 0x82, 0xf1, 0xce, 0x4b, 0xc3, 0x39, 0x9e, 0x11, 0x3f, 0x12, 0x4e, 0xed, 0xcb, 0xa5, 0x1a, 0xb7, 0x3d, 0xb3, 0xa5, 0x0d, 0xc0, 0xa3, 0x96, 0x33, 0x78, 0x2a, 0x1a, 0x31, 0xfa, 0x45}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x4d, 0xdd, 0x52, 0x0e, 0xac, 0x6c, 0xb6, 0xa5, 0xe7, 0xa0, 0x78, 0xef, 0x5c, 0x66, 0x1a, 0x38, 0x3f, 0x79, 0xaf, 0xfb, 0x5c, 0xba, 0xf9, 0x1f, 0x68, 0x82, 0x9c, 0x7d, 0x21, 0x8d, 0xd4, 0xb8}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xcf, 0x13, 0x9a, 0x83, 0xc1, 0x1f, 0x97, 0xb3, 0x3a, 0x82, 0x74, 0xca, 0x94, 0xc1, 0x71, 0x03, 0xd1, 0xf8, 0xba, 0x49, 0xd3, 0x95, 0x57, 0x38, 0x21, 0x38, 0x95, 0x5c, 0x54, 0x31, 0x85, 0xa0}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - openstack_QEMUVTPM = M{4: {Expected: []byte{0x6f, 0x30, 0x36, 0x8f, 0x4f, 0x40, 0xfb, 0xf5, 0x8a, 0x7f, 0x06, 0x7e, 0xdb, 0x4f, 0xec, 0x13, 0xbb, 0x4d, 0xba, 0x20, 0x14, 0xe5, 0x14, 0x81, 0x34, 0xc9, 0xaf, 0x98, 0xdf, 0xf3, 0xbf, 0x58}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xb7, 0xf2, 0x81, 0x20, 0xaf, 0xee, 0x38, 0x2d, 0x0b, 0x95, 0x25, 0xb9, 0x6d, 0xbb, 0x0a, 0x83, 0xc8, 0xdf, 0x87, 0x35, 0x79, 0xd3, 0xa5, 0x5d, 0xc7, 0x6b, 0xed, 0x5c, 0x3d, 0x83, 0xa5, 0x6f}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xaa, 0xfe, 0xca, 0x42, 0x04, 0x1e, 0x6b, 0xee, 0xa0, 0xb3, 0x7e, 0xa6, 0x51, 0xd7, 0x02, 0xaf, 0x98, 0xb0, 0xdf, 0x90, 0xf6, 0xf5, 0x43, 0x63, 0x91, 0x8b, 0x89, 0xb6, 0xc5, 0x40, 0x94, 0x31}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x2b, 0x4d, 0x39, 0xd2, 0x79, 0x27, 0xe8, 0xff, 0x7a, 0x3e, 0x96, 0x70, 0x4a, 0xc3, 0x47, 0x26, 0xeb, 0x39, 0x7d, 0x2e, 0xbb, 0xae, 0xf6, 0x7d, 0xab, 0x3e, 0x2d, 0x05, 0x20, 0xf9, 0x02, 0xa1}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xb8, 0xf3, 0xd9, 0x17, 0xe7, 0x91, 0x90, 0x76, 0xae, 0x7a, 0xce, 0x48, 0x4f, 0xaf, 0xdd, 0x9f, 0xd3, 0x78, 0x60, 0x93, 0x5f, 0x72, 0xec, 0x57, 0x90, 0xa0, 0x2b, 0x1d, 0x5c, 0xc3, 0xc5, 0x0f}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xec, 0x9a, 0xab, 0xe9, 0xd9, 0xd8, 0xd9, 0xd6, 0x63, 0x9d, 0x78, 0x20, 0x16, 0x92, 0xe2, 0xf4, 0xcb, 0xec, 0xf6, 0xfc, 0x0e, 0xe2, 0x80, 
0xe8, 0xf7, 0x7a, 0x03, 0xb3, 0x6c, 0x5e, 0x3e, 0x3b}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + gcp_GCPSEVSNP = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x12, 0x98, 0x00, 0x8f, 0xa6, 0x82, 0x7e, 0x80, 0x7b, 0x10, 0xe7, 0xcd, 0xbb, 0x8c, 0x97, 0x93, 0xc1, 0xa9, 0x8b, 0x50, 0x99, 0x1a, 0x7c, 0x24, 0xdf, 0x0a, 0xa7, 0x8c, 0xe3, 0xed, 0xd5, 0xfe}, 
ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x18, 0x1f, 0xdb, 0x21, 0xad, 0xba, 0x89, 0x6c, 0xbf, 0x52, 0x68, 0x26, 0x67, 0x1a, 0xd4, 0xb6, 0x05, 0x8b, 0x70, 0x42, 0xab, 0x26, 0x63, 0x49, 0xfd, 0x5d, 0x9f, 0xbe, 0xea, 0xa4, 0x12, 0x03}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xb9, 0xa0, 0x6c, 0x3f, 0x1b, 0x95, 0xc5, 0x5e, 0x38, 0x80, 0xb0, 0x12, 0x41, 0x88, 0x66, 0x43, 0x9c, 0xa2, 0xc0, 0x65, 0x29, 0x9c, 0x93, 0x14, 0xfe, 0x49, 0x3b, 0x0f, 0xff, 0xdd, 0xcc, 0xec}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + openstack_QEMUVTPM = M{4: {Expected: []byte{0xc3, 
0xb3, 0x01, 0x07, 0x71, 0x61, 0x37, 0x66, 0x56, 0xa1, 0xce, 0x51, 0x93, 0x14, 0xd9, 0x59, 0xbf, 0x7a, 0xc3, 0xd0, 0x9f, 0xd8, 0x34, 0xb7, 0x7a, 0x0b, 0x48, 0xc1, 0xc2, 0xa1, 0x6e, 0x83}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x13, 0x34, 0x8c, 0x05, 0x86, 0xea, 0xa6, 0x22, 0xcf, 0x06, 0xf6, 0x50, 0x75, 0xea, 0x85, 0xba, 0x3d, 0x95, 0xe8, 0xcf, 0x43, 0x77, 0x63, 0xec, 0x44, 0x3e, 0xb9, 0xea, 0x22, 0x48, 0x6a, 0xcd}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xd9, 0x3b, 0x0b, 0x33, 0x44, 0x05, 0x9e, 0x42, 0x82, 0xf0, 0xdf, 0xe5, 0x77, 0x60, 0x01, 0x67, 0x9e, 0xfe, 0x49, 0xe4, 0x7a, 0xd0, 0x4b, 0xb8, 0xc7, 0x4d, 0xc1, 0x5c, 0xad, 0x23, 0x80, 0x09}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} qemu_QEMUTDX M - qemu_QEMUVTPM = M{4: {Expected: []byte{0xbe, 0x04, 0x30, 0xfe, 0x6d, 0x26, 0x75, 0xe2, 
0x7b, 0xce, 0xef, 0xda, 0xb1, 0xe7, 0xea, 0xee, 0x6f, 0x3f, 0xce, 0x1a, 0xfa, 0x8d, 0x27, 0x24, 0xff, 0xda, 0x0a, 0xc9, 0x64, 0x89, 0x61, 0xfe}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xb9, 0x3c, 0xcc, 0x07, 0xcd, 0x38, 0x26, 0x55, 0x4c, 0xf7, 0x48, 0xb5, 0xa9, 0x7b, 0x07, 0xf0, 0x4f, 0x78, 0x7d, 0x1b, 0x02, 0x00, 0x80, 0xe3, 0x67, 0x07, 0x04, 0x36, 0xf4, 0x43, 0x6a, 0xdd}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x2b, 0x3c, 0xc1, 0xe3, 0x03, 0x0a, 0x74, 0x95, 0x15, 0x49, 0xc5, 0x5d, 0x5b, 0x97, 0xe1, 0xe9, 0x2e, 0xa2, 0x83, 0xbf, 0xd1, 0x8a, 0xd4, 0xd8, 0x75, 0xee, 0x15, 0xbe, 0xb0, 0x5e, 0xc6, 0x58}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + qemu_QEMUVTPM = M{4: {Expected: []byte{0xbd, 0xcc, 0xb5, 0x34, 0x12, 0xbf, 0xbf, 0x08, 0x7f, 0xb1, 0xe6, 0xe8, 0x23, 0x42, 0xa4, 0xc0, 0x1a, 0xe4, 0xc6, 0x0d, 0x97, 0x44, 0x0b, 0xb7, 0xba, 0x03, 0x02, 0x84, 0xf3, 0xea, 0x0a, 0xad}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xd1, 0xf1, 0x0f, 0x36, 0x4a, 0xc9, 0x50, 0xa6, 0xb4, 0x22, 0x5e, 0xcf, 0x87, 0xd2, 0x12, 0xdd, 0xaa, 0x3d, 0xff, 0xc0, 0x59, 0xfb, 0xc3, 0xf5, 0x7a, 0xe7, 0xfb, 0x8e, 0x74, 0xf2, 0x6a, 0x2f}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xa5, 0x8e, 0x1a, 0xe6, 0x7d, 0x24, 0x42, 0xd3, 0xc9, 0xeb, 0xef, 0x0c, 0x86, 0x21, 0xc3, 0x05, 0x9b, 0xae, 0x83, 0x77, 0x6f, 0x4e, 0xd8, 0xc8, 0x4d, 0x66, 0x11, 0xf7, 0x61, 0x48, 0x6a, 0x3d}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} ) diff --git a/internal/attestation/measurements/measurements_test.go b/internal/attestation/measurements/measurements_test.go index f1b6ea58f..73cee7479 100644 --- a/internal/attestation/measurements/measurements_test.go +++ b/internal/attestation/measurements/measurements_test.go @@ -8,6 +8,7 @@ package measurements import ( "bytes" + "context" "encoding/json" "io" "net/http" @@ -457,7 +458,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) { require.NoError(err) hash, err := m.fetchAndVerify( - t.Context(), client, verifier, + context.Background(), client, verifier, measurementsURL, signatureURL, tc.imageVersion, tc.csp, 
diff --git a/internal/attestation/vtpm/attestation_test.go b/internal/attestation/vtpm/attestation_test.go
index 703531a21..311b9ebad 100644
--- a/internal/attestation/vtpm/attestation_test.go
+++ b/internal/attestation/vtpm/attestation_test.go
@@ -90,7 +90,7 @@ func TestValidate(t *testing.T) {
nonce := []byte{1, 2, 3, 4}
challenge := []byte("Constellation")
- ctx := t.Context()
+ ctx := context.Background()
attDocRaw, err := issuer.Issue(ctx, challenge, nonce)
require.NoError(err)
@@ -347,7 +347,7 @@ func TestFailIssuer(t *testing.T) {
tc.issuer.log = logger.NewTest(t)
- _, err := tc.issuer.Issue(t.Context(), tc.userData, tc.nonce)
+ _, err := tc.issuer.Issue(context.Background(), tc.userData, tc.nonce)
assert.Error(err)
})
}
diff --git a/internal/cloud/aws/aws_test.go b/internal/cloud/aws/aws_test.go
index ed08070b1..e1b05ee88 100644
--- a/internal/cloud/aws/aws_test.go
+++ b/internal/cloud/aws/aws_test.go
@@ -185,7 +185,7 @@ func TestSelf(t *testing.T) {
ec2: tc.ec2API,
}
- self, err := m.Self(t.Context())
+ self, err := m.Self(context.Background())
if tc.wantErr {
assert.Error(err)
return
@@ -431,7 +431,7 @@ func TestList(t *testing.T) {
ec2: tc.ec2,
}
- list, err := m.List(t.Context())
+ list, err := m.List(context.Background())
if tc.wantErr {
assert.Error(err)
return
@@ -694,7 +694,7 @@ func TestGetLoadBalancerEndpoint(t *testing.T) {
ec2: successfulEC2,
}
- gotHost, gotPort, err := m.GetLoadBalancerEndpoint(t.Context())
+ gotHost, gotPort, err := m.GetLoadBalancerEndpoint(context.Background())
if tc.wantErr {
assert.Error(err)
return
diff --git a/internal/cloud/azure/BUILD.bazel b/internal/cloud/azure/BUILD.bazel
index 29f4750d7..e91e22cb3 100644
--- a/internal/cloud/azure/BUILD.bazel
+++ b/internal/cloud/azure/BUILD.bazel
@@ -25,9 +25,11 @@ go_library(
] + select({
"@io_bazel_rules_go//go/platform:android": [
"@io_k8s_kubernetes//pkg/util/iptables",
+ "@io_k8s_utils//exec",
],
"@io_bazel_rules_go//go/platform:linux": [
"@io_k8s_kubernetes//pkg/util/iptables",
+ "@io_k8s_utils//exec",
],
"//conditions:default": [],
}),
diff --git a/internal/cloud/azure/azure_test.go b/internal/cloud/azure/azure_test.go
index c62a01d20..2b1daaab7 100644
--- a/internal/cloud/azure/azure_test.go
+++ b/internal/cloud/azure/azure_test.go
@@ -150,7 +150,7 @@ func TestGetInstance(t *testing.T) {
scaleSetsVMAPI: tc.scaleSetsVMAPI,
netIfacAPI: tc.networkInterfacesAPI,
}
- instance, err := metadata.getInstance(t.Context(), tc.providerID)
+ instance, err := metadata.getInstance(context.Background(), tc.providerID)
if tc.wantErr {
assert.Error(err)
return
@@ -186,7 +186,7 @@ func TestUID(t *testing.T) {
cloud := &Cloud{
imds: tc.imdsAPI,
}
- uid, err := cloud.UID(t.Context())
+ uid, err := cloud.UID(context.Background())
if tc.wantErr {
assert.Error(err)
return
@@ -222,7 +222,7 @@ func TestInitSecretHash(t *testing.T) {
cloud := &Cloud{
imds: tc.imdsAPI,
}
- initSecretHash, err := cloud.InitSecretHash(t.Context())
+ initSecretHash, err := cloud.InitSecretHash(context.Background())
if tc.wantErr {
assert.Error(err)
return
@@ -410,7 +410,7 @@ func TestList(t *testing.T) {
scaleSetsAPI: tc.scaleSetsAPI,
scaleSetsVMAPI: tc.scaleSetsVMAPI,
}
- instances, err := azureMetadata.List(t.Context())
+ instances, err := azureMetadata.List(context.Background())
if tc.wantErr {
assert.Error(err)
@@ -473,7 +473,7 @@ func TestGetNetworkSecurityGroupName(t *testing.T) {
metadata := Cloud{
secGroupAPI: tc.securityGroupsAPI,
}
- name, err := metadata.getNetworkSecurityGroupName(t.Context(), "resource-group", "uid")
+ name, err := metadata.getNetworkSecurityGroupName(context.Background(), "resource-group", "uid")
if tc.wantErr {
assert.Error(err)
return
@@ -547,7 +547,7 @@ func TestGetSubnetworkCIDR(t *testing.T) {
imds: tc.imdsAPI,
virtNetAPI: tc.virtualNetworksAPI,
}
- subnetworkCIDR, err := metadata.getSubnetworkCIDR(t.Context())
+ subnetworkCIDR, err := metadata.getSubnetworkCIDR(context.Background())
if tc.wantErr {
assert.Error(err)
return
@@ -708,7 +708,7 @@ func TestGetLoadBalancerEndpoint(t *testing.T) {
loadBalancerAPI: tc.loadBalancerAPI,
pubIPAPI: tc.publicIPAddressesAPI,
}
- gotHost, gotPort, err := metadata.GetLoadBalancerEndpoint(t.Context())
+ gotHost, gotPort, err := metadata.GetLoadBalancerEndpoint(context.Background())
if tc.wantErr {
assert.Error(err)
return
diff --git a/internal/cloud/azure/imds_test.go b/internal/cloud/azure/imds_test.go
index 903d890c0..242a052e7 100644
--- a/internal/cloud/azure/imds_test.go
+++ b/internal/cloud/azure/imds_test.go
@@ -214,7 +214,7 @@ func TestIMDSClient(t *testing.T) {
}
iClient := IMDSClient{client: &hClient}
- ctx := t.Context()
+ ctx := context.Background()
id, err := iClient.providerID(ctx)
if tc.wantProviderIDErr {
diff --git a/internal/cloud/azure/iptables_linux.go b/internal/cloud/azure/iptables_linux.go
index d5a5f88b4..24ada6de0 100644
--- a/internal/cloud/azure/iptables_linux.go
+++ b/internal/cloud/azure/iptables_linux.go
@@ -15,6 +15,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/role"
"k8s.io/kubernetes/pkg/util/iptables"
+ "k8s.io/utils/exec"
)
// PrepareControlPlaneNode sets up iptables for the control plane node only
@@ -53,7 +54,7 @@ func (c *Cloud) PrepareControlPlaneNode(ctx context.Context, log *slog.Logger) e
}
log.Info(fmt.Sprintf("Setting up iptables for control plane node with load balancer IP %s", loadbalancerIP))
- iptablesExec := iptables.New(iptables.ProtocolIPv4)
+ iptablesExec := iptables.New(exec.New(), iptables.ProtocolIPv4)
const chainName = "azure-lb-nat"
if _, err := iptablesExec.EnsureChain(iptables.TableNAT, chainName); err != nil {
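Review bot: The new `iptablesExec := iptables.New(exec.New(), iptables.ProtocolIPv4)` line hands the iptables runner a real os/exec-backed executor, which as far as I can tell from k8s.io/utils/exec (not from this hunk) locates the `iptables` binary through the process PATH at call time; since PrepareControlPlaneNode runs with enough privilege to rewrite the NAT table on a control-plane node, that reliance on PATH deserves a comment beside the line, e.g. `// exec.New() resolves the iptables binary via PATH; the node image is expected to control that PATH.` The executor is built inline on each call rather than held on Cloud, so the injectable-executor signature is not used for testing here; if a fake executor test is wanted, an `exec.Interface` field on Cloud defaulting to `exec.New()` would enable it without changing callers. PrepareControlPlaneNode begins before this hunk and the error handling after `EnsureChain` continues past it.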
diff --git a/internal/cloud/gcp/gcp_test.go b/internal/cloud/gcp/gcp_test.go
index 4e6cf982c..fa2179163 100644
--- a/internal/cloud/gcp/gcp_test.go
+++ b/internal/cloud/gcp/gcp_test.go
@@ -172,7 +172,7 @@ func TestGetInstance(t *testing.T) {
instanceAPI: &tc.instanceAPI,
subnetAPI: &tc.subnetAPI,
}
- instance, err := cloud.getInstance(t.Context(), tc.projectID, tc.zone, tc.instanceName)
+ instance, err := cloud.getInstance(context.Background(), tc.projectID, tc.zone, tc.instanceName)
if tc.wantErr {
assert.Error(err)
@@ -474,7 +474,7 @@ func TestGetLoadbalancerEndpoint(t *testing.T) {
regionalForwardingRulesAPI: &tc.regionalForwardingRulesAPI,
}
- gotHost, gotPort, err := cloud.GetLoadBalancerEndpoint(t.Context())
+ gotHost, gotPort, err := cloud.GetLoadBalancerEndpoint(context.Background())
if tc.wantErr {
assert.Error(err)
return
@@ -810,7 +810,7 @@ func TestList(t *testing.T) {
zoneAPI: &tc.zoneAPI,
}
- instances, err := cloud.List(t.Context())
+ instances, err := cloud.List(context.Background())
if tc.wantErr {
assert.Error(err)
return
@@ -915,7 +915,7 @@ func TestZones(t *testing.T) {
assert.Empty(cloud.zoneCache)
- gotZones, err := cloud.zones(t.Context(), "someProject", "someregion-west3")
+ gotZones, err := cloud.zones(context.Background(), "someProject", "someregion-west3")
if tc.wantErr {
assert.Error(err)
return
@@ -1066,7 +1066,7 @@ func TestUID(t *testing.T) {
instanceAPI: &tc.instanceAPI,
}
- uid, err := cloud.UID(t.Context())
+ uid, err := cloud.UID(context.Background())
if tc.wantErr {
assert.Error(err)
return
@@ -1170,7 +1170,7 @@ func TestInitSecretHash(t *testing.T) {
instanceAPI: &tc.instanceAPI,
}
- initSecretHash, err := cloud.InitSecretHash(t.Context())
+ initSecretHash, err := cloud.InitSecretHash(context.Background())
if tc.wantErr {
assert.Error(err)
return
diff --git a/internal/cloud/openstack/imds_test.go b/internal/cloud/openstack/imds_test.go
index 18e857726..ce45dbd3d 100644
--- a/internal/cloud/openstack/imds_test.go
+++ b/internal/cloud/openstack/imds_test.go
@@ -176,7 +176,7 @@ func TestProviderID(t *testing.T) {
cacheTime: tc.cacheTime,
}
- result, err := tu.method(imds, t.Context())
+ result, err := tu.method(imds, context.Background())
if tc.wantErr {
assert.Error(err)
@@ -264,7 +264,7 @@ func TestRole(t *testing.T) {
cacheTime: tc.cacheTime,
}
- result, err := imds.role(t.Context())
+ result, err := imds.role(context.Background())
if tc.wantErr {
assert.Error(err)
@@ -336,7 +336,7 @@ func TestVPCIP(t *testing.T) {
vpcIPCacheTime: tc.cacheTime,
}
- result, err := imds.vpcIP(t.Context())
+ result, err := imds.vpcIP(context.Background())
if tc.wantErr {
assert.Error(err)
diff --git a/internal/cloud/openstack/openstack_test.go b/internal/cloud/openstack/openstack_test.go
index fbf8328f4..33835b243 100644
--- a/internal/cloud/openstack/openstack_test.go
+++ b/internal/cloud/openstack/openstack_test.go
@@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only
package openstack
import (
+ "context"
"errors"
"fmt"
"testing"
@@ -87,7 +88,7 @@ func TestSelf(t *testing.T) {
c := &MetadataClient{imds: tc.imds}
- got, err := c.Self(t.Context())
+ got, err := c.Self(context.Background())
if tc.wantErr {
assert.Error(err)
@@ -383,7 +384,7 @@ func TestList(t *testing.T) {
c := &MetadataClient{imds: tc.imds, api: tc.api}
- got, err := c.List(t.Context())
+ got, err := c.List(context.Background())
if tc.wantErr {
assert.Error(err)
@@ -417,7 +418,7 @@ func TestUID(t *testing.T) {
c := &MetadataClient{imds: tc.imds}
- got, err := c.UID(t.Context())
+ got, err := c.UID(context.Background())
if tc.wantErr {
assert.Error(err)
@@ -451,7 +452,7 @@ func TestInitSecretHash(t *testing.T) {
c := &MetadataClient{imds: tc.imds}
- got, err := c.InitSecretHash(t.Context())
+ got, err := c.InitSecretHash(context.Background())
if tc.wantErr {
assert.Error(err)
@@ -485,7 +486,7 @@ func TestGetLoadBalancerEndpoint(t *testing.T) {
c := &MetadataClient{imds: tc.imds}
- got, _, err := c.GetLoadBalancerEndpoint(t.Context())
+ got, _, err := c.GetLoadBalancerEndpoint(context.Background())
if tc.wantErr {
assert.Error(err)
diff --git a/internal/config/config.go b/internal/config/config.go
index 860a86809..5aefb05b3 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -188,9 +188,6 @@ type GCPConfig struct {
// Path of service account key file. For required service account roles, see https://docs.edgeless.systems/constellation/getting-started/install#authorization
ServiceAccountKeyPath string `yaml:"serviceAccountKeyPath" validate:"required"`
// description: |
- // GCP service account mail address. This is being attached to the VMs for authorization.
- IAMServiceAccountVM string `yaml:"IAMServiceAccountVM"`
- // description: |
// Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
DeployCSIDriver *bool `yaml:"deployCSIDriver" validate:"required"`
// description: |
@@ -352,7 +349,6 @@ func Default() *Config {
Region: "",
Zone: "",
ServiceAccountKeyPath: "",
- IAMServiceAccountVM: "",
DeployCSIDriver: toPtr(true),
UseMarketplaceImage: toPtr(false),
},
diff --git a/internal/config/config_doc.go b/internal/config/config_doc.go
index b87db6b86..d26af1643 100644
--- a/internal/config/config_doc.go
+++ b/internal/config/config_doc.go
@@ -241,7 +241,7 @@ func init() {
FieldName: "gcp",
},
}
- GCPConfigDoc.Fields = make([]encoder.Doc, 7)
+ GCPConfigDoc.Fields = make([]encoder.Doc, 6)
GCPConfigDoc.Fields[0].Name = "project"
GCPConfigDoc.Fields[0].Type = "string"
GCPConfigDoc.Fields[0].Note = ""
@@ -262,21 +262,16 @@ func init() {
GCPConfigDoc.Fields[3].Note = ""
GCPConfigDoc.Fields[3].Description = "Path of service account key file. For required service account roles, see https://docs.edgeless.systems/constellation/getting-started/install#authorization"
GCPConfigDoc.Fields[3].Comments[encoder.LineComment] = "Path of service account key file. For required service account roles, see https://docs.edgeless.systems/constellation/getting-started/install#authorization"
- GCPConfigDoc.Fields[4].Name = "IAMServiceAccountVM"
- GCPConfigDoc.Fields[4].Type = "string"
+ GCPConfigDoc.Fields[4].Name = "deployCSIDriver"
+ GCPConfigDoc.Fields[4].Type = "bool"
GCPConfigDoc.Fields[4].Note = ""
- GCPConfigDoc.Fields[4].Description = "GCP service account mail address. This is being attached to the VMs for authorization."
- GCPConfigDoc.Fields[4].Comments[encoder.LineComment] = "GCP service account mail address. This is being attached to the VMs for authorization."
- GCPConfigDoc.Fields[5].Name = "deployCSIDriver"
+ GCPConfigDoc.Fields[4].Description = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
+ GCPConfigDoc.Fields[4].Comments[encoder.LineComment] = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
+ GCPConfigDoc.Fields[5].Name = "useMarketplaceImage"
GCPConfigDoc.Fields[5].Type = "bool"
GCPConfigDoc.Fields[5].Note = ""
- GCPConfigDoc.Fields[5].Description = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
- GCPConfigDoc.Fields[5].Comments[encoder.LineComment] = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
- GCPConfigDoc.Fields[6].Name = "useMarketplaceImage"
- GCPConfigDoc.Fields[6].Type = "bool"
- GCPConfigDoc.Fields[6].Note = ""
- GCPConfigDoc.Fields[6].Description = "Use the specified GCP Marketplace image offering."
- GCPConfigDoc.Fields[6].Comments[encoder.LineComment] = "Use the specified GCP Marketplace image offering."
+ GCPConfigDoc.Fields[5].Description = "Use the specified GCP Marketplace image offering."
+ GCPConfigDoc.Fields[5].Comments[encoder.LineComment] = "Use the specified GCP Marketplace image offering."
OpenStackConfigDoc.Type = "OpenStackConfig"
OpenStackConfigDoc.Comments[encoder.LineComment] = "OpenStackConfig holds config information for OpenStack based Constellation deployments."
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index f7ce59377..5c60b26dc 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -464,7 +464,6 @@ func TestValidate(t *testing.T) {
gcp.Project = "test-project"
gcp.Zone = "test-zone"
gcp.ServiceAccountKeyPath = "test-key-path"
- gcp.IAMServiceAccountVM = "example@example.com"
cnf.Provider = ProviderConfig{}
cnf.Provider.GCP = gcp
cnf.Attestation.GCPSEVSNP.Measurements = measurements.M{
diff --git a/internal/config/image_enterprise.go b/internal/config/image_enterprise.go
index a3d38a611..052a3b6ed 100644
--- a/internal/config/image_enterprise.go
+++ b/internal/config/image_enterprise.go
@@ -10,5 +10,5 @@ package config
const (
// defaultImage is the default image to use.
- defaultImage = "ref/main/stream/nightly/v2.24.0-pre.0.20250522095204-01f9a30017c4"
+ defaultImage = "v2.20.0"
)
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index aecef23c8..c313b74a6 100644
--- a/internal/constants/constants.go
@@ -42,10 +42,6 @@ const (
DefaultWorkerGroupName = "worker_default"
// CLIDebugLogFile is the name of the debug log file for constellation init/constellation apply.
CLIDebugLogFile = "constellation-debug.log"
- // SSHCAKeySuffix is the suffix used together with the DEKPrefix to derive an SSH CA key for emergency ssh access.
- SSHCAKeySuffix = "ca_emergency_ssh"
- // SSHCAKeyPath is the path to the emergency SSH CA key on the node.
- SSHCAKeyPath = "/run/ssh/ssh_ca.pub"
//
// Ports.
diff --git a/internal/constellation/apply_test.go b/internal/constellation/apply_test.go
index 47c28295e..54e845033 100644
--- a/internal/constellation/apply_test.go
+++ b/internal/constellation/apply_test.go
@@ -38,7 +38,7 @@ func TestCheckLicense(t *testing.T) {
require := require.New(t)
a := &Applier{licenseChecker: tc.licenseChecker, log: logger.NewTest(t)}
- _, err := a.CheckLicense(t.Context(), cloudprovider.Unknown, true, license.CommunityLicense)
+ _, err := a.CheckLicense(context.Background(), cloudprovider.Unknown, true, license.CommunityLicense)
if tc.wantErr {
require.Error(err)
} else {
diff --git a/internal/constellation/applyinit_test.go b/internal/constellation/applyinit_test.go
index 27ae31561..7d16d5fe7 100644
--- a/internal/constellation/applyinit_test.go
+++ b/internal/constellation/applyinit_test.go
@@ -214,7 +214,7 @@ func TestInit(t *testing.T) {
}
clusterLogs := &bytes.Buffer{}
- ctx, cancel := context.WithTimeout(t.Context(), time.Second*4)
+ ctx, cancel := context.WithTimeout(context.Background(), time.Second*4)
defer cancel()
_, err := a.Init(ctx, nil, tc.state, clusterLogs, InitPayload{
MasterSecret: uri.MasterSecret{},
@@ -280,7 +280,7 @@ func TestAttestation(t *testing.T) {
}
state := &state.State{Version: state.Version1, Infrastructure: state.Infrastructure{ClusterEndpoint: "192.0.2.4"}}
- ctx := t.Context()
+ ctx := context.Background()
ctx, cancel := context.WithTimeout(ctx, 4*time.Second)
defer cancel()
diff --git a/internal/constellation/helm/BUILD.bazel b/internal/constellation/helm/BUILD.bazel
index e82a7dfb8..928681b90 100644
--- a/internal/constellation/helm/BUILD.bazel
+++ b/internal/constellation/helm/BUILD.bazel
@@ -473,7 +473,6 @@ go_library(
"charts/coredns/templates/deployment.yaml",
"charts/coredns/templates/service.yaml",
"charts/coredns/templates/serviceaccount.yaml",
- "charts/aws-load-balancer-controller/templates/hpa.yaml",
],
importpath = "github.com/edgelesssys/constellation/v2/internal/constellation/helm",
visibility = ["//:__subpackages__"],
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/Chart.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/Chart.yaml
index 1f1b4e9ba..363fff854 100644
--- a/internal/constellation/helm/charts/aws-load-balancer-controller/Chart.yaml
+++ b/internal/constellation/helm/charts/aws-load-balancer-controller/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
name: aws-load-balancer-controller
description: AWS Load Balancer Controller Helm chart for Kubernetes
-version: 1.11.0
-appVersion: v2.11.0
+version: 1.5.4
+appVersion: v2.5.3
home: https://github.com/aws/eks-charts
icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
sources:
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/README.md b/internal/constellation/helm/charts/aws-load-balancer-controller/README.md
index 180e50c08..ee4be9aad 100644
--- a/internal/constellation/helm/charts/aws-load-balancer-controller/README.md
+++ b/internal/constellation/helm/charts/aws-load-balancer-controller/README.md
@@ -22,11 +22,7 @@ AWS Load Balancer controller manages the following AWS resources As a security best practice, we recommend isolating the controller deployment pods to specific node groups which run critical components. The helm chart provides parameters ```nodeSelector```, ```tolerations``` and ```affinity``` to configure node isolation. For more information, please refer to the guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#isolating-tenant-workloads-to-specific-nodes). ## Prerequisites -- Supported Kubernetes Versions - - Chart version v1.5.0+ requires Kubernetes 1.22+ - - Chart version v1.4.0+ requires Kubernetes 1.19+ - - Chart version v1.2.0 - v1.3.3 supports Kubernetes 1.16-1.21 - - Chart version v1.1.6 and before supports Kubernetes 1.15 +- Kubernetes >= 1.19 - IAM permissions - Helm v3 - Optional dependencies @@ -78,7 +74,7 @@ If migrating from ALB ingress controller, grant [additional IAM permissions](htt - Additional IAM permissions required, ensure you have granted the [required IAM permissions](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json). - CRDs need to be updated as follows ```shell script -kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master" +kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master" ``` - you can run helm upgrade without uninstalling the old chart completely 
@@ -96,11 +92,8 @@ If you are setting `serviceMonitor.enabled: true` you need to have installed the ## Installing the Chart **Note**: You need to uninstall aws-alb-ingress-controller. Please refer to the [upgrade](#Upgrade) section below before you proceed. - **Note**: Starting chart version 1.4.1, you need to explicitly set `clusterSecretsPermissions.allowAllSecrets` to true to grant the controller permission to access all secrets for OIDC feature. We recommend configuring access to individual secrets resource separately [[link](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/examples/secrets_access/)]. -**Note**: To ensure compatibility, we recommend installing the AWS Load Balancer controller image version with its compatible Helm chart version. Use the ```helm search repo eks/aws-load-balancer-controller --versions``` command to find the compatible versions. - Add the EKS repository to Helm: ```shell script helm repo add eks https://aws.github.io/eks-charts @@ -109,7 +102,7 @@ helm repo add eks https://aws.github.io/eks-charts Install the TargetGroupBinding CRDs: ```shell script -kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master" +kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master" ``` Install the AWS Load Balancer controller, if using iamserviceaccount 
@@ -178,106 +171,88 @@ Chart release v1.2.0 and later enables high availability configuration by defaul
 The following tables lists the configurable parameters of the chart and their default values. The default values set by the application itself can be confirmed [here](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/configurations/#controller-configuration-options).
-
-| Parameter | Description | Default |
-| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
-| `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` |
-| `image.tag` | image tag | `` |
-| `image.pullPolicy` | image pull policy | `IfNotPresent` |
-| `clusterName` | Kubernetes cluster name | None |
-| `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` |
-| `securityContext` | Set to security context for pod | `{}` |
-| `resources` | Controller pod resource requests & limits | `{}` |
-| `priorityClassName` | Controller pod priority class | system-cluster-critical |
-| `nodeSelector` | Node labels for controller pod assignment | `{}` |
-| `tolerations` | Controller pod toleration for taints | `{}` |
-| `affinity` | Affinity for pod assignment | `{}` |
-| `configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` |
-| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` |
-| `deploymentAnnotations` | Annotations to add to deployment | `{}` |
-| `podAnnotations` | Annotations to add to each pod | `{}` |
-| `podLabels` | Labels to add to each pod | `{}` |
-| `additionalLabels` | Labels to add to all components | `{}` |
-| `rbac.create` | if `true`, create and use RBAC resources | `true` |
-| `serviceAccount.annotations` | optional annotations to add to service account | None |
-| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` |
-| `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` |
-| `serviceAccount.create` | If `true`, create a new service account | `true` |
-| `serviceAccount.name` | Service account to be used | None |
-| `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 |
-| `ingressClass` | The ingress class to satisfy | alb |
-| `createIngressClassResource` | Create ingressClass resource | true |
-| `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None |
-| `ingressClassParams.create` | If `true`, create a new ingressClassParams | true |
-| `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} |
-| `region` | The AWS region for the kubernetes cluster | None |
-| `vpcId` | The VPC ID for the Kubernetes cluster | None |
-| `awsApiEndpoints` | Custom AWS API Endpoints | None |
-| `awsApiThrottle` | Custom AWS API throttle settings | None |
-| `awsMaxRetries` | Maximum retries for AWS APIs | None |
-| `defaultTargetType` | Default target type. Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. | `instance` |
-| `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None |
-| `enableShield` | Enable Shield addon for ALB | None |
-| `enableWaf` | Enable WAF addon for ALB | None |
-| `enableWafv2` | Enable WAF V2 addon for ALB | None |
-| `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None |
-| `logLevel` | Set the controller log level - info, debug | None |
-| `metricsBindAddr` | The address the metric endpoint binds to | "" |
-| `webhookConfig.disableIngressValidation` | Disables the validation of resources of kind Ingress | None |
-| `webhookBindPort` | The TCP port the Webhook server binds to | None |
-| `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" |
-| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" |
-| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" |
-| `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None |
-| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` |
-| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` |
-| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None |
-| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None |
-| `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None |
-| `syncPeriod` | Period at which the controller forces the repopulation of its local object stores | None |
-| `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None |
-| `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None |
-| `disableIngressGroupNameAnnotation` | Disables the usage of alb.ingress.kubernetes.io/group.name annotation | None |
-| `tolerateNonExistentBackendService` | whether to allow rules that reference a backend service that does not exist. (When enabled, it will return 503 error if backend service not exist) | `true` |
-| `tolerateNonExistentBackendAction` | whether to allow rules that reference a backend action that does not exist. (When enabled, it will return 503 error if backend action not exist) | `true` |
-| `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None |
-| `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` |
-| `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) |
-| `env` | Environment variables to set for aws-load-balancer-controller pod | None |
-| `envFrom` | Environment variables to set for aws-load-balancer-controller pod from configMap or Secret | None |
-| `envSecretName` | AWS credentials as environment variables from Secret (Secret keys `key_id` and `access_key`). | None |
-| `hostNetwork` | If `true`, use hostNetwork | `false` |
-| `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` |
-| `extraVolumeMounts` | Extra volume mounts for the pod | `[]` |
-| `extraVolumes` | Extra volumes for the pod | `[]` |
-| `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` |
-| `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` |
-| `revisionHistoryLimit` | Number of revisions to keep | `10` |
-| `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` |
-| `updateStrategy` | Defines the update strategy for the deployment | `{}` |
-| `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` |
-| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` |
-| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` |
-| `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` |
-| `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `false` |
-| `objectSelector.matchExpressions` | Webhook configuration to select specific pods by specifying the expression to be matched | None |
-| `objectSelector.matchLabels` | Webhook configuration to select specific pods by specifying the key value label pair to be matched | None |
-| `serviceMonitor.enabled` | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed | `false` |
-| `serviceMonitor.namespace` | Namespace in which to create the service monitor | None |
-| `serviceMonitor.additionalLabels` | Labels to add to the service monitor | `{}` |
-| `serviceMonitor.interval` | Prometheus scrape interval | `1m` |
-| `serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `1m` |
-| `serviceMonitor.relabelings` | Relabelings to apply to samples before ingestion | `1m` |
-| `serviceMonitor.metricRelabelings` | Metric relabelings to apply to samples before ingestion | `1m` |
-| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. | `false` |
-| `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` |
-| `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. | `false` |
-| `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` |
-| `serviceMutatorWebhookConfig.failurePolicy` | Failure policy for the Service Mutator webhook | `Fail` |
-| `serviceMutatorWebhookConfig.objectSelector` | Object selector(s) to limit which objects will be mutated by the Service Mutator webhook | `[]` |
-| `serviceMutatorWebhookConfig.operations` | List of operations that will trigger the the Service Mutator webhook | `[ CREATE ]` |
-| `autoscaling` | If `autoscaling.enabled=true`, enable the HPA on the controller mainly to survive load induced failure by the calls to the `aws-load-balancer-webhook-service`. Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node | `false` |
-| `serviceTargetENISGTags` | set of `key=value` pairs of AWS tags in addition to cluster name for finding the target ENI security group to which to add inbound rules from NLBs | None |
-| `loadBalancerClass` | Sets the AWS load balancer type to be used when the Kubernetes service requests an external load balancer | `service.k8s.aws/nlb` |
-| `creator` | if set to a `value!=helm`, it will disable the addition of default helm labels | `helm` |
-| `runtimeClassName` | Runtime class name for the controller pods , such as `gvisor` or `kata`. An unspecified `nil` or empty `""` RuntimeClassName is equivalent to the backwards-compatible default behavior as if the RuntimeClass feature is disabled. | "" |
+| Parameter | Description | Default |
+|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|
+| `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` |
+| `image.tag` | image tag | `` |
+| `image.pullPolicy` | image pull policy | `IfNotPresent` |
+| `clusterName` | Kubernetes cluster name | None |
+| `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` |
+| `securityContext` | Set to security context for pod | `{}` |
+| `resources` | Controller pod resource requests & limits | `{}` |
+| `priorityClassName` | Controller pod priority class | system-cluster-critical |
+| `nodeSelector` | Node labels for controller pod assignment | `{}` |
+| `tolerations` | Controller pod toleration for taints | `{}` |
+| `affinity` | Affinity for pod assignment | `{}` |
+| `configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` |
+| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` |
+| `deploymentAnnotations` | Annotations to add to deployment | `{}` |
+| `podAnnotations` | Annotations to add to each pod | `{}` |
+| `podLabels` | Labels to add to each pod | `{}` |
+| `additionalLabels` | Labels to add to all components | `{}` |
+| `rbac.create` | if `true`, create and use RBAC resources | `true` |
+| `serviceAccount.annotations` | optional annotations to add to service account | None |
+| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` |
+| `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` |
+| `serviceAccount.create` | If `true`, create a new service account | `true` |
+| `serviceAccount.name` | Service account to be used | None |
+| `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 |
+| `ingressClass` | The ingress class to satisfy | alb |
+| `createIngressClassResource` | Create ingressClass resource | true |
+| `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None |
+| `ingressClassParams.create` | If `true`, create a new ingressClassParams | true |
+| `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} |
+| `region` | The AWS region for the kubernetes cluster | None |
+| `vpcId` | The VPC ID for the Kubernetes cluster | None |
+| `awsApiEndpoints` | Custom AWS API Endpoints | None |
+| `awsApiThrottle` | Custom AWS API throttle settings | None |
+| `awsMaxRetries` | Maximum retries for AWS APIs | None |
+| `defaultTargetType` | Default target type. Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. | `instance` |
+| `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None |
+| `enableShield` | Enable Shield addon for ALB | None |
+| `enableWaf` | Enable WAF addon for ALB | None |
+| `enableWafv2` | Enable WAF V2 addon for ALB | None |
+| `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None |
+| `logLevel` | Set the controller log level - info, debug | None |
+| `metricsBindAddr` | The address the metric endpoint binds to | "" |
+| `webhookBindPort` | The TCP port the Webhook server binds to | None |
+| `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" |
+| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" |
+| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" |
+| `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None |
+| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` |
+| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` |
+| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None |
+| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None |
+| `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None |
+| `syncPeriod` | Period at which the controller forces the repopulation of its local object stores | None |
+| `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None |
+| `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None |
+| `disableIngressGroupNameAnnotation` | Disables the usage of alb.ingress.kubernetes.io/group.name annotation | None |
+| `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None |
+| `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` |
+| `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) |
+| `env` | Environment variables to set for aws-load-balancer-controller pod | None |
+| `hostNetwork` | If `true`, use hostNetwork | `false` |
+| `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` |
+| `extraVolumeMounts` | Extra volume mounts for the pod | `[]` |
+| `extraVolumes` | Extra volumes for the pod | `[]` |
+| `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` |
+| `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` |
+| `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` |
+| `updateStrategy` | Defines the update strategy for the deployment | `{}` |
+| `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` |
+| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` |
+| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` |
+| `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` |
+| `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `false` |
+| `objectSelector.matchExpressions` | Webhook configuration to select specific pods by specifying the expression to be matched | None |
+| `objectSelector.matchLabels` | Webhook configuration to select specific pods by specifying the key value label pair to be matched | None |
+| `serviceMonitor.enabled` | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed | `false` |
+| `serviceMonitor.additionalLabels` | Labels to add to the service account | `{}` |
+| `serviceMonitor.interval` | Prometheus scrape interval | `1m` |
+| `serviceMonitor.namespace` | Namespace in which Prometheus is running | None |
+| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. | `false` |
+| `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` |
+| `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. | `false` |
+| `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` |
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/crds/crds.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/crds/crds.yaml
index b72e68789..78c226660 100644
--- a/internal/constellation/helm/charts/aws-load-balancer-controller/crds/crds.yaml
+++ b/internal/constellation/helm/charts/aws-load-balancer-controller/crds/crds.yaml
@@ -2,7 +2,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null name: ingressclassparams.elbv2.k8s.aws spec: group: elbv2.k8s.aws
@@ -35,31 +36,20 @@ spec: description: IngressClassParams is the Schema for the IngressClassParams API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: IngressClassParamsSpec defines the desired state of IngressClassParams properties: - certificateArn: - description: CertificateArn specifies the ARN of the certificates - for all Ingresses that belong to IngressClass with this IngressClassParams. - items: - type: string - type: array group: description: Group defines the IngressGroup for all Ingresses that belong to IngressClass with this IngressClassParams. 
@@ -82,38 +72,7 @@ spec: enum: - ipv4 - dualstack - - dualstack-without-public-ipv4 type: string - listeners: - description: Listeners define a list of listeners with their protocol, - port and attributes. - items: - properties: - listenerAttributes: - description: The attributes of the listener - items: - description: Attributes defines custom attributes on resources. - properties: - key: - description: The key of the attribute. - type: string - value: - description: The value of the attribute. - type: string - required: - - key - - value - type: object - type: array - port: - description: The port of the listener - format: int32 - type: integer - protocol: - description: The protocol of the listener - type: string - type: object - type: array loadBalancerAttributes: description: LoadBalancerAttributes define the custom attributes to LoadBalancers for all Ingress that that belong to IngressClass with 
@@ -132,63 +91,50 @@ spec: - value type: object type: array - minimumLoadBalancerCapacity: - description: MinimumLoadBalancerCapacity define the capacity reservation - for LoadBalancers for all Ingress that belong to IngressClass with - this IngressClassParams. - properties: - capacityUnits: - description: The Capacity Units Value. - format: int32 - type: integer - required: - - capacityUnits - type: object namespaceSelector: - description: |- - NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams. + description: NamespaceSelector restrict the namespaces of Ingresses + that are allowed to specify the IngressClass with this IngressClassParams. * if absent or present but empty, it selects all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. 
+ If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -221,11 +167,10 @@ spec: items: type: string type: array - description: |- - Tags specifies subnets in the load balancer's VPC where each - tag specified in the map key contains one of the values in the corresponding - value list. - Exactly one of this or `ids` must be specified. + description: Tags specifies subnets in the load balancer's VPC + where each tag specified in the map key contains one of the + values in the corresponding value list. Exactly one of this + or `ids` must be specified. type: object type: object tags: @@ -255,7 +200,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null name: targetgroupbindings.elbv2.k8s.aws spec: group: elbv2.k8s.aws 
@@ -284,11 +230,6 @@ spec: name: ARN priority: 1 type: string - - description: The AWS TargetGroup's Name - jsonPath: .spec.targetGroupName - name: NAME - priority: 2 - type: string - jsonPath: .metadata.creationTimestamp name: AGE type: date 
@@ -298,29 +239,20 @@ spec: description: TargetGroupBinding is the Schema for the TargetGroupBinding API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding properties: - multiClusterTargetGroup: - description: MultiClusterTargetGroup Denotes if the TargetGroup is - shared among multiple clusters - type: boolean networking: description: networking provides the networking setup for ELBV2 LoadBalancer to access targets in TargetGroup. 
@@ -331,30 +263,28 @@ spec: items: properties: from: - description: |- - List of peers which should be able to access the targets in TargetGroup. - At least one NetworkingPeer should be specified. + description: List of peers which should be able to access + the targets in TargetGroup. At least one NetworkingPeer + should be specified. items: description: NetworkingPeer defines the source/destination peer for networking rules. properties: ipBlock: - description: |- - IPBlock defines an IPBlock peer. - If specified, none of the other fields can be set. + description: IPBlock defines an IPBlock peer. If specified, + none of the other fields can be set. properties: cidr: - description: |- - CIDR is the network CIDR. - Both IPV4 or IPV6 CIDR are accepted. + description: CIDR is the network CIDR. Both IPV4 + or IPV6 CIDR are accepted. type: string required: - cidr type: object securityGroup: - description: |- - SecurityGroup defines a SecurityGroup peer. - If specified, none of the other fields can be set. + description: SecurityGroup defines a SecurityGroup + peer. If specified, none of the other fields can + be set. properties: groupID: description: GroupID is the EC2 SecurityGroupID. 
@@ -365,24 +295,24 @@ spec: type: object type: array ports: - description: |- - List of ports which should be made accessible on the targets in TargetGroup. - If ports is empty or unspecified, it defaults to all ports with TCP. + description: List of ports which should be made accessible + on the targets in TargetGroup. If ports is empty or unspecified, + it defaults to all ports with TCP. items: properties: port: anyOf: - type: integer - type: string - description: |- - The port which traffic must match. - When NodePort endpoints(instance TargetType) is used, this must be a numerical port. - When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. - if port is unspecified, it defaults to all ports. + description: The port which traffic must match. When + NodePort endpoints(instance TargetType) is used, + this must be a numerical port. When Port endpoints(ip + TargetType) is used, this can be either numerical + or named port on pods. if port is unspecified, it + defaults to all ports. x-kubernetes-int-or-string: true protocol: - description: |- - The protocol which traffic must match. + description: The protocol which traffic must match. If protocol is unspecified, it defaults to TCP. enum: - TCP @@ -417,9 +347,6 @@ spec: description: targetGroupARN is the Amazon Resource Name (ARN) for the TargetGroup. type: string - targetGroupName: - description: targetGroupName is the Name of the TargetGroup. - type: string targetType: description: targetType is the TargetType of TargetGroup. If unspecified, it will be automatically inferred. @@ -429,6 +356,7 @@ spec: type: string required: - serviceRef + - targetGroupARN type: object status: description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding 
@@ -461,11 +389,6 @@ spec: name: ARN priority: 1 type: string - - description: The AWS TargetGroup's Name - jsonPath: .spec.targetGroupName - name: NAME - priority: 2 - type: string - jsonPath: .metadata.creationTimestamp name: AGE type: date @@ -475,19 +398,14 @@ spec: description: TargetGroupBinding is the Schema for the TargetGroupBinding API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -501,10 +419,6 @@ spec: - ipv4 - ipv6 type: string - multiClusterTargetGroup: - description: MultiClusterTargetGroup Denotes if the TargetGroup is - shared among multiple clusters - type: boolean networking: description: networking defines the networking rules to allow ELBV2 LoadBalancer to access targets in TargetGroup. @@ -517,30 +431,28 @@ spec: of traffic that is allowed to access TargetGroup's targets. properties: from: - description: |- - List of peers which should be able to access the targets in TargetGroup. - At least one NetworkingPeer should be specified. + description: List of peers which should be able to access + the targets in TargetGroup. At least one NetworkingPeer + should be specified. items: description: NetworkingPeer defines the source/destination peer for networking rules. properties: ipBlock: - description: |- - IPBlock defines an IPBlock peer. - If specified, none of the other fields can be set. + description: IPBlock defines an IPBlock peer. If specified, + none of the other fields can be set. properties: cidr: - description: |- - CIDR is the network CIDR. - Both IPV4 or IPV6 CIDR are accepted. + description: CIDR is the network CIDR. Both IPV4 + or IPV6 CIDR are accepted. type: string required: - cidr type: object securityGroup: - description: |- - SecurityGroup defines a SecurityGroup peer. - If specified, none of the other fields can be set. + description: SecurityGroup defines a SecurityGroup + peer. If specified, none of the other fields can + be set. properties: groupID: description: GroupID is the EC2 SecurityGroupID. 
@@ -551,9 +463,9 @@ spec: type: object type: array ports: - description: |- - List of ports which should be made accessible on the targets in TargetGroup. - If ports is empty or unspecified, it defaults to all ports with TCP. + description: List of ports which should be made accessible + on the targets in TargetGroup. If ports is empty or unspecified, + it defaults to all ports with TCP. items: description: NetworkingPort defines the port and protocol for networking rules. @@ -562,15 +474,15 @@ spec: anyOf: - type: integer - type: string - description: |- - The port which traffic must match. - When NodePort endpoints(instance TargetType) is used, this must be a numerical port. - When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. - if port is unspecified, it defaults to all ports. + description: The port which traffic must match. When + NodePort endpoints(instance TargetType) is used, + this must be a numerical port. When Port endpoints(ip + TargetType) is used, this can be either numerical + or named port on pods. if port is unspecified, it + defaults to all ports. x-kubernetes-int-or-string: true protocol: - description: |- - The protocol which traffic must match. + description: The protocol which traffic must match. If protocol is unspecified, it defaults to TCP. enum: - TCP 
@@ -592,42 +504,41 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. 
A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -651,9 +562,7 @@ spec: targetGroupARN: description: targetGroupARN is the Amazon Resource Name (ARN) for the TargetGroup. - type: string - targetGroupName: - description: targetGroupName is the Name of the TargetGroup. + minLength: 1 type: string targetType: description: targetType is the TargetType of TargetGroup. If unspecified, @@ -662,12 +571,9 @@ spec: - instance - ip type: string - vpcID: - description: VpcID is the VPC of the TargetGroup. If unspecified, - it will be automatically inferred. - type: string required: - serviceRef + - targetGroupARN type: object status: description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/_helpers.tpl b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/_helpers.tpl index d916b99c4..660f6ee9d 100644 --- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/_helpers.tpl +++ b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/_helpers.tpl 
@@ -45,14 +45,12 @@ This enables using a shorter name for the resources, for example aws-load-balanc
 Common labels
 */}}
 {{- define "aws-load-balancer-controller.labels" -}}
-{{- if eq (default "helm" .Values.creator) "helm" -}}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "aws-load-balancer-controller.chart" . }}
-{{- end }}
 {{ include "aws-load-balancer-controller.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- if .Values.additionalLabels }}
 {{ toYaml .Values.additionalLabels }}
 {{- end -}}
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/deployment.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/deployment.yaml
index 4506d489e..e2b5225ff 100644
--- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/deployment.yaml
+++ b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/deployment.yaml
@@ -11,7 +11,6 @@ metadata:
 {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
 spec:
 replicas: {{ .Values.replicaCount }}
- revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
 selector:
 matchLabels:
 {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }}
@@ -38,9 +37,6 @@ spec:
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.runtimeClassName }}
- runtimeClassName: {{ .Values.runtimeClassName }}
 {{- end }}
 serviceAccountName: {{ include "aws-load-balancer-controller.serviceAccountName" . }}
 volumes:
@@ -62,17 +58,15 @@ spec:
 containers:
 - name: {{ .Chart.Name }}
 args:
- - --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" (tpl (default "" .Values.clusterName) .) }}
+ - --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" .Values.clusterName }}
 {{- if .Values.ingressClass }}
 - --ingress-class={{ .Values.ingressClass }}
 {{- end }}
- {{- $region := tpl (default "" .Values.region) . }}
- {{- if $region }}
+ {{- if .Values.region }}
 - --aws-region={{ .Values.region }}
 {{- end }}
- {{- $vpcID := tpl (default "" .Values.vpcId) . }}
- {{- if $vpcID }}
- - --aws-vpc-id={{ $vpcID }}
+ {{- if .Values.vpcId }}
+ - --aws-vpc-id={{ .Values.vpcId }}
 {{- end }}
 {{- if .Values.awsApiEndpoints }}
 - --aws-api-endpoints={{ .Values.awsApiEndpoints }}
@@ -110,9 +104,6 @@ spec:
 {{- if .Values.targetgroupbindingMaxExponentialBackoffDelay }}
 - --targetgroupbinding-max-exponential-backoff-delay={{ .Values.targetgroupbindingMaxExponentialBackoffDelay }}
 {{- end }}
- {{- if .Values.lbStabilizationMonitorInterval }}
- - --lb-stabilization-monitor-interval={{ .Values.lbStabilizationMonitorInterval }}
- {{- end }}
 {{- if .Values.logLevel }}
 - --log-level={{ .Values.logLevel }}
 {{- end }}
@@ -131,12 +122,6 @@ spec:
 {{- if kindIs "bool" .Values.disableIngressGroupNameAnnotation }}
 - --disable-ingress-group-name-annotation={{ .Values.disableIngressGroupNameAnnotation }}
 {{- end }}
- {{- if kindIs "bool" .Values.tolerateNonExistentBackendService }}
- - --tolerate-non-existent-backend-service={{ .Values.tolerateNonExistentBackendService }}
- {{- end }}
- {{- if kindIs "bool" .Values.tolerateNonExistentBackendAction }}
- - --tolerate-non-existent-backend-action={{ .Values.tolerateNonExistentBackendAction }}
- {{- end }}
 {{- if .Values.defaultSSLPolicy }}
 - --default-ssl-policy={{ .Values.defaultSSLPolicy }}
 {{- end }}
@@ -164,42 +149,13 @@ spec:
 {{- if ne .Values.defaultTargetType "instance" }}
 - --default-target-type={{ .Values.defaultTargetType }}
 {{- end }}
- {{- if .Values.serviceTargetENISGTags }}
- - --service-target-eni-security-group-tags={{ .Values.serviceTargetENISGTags }}
- {{- end }}
- {{- if .Values.certDiscovery.allowedCertificateAuthorityARNs }}
- - --allowed-certificate-authority-arns={{ .Values.certDiscovery.allowedCertificateAuthorityARNs }}
- {{- end }}
- {{- if .Values.loadBalancerClass }}
- - --load-balancer-class={{ .Values.loadBalancerClass }}
- {{- end }}
- {{- if or .Values.env .Values.envSecretName }}
+ {{- if .Values.env }}
 env:
- {{- if .Values.env}}
 {{- range $key, $value := .Values.env }}
 - name: {{ $key }}
 value: "{{ $value }}"
 {{- end }}
 {{- end }}
- {{- if .Values.envSecretName }}
- - name: AWS_ACCESS_KEY_ID
- valueFrom:
- secretKeyRef:
- name: {{ .Values.envSecretName }}
- key: key_id
- optional: true
- - name: AWS_SECRET_ACCESS_KEY
- valueFrom:
- secretKeyRef:
- name: {{ .Values.envSecretName }}
- key: access_key
- optional: true
- {{- end }}
- {{- end }}
- {{- if .Values.envFrom }}
- envFrom:
- {{- toYaml .Values.envFrom | nindent 10 }}
- {{- end }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 10 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -224,10 +180,6 @@ spec:
 livenessProbe:
 {{- toYaml . | nindent 10 }}
 {{- end }}
- {{- with .Values.readinessProbe }}
- readinessProbe:
- {{- toYaml . | nindent 10 }}
- {{- end }}
 terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/hpa.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/hpa.yaml
deleted file mode 100644
index 68689ba66..000000000
--- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/hpa.yaml
+++ /dev/null
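Review bot: The retained `value: "{{ $value }}"` under `env:` interpolates a Helm value directly into a double-quoted YAML scalar, so a value containing a `"` or a backslash yields an invalid or restructured manifest instead of a literal string; the safe form is `value: {{ $value | quote }}`, and `- name: {{ $key | quote }}` for the key. The same applies to the other unquoted interpolations in this container spec, which continues outside the hunk. The hunk's net effect on the new side is that only `.Values.env` can populate the environment, so the hard-coded `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` path is gone; that is consistent with the "strongly discourage programming access credentials" comment in values.yaml and needs no further change.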
@@ -1,34 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.Version)}}
-apiVersion: autoscaling/v2
-{{- else }}
-apiVersion: autoscaling/v2beta2
-{{- end }}
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ include "aws-load-balancer-controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
- annotations:
- {{- .Values.annotations | toYaml | nindent 4 }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ include "aws-load-balancer-controller.fullname" . }}
- minReplicas: {{ .Values.autoscaling.minReplicas }}
- maxReplicas: {{ required "A valid .Values.autoscaling.maxReplicas value is required" .Values.autoscaling.maxReplicas }}
- metrics:
- {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- target:
- averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Utilization
- {{- end }}
- {{- if .Values.autoscaling.autoscaleBehavior }}
- behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/rbac.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/rbac.yaml
index 0dcc68c77..fc3bda695 100644
--- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/rbac.yaml
+++ b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/rbac.yaml
@@ -75,9 +75,6 @@ rules:
 - apiGroups: [""]
 resources: [nodes, namespaces, endpoints]
 verbs: [get, list, watch]
-- apiGroups: [""]
- resources: [configmaps]
- verbs: [get, delete, create, update]
 {{- if .Values.clusterSecretsPermissions.allowAllSecrets }}
 - apiGroups: [""]
 resources: [secrets]
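Review bot: Dropping the `configmaps` get/delete/create/update rule in rbac.yaml is a least-privilege improvement, but it is a runtime permission change for the controller image this diff pins back to v2.5.3; if that release still reads or writes any ConfigMap (older controller-runtime builds used ConfigMap-based leader election), the pods will fail with RBAC forbidden errors after the revert — confirm against the upstream chart's rbac.yaml for v2.5.3 before merging. The `allowAllSecrets` branch that follows keeps a cluster-wide `secrets` grant behind a values flag; a comment directly above it, `# cluster-wide Secret access is only needed for the OIDC feature`, would state that at the point where the grant is made rather than only in values.yaml. The hpa.yaml deletion is a pure removal and raises nothing on its own.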
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/servicemonitor.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/servicemonitor.yaml
index 0454558c2..c811be253 100644
--- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/servicemonitor.yaml
+++ b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/servicemonitor.yaml
@@ -3,14 +3,18 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
 name: {{ include "aws-load-balancer-controller.fullname" . }}
- namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }}
+ {{- if .Values.serviceMonitor.namespace }}
+ namespace: {{ .Values.serviceMonitor.namespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace | quote }}
+ {{- end }}
 labels:
 {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
- {{- with .Values.serviceMonitor.additionalLabels }}
+ {{- with .Values.serviceMonitor.additionalLabels }}
 {{- toYaml . | nindent 4 }}
- {{- end }}
+ {{- end }}
 spec:
- jobLabel: app.kubernetes.io/instance
+ jobLabel: {{ .Release.Name }}
 namespaceSelector:
 matchNames:
 - {{ .Release.Namespace }}
@@ -25,19 +29,7 @@ spec:
 endpoints:
 - port: metrics-server
 path: /metrics
- scheme: http
- {{- with .Values.serviceMonitor.interval }}
+ {{- with .Values.serviceMonitor.interval }}
 interval: {{ . }}
- {{- end }}
- {{- with .Values.serviceMonitor.scrapeTimeout }}
- scrapeTimeout: {{ . }}
- {{- end }}
- {{- with .Values.serviceMonitor.relabelings }}
- relabelings:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.serviceMonitor.metricRelabelings }}
- metricRelabelings:
- {{- toYaml . | nindent 8 }}
- {{- end }}
-{{- end -}}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
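Review bot: `jobLabel: {{ .Release.Name }}` puts a release name where the ServiceMonitor spec expects the key of a label on the scraped Service (the Prometheus Operator copies that label's value into the `job` label), and a release name is unlikely to exist as a label key on the Service, so the job label presumably falls back to the Service name — confirm against the operator version in use. If the intent is a faithful restore of the vendored chart, add `# jobLabel names a label key, not a value; an absent key falls back to the Service name` above it, otherwise use a label key that the Service actually carries. The file also now ends without a trailing newline (`\ No newline at end of file`), which YAML linters commonly flag.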
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/webhook.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/webhook.yaml
index 504f08ccb..e7d557e41 100644
--- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/webhook.yaml
+++ b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/webhook.yaml
@@ -65,7 +65,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /mutate-v1-service
- failurePolicy: {{ .Values.serviceMutatorWebhookConfig.failurePolicy }}
+ failurePolicy: Fail
 name: mservice.elbv2.k8s.aws
 admissionReviewVersions:
 - v1beta1
@@ -75,21 +75,13 @@ webhooks:
 operator: NotIn
 values:
 - {{ include "aws-load-balancer-controller.name" . }}
- {{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions }}
- {{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions | nindent 4 }}
- {{- end }}
-
- {{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels }}
- matchLabels:
- {{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels | nindent 6 }}
- {{- end }}
 rules:
 - apiGroups:
 - ""
 apiVersions:
 - v1
 operations:
- {{- toYaml .Values.serviceMutatorWebhookConfig.operations | nindent 4 }}
+ - CREATE
 resources:
 - services
 sideEffects: None
@@ -181,7 +173,6 @@ webhooks:
 resources:
 - targetgroupbindings
 sideEffects: None
-{{- if not $.Values.webhookConfig.disableIngressValidation }}
 - clientConfig:
 {{ if not $.Values.enableCertManager -}}
 caBundle: {{ $tls.caCert }}
@@ -206,7 +197,6 @@ webhooks:
 resources:
 - ingresses
 sideEffects: None
-{{- end }}
 ---
 {{- if not $.Values.enableCertManager }}
 apiVersion: v1
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/values.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/values.yaml
index c2f465bcd..dea199559 100644
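Review bot: The hard-coded `failurePolicy: Fail` on `mservice.elbv2.k8s.aws`, together with the `services`/`CREATE` rule and an objectSelector that excludes only the controller's own Services, means that an unreachable controller rejects every Service creation wherever the webhook's namespaceSelector (outside this hunk) matches; fail-closed is the right default for a webhook that mutates load-balancer configuration, but the readiness probe and the HPA that mitigated controller overload are removed elsewhere in this diff, so availability of the two replicas is now the only safeguard. A comment above the line would keep that trade-off visible: `# Fail-closed: if the controller is unavailable, Service CREATE is rejected cluster-wide; keep replicaCount >= 2.` The ingress validating webhook is now unconditional on the new side, which is the safer direction and needs no change.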
--- a/internal/constellation/helm/charts/aws-load-balancer-controller/values.yaml +++ b/internal/constellation/helm/charts/aws-load-balancer-controller/values.yaml @@ -4,29 +4,15 @@ replicaCount: 2 -revisionHistoryLimit: 10 - image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.11.0 + tag: v2.5.3 pullPolicy: IfNotPresent -runtimeClassName: "" imagePullSecrets: [] nameOverride: "" fullnameOverride: "" -# AWS LBC only has 1 main working pod, other pods are just standby -# the purpose of enable hpa is to survive load induced failure by the calls to the aws-load-balancer-webhook-service -# since the calls from kube-apiserver are sent round-robin to all replicas, and the failure policy on those webhooks is Fail -# if the pods become overloaded and do not respond within the timeout that could block the creation of pods, targetgroupbindings or ingresses -# Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - serviceAccount: # Specifies whether a service account should be created create: true @@ -120,8 +106,8 @@ clusterName: # cluster contains configurations specific to the kubernetes cluster cluster: - # Cluster DNS domain (required for requesting TLS certificates) - dnsDomain: cluster.local + # Cluster DNS domain (required for requesting TLS certificates) + dnsDomain: cluster.local # The ingress class this controller will satisfy. If not specified, controller will match all # ingresses without ingress class annotation and ingresses of type alb 
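Review bot: `tag: v2.5.3` references the controller image by a mutable tag only, while the coredns and snapshot-controller values in this same diff pin `tag@sha256:…`; since deployment.yaml builds the reference as `"{{ .Values.image.repository }}:{{ .Values.image.tag }}"`, a digest can be carried in the tag value itself (`tag: v2.5.3@sha256:<digest of the v2.5.3 manifest>`) with no template change, giving the same supply-chain guarantee across charts. Moving from v2.11.0 back to v2.5.3 is also several minor releases older; check the upstream release notes for security fixes in that range before shipping the revert, because nothing else in this chart can patch the image independently of this value.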
@@ -201,10 +187,6 @@ logLevel: # The address the metric endpoint binds to. (default ":8080") metricsBindAddr: "" -webhookConfig: - # disableIngressValidation disables the validation of resources of kind Ingress, false by default - disableIngressValidation: - # The TCP port the Webhook server binds to. (default 9443) webhookBindPort: @@ -214,7 +196,7 @@ webhookTLS: cert: key: -# array of namespace selectors for the pod mutator webhook +# array of namespace selectors for the webhook webhookNamespaceSelectors: # - key: elbv2.k8s.aws/pod-readiness-gate-inject # operator: In @@ -233,10 +215,7 @@ targetgroupbindingMaxConcurrentReconciles: # Maximum duration of exponential backoff for targetGroupBinding reconcile failures targetgroupbindingMaxExponentialBackoffDelay: -# Interval at which the controller monitors the state of load balancer after creation for stabilization -lbStabilizationMonitorInterval: - -# Period at which the controller forces the repopulation of its local object stores. (default 10h0m0s) +# Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s) syncPeriod: # Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. @@ -248,12 +227,6 @@ disableIngressClassAnnotation: # disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default disableIngressGroupNameAnnotation: -# tolerateNonExistentBackendService permits rules which specify backend services that don't exist, true by default (When enabled, it will return 503 error if backend service not exist) -tolerateNonExistentBackendService: - -# tolerateNonExistentBackendAction permits rules which specify backend actions that don't exist, true by default (When enabled, it will return 503 error if backend action not exist) -tolerateNonExistentBackendAction: - # defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners defaultSSLPolicy: 
@@ -267,17 +240,6 @@ livenessProbe: initialDelaySeconds: 30 timeoutSeconds: 10 -# readiness probe configuration for the controller -readinessProbe: - failureThreshold: 2 - httpGet: - path: /readyz - port: 61779 - scheme: HTTP - successThreshold: 1 - initialDelaySeconds: 10 - timeoutSeconds: 10 - # Environment variables to set for aws-load-balancer-controller pod. # We strongly discourage programming access credentials in the controller environment. You should setup IRSA or # comparable solutions like kube2iam, kiam etc instead. @@ -285,15 +247,8 @@ env: # ENV_1: "" # ENV_2: "" -# Use Environment variables credentials from Secret (aws-secret) for aws-load-balancer-controller pod similarly as The EBS CSI Driver does. -# envSecretName: aws-secret - -# Use envFrom to set environment variables from a Secret or ConfigMap -# envFrom: -# - secretRef: -# name: my-secret - # Specifies if aws-load-balancer-controller should be started in hostNetwork mode. +# # This is required if using a custom CNI where the managed control plane nodes are unable to initiate # network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or # recommended if using the Amazon VPC CNI plugin. @@ -360,11 +315,6 @@ controllerConfig: # EnableIPTargetType: true # SubnetsClusterTagCheck: true # NLBHealthCheckAdvancedConfig: true - # ALBSingleSubnet: false - # LBCapacityReservation: true - -certDiscovery: - allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope # objectSelector for webhook objectSelector: 
@@ -379,18 +329,12 @@ objectSelector: serviceMonitor: # Specifies whether a service monitor should be created enabled: false - # Namespace to create the service monitor in - namespace: - # Labels to add to the service monitor + # Labels to add to the service account additionalLabels: {} # Prometheus scrape interval interval: 1m - # Prometheus scrape timeout - scrapeTimeout: - # Relabelings to apply to samples before ingestion - relabelings: - # Metric relabelings to apply to samples before ingestion - metricRelabelings: + # Namespace to create the service monitor in + namespace: # clusterSecretsPermissions lets you configure RBAC permissions for secret resources # Access to secrets resource is required only if you use the OIDC feature, and instead of @@ -407,30 +351,3 @@ ingressClassConfig: # enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer enableServiceMutatorWebhook: true - -# serviceMutatorWebhook contains configurations specific to the service mutator webhook -serviceMutatorWebhookConfig: - # whether or not to fail the service creation if the webhook fails - failurePolicy: Fail - # limit webhook to only mutate services matching the objectSelector - objectSelector: - matchExpressions: [] - # - key: - # operator: - # values: - # - - matchLabels: {} - # key: value - # which operations trigger the webhook - operations: - - CREATE - # - UPDATE - -# serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs. -serviceTargetENISGTags: - -# Specifies the class of load balancer to use for services. This affects how services are provisioned if type LoadBalancer is used (default service.k8s.aws/nlb) -loadBalancerClass: - -# creator will disable helm default labels, so you can only add yours -# creator: "me" 
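Review bot: The comment `# Labels to add to the service account` above `serviceMonitor.additionalLabels` is wrong on the new side: the key lives under `serviceMonitor:` and servicemonitor.yaml renders it into the ServiceMonitor's labels, so it should read `# Labels to add to the service monitor`. The closing `enableServiceMutatorWebhook: true` now stands without its companion knobs, so its comment should mention that the webhook it enables is fail-closed on Service CREATE (that is fixed in webhook.yaml in this diff). The `objectSelector` section this hunk opens with starts before the hunk, so I cannot check its remaining keys.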
diff --git a/internal/constellation/helm/charts/coredns/templates/configmap.yaml b/internal/constellation/helm/charts/coredns/templates/configmap.yaml
index 03f06d623..58a48a318 100644
--- a/internal/constellation/helm/charts/coredns/templates/configmap.yaml
+++ b/internal/constellation/helm/charts/coredns/templates/configmap.yaml
@@ -16,10 +16,7 @@ data:
 forward . /etc/resolv.conf {
 max_concurrent 1000
 }
- cache 30 {
- disable success {{ .Values.dnsDomain }}
- disable denial {{ .Values.dnsDomain }}
- }
+ cache 30
 loop
 reload
 loadbalance
diff --git a/internal/constellation/helm/charts/coredns/values.yaml b/internal/constellation/helm/charts/coredns/values.yaml
index c740ed71c..9b3f72414 100644
--- a/internal/constellation/helm/charts/coredns/values.yaml
+++ b/internal/constellation/helm/charts/coredns/values.yaml
@@ -1,3 +1,3 @@
 clusterIP: 10.96.0.10
 dnsDomain: cluster.local
-image: registry.k8s.io/coredns/coredns:v1.12.0@sha256:40384aa1f5ea6bfdc77997d243aec73da05f27aed0c5e9d65bfa98933c519d97
+image: registry.k8s.io/coredns/coredns:v1.11.3@sha256:9caabbf6238b189a65d0d6e6ac138de60d6a1c419e5a341fbbb7c78382559c6e
diff --git a/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml b/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml
index 220c3efc6..06a971465 100644
--- a/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml
+++ b/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml
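Review bot: The bare `cache 30` on the new side caches answers for `{{ .Values.dnsDomain }}` as well, whereas the removed block exempted the cluster domain from both positive and negative caching; by the CoreDNS cache plugin's semantics a name that appears or changes inside the cluster can keep returning a stale or NXDOMAIN answer for up to 30 s. That is tolerable for a revert but should be stated in the Corefile, e.g. `# cluster-domain answers are cached up to 30s and may lag Service/Endpoint changes` above `cache 30`. The coredns image in values.yaml stays digest-pinned, which is the right form.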
@@ -5,11 +5,5 @@ metadata:
 name: gceconf
 namespace: {{ .Release.Namespace }}
 data:
- gce.conf: |
- [global]
- project-id = {{.Values.GCP.projectID }}
- use-metadata-server = true
- node-tags = constellation-{{ .Values.GCP.uid }}
- regional = true
- token-url = nil # This forces use of GOOGLE_APPLICATION_CREDENTIALS.
+ gce.conf: "[global]\nproject-id = {{.Values.GCP.projectID }}\nuse-metadata-server = true\nnode-tags = constellation-{{ .Values.GCP.uid }}\nregional = true\n"
 {{- end -}}
diff --git a/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml
index 5eed603c5..fe6460d4a 100644
--- a/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml
+++ b/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml
@@ -40,9 +40,6 @@ spec:
 - --cloud-provider={{ .Values.csp }}
 - --key-service-endpoint=key-service.{{ .Release.Namespace }}:{{ .Values.global.keyServicePort }}
 - --attestation-variant={{ .Values.attestationVariant }}
- env:
- - name: GOOGLE_APPLICATION_CREDENTIALS
- value: /var/secrets/google/key.json
 volumeMounts:
 - mountPath: {{ .Values.global.serviceBasePath | quote }}
 name: config
@@ -50,9 +47,6 @@ spec:
 - mountPath: /etc/kubernetes
 name: kubeadm
 readOnly: true
- - mountPath: /var/secrets/google
- name: gcekey
- readOnly: true
 ports:
 - containerPort: {{ .Values.joinServicePort }}
 name: tcp
@@ -60,10 +54,6 @@ spec:
 securityContext:
 privileged: true
 volumes:
- - name: gcekey
- secret:
- secretName: gcekey
- optional: true
 - name: config
 projected:
 sources:
diff --git a/internal/constellation/helm/charts/edgeless/csi/charts/snapshot-controller/values.yaml b/internal/constellation/helm/charts/edgeless/csi/charts/snapshot-controller/values.yaml
index 88e453caf..b03a97492 100644
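Review bot: The new single-line `gce.conf: "[global]\n…"` packs four config keys and two template expressions into one escaped double-quoted scalar, which is hard to diff and leaves the interpolated values unquoted inside the string; a block scalar (`gce.conf: |` followed by one `key = value` line each) renders the same bytes and is reviewable. With `token-url` gone and `use-metadata-server = true`, and with the join-service hunks below dropping both `GOOGLE_APPLICATION_CREDENTIALS` and the `gcekey` Secret mount, the GCP components no longer receive a service-account key and presumably authenticate through the instance metadata server — a one-line comment above `gce.conf` saying so, and naming the IAM role the node identity needs, would document the credential path. The unchanged `privileged: true` on the join-service container still carries no why-comment; one stating what host access it needs (I would guess attestation device access — confirm) belongs next to it.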
--- a/internal/constellation/helm/charts/edgeless/csi/charts/snapshot-controller/values.yaml +++ b/internal/constellation/helm/charts/edgeless/csi/charts/snapshot-controller/values.yaml @@ -3,12 +3,12 @@ snapshotController: snapshotController: image: repository: registry.k8s.io/sig-storage/snapshot-controller - tag: v8.2.1@sha256:472fa35a89dadb5a715454fad576ec11aa6f2e8378fc09ae26473d139b77c437 + tag: v8.1.0@sha256:a8a6749641849a6d7e560d26647e88dbd605a75cbff1823568ab90287ea29038 imagePullPolicy: IfNotPresent snapshotWebhook: replicas: 1 webhook: image: repository: registry.k8s.io/sig-storage/snapshot-validation-webhook - tag: v8.1.1@sha256:979842f9a6c23ae1b2ddd26603c27412dfc4d3c027d9cda1cb87a67b91ae9ac8 + tag: v8.1.0@sha256:35fa940f062222dfa3257e0c74837a22c35976be899bab6103b433bab0e03a81 imagePullPolicy: IfNotPresent diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/autoscalingstrategy-crd.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/autoscalingstrategy-crd.yaml index 9156e3e71..18dce5e37 100644 --- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/autoscalingstrategy-crd.yaml +++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/autoscalingstrategy-crd.yaml @@ -1,10 +1,9 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 name: autoscalingstrategies.update.edgeless.systems + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 spec: group: update.edgeless.systems names: 
@@ -21,19 +20,14 @@ spec: API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -54,8 +48,8 @@ spec: deployment. type: string enabled: - description: Enabled defines whether cluster autoscaling should be - enabled or not. + description: Enabled defines whether cluster autoscaling should be enabled + or not. type: boolean required: - deploymentName @@ -70,8 +64,7 @@ spec: enabled or not. type: boolean replicas: - description: Replicas is the number of replicas for the autoscaler - deployment. + description: Replicas is the number of replicas for the autoscaler deployment. format: int32 type: integer type: object 
@@ -80,3 +73,9 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/joiningnode-crd.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/joiningnode-crd.yaml index 1beca7221..88fb65ae8 100644 --- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/joiningnode-crd.yaml +++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/joiningnode-crd.yaml @@ -1,10 +1,9 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 name: joiningnodes.update.edgeless.systems + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 spec: group: update.edgeless.systems names: 
@@ -20,19 +19,14 @@ spec: description: JoiningNode is the Schema for the joiningnodes API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -65,3 +59,9 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/nodeversion-crd.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/nodeversion-crd.yaml index 4b7f7b7e0..9c46b695c 100644 --- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/nodeversion-crd.yaml 
+++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/nodeversion-crd.yaml @@ -1,10 +1,9 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 name: nodeversions.update.edgeless.systems + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 spec: group: update.edgeless.systems names: @@ -20,19 +19,14 @@ spec: description: NodeVersion is the Schema for the nodeversions API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -66,49 +60,65 @@ spec: description: AwaitingAnnotation is a list of nodes that are waiting for the operator to annotate them. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array budget: description: Budget is the amount of extra nodes that can be created 
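Review bot: The regenerated schema for the AwaitingAnnotation list items drops `x-kubernetes-map-type: atomic` from the embedded ObjectReference and swaps its one-line description for the upstream comment stating that new uses of this type are discouraged, so the CRD the chart installs now diverges from the schema the current Kubernetes API types declare; the same drop recurs for every ObjectReference list in the hunk beginning `@@ -177,389 +199,516 @@`, which runs past this chunk. This appears to follow from pinning controller-gen back to `v0.9.0` in the `annotations:` hunks of the joiningnode and nodeversion CRDs, but nothing in the diff says why an older generator is wanted. If the downgrade is intentional, the commit message should state the reason and the operator's Go types should be confirmed to match what v0.9.0 emits; otherwise the CRDs should be regenerated with the generator version the repository's tooling expects. The `status:` stanza with empty `acceptedNames` and `storedVersions` that the older generator appends is server-managed data that a chart manifest has no reason to carry, and joiningnode-crd.yaml now ends without a trailing newline.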
@@ -119,35 +129,43 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: Condition contains details for one aspect of the current - state of this API Resource. + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -162,6 +180,10 @@ spec: type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -177,389 +199,516 @@ spec: description: Donors is a list of outdated nodes that donate labels to heirs. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array heirs: description: Heirs is a list of nodes using the latest image that still need to inherit labels from donors. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. 
Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array invalid: description: Invalid is a list of invalid nodes (nodes that cannot be processed by the operator due to missing information or transient faults). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. 
\n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array mints: description: Mints is a list of up to date nodes that will become heirs. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. 
For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). 
This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array obsolete: description: Obsolete is a list of obsolete nodes (nodes that have been created by the operator but are no longer needed). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. 
In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' 
type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array outdated: description: Outdated is a list of nodes that are using an outdated image. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. 
+ description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array pending: description: Pending is a list of pending nodes (joining or leaving the cluster). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. 
The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). 
This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array upToDate: description: UpToDate is a list of nodes that are using the latest image and labels. 
items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array required: - - activeclusterversionupgrade - budget - conditions type: object diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/pendingnode-crd.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/pendingnode-crd.yaml index c6cd2db6a..41b5a4cd7 100644 --- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/pendingnode-crd.yaml +++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/pendingnode-crd.yaml @@ -1,10 +1,9 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 name: pendingnodes.update.edgeless.systems + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 spec: group: update.edgeless.systems names: 
@@ -20,19 +19,14 @@ spec: description: PendingNode is the Schema for the pendingnodes API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -40,11 +34,10 @@ spec: description: PendingNodeSpec defines the desired state of PendingNode. properties: deadline: - description: |- - Deadline is the deadline for reaching the goal state. - Joining nodes will be terminated if the deadline is exceeded. - Leaving nodes will remain as unschedulable to prevent data loss. - If not specified, the node may remain in the pending state indefinitely. + description: Deadline is the deadline for reaching the goal state. Joining + nodes will be terminated if the deadline is exceeded. Leaving nodes + will remain as unschedulable to prevent data loss. If not specified, + the node may remain in the pending state indefinitely. format: date-time type: string goal: @@ -54,8 +47,8 @@ spec: - Leave type: string groupID: - description: ScalingGroupID is the ID of the group that this node - shall be part of. + description: ScalingGroupID is the ID of the group that this node shall + be part of. type: string nodeName: description: NodeName is the kubernetes internal name of the node. @@ -79,8 +72,7 @@ spec: - Failed type: string reachedGoal: - description: ReachedGoal is true if the node has reached the goal - state. + description: ReachedGoal is true if the node has reached the goal state. type: boolean type: object type: object @@ -88,3 +80,9 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/scalinggroup-crd.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/scalinggroup-crd.yaml index 5eed4ebc8..0e334ae29 100644 --- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/scalinggroup-crd.yaml +++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/scalinggroup-crd.yaml 
@@ -1,10 +1,9 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 name: scalinggroups.update.edgeless.systems + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 spec: group: update.edgeless.systems names: @@ -20,19 +19,14 @@ spec: description: ScalingGroup is the Schema for the scalinggroups API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -43,16 +37,16 @@ spec: description: AutoscalerGroupName is name that is expected by the autoscaler. type: string autoscaling: - description: Autoscaling specifies wether the scaling group should - automatically scale using the cluster-autoscaler. + description: Autoscaling specifies wether the scaling group should automatically + scale using the cluster-autoscaler. type: boolean groupId: - description: GroupID is the CSP specific, canonical identifier of - a scaling group. + description: GroupID is the CSP specific, canonical identifier of a + scaling group. type: string max: - description: Max is the maximum number of autoscaled nodes in the - scaling group (used by cluster-autoscaler). + description: Max is the maximum number of autoscaled nodes in the scaling + group (used by cluster-autoscaler). format: int32 type: integer min: @@ -61,11 +55,11 @@ spec: format: int32 type: integer nodeGroupName: - description: NodeGroupName is the human friendly name of the node - group as defined in the Constellation configuration. + description: NodeGroupName is the human friendly name of the node group + as defined in the Constellation configuration. type: string nodeImage: - description: NodeVersion is the name of the NodeVersion resource. + description: NodeImage is the name of the NodeImage resource. type: string role: description: Role is the role of the nodes in the scaling group. 
@@ -81,36 +75,44 @@ spec: description: Conditions represent the latest available observations of an object's state. items: - description: Condition contains details for one aspect of the current - state of this API Resource. + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a foo's + current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating details + about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers of + specific condition types may define expected values and meanings + for this field, and whether the values are considered a guaranteed + API. The value should be a CamelCase string. This field may + not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -124,6 +126,10 @@ spec: type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -136,8 +142,8 @@ spec: type: object type: array imageReference: - description: ImageReference is the image currently used for newly - created nodes in this scaling group. + description: ImageReference is the image currently used for newly created + nodes in this scaling group. type: string required: - conditions @@ -147,3 +153,9 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml index 5afe29d9b..9083df141 100644 --- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml +++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml @@ -42,8 +42,6 @@ spec: value: {{ .Values.csp | quote }} - name: constellation-uid value: {{ .Values.constellationUID | quote }} - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json image: {{ .Values.controllerManager.manager.image | quote }} livenessProbe: httpGet: @@ -74,9 +72,6 @@ spec: - mountPath: /etc/gce name: gceconf readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - mountPath: /etc/constellation-upgrade-agent.sock name: upgrade-agent-socket readOnly: true @@ -114,10 +109,6 @@ spec: name: gceconf optional: true name: gceconf - - name: gcekey - secret: - secretName: gcekey - optional: true - name: upgrade-agent-socket hostPath: path: /run/constellation-upgrade-agent.sock diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/manager-rbac.yaml index 0e271ff7f..45dddbdd9 100644 
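Review bot: In the three deployment.yaml hunks the `GOOGLE_APPLICATION_CREDENTIALS` env var, the `/var/secrets/google` mount and the `gcekey` secret volume are removed together, which keeps the manifest internally consistent but says nothing about how the manager obtains GCP credentials on the new side. If the GCP client falls back to ambient credentials (the node's service account via the metadata server), this removes a long-lived key file from the pod and is a real improvement; if it still expects the key file, GCP reconciliation fails only at runtime, with nothing in the rendered manifest explaining why. The surviving `gceconf` volume is still `optional: true`, so a one-line comment next to it, such as `# no GCP key secret is mounted; the manager must use ambient GCP credentials`, would make the intended auth path explicit for the next reader.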
--- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/manager-rbac.yaml +++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/manager-rbac.yaml @@ -13,7 +13,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -59,10 +58,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete @@ -75,20 +70,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch 
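Review bot: The `watch` verb is dropped from the rule at the top of the first manager-rbac hunk, but the `resources:` that rule covers begin outside the hunk, so it is not visible which API objects lose it. If the manager runs an informer on those resources, its cache's list/watch will be forbidden at startup and the operator fails outright rather than degrading; if it only does on-demand `get`/`list` calls, the narrower grant is a least-privilege improvement. The intent should be stated next to the rule, e.g. `# watch deliberately not granted: the manager only reads these on demand`, or the verb kept if a watch is in use. The later hunks in this file appear to split the aggregated `update.edgeless.systems` rules into one rule per resource with the same verb sets, which should not change the effective permissions, but that is worth confirming against the old rule whose verb list is cut off at the hunk edge.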
@@ -107,6 +120,84 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/internal/constellation/helm/retryaction_test.go b/internal/constellation/helm/retryaction_test.go index 7d02cd722..6a39d7cb2 100644 --- a/internal/constellation/helm/retryaction_test.go +++ b/internal/constellation/helm/retryaction_test.go @@ -64,7 +64,7 @@ func TestRetryApply(t *testing.T) { t.Run(name, func(t *testing.T) { assert := assert.New(t) - err := retryApply(t.Context(), tc.applier, time.Millisecond, logger.NewTest(t)) + err := retryApply(context.Background(), tc.applier, time.Millisecond, logger.NewTest(t)) if tc.wantErr { assert.Error(err) } else { 
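Review bot: Replacing `t.Context()` with `context.Background()` in the retryaction_test.go hunk drops the cancellation that ended the call when the subtest finished; if `retryApply` honours its context and the applier keeps failing, the test now hangs until the global test timeout instead of being cut off at subtest exit. If the switch is needed for an older toolchain, keep a cancellable context: `ctx, cancel := context.WithCancel(context.Background())`, `t.Cleanup(cancel)`, `err := retryApply(ctx, tc.applier, time.Millisecond, logger.NewTest(t))`. The enclosing `t.Run` closure and the file's import block are outside the hunk, so the `context` import needs to be confirmed there.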
diff --git a/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml index fa41d793b..01d9e6f57 100644 --- a/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml +++ b/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml 
@@ -37,63 +37,58 @@ spec: kubectl.kubernetes.io/default-container: manager spec: containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8080 - - --leader-elect - command: - - /node-operator - env: - - name: KUBERNETES_CLUSTER_DOMAIN - value: cluster.local - - name: CONSTEL_CSP - value: GCP - - name: constellation-uid - value: "42424242424242" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json - image: constellationOperatorImage - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /etc/kubernetes/pki/etcd - name: etcd-certs - - mountPath: /host/usr/lib/os-release - name: usr-lib-os-release - - mountPath: /etc/os-release - name: etc-os-release - - mountPath: /etc/azure - name: azureconfig - readOnly: true - - mountPath: /etc/gce - name: gceconf - readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /etc/constellation-upgrade-agent.sock - name: upgrade-agent-socket - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8080 + - --leader-elect + command: + - /node-operator + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + - name: CONSTEL_CSP + value: GCP + - name: constellation-uid + value: "42424242424242" + image: constellationOperatorImage + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + 
allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /etc/kubernetes/pki/etcd + name: etcd-certs + - mountPath: /host/usr/lib/os-release + name: usr-lib-os-release + - mountPath: /etc/os-release + name: etc-os-release + - mountPath: /etc/azure + name: azureconfig + readOnly: true + - mountPath: /etc/gce + name: gceconf + readOnly: true + - mountPath: /etc/constellation-upgrade-agent.sock + name: upgrade-agent-socket + readOnly: true nodeSelector: node-role.kubernetes.io/control-plane: "" securityContext: 
@@ -101,38 +96,34 @@ spec: serviceAccountName: constellation-operator-controller-manager terminationGracePeriodSeconds: 10 tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists volumes: - - hostPath: - path: /etc/kubernetes/pki/etcd - type: Directory - name: etcd-certs - - hostPath: - path: /usr/lib/os-release - type: File - name: usr-lib-os-release - - hostPath: - path: /etc/os-release - type: File - name: etc-os-release - - name: azureconfig - secret: - optional: true - secretName: azureconfig - - configMap: - name: gceconf - optional: true + - hostPath: + path: /etc/kubernetes/pki/etcd + type: Directory + name: etcd-certs + - hostPath: + path: /usr/lib/os-release + type: File + name: usr-lib-os-release + - hostPath: + path: /etc/os-release + type: File + name: etc-os-release + - name: azureconfig + secret: + optional: true + secretName: azureconfig + - configMap: name: gceconf - - name: gcekey - secret: - secretName: gcekey - optional: true - - name: upgrade-agent-socket - hostPath: - path: /run/constellation-upgrade-agent.sock - type: Socket + optional: true + name: gceconf + - name: upgrade-agent-socket + hostPath: + path: /run/constellation-upgrade-agent.sock + type: Socket diff --git a/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml index 56bf77080..4fa4863c8 100644 --- a/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml 
+++ b/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml @@ -16,7 +16,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -62,10 +61,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete @@ -78,20 +73,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch 
@@ -110,6 +123,84 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml index 7c65a887f..2156f82a6 100644 --- a/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml 
@@ -40,9 +40,6 @@ spec: - --cloud-provider=AWS - --key-service-endpoint=key-service.testNamespace:9000 - --attestation-variant=aws-nitro-tpm - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json volumeMounts: - mountPath: /var/config name: config @@ -50,9 +47,6 @@ spec: - mountPath: /etc/kubernetes name: kubeadm readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true ports: - containerPort: 9090 name: tcp @@ -60,10 +54,6 @@ spec: securityContext: privileged: true volumes: - - name: gcekey - secret: - secretName: gcekey - optional: true - name: config projected: sources: diff --git a/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml index 23b5ac730..d50c5492f 100644 --- a/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml +++ b/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml 
@@ -37,63 +37,58 @@ spec: kubectl.kubernetes.io/default-container: manager spec: containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8080 - - --leader-elect - command: - - /node-operator - env: - - name: KUBERNETES_CLUSTER_DOMAIN - value: cluster.local - - name: CONSTEL_CSP - value: Azure - - name: constellation-uid - value: "42424242424242" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json - image: constellationOperatorImage - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /etc/kubernetes/pki/etcd - name: etcd-certs - - mountPath: /host/usr/lib/os-release - name: usr-lib-os-release - - mountPath: /etc/os-release - name: etc-os-release - - mountPath: /etc/azure - name: azureconfig - readOnly: true - - mountPath: /etc/gce - name: gceconf - readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /etc/constellation-upgrade-agent.sock - name: upgrade-agent-socket - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8080 + - --leader-elect + command: + - /node-operator + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + - name: CONSTEL_CSP + value: Azure + - name: constellation-uid + value: "42424242424242" + image: constellationOperatorImage + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + 
allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /etc/kubernetes/pki/etcd + name: etcd-certs + - mountPath: /host/usr/lib/os-release + name: usr-lib-os-release + - mountPath: /etc/os-release + name: etc-os-release + - mountPath: /etc/azure + name: azureconfig + readOnly: true + - mountPath: /etc/gce + name: gceconf + readOnly: true + - mountPath: /etc/constellation-upgrade-agent.sock + name: upgrade-agent-socket + readOnly: true nodeSelector: node-role.kubernetes.io/control-plane: "" securityContext: 
@@ -101,38 +96,34 @@ spec: serviceAccountName: constellation-operator-controller-manager terminationGracePeriodSeconds: 10 tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists volumes: - - hostPath: - path: /etc/kubernetes/pki/etcd - type: Directory - name: etcd-certs - - hostPath: - path: /usr/lib/os-release - type: File - name: usr-lib-os-release - - hostPath: - path: /etc/os-release - type: File - name: etc-os-release - - name: azureconfig - secret: - optional: true - secretName: azureconfig - - configMap: - name: gceconf - optional: true + - hostPath: + path: /etc/kubernetes/pki/etcd + type: Directory + name: etcd-certs + - hostPath: + path: /usr/lib/os-release + type: File + name: usr-lib-os-release + - hostPath: + path: /etc/os-release + type: File + name: etc-os-release + - name: azureconfig + secret: + optional: true + secretName: azureconfig + - configMap: name: gceconf - - name: gcekey - secret: - secretName: gcekey - optional: true - - name: upgrade-agent-socket - hostPath: - path: /run/constellation-upgrade-agent.sock - type: Socket + optional: true + name: gceconf + - name: upgrade-agent-socket + hostPath: + path: /run/constellation-upgrade-agent.sock + type: Socket diff --git a/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml index 56bf77080..4fa4863c8 100644 --- a/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml 
+++ b/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml @@ -16,7 +16,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -62,10 +61,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete @@ -78,20 +73,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch 
@@ -110,6 +123,84 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml index 361089daa..05f397876 100644 --- a/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml 
@@ -40,9 +40,6 @@ spec: - --cloud-provider=Azure - --key-service-endpoint=key-service.testNamespace:9000 - --attestation-variant=azure-sev-snp - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json volumeMounts: - mountPath: /var/config name: config @@ -50,9 +47,6 @@ spec: - mountPath: /etc/kubernetes name: kubeadm readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true ports: - containerPort: 9090 name: tcp @@ -60,10 +54,6 @@ spec: securityContext: privileged: true volumes: - - name: gcekey - secret: - secretName: gcekey - optional: true - name: config projected: sources: diff --git a/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml index fa41d793b..01d9e6f57 100644 --- a/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml +++ b/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml 
@@ -37,63 +37,58 @@ spec: kubectl.kubernetes.io/default-container: manager spec: containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8080 - - --leader-elect - command: - - /node-operator - env: - - name: KUBERNETES_CLUSTER_DOMAIN - value: cluster.local - - name: CONSTEL_CSP - value: GCP - - name: constellation-uid - value: "42424242424242" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json - image: constellationOperatorImage - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /etc/kubernetes/pki/etcd - name: etcd-certs - - mountPath: /host/usr/lib/os-release - name: usr-lib-os-release - - mountPath: /etc/os-release - name: etc-os-release - - mountPath: /etc/azure - name: azureconfig - readOnly: true - - mountPath: /etc/gce - name: gceconf - readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /etc/constellation-upgrade-agent.sock - name: upgrade-agent-socket - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8080 + - --leader-elect + command: + - /node-operator + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + - name: CONSTEL_CSP + value: GCP + - name: constellation-uid + value: "42424242424242" + image: constellationOperatorImage + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + 
allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /etc/kubernetes/pki/etcd + name: etcd-certs + - mountPath: /host/usr/lib/os-release + name: usr-lib-os-release + - mountPath: /etc/os-release + name: etc-os-release + - mountPath: /etc/azure + name: azureconfig + readOnly: true + - mountPath: /etc/gce + name: gceconf + readOnly: true + - mountPath: /etc/constellation-upgrade-agent.sock + name: upgrade-agent-socket + readOnly: true nodeSelector: node-role.kubernetes.io/control-plane: "" securityContext: 
@@ -101,38 +96,34 @@ spec: serviceAccountName: constellation-operator-controller-manager terminationGracePeriodSeconds: 10 tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists volumes: - - hostPath: - path: /etc/kubernetes/pki/etcd - type: Directory - name: etcd-certs - - hostPath: - path: /usr/lib/os-release - type: File - name: usr-lib-os-release - - hostPath: - path: /etc/os-release - type: File - name: etc-os-release - - name: azureconfig - secret: - optional: true - secretName: azureconfig - - configMap: - name: gceconf - optional: true + - hostPath: + path: /etc/kubernetes/pki/etcd + type: Directory + name: etcd-certs + - hostPath: + path: /usr/lib/os-release + type: File + name: usr-lib-os-release + - hostPath: + path: /etc/os-release + type: File + name: etc-os-release + - name: azureconfig + secret: + optional: true + secretName: azureconfig + - configMap: name: gceconf - - name: gcekey - secret: - secretName: gcekey - optional: true - - name: upgrade-agent-socket - hostPath: - path: /run/constellation-upgrade-agent.sock - type: Socket + optional: true + name: gceconf + - name: upgrade-agent-socket + hostPath: + path: /run/constellation-upgrade-agent.sock + type: Socket diff --git a/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml index 56bf77080..4fa4863c8 100644 --- a/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml 
+++ b/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml @@ -16,7 +16,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -62,10 +61,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete @@ -78,20 +73,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch 
@@ -110,6 +123,84 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml b/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml index c0ed7d331..5855fb988 100644 --- a/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml +++ b/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml 
@@ -4,4 +4,4 @@ metadata: name: gceconf namespace: testNamespace data: - gce.conf: "[global]\nproject-id = 42424242424242\nuse-metadata-server = true\nnode-tags = constellation-242424242424\nregional = true\ntoken-url = nil # This forces use of GOOGLE_APPLICATION_CREDENTIALS." + gce.conf: "[global]\nproject-id = 42424242424242\nuse-metadata-server = true\nnode-tags = constellation-242424242424\nregional = true\n" diff --git a/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml index d50416871..0ddfa9201 100644 --- a/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml @@ -40,9 +40,6 @@ spec: - --cloud-provider=GCP - --key-service-endpoint=key-service.testNamespace:9000 - --attestation-variant=gcp-sev-es - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json volumeMounts: - mountPath: /var/config name: config @@ -50,9 +47,6 @@ spec: - mountPath: /etc/kubernetes name: kubeadm readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true ports: - containerPort: 9090 name: tcp @@ -60,10 +54,6 @@ spec: securityContext: privileged: true volumes: - - name: gcekey - secret: - secretName: gcekey - optional: true - name: config projected: sources: diff --git a/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml index fa41d793b..01d9e6f57 100644 --- a/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml 
+++ b/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml 
@@ -37,63 +37,58 @@ spec: kubectl.kubernetes.io/default-container: manager spec: containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8080 - - --leader-elect - command: - - /node-operator - env: - - name: KUBERNETES_CLUSTER_DOMAIN - value: cluster.local - - name: CONSTEL_CSP - value: GCP - - name: constellation-uid - value: "42424242424242" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json - image: constellationOperatorImage - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /etc/kubernetes/pki/etcd - name: etcd-certs - - mountPath: /host/usr/lib/os-release - name: usr-lib-os-release - - mountPath: /etc/os-release - name: etc-os-release - - mountPath: /etc/azure - name: azureconfig - readOnly: true - - mountPath: /etc/gce - name: gceconf - readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /etc/constellation-upgrade-agent.sock - name: upgrade-agent-socket - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8080 + - --leader-elect + command: + - /node-operator + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + - name: CONSTEL_CSP + value: GCP + - name: constellation-uid + value: "42424242424242" + image: constellationOperatorImage + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + 
allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /etc/kubernetes/pki/etcd + name: etcd-certs + - mountPath: /host/usr/lib/os-release + name: usr-lib-os-release + - mountPath: /etc/os-release + name: etc-os-release + - mountPath: /etc/azure + name: azureconfig + readOnly: true + - mountPath: /etc/gce + name: gceconf + readOnly: true + - mountPath: /etc/constellation-upgrade-agent.sock + name: upgrade-agent-socket + readOnly: true nodeSelector: node-role.kubernetes.io/control-plane: "" securityContext: 
@@ -101,38 +96,34 @@ spec: serviceAccountName: constellation-operator-controller-manager terminationGracePeriodSeconds: 10 tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists volumes: - - hostPath: - path: /etc/kubernetes/pki/etcd - type: Directory - name: etcd-certs - - hostPath: - path: /usr/lib/os-release - type: File - name: usr-lib-os-release - - hostPath: - path: /etc/os-release - type: File - name: etc-os-release - - name: azureconfig - secret: - optional: true - secretName: azureconfig - - configMap: - name: gceconf - optional: true + - hostPath: + path: /etc/kubernetes/pki/etcd + type: Directory + name: etcd-certs + - hostPath: + path: /usr/lib/os-release + type: File + name: usr-lib-os-release + - hostPath: + path: /etc/os-release + type: File + name: etc-os-release + - name: azureconfig + secret: + optional: true + secretName: azureconfig + - configMap: name: gceconf - - name: gcekey - secret: - secretName: gcekey - optional: true - - name: upgrade-agent-socket - hostPath: - path: /run/constellation-upgrade-agent.sock - type: Socket + optional: true + name: gceconf + - name: upgrade-agent-socket + hostPath: + path: /run/constellation-upgrade-agent.sock + type: Socket diff --git a/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml index 56bf77080..4fa4863c8 100644 --- a/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml 
+++ b/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml @@ -16,7 +16,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -62,10 +61,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete @@ -78,20 +73,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch 
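Review bot: The first hunk drops `watch` from a rule that now keeps only `get` and `list`; the resource that rule covers sits above the hunk, but if the operator's controller-runtime cache or an informer lists that resource it needs `list` and `watch` together and will fail at startup with a forbidden watch rather than degrade gracefully. Please confirm the manager only performs one-shot reads of that resource before narrowing the verb set; otherwise keep `- watch` there. The per-resource split of the `update.edgeless.systems` rules in the later hunks is verb-for-verb equivalent to the combined rule it replaces, so no privilege changes there. The QEMU copy of this file carries the identical change.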
@@ -110,6 +123,84 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml index 96258cbe2..0ed907f4d 100644 --- a/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml 
@@ -40,9 +40,6 @@ spec: - --cloud-provider=OpenStack - --key-service-endpoint=key-service.testNamespace:9000 - --attestation-variant=qemu-vtpm - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json volumeMounts: - mountPath: /var/config name: config @@ -50,9 +47,6 @@ spec: - mountPath: /etc/kubernetes name: kubeadm readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true ports: - containerPort: 9090 name: tcp @@ -60,10 +54,6 @@ spec: securityContext: privileged: true volumes: - - name: gcekey - secret: - secretName: gcekey - optional: true - name: config projected: sources: diff --git a/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml index edad32c8d..99e4a790d 100644 --- a/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml +++ b/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml @@ -50,8 +50,6 @@ spec: value: QEMU - name: constellation-uid value: "42424242424242" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json image: constellationOperatorImage livenessProbe: httpGet: @@ -88,9 +86,6 @@ spec: - mountPath: /etc/gce name: gceconf readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - mountPath: /etc/constellation-upgrade-agent.sock name: upgrade-agent-socket readOnly: true @@ -128,10 +123,6 @@ spec: name: gceconf optional: true name: gceconf - - name: gcekey - secret: - secretName: gcekey - optional: true - name: upgrade-agent-socket hostPath: path: /run/constellation-upgrade-agent.sock 
diff --git a/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml index 56bf77080..4fa4863c8 100644 --- a/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml +++ b/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml @@ -16,7 +16,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -62,10 +61,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete @@ -78,20 +73,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch 
@@ -110,6 +123,84 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml index b1db9147f..71ad80428 100644 --- a/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml 
@@ -40,9 +40,6 @@ spec: - --cloud-provider=QEMU - --key-service-endpoint=key-service.testNamespace:9000 - --attestation-variant=qemu-vtpm - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json volumeMounts: - mountPath: /var/config name: config @@ -50,9 +47,6 @@ spec: - mountPath: /etc/kubernetes name: kubeadm readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true ports: - containerPort: 9090 name: tcp @@ -60,10 +54,6 @@ spec: securityContext: privileged: true volumes: - - name: gcekey - secret: - secretName: gcekey - optional: true - name: config projected: sources: diff --git a/internal/constellation/helm/update-aws-load-balancer-chart.sh b/internal/constellation/helm/update-aws-load-balancer-chart.sh index 797defaa8..1c6a8519c 100755 --- a/internal/constellation/helm/update-aws-load-balancer-chart.sh +++ b/internal/constellation/helm/update-aws-load-balancer-chart.sh @@ -8,7 +8,7 @@ set -o errtrace shopt -s inherit_errexit echo "Updating AWS Load Balancer Controller Helm chart..." -branch="v0.0.190" # releases can update the AWS load-balancer-controller chart +branch="v0.0.140" # releases can update the AWS load-balancer-controller chart # Required tools if ! command -v git &> /dev/null; then echo "git could not be found" diff --git a/internal/constellation/kubecmd/BUILD.bazel b/internal/constellation/kubecmd/BUILD.bazel index aca26d0bb..71bae3c32 100644 --- a/internal/constellation/kubecmd/BUILD.bazel +++ b/internal/constellation/kubecmd/BUILD.bazel 
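Review bot: `branch="v0.0.140"` pins the upstream AWS load-balancer-controller chart to a git tag, and tags are mutable, so whatever this script later checks out (outside the hunk) can change upstream without the pin changing. Consider recording the commit SHA alongside the tag and checking out by hash, e.g. `commit="<sha the tag resolved to>"` followed by `git -c advice.detachedHead=false checkout "$commit"`, or at least comparing the fetched tree against a known digest before vendoring it. The variable name `branch` is also misleading for a tag; renaming it to `tag` with the same value would make the intent clearer.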
@@ -30,11 +30,8 @@ go_library( "@io_k8s_apimachinery//pkg/apis/meta/v1/unstructured", "@io_k8s_apimachinery//pkg/runtime", "@io_k8s_apimachinery//pkg/runtime/schema", - "@io_k8s_apimachinery//pkg/runtime/serializer/json", "@io_k8s_client_go//util/retry", - "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm", - "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/scheme", - "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/v1beta4", + "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/v1beta3", "@io_k8s_sigs_yaml//:yaml", ], ) diff --git a/internal/constellation/kubecmd/backup_test.go b/internal/constellation/kubecmd/backup_test.go index bafa59bb5..a95c26be5 100644 --- a/internal/constellation/kubecmd/backup_test.go +++ b/internal/constellation/kubecmd/backup_test.go @@ -57,7 +57,7 @@ func TestBackupCRDs(t *testing.T) { log: stubLog{}, } - _, err = client.BackupCRDs(t.Context(), file.NewHandler(memFs), tc.upgradeID) + _, err = client.BackupCRDs(context.Background(), file.NewHandler(memFs), tc.upgradeID) if tc.wantError { assert.Error(err) return @@ -146,7 +146,7 @@ func TestBackupCRs(t *testing.T) { log: stubLog{}, } - err := client.BackupCRs(t.Context(), file.NewHandler(memFs), []apiextensionsv1.CustomResourceDefinition{tc.crd}, tc.upgradeID) + err := client.BackupCRs(context.Background(), file.NewHandler(memFs), []apiextensionsv1.CustomResourceDefinition{tc.crd}, tc.upgradeID) if tc.wantError { assert.Error(err) return diff --git a/internal/constellation/kubecmd/kubecmd.go b/internal/constellation/kubecmd/kubecmd.go index dd3c4f9da..1ebf99265 100644 --- a/internal/constellation/kubecmd/kubecmd.go +++ b/internal/constellation/kubecmd/kubecmd.go 
@@ -42,11 +42,9 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" - k8sjson "k8s.io/apimachinery/pkg/runtime/serializer/json" "k8s.io/client-go/util/retry" - "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" - kubeadmscheme "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme" - kubeadmv1beta4 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta4" + kubeadmv1beta3 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3" + "sigs.k8s.io/yaml" ) // ErrInProgress signals that an upgrade is in progress inside the cluster. @@ -131,18 +129,6 @@ func (k *KubeCmd) UpgradeKubernetesVersion(ctx context.Context, kubernetesVersio ) } - // TODO(burgerdev): remove after releasing v2.19 - // Workaround for https://github.com/kubernetes/kubernetes/issues/127316: force kubelet to - // connect to the local API server. - if err := k.patchKubeadmConfig(ctx, func(cc *kubeadm.ClusterConfiguration) { - if cc.FeatureGates == nil { - cc.FeatureGates = map[string]bool{} - } - cc.FeatureGates["ControlPlaneKubeletLocalMode"] = true - }); err != nil { - return fmt.Errorf("setting FeatureGate ControlPlaneKubeletLocalMode: %w", err) - } - versionConfig, ok := versions.VersionConfigs[kubernetesVersion] if !ok { return fmt.Errorf("skipping Kubernetes upgrade: %w", compatibility.NewInvalidUpgradeError( 
@@ -248,32 +234,48 @@ func (k *KubeCmd) ApplyJoinConfig(ctx context.Context, newAttestConfig config.At // ExtendClusterConfigCertSANs extends the ClusterConfig stored under "kube-system/kubeadm-config" with the given SANs. // Empty strings are ignored, existing SANs are preserved. func (k *KubeCmd) ExtendClusterConfigCertSANs(ctx context.Context, alternativeNames []string) error { - if err := k.patchKubeadmConfig(ctx, func(clusterConfiguration *kubeadm.ClusterConfiguration) { - existingSANs := make(map[string]struct{}) - for _, existingSAN := range clusterConfiguration.APIServer.CertSANs { - existingSANs[existingSAN] = struct{}{} - } + clusterConfiguration, kubeadmConfig, err := k.getClusterConfiguration(ctx) + if err != nil { + return fmt.Errorf("getting ClusterConfig: %w", err) + } - var missingSANs []string - for _, san := range alternativeNames { - if san == "" { - continue // skip empty SANs - } - if _, ok := existingSANs[san]; !ok { - missingSANs = append(missingSANs, san) - existingSANs[san] = struct{}{} // make sure we don't add the same SAN twice - } - } + existingSANs := make(map[string]struct{}) + for _, existingSAN := range clusterConfiguration.APIServer.CertSANs { + existingSANs[existingSAN] = struct{}{} + } - if len(missingSANs) == 0 { - k.log.Debug("No new SANs to add to the cluster's apiserver SAN field") + var missingSANs []string + for _, san := range alternativeNames { + if san == "" { + continue // skip empty SANs } - k.log.Debug("Extending the cluster's apiserver SAN field", "certSANs", strings.Join(missingSANs, ", ")) + if _, ok := existingSANs[san]; !ok { + missingSANs = append(missingSANs, san) + existingSANs[san] = struct{}{} // make sure we don't add the same SAN twice + } + } - clusterConfiguration.APIServer.CertSANs = append(clusterConfiguration.APIServer.CertSANs, missingSANs...) 
- sort.Strings(clusterConfiguration.APIServer.CertSANs) + if len(missingSANs) == 0 { + k.log.Debug("No new SANs to add to the cluster's apiserver SAN field") + return nil + } + k.log.Debug("Extending the cluster's apiserver SAN field", "certSANs", strings.Join(missingSANs, ", ")) + + clusterConfiguration.APIServer.CertSANs = append(clusterConfiguration.APIServer.CertSANs, missingSANs...) + sort.Strings(clusterConfiguration.APIServer.CertSANs) + + newConfigYAML, err := yaml.Marshal(clusterConfiguration) + if err != nil { + return fmt.Errorf("marshaling ClusterConfiguration: %w", err) + } + + kubeadmConfig.Data[constants.ClusterConfigurationKey] = string(newConfigYAML) + k.log.Debug("Triggering kubeadm config update now") + if err = k.retryAction(ctx, func(ctx context.Context) error { + _, err := k.kubectl.UpdateConfigMap(ctx, kubeadmConfig) + return err }); err != nil { - return fmt.Errorf("extending ClusterConfig.CertSANs: %w", err) + return fmt.Errorf("setting new kubeadm config: %w", err) } k.log.Debug("Successfully extended the cluster's apiserver SAN field") 
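Review bot: The rewritten ExtendClusterConfigCertSANs fetches `kubeadm-config` once and then retries only `UpdateConfigMap` on the object it already holds, so if another writer (for example a kubeadm upgrade) touches the ConfigMap in between, every retry re-sends the same stale resourceVersion and keeps conflicting; whether that path is reached depends on retryAction's retriable predicate, which is outside the hunk. Since `k8s.io/client-go/util/retry` stays imported, the fetch–merge–update sequence can be wrapped in `retry.RetryOnConflict` so a conflict re-reads the current object before re-applying the SAN merge. The function's final `return` lies past the end of the hunk.
```go
	// Re-read the ConfigMap on a conflict so the SAN merge is re-applied to the current object.
	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
		clusterConfiguration, kubeadmConfig, err := k.getClusterConfiguration(ctx)
		if err != nil {
			return fmt.Errorf("getting ClusterConfig: %w", err)
		}
		// … unchanged: existingSANs/missingSANs merge, early return when nothing to add, sort, yaml.Marshal …
		kubeadmConfig.Data[constants.ClusterConfigurationKey] = string(newConfigYAML)
		_, err = k.kubectl.UpdateConfigMap(ctx, kubeadmConfig)
		return err
	})
```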
@@ -314,6 +316,31 @@ func (k *KubeCmd) getConstellationVersion(ctx context.Context) (updatev1alpha1.N return nodeVersion, nil } +// getClusterConfiguration fetches the kubeadm-config configmap from the cluster, extracts the config +// and returns both the full configmap and the ClusterConfiguration. +func (k *KubeCmd) getClusterConfiguration(ctx context.Context) (kubeadmv1beta3.ClusterConfiguration, *corev1.ConfigMap, error) { + var existingConf *corev1.ConfigMap + if err := k.retryAction(ctx, func(ctx context.Context) error { + var err error + existingConf, err = k.kubectl.GetConfigMap(ctx, constants.ConstellationNamespace, constants.KubeadmConfigMap) + return err + }); err != nil { + return kubeadmv1beta3.ClusterConfiguration{}, nil, fmt.Errorf("retrieving current kubeadm-config: %w", err) + } + + clusterConf, ok := existingConf.Data[constants.ClusterConfigurationKey] + if !ok { + return kubeadmv1beta3.ClusterConfiguration{}, nil, errors.New("ClusterConfiguration missing from kubeadm-config") + } + + var existingClusterConfig kubeadmv1beta3.ClusterConfiguration + if err := yaml.Unmarshal([]byte(clusterConf), &existingClusterConfig); err != nil { + return kubeadmv1beta3.ClusterConfiguration{}, nil, fmt.Errorf("unmarshaling ClusterConfiguration: %w", err) + } + + return existingClusterConfig, existingConf, nil +} + // applyComponentsCM applies the k8s components ConfigMap to the cluster. func (k *KubeCmd) applyComponentsCM(ctx context.Context, components *corev1.ConfigMap) error { if err := k.retryAction(ctx, func(ctx context.Context) error { 
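Review bot: getClusterConfiguration decodes the stored ClusterConfiguration straight into `kubeadmv1beta3.ClusterConfiguration` without looking at its `apiVersion`; on a cluster whose kubeadm-config is already written in `kubeadm.k8s.io/v1beta4` (where `extraArgs` is a list rather than a map) `yaml.Unmarshal` will either fail with a type error or, for documents without such fields, silently reshape the config into the v1beta3 layout and drop the fields v1beta3 does not know when it is written back. TypeMeta is inlined in that struct, so the decoded `APIVersion` should be populated; check it and fail explicitly, mirroring the `kubeadmv1beta4.SchemeGroupVersion` the removed encoder used: `if existingClusterConfig.APIVersion != kubeadmv1beta3.SchemeGroupVersion.String() { return kubeadmv1beta3.ClusterConfiguration{}, nil, fmt.Errorf("unsupported kubeadm ClusterConfiguration apiVersion %q", existingClusterConfig.APIVersion) }`. The doc comment should also state the contract, e.g. `// Only kubeadm.k8s.io/v1beta3 ClusterConfigurations are supported; other versions are rejected.`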
@@ -441,51 +468,6 @@ func (k *KubeCmd) retryAction(ctx context.Context, action func(ctx context.Conte return retrier.Do(ctx) } -// patchKubeadmConfig fetches and unpacks the kube-system/kubeadm-config ClusterConfiguration entry, -// runs doPatch on it and uploads the result. -func (k *KubeCmd) patchKubeadmConfig(ctx context.Context, doPatch func(*kubeadm.ClusterConfiguration)) error { - var kubeadmConfig *corev1.ConfigMap - if err := k.retryAction(ctx, func(ctx context.Context) error { - var err error - kubeadmConfig, err = k.kubectl.GetConfigMap(ctx, constants.ConstellationNamespace, constants.KubeadmConfigMap) - return err - }); err != nil { - return fmt.Errorf("retrieving current kubeadm-config: %w", err) - } - - clusterConfigData, ok := kubeadmConfig.Data[constants.ClusterConfigurationKey] - if !ok { - return errors.New("ClusterConfiguration missing from kubeadm-config") - } - - var clusterConfiguration kubeadm.ClusterConfiguration - if err := runtime.DecodeInto(kubeadmscheme.Codecs.UniversalDecoder(), []byte(clusterConfigData), &clusterConfiguration); err != nil { - return fmt.Errorf("decoding cluster configuration data: %w", err) - } - - doPatch(&clusterConfiguration) - - opt := k8sjson.SerializerOptions{Yaml: true} - serializer := k8sjson.NewSerializerWithOptions(k8sjson.DefaultMetaFactory, kubeadmscheme.Scheme, kubeadmscheme.Scheme, opt) - encoder := kubeadmscheme.Codecs.EncoderForVersion(serializer, kubeadmv1beta4.SchemeGroupVersion) - newConfigYAML, err := runtime.Encode(encoder, &clusterConfiguration) - if err != nil { - return fmt.Errorf("marshaling ClusterConfiguration: %w", err) - } - - kubeadmConfig.Data[constants.ClusterConfigurationKey] = string(newConfigYAML) - k.log.Debug("Triggering kubeadm config update now") - if err = k.retryAction(ctx, func(ctx context.Context) error { - _, err := k.kubectl.UpdateConfigMap(ctx, kubeadmConfig) - return err - }); err != nil { - return fmt.Errorf("setting new kubeadm config: %w", err) - } - - 
k.log.Debug("Successfully patched the cluster's kubeadm-config") - return nil -} - func checkForApplyError(expected, actual updatev1alpha1.NodeVersion) error { var err error switch { diff --git a/internal/constellation/kubecmd/kubecmd_test.go b/internal/constellation/kubecmd/kubecmd_test.go index 08c9e7e92..74e9562c1 100644 --- a/internal/constellation/kubecmd/kubecmd_test.go +++ b/internal/constellation/kubecmd/kubecmd_test.go @@ -180,7 +180,7 @@ func TestUpgradeNodeImage(t *testing.T) { log: logger.NewTest(t), } - err = upgrader.UpgradeNodeImage(t.Context(), tc.newImageVersion, fmt.Sprintf("/path/to/image:%s", tc.newImageVersion.String()), tc.force) + err = upgrader.UpgradeNodeImage(context.Background(), tc.newImageVersion, fmt.Sprintf("/path/to/image:%s", tc.newImageVersion.String()), tc.force) // Check upgrades first because if we checked err first, UpgradeImage may error due to other reasons and still trigger an upgrade. if tc.wantUpdate { assert.NotNil(unstructuredClient.updatedObject) @@ -281,9 +281,6 @@ func TestUpgradeKubernetesVersion(t *testing.T) { } kubectl := &stubKubectl{ unstructuredInterface: unstructuredClient, - configMaps: map[string]*corev1.ConfigMap{ - constants.KubeadmConfigMap: {Data: map[string]string{"ClusterConfiguration": kubeadmClusterConfigurationV1Beta4}}, - }, } if tc.customClientFn != nil { kubectl.unstructuredInterface = tc.customClientFn(nodeVersion) @@ -296,7 +293,7 @@ func TestUpgradeKubernetesVersion(t *testing.T) { log: logger.NewTest(t), } - err = upgrader.UpgradeKubernetesVersion(t.Context(), tc.newKubernetesVersion, tc.force) + err = upgrader.UpgradeKubernetesVersion(context.Background(), tc.newKubernetesVersion, tc.force) // Check upgrades first because if we checked err first, UpgradeImage may error due to other reasons and still trigger an upgrade. if tc.wantUpdate { assert.NotNil(unstructuredClient.updatedObject) 
@@ -603,7 +600,7 @@ func TestApplyJoinConfig(t *testing.T) { maxAttempts: 5, } - err := cmd.ApplyJoinConfig(t.Context(), tc.newAttestationCfg, []byte{0x11}) + err := cmd.ApplyJoinConfig(context.Background(), tc.newAttestationCfg, []byte{0x11}) if tc.wantErr { assert.Error(err) return @@ -667,7 +664,7 @@ func TestRetryAction(t *testing.T) { return errs[failureCtr] } - err := k.retryAction(t.Context(), action) + err := k.retryAction(context.Background(), action) if tc.wantErr { assert.Error(err) assert.Equal(min(tc.failures, maxAttempts), failureCtr) @@ -679,50 +676,6 @@ func TestRetryAction(t *testing.T) { } } -func TestExtendClusterConfigCertSANs(t *testing.T) { - ctx := t.Context() - - testCases := map[string]struct { - clusterConfig string - }{ - "kubeadmv1beta3.ClusterConfiguration": { - clusterConfig: kubeadmClusterConfigurationV1Beta3, - }, - "kubeadmv1beta4.ClusterConfiguration": { - clusterConfig: kubeadmClusterConfigurationV1Beta4, - }, - } - - for name, tc := range testCases { - t.Run(name, func(t *testing.T) { - require := require.New(t) - assert := assert.New(t) - kubectl := &fakeConfigMapClient{ - configMaps: map[string]*corev1.ConfigMap{ - constants.KubeadmConfigMap: {Data: map[string]string{"ClusterConfiguration": tc.clusterConfig}}, - }, - } - cmd := &KubeCmd{ - kubectl: kubectl, - log: logger.NewTest(t), - retryInterval: time.Millisecond, - } - - err := cmd.ExtendClusterConfigCertSANs(ctx, []string{"example.com"}) - require.NoError(err) - - cm := kubectl.configMaps["kubeadm-config"] - require.NotNil(cm) - cc := cm.Data["ClusterConfiguration"] - require.NotNil(cc) - // Verify that SAN was added. - assert.Contains(cc, "example.com") - // Verify that config was written in v1beta4, regardless of the version read. - assert.Contains(cc, "kubeadm.k8s.io/v1beta4") - }) - } -} - type fakeUnstructuredClient struct { mock.Mock } 
@@ -882,83 +835,3 @@ func supportedValidK8sVersions() (res []versions.ValidK8sVersion) { } return } - -var kubeadmClusterConfigurationV1Beta3 = ` -apiVersion: kubeadm.k8s.io/v1beta3 -kind: ClusterConfiguration -apiServer: - certSANs: - - 127.0.0.1 - extraArgs: - kubelet-certificate-authority: /etc/kubernetes/pki/ca.crt - profiling: "false" - extraVolumes: - - hostPath: /var/log/kubernetes/audit/ - mountPath: /var/log/kubernetes/audit/ - name: audit-log - pathType: DirectoryOrCreate -certificatesDir: /etc/kubernetes/pki -clusterName: test-55bbf58d -controlPlaneEndpoint: 34.149.125.227:6443 -controllerManager: - extraArgs: - cloud-provider: external -dns: - disabled: true -encryptionAlgorithm: RSA-2048 -etcd: - local: - dataDir: /var/lib/etcd -imageRepository: registry.k8s.io -kubernetesVersion: v1.31.1 -networking: - dnsDomain: cluster.local - serviceSubnet: 10.96.0.0/12 -proxy: - disabled: true -scheduler: - extraArgs: - profiling: "false" -` - -var kubeadmClusterConfigurationV1Beta4 = ` -apiVersion: kubeadm.k8s.io/v1beta4 -kind: ClusterConfiguration -apiServer: - certSANs: - - 127.0.0.1 - extraArgs: - - name: kubelet-certificate-authority - value: /etc/kubernetes/pki/ca.crt - - name: profiling - value: "false" - extraVolumes: - - hostPath: /var/log/kubernetes/audit/ - mountPath: /var/log/kubernetes/audit/ - name: audit-log - pathType: DirectoryOrCreate -certificatesDir: /etc/kubernetes/pki -clusterName: test-55bbf58d -controlPlaneEndpoint: 34.149.125.227:6443 -controllerManager: - extraArgs: - - name: cloud-provider - value: external -dns: - disabled: true -encryptionAlgorithm: RSA-2048 -etcd: - local: - dataDir: /var/lib/etcd -imageRepository: registry.k8s.io -kubernetesVersion: v1.31.1 -networking: - dnsDomain: cluster.local - serviceSubnet: 10.96.0.0/12 -proxy: - disabled: true -scheduler: - extraArgs: - - name: profiling - value: "false" -` diff --git a/internal/crypto/BUILD.bazel b/internal/crypto/BUILD.bazel index 0b3e402d9..28131c022 100644 
--- a/internal/crypto/BUILD.bazel +++ b/internal/crypto/BUILD.bazel @@ -6,10 +6,7 @@ go_library( srcs = ["crypto.go"], importpath = "github.com/edgelesssys/constellation/v2/internal/crypto", visibility = ["//:__subpackages__"], - deps = [ - "@org_golang_x_crypto//hkdf", - "@org_golang_x_crypto//ssh", - ], + deps = ["@org_golang_x_crypto//hkdf"], ) go_test( diff --git a/internal/crypto/crypto.go b/internal/crypto/crypto.go index 0a88ec2f5..081e25d71 100644 --- a/internal/crypto/crypto.go +++ b/internal/crypto/crypto.go @@ -9,7 +9,6 @@ package crypto import ( "bytes" - "crypto/ed25519" "crypto/rand" "crypto/sha256" "crypto/x509" @@ -19,7 +18,6 @@ import ( "math/big" "golang.org/x/crypto/hkdf" - "golang.org/x/crypto/ssh" ) const ( @@ -64,19 +62,6 @@ func GenerateRandomBytes(length int) ([]byte, error) { return nonce, nil } -// GenerateEmergencySSHCAKey creates a CA that is used to sign keys for emergency ssh access. -func GenerateEmergencySSHCAKey(seed []byte) (ssh.Signer, error) { - _, priv, err := ed25519.GenerateKey(bytes.NewReader(seed)) - if err != nil { - return nil, err - } - ca, err := ssh.NewSignerFromSigner(priv) - if err != nil { - return nil, err - } - return ca, nil -} - // PemToX509Cert takes a list of PEM-encoded certificates, parses the first one and returns it // as an x.509 certificate. func PemToX509Cert(raw []byte) (*x509.Certificate, error) { diff --git a/internal/crypto/crypto_test.go b/internal/crypto/crypto_test.go index 12c3bdc9c..674ec4c84 100644 --- a/internal/crypto/crypto_test.go +++ b/internal/crypto/crypto_test.go @@ -7,7 +7,6 @@ SPDX-License-Identifier: AGPL-3.0-only package crypto import ( - "crypto/ed25519" "crypto/x509" "testing" 
@@ -122,47 +121,6 @@ func TestGenerateRandomBytes(t *testing.T) { assert.Len(n3, 16) } -func TestGenerateEmergencySSHCAKey(t *testing.T) { - nullKey := make([]byte, ed25519.SeedSize) - - testCases := map[string]struct { - key []byte - wantErr bool - }{ - "key length = 0": { - key: make([]byte, 0), - wantErr: true, - }, - "valid key": { - key: nullKey, - }, - "nil input": { - key: nil, - wantErr: true, - }, - "long key": { - key: make([]byte, 256), - }, - "key too short": { - key: make([]byte, ed25519.SeedSize-1), - wantErr: true, - }, - } - - for name, tc := range testCases { - t.Run(name, func(t *testing.T) { - assert := assert.New(t) - - _, err := GenerateEmergencySSHCAKey(tc.key) - if tc.wantErr { - assert.Error(err) - } else { - assert.NoError(err) - } - }) - } -} - func TestPemToX509Cert(t *testing.T) { testCases := map[string]struct { pemCert []byte diff --git a/internal/grpc/atlscredentials/atlscredentials_test.go b/internal/grpc/atlscredentials/atlscredentials_test.go index 71a73e997..5753eb631 100644 --- a/internal/grpc/atlscredentials/atlscredentials_test.go +++ b/internal/grpc/atlscredentials/atlscredentials_test.go @@ -73,7 +73,7 @@ func TestATLSCredentials(t *testing.T) { defer conn.Close() client := initproto.NewAPIClient(conn) - _, err = client.Init(t.Context(), &initproto.InitRequest{}) + _, err = client.Init(context.Background(), &initproto.InitRequest{}) }() } diff --git a/internal/grpc/dialer/dialer.go b/internal/grpc/dialer/dialer.go index a04e56310..44bf33d87 100644 --- a/internal/grpc/dialer/dialer.go +++ b/internal/grpc/dialer/dialer.go @@ -67,9 +67,6 @@ func (d *Dialer) DialNoVerify(target string) (*grpc.ClientConn, error) { } func (d *Dialer) grpcWithDialer() grpc.DialOption { - if d.netDialer == nil { - return grpc.EmptyDialOption{} - } return grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) { return d.netDialer.DialContext(ctx, "tcp", addr) }) 
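Review bot: With the `d.netDialer == nil` guard gone, grpcWithDialer always installs a context dialer that calls `d.netDialer.DialContext`, so a Dialer built without a netDialer now panics with a nil dereference on the first dial instead of falling back to gRPC's default dialer; whether such a Dialer can exist depends on the constructor, which is outside the hunk. If nil remains a valid value, keep the early return `if d.netDialer == nil { return grpc.EmptyDialOption{} }`; if a netDialer is now required, a nil check in the constructor or a comment on the field would make that invariant explicit.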
diff --git a/internal/grpc/dialer/dialer_test.go b/internal/grpc/dialer/dialer_test.go index dd926b489..6c93c64f9 100644 --- a/internal/grpc/dialer/dialer_test.go +++ b/internal/grpc/dialer/dialer_test.go @@ -86,7 +86,7 @@ func TestDial(t *testing.T) { defer conn.Close() client := grpc_testing.NewTestServiceClient(conn) - _, err = client.EmptyCall(t.Context(), &grpc_testing.Empty{}) + _, err = client.EmptyCall(context.Background(), &grpc_testing.Empty{}) if tc.wantErr { assert.Error(err) diff --git a/internal/grpc/grpclog/grpclog_test.go b/internal/grpc/grpclog/grpclog_test.go index 73578fb66..eb912521f 100644 --- a/internal/grpc/grpclog/grpclog_test.go +++ b/internal/grpc/grpclog/grpclog_test.go @@ -76,7 +76,7 @@ func TestLogStateChanges(t *testing.T) { var wg sync.WaitGroup isReadyCallbackCalled := false - LogStateChangesUntilReady(t.Context(), tc.conn, logger, &wg, func() { isReadyCallbackCalled = true }) + LogStateChangesUntilReady(context.Background(), tc.conn, logger, &wg, func() { isReadyCallbackCalled = true }) wg.Wait() tc.assert(t, logger, isReadyCallbackCalled) }) diff --git a/internal/imagefetcher/imagefetcher_test.go b/internal/imagefetcher/imagefetcher_test.go index af30f1c85..1397c4fb4 100644 --- a/internal/imagefetcher/imagefetcher_test.go +++ b/internal/imagefetcher/imagefetcher_test.go @@ -256,7 +256,7 @@ func TestFetchReference(t *testing.T) { fs: af, } - reference, err := fetcher.FetchReference(t.Context(), tc.provider, variant.Dummy{}, + reference, err := fetcher.FetchReference(context.Background(), tc.provider, variant.Dummy{}, tc.image, "someRegion", false) if tc.wantErr { diff --git a/internal/imagefetcher/raw_test.go b/internal/imagefetcher/raw_test.go index 4e597ce6d..e2bbd8b9d 100644 --- a/internal/imagefetcher/raw_test.go +++ b/internal/imagefetcher/raw_test.go @@ -8,6 +8,7 @@ package imagefetcher import ( "bytes" + "context" "io" "net/http" "os" 
@@ -90,7 +91,7 @@ func TestDownloadWithProgress(t *testing.T) { fs: fs, } var outBuffer bytes.Buffer - err := downloader.downloadWithProgress(t.Context(), &outBuffer, false, tc.source, "someVersion.raw") + err := downloader.downloadWithProgress(context.Background(), &outBuffer, false, tc.source, "someVersion.raw") if tc.wantErr { assert.Error(err) return @@ -166,7 +167,7 @@ func TestDownload(t *testing.T) { fs: fs, } var outBuffer bytes.Buffer - gotDestination, err := downloader.Download(t.Context(), &outBuffer, false, tc.source, "someVersion") + gotDestination, err := downloader.Download(context.Background(), &outBuffer, false, tc.source, "someVersion") if tc.wantErr { assert.Error(err) return diff --git a/internal/installer/installer_test.go b/internal/installer/installer_test.go index 1cbd09c4a..1e346f434 100644 --- a/internal/installer/installer_test.go +++ b/internal/installer/installer_test.go @@ -132,7 +132,7 @@ func TestInstall(t *testing.T) { retriable: func(_ error) bool { return false }, } - err := inst.Install(t.Context(), tc.component) + err := inst.Install(context.Background(), tc.component) if tc.wantErr { assert.Error(err) return @@ -340,7 +340,7 @@ func TestRetryDownloadToTempDir(t *testing.T) { } // abort retryDownloadToTempDir in some test cases by using the context - ctx, cancel := context.WithCancel(t.Context()) + ctx, cancel := context.WithCancel(context.Background()) defer cancel() wg := sync.WaitGroup{} @@ -429,7 +429,7 @@ func TestDownloadToTempDir(t *testing.T) { fs: &afero.Afero{Fs: afs}, hClient: &hClient, } - path, err := inst.downloadToTempDir(t.Context(), "http://server/path") + path, err := inst.downloadToTempDir(context.Background(), "http://server/path") if tc.wantErr { assert.Error(err) return diff --git a/internal/kms/kms/cluster/cluster_test.go b/internal/kms/kms/cluster/cluster_test.go index 0bfc5331a..d9ec6d7a1 100644 --- a/internal/kms/kms/cluster/cluster_test.go +++ b/internal/kms/kms/cluster/cluster_test.go 
@@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package cluster import ( + "context" "strings" "testing" @@ -28,7 +29,7 @@ func TestClusterKMS(t *testing.T) { require.NoError(err) keyLower, err := kms.GetDEK( - t.Context(), + context.Background(), strings.ToLower(testVector.InfoPrefix+testVector.Info), int(testVector.Length), ) @@ -37,7 +38,7 @@ func TestClusterKMS(t *testing.T) { // output of the KMS should be case sensitive keyUpper, err := kms.GetDEK( - t.Context(), + context.Background(), strings.ToUpper(testVector.InfoPrefix+testVector.Info), int(testVector.Length), ) @@ -104,7 +105,7 @@ func TestVectorsHKDF(t *testing.T) { } require.NoError(err) - out, err := kms.GetDEK(t.Context(), tc.dekID, int(tc.dekSize)) + out, err := kms.GetDEK(context.Background(), tc.dekID, int(tc.dekSize)) require.NoError(err) assert.Equal(tc.wantKey, out) }) diff --git a/internal/kms/kms/internal/internal_test.go b/internal/kms/kms/internal/internal_test.go index 0ac6cd163..a7fc25ca6 100644 --- a/internal/kms/kms/internal/internal_test.go +++ b/internal/kms/kms/internal/internal_test.go @@ -135,7 +135,7 @@ func TestGetDEK(t *testing.T) { Storage: tc.storage, } - dek, err := client.GetDEK(t.Context(), "volume-01", 32) + dek, err := client.GetDEK(context.Background(), "volume-01", 32) if tc.wantErr { assert.Error(err) } else { diff --git a/internal/kms/setup/setup_test.go b/internal/kms/setup/setup_test.go index 8b88191e3..73bb29565 100644 --- a/internal/kms/setup/setup_test.go +++ b/internal/kms/setup/setup_test.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package setup import ( + "context" "testing" "github.com/edgelesssys/constellation/v2/internal/kms/uri" 
@@ -25,12 +26,12 @@ func TestMain(m *testing.M) { func TestSetUpKMS(t *testing.T) { assert := assert.New(t) - kms, err := KMS(t.Context(), "storage://unknown", "kms://unknown") + kms, err := KMS(context.Background(), "storage://unknown", "kms://unknown") assert.Error(err) assert.Nil(kms) masterSecret := uri.MasterSecret{Key: []byte("key"), Salt: []byte("salt")} - kms, err = KMS(t.Context(), "storage://no-store", masterSecret.EncodeToURI()) + kms, err = KMS(context.Background(), "storage://no-store", masterSecret.EncodeToURI()) assert.NoError(err) assert.NotNil(kms) } diff --git a/internal/kms/storage/awss3/awss3_test.go b/internal/kms/storage/awss3/awss3_test.go index 14c84f7be..4e07ab84d 100644 --- a/internal/kms/storage/awss3/awss3_test.go +++ b/internal/kms/storage/awss3/awss3_test.go @@ -80,7 +80,7 @@ func TestAWSS3Get(t *testing.T) { client: tc.client, } - out, err := store.Get(t.Context(), "test-key") + out, err := store.Get(context.Background(), "test-key") if tc.wantErr { assert.Error(err) @@ -122,7 +122,7 @@ func TestAWSS3Put(t *testing.T) { testData := []byte{0x1, 0x2, 0x3} - err := store.Put(t.Context(), "test-key", testData) + err := store.Put(context.Background(), "test-key", testData) if tc.wantErr { assert.Error(err) } else { @@ -163,7 +163,7 @@ func TestAWSS3CreateBucket(t *testing.T) { client: tc.client, } - err := store.createBucket(t.Context(), "test-bucket", "test-region") + err := store.createBucket(context.Background(), "test-bucket", "test-region") if tc.wantErr { assert.Error(err) } else { diff --git a/internal/kms/storage/azureblob/azureblob_test.go b/internal/kms/storage/azureblob/azureblob_test.go index fb78fa0b8..93a5f2987 100644 --- a/internal/kms/storage/azureblob/azureblob_test.go +++ b/internal/kms/storage/azureblob/azureblob_test.go 
@@ -51,7 +51,7 @@ func TestAzureGet(t *testing.T) { container: "test", } - out, err := client.Get(t.Context(), "test-key") + out, err := client.Get(context.Background(), "test-key") if tc.wantErr { assert.Error(err) @@ -93,7 +93,7 @@ func TestAzurePut(t *testing.T) { container: "test", } - err := client.Put(t.Context(), "test-key", testData) + err := client.Put(context.Background(), "test-key", testData) if tc.wantErr { assert.Error(err) return @@ -130,7 +130,7 @@ func TestCreateContainerOrContinue(t *testing.T) { container: "test", } - err := client.createContainerOrContinue(t.Context()) + err := client.createContainerOrContinue(context.Background()) if tc.wantErr { assert.Error(err) } else { diff --git a/internal/kms/storage/gcs/gcs_test.go b/internal/kms/storage/gcs/gcs_test.go index b4be5f08f..5678afee5 100644 --- a/internal/kms/storage/gcs/gcs_test.go +++ b/internal/kms/storage/gcs/gcs_test.go @@ -103,7 +103,7 @@ func TestGCPGet(t *testing.T) { bucketName: "test", } - out, err := client.Get(t.Context(), "test-key") + out, err := client.Get(context.Background(), "test-key") if tc.wantErr { assert.Error(err) @@ -160,7 +160,7 @@ func TestGCPPut(t *testing.T) { } testData := []byte{0x1, 0x2, 0x3} - err := client.Put(t.Context(), "test-key", testData) + err := client.Put(context.Background(), "test-key", testData) if tc.wantErr { assert.Error(err) } else { @@ -211,7 +211,7 @@ func TestGCPCreateContainerOrContinue(t *testing.T) { bucketName: "test", } - err := client.createContainerOrContinue(t.Context(), "project") + err := client.createContainerOrContinue(context.Background(), "project") if tc.wantErr { assert.Error(err) } else { diff --git a/internal/kms/storage/memfs/memfs_test.go b/internal/kms/storage/memfs/memfs_test.go index 3aeb894e6..98d246d1b 100644 --- a/internal/kms/storage/memfs/memfs_test.go +++ b/internal/kms/storage/memfs/memfs_test.go 
@@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package memfs import ( + "context" "testing" "github.com/edgelesssys/constellation/v2/internal/kms/storage" @@ -29,7 +30,7 @@ func TestMemMapStorage(t *testing.T) { testDEK1 := []byte("test DEK") testDEK2 := []byte("more test DEK") - ctx := t.Context() + ctx := context.Background() // request unset value _, err := store.Get(ctx, "test:input") diff --git a/internal/kms/test/aws_test.go b/internal/kms/test/aws_test.go index e295a3bbe..073a80946 100644 --- a/internal/kms/test/aws_test.go +++ b/internal/kms/test/aws_test.go @@ -34,7 +34,7 @@ func TestAwsStorage(t *testing.T) { } require := require.New(t) - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() // create bucket @@ -105,7 +105,7 @@ func TestAwsKms(t *testing.T) { require := require.New(t) store := memfs.New() - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.AWSConfig{ diff --git a/internal/kms/test/azure_test.go b/internal/kms/test/azure_test.go index 1022db09f..855b4dd54 100644 --- a/internal/kms/test/azure_test.go +++ b/internal/kms/test/azure_test.go @@ -31,7 +31,7 @@ func TestAzureStorage(t *testing.T) { } require := require.New(t) - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.AzureBlobConfig{ @@ -59,7 +59,7 @@ func TestAzureKeyKMS(t *testing.T) { require := require.New(t) store := memfs.New() - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.AzureConfig{ 
@@ -88,7 +88,7 @@ func TestAzureKeyHSM(t *testing.T) { require := require.New(t) store := memfs.New() - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.AzureConfig{ diff --git a/internal/kms/test/gcp_test.go b/internal/kms/test/gcp_test.go index 0e8c66b74..35162e0f1 100644 --- a/internal/kms/test/gcp_test.go +++ b/internal/kms/test/gcp_test.go @@ -32,7 +32,7 @@ func TestGCPKMS(t *testing.T) { require := require.New(t) store := memfs.New() - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.GCPConfig{ @@ -59,7 +59,7 @@ func TestGcpStorage(t *testing.T) { } require := require.New(t) - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.GoogleCloudStorageConfig{ diff --git a/internal/kms/test/integration_test.go b/internal/kms/test/integration_test.go index 3a8217c6e..bd6dccd80 100644 --- a/internal/kms/test/integration_test.go +++ b/internal/kms/test/integration_test.go @@ -64,7 +64,7 @@ func runKMSTest(t *testing.T, kms kms.CloudKMS) { dekName := "test-dek" - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() res, err := kms.GetDEK(ctx, dekName, config.SymmetricKeyLength) @@ -90,7 +90,7 @@ func runStorageTest(t *testing.T, store kms.Storage) { testData := []byte("Constellation test data") testName := "constellation-test" - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() err := store.Put(ctx, testName, testData) 
diff --git a/internal/license/checker_enterprise_test.go b/internal/license/checker_enterprise_test.go index 6ab66d61a..1443ef2f1 100644 --- a/internal/license/checker_enterprise_test.go +++ b/internal/license/checker_enterprise_test.go @@ -10,6 +10,7 @@ package license import ( "bytes" + "context" "io" "net/http" "testing" @@ -82,7 +83,7 @@ func TestQuotaCheck(t *testing.T) { }), } - quota, err := client.CheckLicense(t.Context(), cloudprovider.Unknown, Init, tc.license) + quota, err := client.CheckLicense(context.Background(), cloudprovider.Unknown, Init, tc.license) if tc.wantError { assert.Error(err) diff --git a/internal/license/integration/license_integration_test.go b/internal/license/integration/license_integration_test.go index 16997f2ca..f4b67f00d 100644 --- a/internal/license/integration/license_integration_test.go +++ b/internal/license/integration/license_integration_test.go @@ -9,6 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-only package integration import ( + "context" "testing" "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider" @@ -38,7 +39,7 @@ func TestQuotaCheckIntegration(t *testing.T) { client := license.NewChecker() - quota, err := client.CheckLicense(t.Context(), cloudprovider.Unknown, "test", tc.license) + quota, err := client.CheckLicense(context.Background(), cloudprovider.Unknown, "test", tc.license) if tc.wantError { assert.Error(err) diff --git a/internal/osimage/uplosi/uplosi.conf.in b/internal/osimage/uplosi/uplosi.conf.in index 2978d31e0..74ec45434 100644 --- a/internal/osimage/uplosi/uplosi.conf.in +++ b/internal/osimage/uplosi/uplosi.conf.in @@ -12,7 +12,6 @@ subscriptionID = "0d202bbb-4fa7-4af8-8125-58c269a05435" location = "northeurope" resourceGroup = "constellation-images" sharingNamePrefix = "constellation" -sharingProfile = "community" sku = "constellation" publisher = "edgelesssys" diff --git a/internal/retry/retry_test.go b/internal/retry/retry_test.go index 4f636e8b2..8885ac715 100644 
--- a/internal/retry/retry_test.go +++ b/internal/retry/retry_test.go @@ -71,7 +71,7 @@ func TestDo(t *testing.T) { retriable: isRetriable, } retrierResult := make(chan error, 1) - ctx, cancel := context.WithCancel(t.Context()) + ctx, cancel := context.WithCancel(context.Background()) defer cancel() go func() { retrierResult <- retrier.Do(ctx) }() diff --git a/internal/sigstore/rekor_integration_test.go b/internal/sigstore/rekor_integration_test.go index 8d85e21da..4870109fb 100644 --- a/internal/sigstore/rekor_integration_test.go +++ b/internal/sigstore/rekor_integration_test.go @@ -9,6 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-only package sigstore import ( + "context" "testing" "github.com/stretchr/testify/assert" @@ -42,7 +43,7 @@ func TestRekorSearchByHash(t *testing.T) { rekor, err := NewRekor() require.NoError(err) - uuids, err := rekor.SearchByHash(t.Context(), tc.hash) + uuids, err := rekor.SearchByHash(context.Background(), tc.hash) assert.NoError(err) if tc.wantEmpty { @@ -84,7 +85,7 @@ func TestVerifyEntry(t *testing.T) { rekor, err := NewRekor() require.NoError(err) - err = rekor.VerifyEntry(t.Context(), tc.uuid, tc.pubKey) + err = rekor.VerifyEntry(context.Background(), tc.uuid, tc.pubKey) if tc.wantError { assert.Error(err) return diff --git a/internal/staticupload/staticupload_test.go b/internal/staticupload/staticupload_test.go index 3bf30f07f..eace5cc1a 100644 --- a/internal/staticupload/staticupload_test.go +++ b/internal/staticupload/staticupload_test.go @@ -108,7 +108,7 @@ func TestUpload(t *testing.T) { cacheInvalidationWaitTimeout: tc.cacheInvalidationWaitTimeout, logger: logger.NewTest(t), } - _, err := client.Upload(t.Context(), tc.in) + _, err := client.Upload(context.Background(), tc.in) var invalidationErr *InvalidationError if tc.wantCacheInvalidationErr { 
@@ -220,7 +220,7 @@ func TestDeleteObject(t *testing.T) { cacheInvalidationWaitTimeout: tc.cacheInvalidationWaitTimeout, logger: logger.NewTest(t), } - _, err := client.DeleteObject(t.Context(), newObjectInput(tc.nilInput, tc.nilKey)) + _, err := client.DeleteObject(context.Background(), newObjectInput(tc.nilInput, tc.nilKey)) var invalidationErr *InvalidationError if tc.wantCacheInvalidationErr { @@ -259,7 +259,7 @@ func TestDeleteObject(t *testing.T) { cacheInvalidationWaitTimeout: tc.cacheInvalidationWaitTimeout, logger: logger.NewTest(t), } - _, err := client.DeleteObjects(t.Context(), newObjectsInput(tc.nilInput, tc.nilKey)) + _, err := client.DeleteObjects(context.Background(), newObjectsInput(tc.nilInput, tc.nilKey)) var invalidationErr *InvalidationError if tc.wantCacheInvalidationErr { @@ -401,7 +401,7 @@ func TestFlush(t *testing.T) { invalidationIDs: tc.invalidationIDs, logger: logger.NewTest(t), } - err := client.Flush(t.Context()) + err := client.Flush(context.Background()) if tc.wantCacheInvalidationErr { var invalidationErr *InvalidationError @@ -444,18 +444,18 @@ func TestConcurrency(t *testing.T) { upload := func() { defer wg.Done() - _, _ = client.Upload(t.Context(), newInput()) + _, _ = client.Upload(context.Background(), newInput()) } deleteObject := func() { defer wg.Done() - _, _ = client.DeleteObject(t.Context(), &s3.DeleteObjectInput{ + _, _ = client.DeleteObject(context.Background(), &s3.DeleteObjectInput{ Bucket: ptr("test-bucket"), Key: ptr("test-key"), }) } deleteObjects := func() { defer wg.Done() - _, _ = client.DeleteObjects(t.Context(), &s3.DeleteObjectsInput{ + _, _ = client.DeleteObjects(context.Background(), &s3.DeleteObjectsInput{ Bucket: ptr("test-bucket"), Delete: &s3types.Delete{ Objects: []s3types.ObjectIdentifier{ @@ -466,7 +466,7 @@ func TestConcurrency(t *testing.T) { } flushClient := func() { defer wg.Done() - _ = client.Flush(t.Context()) + _ = client.Flush(context.Background()) } for i := 0; i < 100; i++ { 
diff --git a/internal/versions/components/components.pb.go b/internal/versions/components/components.pb.go index 5236421c8..90083065e 100644 --- a/internal/versions/components/components.pb.go +++ b/internal/versions/components/components.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 -// protoc v5.29.1 +// protoc-gen-go v1.35.2 +// protoc v5.29.0--rc2 // source: internal/versions/components/components.proto package components @@ -11,7 +11,6 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" - unsafe "unsafe" ) const ( @@ -22,13 +21,14 @@ const ( ) type Component struct { - state protoimpl.MessageState `protogen:"open.v1"` - Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"` - Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"` - InstallPath string `protobuf:"bytes,3,opt,name=install_path,json=installPath,proto3" json:"install_path,omitempty"` - Extract bool `protobuf:"varint,4,opt,name=extract,proto3" json:"extract,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"` + Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"` + InstallPath string `protobuf:"bytes,3,opt,name=install_path,json=installPath,proto3" json:"install_path,omitempty"` + Extract bool `protobuf:"varint,4,opt,name=extract,proto3" json:"extract,omitempty"` } func (x *Component) Reset() { 
@@ -91,24 +91,33 @@ func (x *Component) GetExtract() bool { var File_internal_versions_components_components_proto protoreflect.FileDescriptor -const file_internal_versions_components_components_proto_rawDesc = "" + - "\n" + - "-internal/versions/components/components.proto\x12\n" + - "components\"n\n" + - "\tComponent\x12\x10\n" + - "\x03url\x18\x01 \x01(\tR\x03url\x12\x12\n" + - "\x04hash\x18\x02 \x01(\tR\x04hash\x12!\n" + - "\finstall_path\x18\x03 \x01(\tR\vinstallPath\x12\x18\n" + - "\aextract\x18\x04 \x01(\bR\aextractBFZDgithub.com/edgelesssys/constellation/v2/internal/versions/componentsb\x06proto3" +var file_internal_versions_components_components_proto_rawDesc = []byte{ + 0x0a, 0x2d, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x76, 0x65, 0x72, 0x73, 0x69, + 0x6f, 0x6e, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x63, + 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, + 0x0a, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x6e, 0x0a, 0x09, 0x43, + 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x61, + 0x73, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x61, 0x73, 0x68, 0x12, 0x21, + 0x0a, 0x0c, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c, 0x50, 0x61, 0x74, + 0x68, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x08, 0x52, 0x07, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x42, 0x46, 0x5a, 0x44, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, + 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 
0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, + 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, + 0x6e, 0x74, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} var ( file_internal_versions_components_components_proto_rawDescOnce sync.Once - file_internal_versions_components_components_proto_rawDescData []byte + file_internal_versions_components_components_proto_rawDescData = file_internal_versions_components_components_proto_rawDesc ) func file_internal_versions_components_components_proto_rawDescGZIP() []byte { file_internal_versions_components_components_proto_rawDescOnce.Do(func() { - file_internal_versions_components_components_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_internal_versions_components_components_proto_rawDesc), len(file_internal_versions_components_components_proto_rawDesc))) + file_internal_versions_components_components_proto_rawDescData = protoimpl.X.CompressGZIP(file_internal_versions_components_components_proto_rawDescData) }) return file_internal_versions_components_components_proto_rawDescData } @@ -134,7 +143,7 @@ func file_internal_versions_components_components_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_internal_versions_components_components_proto_rawDesc), len(file_internal_versions_components_components_proto_rawDesc)), + RawDescriptor: file_internal_versions_components_components_proto_rawDesc, NumEnums: 0, NumMessages: 1, NumExtensions: 0, 
@@ -145,6 +154,7 @@ func file_internal_versions_components_components_proto_init() { MessageInfos: file_internal_versions_components_components_proto_msgTypes, }.Build() File_internal_versions_components_components_proto = out.File + file_internal_versions_components_components_proto_rawDesc = nil file_internal_versions_components_components_proto_goTypes = nil file_internal_versions_components_components_proto_depIdxs = nil } diff --git a/internal/versions/versions.go b/internal/versions/versions.go index 044f65aed..aadeae874 100644 --- a/internal/versions/versions.go +++ b/internal/versions/versions.go @@ -100,12 +100,12 @@ func ResolveK8sPatchVersion(k8sVersion string) (string, error) { // supported patch version as PATCH. func k8sVersionFromMajorMinor(version string) string { switch version { + case semver.MajorMinor(string(V1_28)): + return string(V1_28) case semver.MajorMinor(string(V1_29)): return string(V1_29) case semver.MajorMinor(string(V1_30)): return string(V1_30) - case semver.MajorMinor(string(V1_31)): - return string(V1_31) default: return "" } 
@@ -169,26 +169,26 @@ const ( // GcpGuestImage image for GCP guest agent. // Check for new versions at https://github.com/GoogleCloudPlatform/guest-agent/releases and update in /.github/workflows/build-gcp-guest-agent.yml. - GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:v20250515.0.0@sha256:3b5bfa54ebe97ada83fcaf0a0879dcfdc986a7a4ec20443b7398e432d7a15de9" // renovate:container + GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:v20240816.0.0@sha256:a6f871346da12d95a1961cb247343ccaa708039f49999ce56d00e35f3f701b97" // renovate:container // NodeMaintenanceOperatorImage is the image for the node maintenance operator. NodeMaintenanceOperatorImage = "quay.io/medik8s/node-maintenance-operator:v0.17.0@sha256:bf1c5758b3d266dd6234422d156c67ffdd47f50f70ce17d5cef1de6065030337" // renovate:container // LogstashImage is the container image of logstash, used for log collection by debugd. - LogstashImage = "ghcr.io/edgelesssys/constellation/logstash-debugd:v2.22.0-pre.0.20250401104011-810c8448d9ad@sha256:48d3de1c066a502ffa97b45ed39028a1e9cf0a63f5b57d29f9826c4d860f1a28" // renovate:container + LogstashImage = "ghcr.io/edgelesssys/constellation/logstash-debugd:v2.17.0-pre.0.20240627193502-8aed4bb0fe45@sha256:d6c5a06049e5c1b9d7ba4b83367fa0c06ba2d1b65e1d299f3e00f465f310642b" // renovate:container // FilebeatImage is the container image of filebeat, used for log collection by debugd. - FilebeatImage = "ghcr.io/edgelesssys/constellation/filebeat-debugd:v2.22.0-pre.0.20250401104011-810c8448d9ad@sha256:7dc8044f9968b9984a1a6da46ea24f7979223938ea9bf01d9847edabb1dc4c35" // renovate:container + FilebeatImage = "ghcr.io/edgelesssys/constellation/filebeat-debugd:v2.17.0-pre.0.20240627193502-8aed4bb0fe45@sha256:606adccf544a15e6b9ae9e11eec707668660bc1af346ff72559404e36da5baa2" // renovate:container // MetricbeatImage is the container image of filebeat, used for log collection by debugd. 
- MetricbeatImage = "ghcr.io/edgelesssys/constellation/metricbeat-debugd:v2.22.0-pre.0.20250401104011-810c8448d9ad@sha256:6df163384d3a905c8a182683a551b151f324588d1fbbf410c3988447b934e597" // renovate:container + MetricbeatImage = "ghcr.io/edgelesssys/constellation/metricbeat-debugd:v2.17.0-pre.0.20240627193502-8aed4bb0fe45@sha256:690b9d36cc334a7f83b58ca905169bb9f1c955b7a436c0044a07f4ce15a90594" // renovate:container // currently supported versions. //nolint:revive - V1_29 ValidK8sVersion = "v1.29.15" // renovate:kubernetes-release + V1_28 ValidK8sVersion = "v1.28.15" // renovate:kubernetes-release //nolint:revive - V1_30 ValidK8sVersion = "v1.30.13" // renovate:kubernetes-release + V1_29 ValidK8sVersion = "v1.29.11" // renovate:kubernetes-release //nolint:revive - V1_31 ValidK8sVersion = "v1.31.9" // renovate:kubernetes-release + V1_30 ValidK8sVersion = "v1.30.7" // renovate:kubernetes-release // Default k8s version deployed by Constellation. - Default ValidK8sVersion = V1_30 + Default ValidK8sVersion = V1_29 ) // Regenerate the hashes by running go generate. 
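Review bot: The new side re-adds `V1_28 ValidK8sVersion = "v1.28.15"` and makes `V1_29` (v1.29.11) the `Default`; Kubernetes 1.28 left upstream support in late October 2024 with v1.28.15 as its final patch, so clusters created on it receive no further upstream security fixes, and v1.29.11 / v1.30.7 are behind the patch levels the removed side pinned (v1.29.15, v1.30.13). If this is an intentional rollback, record the support status next to the constant so the next bump does not miss it, e.g. `// V1_28 is end-of-life upstream; no further patch releases are expected.`. Separately, the context line `// MetricbeatImage is the container image of filebeat` should read `metricbeat`. The const block opens before this hunk.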
@@ -197,65 +197,132 @@ const ( // VersionConfigs holds download URLs for all required kubernetes components for every supported version. var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{ - V1_29: { - ClusterVersion: "v1.29.15", // renovate:kubernetes-release + V1_28: { + ClusterVersion: "v1.28.15", // renovate:kubernetes-release KubernetesComponents: components.Components{ { - Url: "https://github.com/containernetworking/plugins/releases/download/v1.7.1/cni-plugins-linux-amd64-v1.7.1.tgz", // renovate:cni-plugins-release - Hash: "sha256:1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098", + Url: "https://github.com/containernetworking/plugins/releases/download/v1.6.0/cni-plugins-linux-amd64-v1.6.0.tgz", // renovate:cni-plugins-release + Hash: "sha256:682b49ff8933a997a52107161f1745f8312364b4c7f605ccdf7a77499130d89d", InstallPath: constants.CniPluginsDir, Extract: true, }, { - Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.33.0/crictl-v1.33.0-linux-amd64.tar.gz", // renovate:crictl-release - Hash: "sha256:8307399e714626e69d1213a4cd18c8dec3d0201ecdac009b1802115df8973f0f", + Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.31.1/crictl-v1.31.1-linux-amd64.tar.gz", // renovate:crictl-release + Hash: "sha256:0a03ba6b1e4c253d63627f8d210b2ea07675a8712587e697657b236d06d7d231", InstallPath: constants.BinDir, Extract: true, }, { - Url: "https://dl.k8s.io/v1.29.15/bin/linux/amd64/kubelet", // renovate:kubernetes-release - Hash: "sha256:cd0228a5820f98bbb6371344e5d6645f6486d767c30f927a1d0ec8d17eca4da5", + Url: "https://dl.k8s.io/v1.28.15/bin/linux/amd64/kubelet", // renovate:kubernetes-release + Hash: "sha256:b07a27fd5bd2419c9c623de15c1dd339af84eb27e9276c81070071065db00036", InstallPath: constants.KubeletPath, Extract: false, }, { - Url: "https://dl.k8s.io/v1.29.15/bin/linux/amd64/kubeadm", // renovate:kubernetes-release - Hash: "sha256:d0744fbaa1e67fc65c4a3409f083e01a4ede58181c759b2feeb08b1ef10d6201", + Url: 
"https://dl.k8s.io/v1.28.15/bin/linux/amd64/kubeadm", // renovate:kubernetes-release + Hash: "sha256:0555b2c2fd30efcdb44b7fba5460c3dc3d3e39f2301e1eef7894a9f8976e1b4c", InstallPath: constants.KubeadmPath, Extract: false, }, { - Url: "https://dl.k8s.io/v1.29.15/bin/linux/amd64/kubectl", // renovate:kubernetes-release - Hash: "sha256:3473e14c7b024a6e5403c6401b273b3faff8e5b1fed022d633815eb3168e4516", + Url: "https://dl.k8s.io/v1.28.15/bin/linux/amd64/kubectl", // renovate:kubernetes-release + Hash: "sha256:1f7651ad0b50ef4561aa82e77f3ad06599b5e6b0b2a5fb6c4f474d95a77e41c5", InstallPath: constants.KubectlPath, Extract: false, }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI5LjE1QHNoYTI1NjpmZDgyYzc0ZTA3NzNhMTAzOTYwNTU5MDQ3NTMxMjY0MTFiM2E5NTg0Y2M0NTNlMWM3MTUyYzgxMDE4YTkzM2I2In1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI4LjE1QHNoYTI1Njo2ZGZhODRmNWQ2YmU3MTFhZTBkMTk3NTgyMDFkMzM3ZTgzNmFiN2RlNzMzMDZmZjE0NzI1Y2VhYTk3OGZlYThmIn1d", InstallPath: patchFilePath("kube-apiserver"), }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI5LjE1QHNoYTI1Njo0ZjA1YmUyYzA2NjdkOWY0OTc1YmNjNDNkNWUxMzZiMjQzNjk0NmY4NGM4ZjdkYzJkMmRhMTQzOTJlNzYxYTcxIn1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI4LjE1QHNoYTI1NjpkYWRkMmEzNzg0NzgzMDE4YTdlZTg1ODhkMTFmNzg3ZmVlNGQ1NDI0ZjJjZGQ2Y2U4OWQzYmExODQ0YTZjMTc1In1d", InstallPath: patchFilePath("kube-controller-manager"), }, { - Url: 
"data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI5LjE1QHNoYTI1NjoyNzYxMDhhNDU0MWE1MTg5NGEwMTA2MzMyMzBmN2I2ZDEwZTkyZTczMDI3NGYyNGJkMjFlODI3ZTY0MjQzZDY2In1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI4LjE1QHNoYTI1Njo4MmY0YTQyMzE3NDUwODU4ZDNkNzBmZGU1YjNjMGYyMjE1M2VhMTU1ZmQwNTNmMDk4NjU5OTlhNDY2MWYyZGNhIn1d", InstallPath: patchFilePath("kube-scheduler"), }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjIxLTBAc2hhMjU2OmQ1OGMwMzVkZjU1NzA4MGEyNzM4N2Q2ODcwOTJlM2ZjMmI2NGM2ZDBlMzE2MmRjNTE0NTNhMTE1Zjg0N2QxMjEifV0=", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjE1LTBAc2hhMjU2OmE2ZGM2M2U2ZThjZmEwMzA3ZDc4NTE3NjJmYTZiNjI5YWZiMThmMjhkOGFhM2ZhYjVhNmU5MWI0YWY2MDAyNmEifV0=", InstallPath: patchFilePath("etcd"), }, }, // CloudControllerManagerImageAWS is the CCM image used on AWS. // Check for newer versions at https://github.com/kubernetes/cloud-provider-aws/releases. - CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.29.8@sha256:3f8e7be967f76b328123d53846c21dcd930b60094f9f4abd8bf5ab0fe108e6e4", // renovate:container + CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.28.9@sha256:168905b591796fbd07cb35cd0e3f206fdb7efb30e325c9bf7fa70d1b48989f73", // renovate:container // CloudControllerManagerImageAzure is the CCM image used on Azure. // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. 
- CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.29.15@sha256:22e562ab13b52c8725add9cf87b5c91b2ca7da75bbf08529163890616ffe4ca7", // renovate:container + CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.28.13@sha256:8b853f4f54a09c363806714189435933a8575ac6dca27e991976bd685603113e", // renovate:container // CloudNodeManagerImageAzure is the cloud-node-manager image used on Azure. // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. - CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.29.15@sha256:049bf87e7df4653c191b31228b3868627ce2268328158ef39270ca25f3e55b39", // renovate:container + CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.28.13@sha256:525ca9c8a44bbdfa9acc0a417776bb822a1bbdaaf27d9776b8dcf5b3519c346a", // renovate:container + // CloudControllerManagerImageGCP is the CCM image used on GCP. + CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v28.10.0@sha256:f3b6fa7faea27b4a303c91b3bc7ee192b050e21e27579e9f3da90ae4ba38e626", // renovate:container + // CloudControllerManagerImageOpenStack is the CCM image used on OpenStack. + CloudControllerManagerImageOpenStack: "docker.io/k8scloudprovider/openstack-cloud-controller-manager:v1.26.4@sha256:05e846fb13481b6dbe4a1e50491feb219e8f5101af6cf662a086115735624db0", // renovate:container + // External service image. Depends on k8s version. + // Check for new versions at https://github.com/kubernetes/autoscaler/releases. 
+ ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.28.7@sha256:77906954da9171425c8c8d3286091818143b6dcf9039abd49b8f33f1502978a1", // renovate:container + }, + V1_29: { + ClusterVersion: "v1.29.11", // renovate:kubernetes-release + KubernetesComponents: components.Components{ + { + Url: "https://github.com/containernetworking/plugins/releases/download/v1.6.0/cni-plugins-linux-amd64-v1.6.0.tgz", // renovate:cni-plugins-release + Hash: "sha256:682b49ff8933a997a52107161f1745f8312364b4c7f605ccdf7a77499130d89d", + InstallPath: constants.CniPluginsDir, + Extract: true, + }, + { + Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.31.1/crictl-v1.31.1-linux-amd64.tar.gz", // renovate:crictl-release + Hash: "sha256:0a03ba6b1e4c253d63627f8d210b2ea07675a8712587e697657b236d06d7d231", + InstallPath: constants.BinDir, + Extract: true, + }, + { + Url: "https://dl.k8s.io/v1.29.11/bin/linux/amd64/kubelet", // renovate:kubernetes-release + Hash: "sha256:1aaa9025cceac0c9a4df295a58aa79d8932a5b13a43c8910412c9ef970c42d21", + InstallPath: constants.KubeletPath, + Extract: false, + }, + { + Url: "https://dl.k8s.io/v1.29.11/bin/linux/amd64/kubeadm", // renovate:kubernetes-release + Hash: "sha256:6cf3567bd69a14859fb80fb39a09196dc2de1729ae72566e7e4819c5600e49c6", + InstallPath: constants.KubeadmPath, + Extract: false, + }, + { + Url: "https://dl.k8s.io/v1.29.11/bin/linux/amd64/kubectl", // renovate:kubernetes-release + Hash: "sha256:14d7ea4ada60ff15ef3b7734a83c4d05cff164d4843b6f4c081a50b86547c17d", + InstallPath: constants.KubectlPath, + Extract: false, + }, + { + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI5LjExQHNoYTI1Njo2NTQ1ZjZmNjJjMWYwZjBhZmZmNTM0YzIyNzZiZDI0MmZmZGFjNTRlNzNiMjJjYzEwMzQzNTIyYzcyYjlmNzcxIn1d", + InstallPath: patchFilePath("kube-apiserver"), + }, + { + Url: 
"data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI5LjExQHNoYTI1Njo1OTU1NDgyZDg5NWFhNGE0MTNhNzBhZjUwNjcwNjA1OTIzOGIzNjM3ZmQ3MzA1OTRlNTljOTkwOTU0MjIxZjEzIn1d", + InstallPath: patchFilePath("kube-controller-manager"), + }, + { + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI5LjExQHNoYTI1NjpmZTA3OGYyNmJmMTQzMDFmNzk0NjhkNzlhNWQyZDQzMWIzNDZhNGFiYjFjYWI0ZTliMWY5YmE4OTE0OTY0MTYxIn1d", + InstallPath: patchFilePath("kube-scheduler"), + }, + { + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjE1LTBAc2hhMjU2OmE2ZGM2M2U2ZThjZmEwMzA3ZDc4NTE3NjJmYTZiNjI5YWZiMThmMjhkOGFhM2ZhYjVhNmU5MWI0YWY2MDAyNmEifV0=", + InstallPath: patchFilePath("etcd"), + }, + }, + // CloudControllerManagerImageAWS is the CCM image used on AWS. + // Check for newer versions at https://github.com/kubernetes/cloud-provider-aws/releases. + CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.29.6@sha256:8074b8828a33fb273833e8fd374dda6a0ab10335ae8e19684fbd61eeff7d3594", // renovate:container + // CloudControllerManagerImageAzure is the CCM image used on Azure. + // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. + CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.29.11@sha256:2ecdca660c03b17110a4ee732230424ce0377c5b1756a4408666e40938ee976a", // renovate:container + // CloudNodeManagerImageAzure is the cloud-node-manager image used on Azure. + // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. 
+ CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.29.11@sha256:17888b0ebaec6735214b85d20bdcc8062f051bc27e835454e9ef89734d34aa4b", // renovate:container // CloudControllerManagerImageGCP is the CCM image used on GCP. CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v29.5.1@sha256:ebbc6f5755725b6c2c81ca1d1580e2feba83572c41608b739c50f85b2e5de936", // renovate:container // CloudControllerManagerImageOpenStack is the CCM image used on OpenStack. 
@@ -265,138 +332,71 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{ ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.29.5@sha256:76865740be7c965b35ee1524931bb4abfe4c27b5bfad280e84068cd6653ee7bb", // renovate:container }, V1_30: { - ClusterVersion: "v1.30.13", // renovate:kubernetes-release + ClusterVersion: "v1.30.7", // renovate:kubernetes-release KubernetesComponents: components.Components{ { - Url: "https://github.com/containernetworking/plugins/releases/download/v1.7.1/cni-plugins-linux-amd64-v1.7.1.tgz", // renovate:cni-plugins-release - Hash: "sha256:1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098", + Url: "https://github.com/containernetworking/plugins/releases/download/v1.6.0/cni-plugins-linux-amd64-v1.6.0.tgz", // renovate:cni-plugins-release + Hash: "sha256:682b49ff8933a997a52107161f1745f8312364b4c7f605ccdf7a77499130d89d", InstallPath: constants.CniPluginsDir, Extract: true, }, { - Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.33.0/crictl-v1.33.0-linux-amd64.tar.gz", // renovate:crictl-release - Hash: "sha256:8307399e714626e69d1213a4cd18c8dec3d0201ecdac009b1802115df8973f0f", + Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.31.1/crictl-v1.31.1-linux-amd64.tar.gz", // renovate:crictl-release + Hash: "sha256:0a03ba6b1e4c253d63627f8d210b2ea07675a8712587e697657b236d06d7d231", InstallPath: constants.BinDir, Extract: true, }, { - Url: "https://dl.k8s.io/v1.30.13/bin/linux/amd64/kubelet", // renovate:kubernetes-release - Hash: "sha256:b8d8c3cc0c13b2e42c1d83ab6c03024825bc01887c923fd6f8568ebe066ec28e", + Url: "https://dl.k8s.io/v1.30.7/bin/linux/amd64/kubelet", // renovate:kubernetes-release + Hash: "sha256:4b2fb90661e2b7be8b34b5bd405652590f6351a9f55194430fa16d547a7c9d16", InstallPath: constants.KubeletPath, Extract: false, }, { - Url: "https://dl.k8s.io/v1.30.13/bin/linux/amd64/kubeadm", // renovate:kubernetes-release - Hash: 
"sha256:dbea796b7b716f7b30ea99e021c3730ef3debace4c8a62c88abfc266b3ab7a96", + Url: "https://dl.k8s.io/v1.30.7/bin/linux/amd64/kubeadm", // renovate:kubernetes-release + Hash: "sha256:3635901a3a6e5b0124547151de700a1dbd4571531327a32edbec43bb155b877b", InstallPath: constants.KubeadmPath, Extract: false, }, { - Url: "https://dl.k8s.io/v1.30.13/bin/linux/amd64/kubectl", // renovate:kubernetes-release - Hash: "sha256:b92bd89b27386b671841d5970b926b645c2ae44e5ca0663cff0f1c836a1530ee", + Url: "https://dl.k8s.io/v1.30.7/bin/linux/amd64/kubectl", // renovate:kubernetes-release + Hash: "sha256:3950ec7b81b9aa5a3856dd6155e42e1ad12a2fa8b050502f5a9652050f94a8ee", InstallPath: constants.KubectlPath, Extract: false, }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjMwLjEzQHNoYTI1NjpiZDY4ZDgxYzIwYWQ1NzgxYWRlYzlmNmVhZTI0YzgzZDZmNjZjM2FmYzBkNGJhYTMyZDNmMmQ4NjVjODJkNDM2In1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjMwLjdAc2hhMjU2OjEzZjRmMGY1ODUwYjM5NzQyMTAxYzY1NmIxYmJkNTA5MGVhY2YyNzA4NGFkODliNDg5ZmM4MjRlZjQ4MmVkOWMifV0=", InstallPath: patchFilePath("kube-apiserver"), }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjMwLjEzQHNoYTI1NjpiODVhNWQ3ODVjYzAwYjAzNjEzZjY3YTdhZmNhMWU5MWIyYTBjY2Y0Y2VkOGU2OWQzOGJkYTVmNjg2OTgwZjNmIn1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjMwLjdAc2hhMjU2OjViOGRjMjZjMDViMjczY2UxOThmYmFmNGViMTc5ZjNiNmQ2OTE5YzZlMjExNmQzNmRjN2Y4MjU1NTM3NGM2ODcifV0=", InstallPath: patchFilePath("kube-controller-manager"), }, { - Url: 
"data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjMwLjEzQHNoYTI1NjpiZmE1ZjEwZGMzZTE0MzE2Nzg1ZjIzZjhlMWY0ZTRkYmM1NTZiMDMzMjcwZDkxMTg1ZmNhMDU3NzM1M2NhZDMzIn1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjMwLjdAc2hhMjU2OjAwYjE2ZGI5OTExMDFiNzM2MWYyZjE4MDM1ZTFjNjUyNmMwY2U2YzlhOTU2ODUyNDgyNGI0YmNjZGYxYWZiZDYifV0=", InstallPath: patchFilePath("kube-scheduler"), }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjIxLTBAc2hhMjU2OmQ1OGMwMzVkZjU1NzA4MGEyNzM4N2Q2ODcwOTJlM2ZjMmI2NGM2ZDBlMzE2MmRjNTE0NTNhMTE1Zjg0N2QxMjEifV0=", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjE1LTBAc2hhMjU2OmE2ZGM2M2U2ZThjZmEwMzA3ZDc4NTE3NjJmYTZiNjI5YWZiMThmMjhkOGFhM2ZhYjVhNmU5MWI0YWY2MDAyNmEifV0=", InstallPath: patchFilePath("etcd"), }, }, // CloudControllerManagerImageAWS is the CCM image used on AWS. // Check for newer versions at https://github.com/kubernetes/cloud-provider-aws/releases. - CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.30.8@sha256:f4e82b924e967656d8df9f467c9c1915509e94e228b53840a7f9f2367e1ba9f5", // renovate:container + CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.30.3@sha256:30a1758dec30814178c787e2d50f46bb141e9f0bb2e16190ddd19df15f957874", // renovate:container // CloudControllerManagerImageAzure is the CCM image used on Azure. // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. 
- CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.30.12@sha256:6ad276146282674bc5bfd3b344eedcd5c95fb21b2b575ae9441feda3949e2b7f", // renovate:container + CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.30.7@sha256:03b2876f481507781a27b56a6e66c1928b7b93774e787e52a5239aefa41191e4", // renovate:container // CloudNodeManagerImageAzure is the cloud-node-manager image used on Azure. // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. - CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.12@sha256:5725b02ca72e3d8204e2f12b50845a261772db87ab722621bc9f1aba9c5197c7", // renovate:container + CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.7@sha256:f18feb78e36eef88f0e23d98d798476d2bf6837de11892fe118ab043afdcd497", // renovate:container // CloudControllerManagerImageGCP is the CCM image used on GCP. - CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v30.1.4@sha256:0c3695a18d3825492196facb092e5fe56e466fa8517cde5a206fe21630c1da13", // renovate:container + CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v30.1.0@sha256:64d2d5d4d2b5fb426c307c64ada9a61b64e797b56d9768363f145f2bd957998f", // renovate:container // CloudControllerManagerImageOpenStack is the CCM image used on OpenStack. CloudControllerManagerImageOpenStack: "docker.io/k8scloudprovider/openstack-cloud-controller-manager:v1.26.4@sha256:05e846fb13481b6dbe4a1e50491feb219e8f5101af6cf662a086115735624db0", // renovate:container // External service image. Depends on k8s version. // Check for new versions at https://github.com/kubernetes/autoscaler/releases. 
- ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.30.4@sha256:f508cac11c8300f27529ed73f8d80f9b1949f819e8f8787f28afcb8e47ceb2b4", // renovate:container - }, - V1_31: { - ClusterVersion: "v1.31.9", // renovate:kubernetes-release - KubernetesComponents: components.Components{ - { - Url: "https://github.com/containernetworking/plugins/releases/download/v1.7.1/cni-plugins-linux-amd64-v1.7.1.tgz", // renovate:cni-plugins-release - Hash: "sha256:1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098", - InstallPath: constants.CniPluginsDir, - Extract: true, - }, - { - Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.33.0/crictl-v1.33.0-linux-amd64.tar.gz", // renovate:crictl-release - Hash: "sha256:8307399e714626e69d1213a4cd18c8dec3d0201ecdac009b1802115df8973f0f", - InstallPath: constants.BinDir, - Extract: true, - }, - { - Url: "https://dl.k8s.io/v1.31.9/bin/linux/amd64/kubelet", // renovate:kubernetes-release - Hash: "sha256:4e5e2bce4e80575a253654877f0156393d79647a36afb784da27f3ddef446456", - InstallPath: constants.KubeletPath, - Extract: false, - }, - { - Url: "https://dl.k8s.io/v1.31.9/bin/linux/amd64/kubeadm", // renovate:kubernetes-release - Hash: "sha256:9653845e48754df94842cce1ef76874e7f4c1a32d782dd0c7e6cf12e3a718dde", - InstallPath: constants.KubeadmPath, - Extract: false, - }, - { - Url: "https://dl.k8s.io/v1.31.9/bin/linux/amd64/kubectl", // renovate:kubernetes-release - Hash: "sha256:720d31a15368ad56993c127a7d4fa2688a8520029c2e6be86b1a877ad6f92624", - InstallPath: constants.KubectlPath, - Extract: false, - }, - { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjMxLjlAc2hhMjU2OjViNjhmMGRmMjIwMTM0MjJkYzhmYjlkZGZjZmY1MTNlYjZmYzkyZjlkYmY4YWFlNDE1NTVjODk1ZWZlZjVhMjAifV0=", - InstallPath: patchFilePath("kube-apiserver"), - }, - { - Url: 
"data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjMxLjlAc2hhMjU2OmJlOWU3OTg3ZDMyM2IzOGExMmUyODQzNmNmZjZkNmVjNmZjMzFmZmRkM2VhMTFlYWE5ZDc0ODUyZTlkMzEyNDgifV0=", - InstallPath: patchFilePath("kube-controller-manager"), - }, - { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjMxLjlAc2hhMjU2OmViMzU4YzczNDZiYjE3YWIyYzYzOWMzZmY4YWI3NmExNDdkZWM3YWU2MDlmNWMwYzI4MDAyMzNlNDIyNTNlZDEifV0=", - InstallPath: patchFilePath("kube-scheduler"), - }, - { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjIxLTBAc2hhMjU2OmQ1OGMwMzVkZjU1NzA4MGEyNzM4N2Q2ODcwOTJlM2ZjMmI2NGM2ZDBlMzE2MmRjNTE0NTNhMTE1Zjg0N2QxMjEifV0=", - InstallPath: patchFilePath("etcd"), - }, - }, - // CloudControllerManagerImageAWS is the CCM image used on AWS. - // Check for newer versions at https://github.com/kubernetes/cloud-provider-aws/releases. - CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.31.5@sha256:6f94a695828de888c8efc57e3243db9e788709767f687a6a8cb07c2e42158862", // renovate:container - // CloudControllerManagerImageAzure is the CCM image used on Azure. - // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. - CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.31.6@sha256:d54893f220256659d40d1cf4d47f2df4453fcf24e3bbad420733653ab20a1b6a", // renovate:container - // CloudNodeManagerImageAzure is the cloud-node-manager image used on Azure. - // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. 
- CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.31.6@sha256:b1201e7ce23e574f8b7e391ff061bc00f2d82e1b0b943f3770924b1f88db887e", // renovate:container - // CloudControllerManagerImageGCP is the CCM image used on GCP. - CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v30.1.4@sha256:0c3695a18d3825492196facb092e5fe56e466fa8517cde5a206fe21630c1da13", // renovate:container - // CloudControllerManagerImageOpenStack is the CCM image used on OpenStack. - CloudControllerManagerImageOpenStack: "registry.k8s.io/provider-os/openstack-cloud-controller-manager:v1.32.0@sha256:25e0539888590240483b60dec84c2387fd3cc48bd81dc10a3f6b01fef2585548", // renovate:container - // External service image. Depends on k8s version. - // Check for new versions at https://github.com/kubernetes/autoscaler/releases. - ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.31.2@sha256:2f2ae9f88573d45d8c72d22abff97fb77fd8d9e55f40e57aa282957e56fd3a1a", // renovate:container + ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.30.3@sha256:08fd86ee093760849ac4fd579eb90185b669fc20aa56c156aa34ea7b73dd5e34", // renovate:container }, } diff --git a/joinservice/internal/certcache/certcache_test.go b/joinservice/internal/certcache/certcache_test.go index e1e60beba..a742d43c6 100644 --- a/joinservice/internal/certcache/certcache_test.go +++ b/joinservice/internal/certcache/certcache_test.go @@ -116,7 +116,7 @@ func TestCreateCertChainCache(t *testing.T) { assert := assert.New(t) require := require.New(t) - ctx := t.Context() + ctx := context.Background() c := &Client{ attVariant: variant.Dummy{}, @@ -204,7 +204,7 @@ func TestGetCertChainCache(t *testing.T) { t.Run(name, func(t *testing.T) { assert := assert.New(t) - ctx := t.Context() + ctx := context.Background() c := NewClient(logger.NewTest(t), tc.kubeClient, variant.Dummy{}) 
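Review bot: Deleting the whole `V1_31` entry from `VersionConfigs` leaves the accepted-version set, which is defined elsewhere (`ValidK8sVersion` and its validation are outside this hunk), possibly still listing 1.31; a config requesting that version would then hit a missing map entry instead of a clear validation error, so that list should shrink in the same change. On the new side the unchanged `V1_30` OpenStack CCM is still `docker.io/k8scloudprovider/openstack-cloud-controller-manager:v1.26.4`, a 1.26-series controller pulled from Docker Hub, whereas the removed `V1_31` entry had already moved to `registry.k8s.io/provider-os/...:v1.32.0`; if keeping the older image is deliberate, a comment such as `// TODO: move to registry.k8s.io/provider-os once a release matching this Kubernetes minor is available` would record why it lags the other providers. Every artifact in the hunk stays pinned by sha256 or image digest, so download integrity is unaffected; what changes is that this rolls control-plane components back (kube 1.30.7, etcd 3.5.15, older CCMs), so any fixes shipped between the two version sets are re-exposed until it is rolled forward again.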
diff --git a/joinservice/internal/kms/kms_test.go b/joinservice/internal/kms/kms_test.go index f506d0a42..cd831ddc4 100644 --- a/joinservice/internal/kms/kms_test.go +++ b/joinservice/internal/kms/kms_test.go @@ -60,7 +60,7 @@ func TestGetDataKey(t *testing.T) { client.grpc = tc.client - res, err := client.GetDataKey(t.Context(), "disk-uuid", 32) + res, err := client.GetDataKey(context.Background(), "disk-uuid", 32) if tc.wantErr { assert.Error(err) } else { diff --git a/joinservice/internal/server/BUILD.bazel b/joinservice/internal/server/BUILD.bazel index eed06e663..7e29a733c 100644 --- a/joinservice/internal/server/BUILD.bazel +++ b/joinservice/internal/server/BUILD.bazel @@ -19,7 +19,6 @@ go_library( "@org_golang_google_grpc//codes", "@org_golang_google_grpc//credentials", "@org_golang_google_grpc//status", - "@org_golang_x_crypto//ssh", ], ) @@ -29,7 +28,6 @@ go_test( embed = [":server"], deps = [ "//internal/attestation", - "//internal/constants", "//internal/logger", "//internal/versions/components", "//joinservice/joinproto", diff --git a/joinservice/internal/server/server.go b/joinservice/internal/server/server.go index e6fc82b95..21bb24d67 100644 --- a/joinservice/internal/server/server.go +++ b/joinservice/internal/server/server.go @@ -9,7 +9,6 @@ package server import ( "context" - "crypto/ed25519" "fmt" "log/slog" "net" @@ -22,7 +21,6 @@ import ( "github.com/edgelesssys/constellation/v2/internal/logger" "github.com/edgelesssys/constellation/v2/internal/versions/components" "github.com/edgelesssys/constellation/v2/joinservice/joinproto" - "golang.org/x/crypto/ssh" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/credentials" 
@@ -102,18 +100,6 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi return nil, status.Errorf(codes.Internal, "getting key for stateful disk: %s", err) } - log.Info("Requesting emergency SSH CA derivation key") - sshCAKeySeed, err := s.dataKeyGetter.GetDataKey(ctx, constants.SSHCAKeySuffix, ed25519.SeedSize) - if err != nil { - log.With(slog.Any("error", err)).Error("Failed to get seed material to derive SSH CA key") - return nil, status.Errorf(codes.Internal, "getting emergency SSH CA seed material: %s", err) - } - ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed) - if err != nil { - log.With(slog.Any("error", err)).Error("Failed to derive ssh CA key from seed material") - return nil, status.Errorf(codes.Internal, "generating ssh emergency CA key: %s", err) - } - log.Info("Creating Kubernetes join token") kubeArgs, err := s.joinTokenGetter.GetJoinToken(constants.KubernetesJoinTokenTTL) if err != nil { @@ -181,7 +167,6 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi KubeletCert: kubeletCert, ControlPlaneFiles: controlPlaneFiles, KubernetesComponents: components, - AuthorizedCaPublicKey: ssh.MarshalAuthorizedKey(ca.PublicKey()), }, nil } diff --git a/joinservice/internal/server/server_test.go b/joinservice/internal/server/server_test.go index 4fbf0c5b6..ff11c7b57 100644 --- a/joinservice/internal/server/server_test.go +++ b/joinservice/internal/server/server_test.go @@ -8,13 +8,11 @@ package server import ( "context" - "crypto/ed25519" "errors" "testing" "time" "github.com/edgelesssys/constellation/v2/internal/attestation" - "github.com/edgelesssys/constellation/v2/internal/constants" "github.com/edgelesssys/constellation/v2/internal/logger" "github.com/edgelesssys/constellation/v2/internal/versions/components" "github.com/edgelesssys/constellation/v2/joinservice/joinproto" 
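Review bot: Dropping the SSH CA derivation means `IssueJoinTicketResponse` no longer carries `AuthorizedCaPublicKey`, but nothing in this change touches the consumer that installs that key on the joining node (not visible here); if that code still writes the field into the sshd trusted-CA file it will now write an empty value, so it should be removed together with this hunk rather than left to tolerate nil. The field is also deleted outright rather than retired: in join.proto (outside this view) it should become `reserved 11; reserved "authorized_ca_public_key";` so that a future field cannot reuse number 11 and be misparsed by a bootstrapper on the other side of this change during a mixed-version rollout. The removed branch was the only place the join service logged a failure to obtain seed material from the KMS, so a one-line comment at the join-token step, e.g. `// Emergency SSH CA material is no longer issued here; nodes get only disk key, measurement secret and kubeadm credentials.`, would keep the reduced contract visible to the next reader. IssueJoinTicket starts and ends outside the hunk.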
@@ -31,7 +29,6 @@ func TestMain(m *testing.M) { func TestIssueJoinTicket(t *testing.T) { someErr := errors.New("error") testKey := []byte{0x1, 0x2, 0x3} - testCaKey := make([]byte, ed25519.SeedSize) testCert := []byte{0x4, 0x5, 0x6} measurementSecret := []byte{0x7, 0x8, 0x9} uuid := "uuid" @@ -65,7 +62,6 @@ func TestIssueJoinTicket(t *testing.T) { kms: stubKeyGetter{dataKeys: map[string][]byte{ uuid: testKey, attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testCaKey, }}, ca: stubCA{cert: testCert, nodeName: "node"}, kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, @@ -75,7 +71,6 @@ func TestIssueJoinTicket(t *testing.T) { kms: stubKeyGetter{dataKeys: map[string][]byte{ uuid: testKey, attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testCaKey, }}, ca: stubCA{cert: testCert, nodeName: "node"}, kubeClient: stubKubeClient{getComponentsErr: someErr}, @@ -86,7 +81,6 @@ func TestIssueJoinTicket(t *testing.T) { kms: stubKeyGetter{dataKeys: map[string][]byte{ uuid: testKey, attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testCaKey, }}, ca: stubCA{cert: testCert, nodeName: "node", getNameErr: someErr}, kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, @@ -97,7 +91,6 @@ func TestIssueJoinTicket(t *testing.T) { kms: stubKeyGetter{dataKeys: map[string][]byte{ uuid: testKey, attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testCaKey, }}, ca: stubCA{cert: testCert, nodeName: "node"}, kubeClient: stubKubeClient{getComponentsVal: clusterComponents, addNodeToJoiningNodesErr: someErr, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, 
@@ -115,7 +108,6 @@ func TestIssueJoinTicket(t *testing.T) { kms: stubKeyGetter{dataKeys: map[string][]byte{ uuid: testKey, attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testCaKey, }}, ca: stubCA{cert: testCert, nodeName: "node"}, kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, @@ -126,7 +118,6 @@ func TestIssueJoinTicket(t *testing.T) { kms: stubKeyGetter{dataKeys: map[string][]byte{ uuid: testKey, attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testCaKey, }}, ca: stubCA{getCertErr: someErr, nodeName: "node"}, kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, @@ -141,7 +132,6 @@ func TestIssueJoinTicket(t *testing.T) { kms: stubKeyGetter{dataKeys: map[string][]byte{ uuid: testKey, attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testCaKey, }}, ca: stubCA{cert: testCert, nodeName: "node"}, kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, 
@@ -149,28 +139,6 @@ func TestIssueJoinTicket(t *testing.T) { "GetControlPlaneCertificateKey fails": { isControlPlane: true, kubeadm: stubTokenGetter{token: testJoinToken, certificateKeyErr: someErr}, - kms: stubKeyGetter{dataKeys: map[string][]byte{ - uuid: testKey, - attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testCaKey, - }}, - ca: stubCA{cert: testCert, nodeName: "node"}, - kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, - wantErr: true, - }, - "CA data key to short": { - kubeadm: stubTokenGetter{token: testJoinToken}, - kms: stubKeyGetter{dataKeys: map[string][]byte{ - uuid: testKey, - attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testKey, - }}, - ca: stubCA{cert: testCert, nodeName: "node"}, - kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, - wantErr: true, - }, - "CA data key doesn't exist": { - kubeadm: stubTokenGetter{token: testJoinToken}, kms: stubKeyGetter{dataKeys: map[string][]byte{ uuid: testKey, attestation.MeasurementSecretContext: measurementSecret, @@ -201,7 +169,7 @@ func TestIssueJoinTicket(t *testing.T) { DiskUuid: "uuid", IsControlPlane: tc.isControlPlane, } - resp, err := api.IssueJoinTicket(t.Context(), req) + resp, err := api.IssueJoinTicket(context.Background(), req) if tc.wantErr { assert.Error(err) return @@ -265,7 +233,7 @@ func TestIssueRejoinTicker(t *testing.T) { req := &joinproto.IssueRejoinTicketRequest{ DiskUuid: uuid, } - resp, err := api.IssueRejoinTicket(t.Context(), req) + resp, err := api.IssueRejoinTicket(context.Background(), req) if tc.wantErr { assert.Error(err) return diff --git a/joinservice/internal/watcher/validator_test.go b/joinservice/internal/watcher/validator_test.go index 2fb99e3e1..efada4028 100644 --- a/joinservice/internal/watcher/validator_test.go 
+++ b/joinservice/internal/watcher/validator_test.go @@ -147,7 +147,7 @@ func TestUpdate(t *testing.T) { // test connection to server clientOID := variant.Dummy{} - resp, err := testConnection(t.Context(), require, server.URL, clientOID) + resp, err := testConnection(require, server.URL, clientOID) require.NoError(err) defer resp.Body.Close() body, err := io.ReadAll(resp.Body) @@ -159,7 +159,7 @@ func TestUpdate(t *testing.T) { require.NoError(validator.Update()) // client connection should fail now, since the server's validator expects a different OID from the client - resp, err = testConnection(t.Context(), require, server.URL, clientOID) + resp, err = testConnection(require, server.URL, clientOID) if err == nil { defer resp.Body.Close() } @@ -230,12 +230,12 @@ func TestUpdateConcurrency(t *testing.T) { wg.Wait() } -func testConnection(ctx context.Context, require *require.Assertions, url string, oid variant.Getter) (*http.Response, error) { +func testConnection(require *require.Assertions, url string, oid variant.Getter) (*http.Response, error) { clientConfig, err := atls.CreateAttestationClientTLSConfig(fakeIssuer{oid}, nil) require.NoError(err) client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}} - req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, http.NoBody) + req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody) require.NoError(err) return client.Do(req) } diff --git a/joinservice/joinproto/join.pb.go b/joinservice/joinproto/join.pb.go index 9c8af76d7..bf5478c02 100644 --- a/joinservice/joinproto/join.pb.go +++ b/joinservice/joinproto/join.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 -// protoc v5.29.1 +// protoc-gen-go v1.35.2 +// protoc v5.29.0--rc2 // source: joinservice/joinproto/join.proto package joinproto 
@@ -16,7 +16,6 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" - unsafe "unsafe" ) const ( @@ -27,12 +26,13 @@ const ( ) type IssueJoinTicketRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"` - CertificateRequest []byte `protobuf:"bytes,2,opt,name=certificate_request,json=certificateRequest,proto3" json:"certificate_request,omitempty"` - IsControlPlane bool `protobuf:"varint,3,opt,name=is_control_plane,json=isControlPlane,proto3" json:"is_control_plane,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"` + CertificateRequest []byte `protobuf:"bytes,2,opt,name=certificate_request,json=certificateRequest,proto3" json:"certificate_request,omitempty"` + IsControlPlane bool `protobuf:"varint,3,opt,name=is_control_plane,json=isControlPlane,proto3" json:"is_control_plane,omitempty"` } func (x *IssueJoinTicketRequest) Reset() { @@ -87,7 +87,10 @@ func (x *IssueJoinTicketRequest) GetIsControlPlane() bool { } type IssueJoinTicketResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"` MeasurementSalt []byte `protobuf:"bytes,2,opt,name=measurement_salt,json=measurementSalt,proto3" json:"measurement_salt,omitempty"` MeasurementSecret []byte `protobuf:"bytes,3,opt,name=measurement_secret,json=measurementSecret,proto3" json:"measurement_secret,omitempty"` 
@@ -98,9 +101,6 @@ type IssueJoinTicketResponse struct { ControlPlaneFiles []*ControlPlaneCertOrKey `protobuf:"bytes,8,rep,name=control_plane_files,json=controlPlaneFiles,proto3" json:"control_plane_files,omitempty"` KubernetesVersion string `protobuf:"bytes,9,opt,name=kubernetes_version,json=kubernetesVersion,proto3" json:"kubernetes_version,omitempty"` KubernetesComponents []*components.Component `protobuf:"bytes,10,rep,name=kubernetes_components,json=kubernetesComponents,proto3" json:"kubernetes_components,omitempty"` - AuthorizedCaPublicKey []byte `protobuf:"bytes,11,opt,name=authorized_ca_public_key,json=authorizedCaPublicKey,proto3" json:"authorized_ca_public_key,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache } func (x *IssueJoinTicketResponse) Reset() { @@ -203,19 +203,13 @@ func (x *IssueJoinTicketResponse) GetKubernetesComponents() []*components.Compon return nil } -func (x *IssueJoinTicketResponse) GetAuthorizedCaPublicKey() []byte { - if x != nil { - return x.AuthorizedCaPublicKey - } - return nil -} - type ControlPlaneCertOrKey struct { - state protoimpl.MessageState `protogen:"open.v1"` - Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` - Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` } func (x *ControlPlaneCertOrKey) Reset() { 
@@ -263,10 +257,11 @@ func (x *ControlPlaneCertOrKey) GetData() []byte { } type IssueRejoinTicketRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"` } func (x *IssueRejoinTicketRequest) Reset() { @@ -307,11 +302,12 @@ func (x *IssueRejoinTicketRequest) GetDiskUuid() string { } type IssueRejoinTicketResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"` - MeasurementSecret []byte `protobuf:"bytes,2,opt,name=measurement_secret,json=measurementSecret,proto3" json:"measurement_secret,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"` + MeasurementSecret []byte `protobuf:"bytes,2,opt,name=measurement_secret,json=measurementSecret,proto3" json:"measurement_secret,omitempty"` } func (x *IssueRejoinTicketResponse) Reset() { 
@@ -360,46 +356,96 @@ func (x *IssueRejoinTicketResponse) GetMeasurementSecret() []byte { var File_joinservice_joinproto_join_proto protoreflect.FileDescriptor -const file_joinservice_joinproto_join_proto_rawDesc = "" + - "\n" + - " joinservice/joinproto/join.proto\x12\x04join\x1a-internal/versions/components/components.proto\"\x90\x01\n" + - "\x16IssueJoinTicketRequest\x12\x1b\n" + - "\tdisk_uuid\x18\x01 \x01(\tR\bdiskUuid\x12/\n" + - "\x13certificate_request\x18\x02 \x01(\fR\x12certificateRequest\x12(\n" + - "\x10is_control_plane\x18\x03 \x01(\bR\x0eisControlPlane\"\xc7\x04\n" + - "\x17IssueJoinTicketResponse\x12$\n" + - "\x0estate_disk_key\x18\x01 \x01(\fR\fstateDiskKey\x12)\n" + - "\x10measurement_salt\x18\x02 \x01(\fR\x0fmeasurementSalt\x12-\n" + - "\x12measurement_secret\x18\x03 \x01(\fR\x11measurementSecret\x12!\n" + - "\fkubelet_cert\x18\x04 \x01(\fR\vkubeletCert\x12.\n" + - "\x13api_server_endpoint\x18\x05 \x01(\tR\x11apiServerEndpoint\x12\x14\n" + - "\x05token\x18\x06 \x01(\tR\x05token\x12>\n" + - "\x1cdiscovery_token_ca_cert_hash\x18\a \x01(\tR\x18discoveryTokenCaCertHash\x12O\n" + - "\x13control_plane_files\x18\b \x03(\v2\x1f.join.control_plane_cert_or_keyR\x11controlPlaneFiles\x12-\n" + - "\x12kubernetes_version\x18\t \x01(\tR\x11kubernetesVersion\x12J\n" + - "\x15kubernetes_components\x18\n" + - " \x03(\v2\x15.components.ComponentR\x14kubernetesComponents\x127\n" + - "\x18authorized_ca_public_key\x18\v \x01(\fR\x15authorizedCaPublicKey\"C\n" + - "\x19control_plane_cert_or_key\x12\x12\n" + - "\x04name\x18\x01 \x01(\tR\x04name\x12\x12\n" + - "\x04data\x18\x02 \x01(\fR\x04data\"7\n" + - "\x18IssueRejoinTicketRequest\x12\x1b\n" + - "\tdisk_uuid\x18\x01 \x01(\tR\bdiskUuid\"p\n" + - "\x19IssueRejoinTicketResponse\x12$\n" + - "\x0estate_disk_key\x18\x01 \x01(\fR\fstateDiskKey\x12-\n" + - "\x12measurement_secret\x18\x02 \x01(\fR\x11measurementSecret2\xab\x01\n" + - "\x03API\x12N\n" + - 
"\x0fIssueJoinTicket\x12\x1c.join.IssueJoinTicketRequest\x1a\x1d.join.IssueJoinTicketResponse\x12T\n" + - "\x11IssueRejoinTicket\x12\x1e.join.IssueRejoinTicketRequest\x1a\x1f.join.IssueRejoinTicketResponseB?Z=github.com/edgelesssys/constellation/v2/joinservice/joinprotob\x06proto3" +var file_joinservice_joinproto_join_proto_rawDesc = []byte{ + 0x0a, 0x20, 0x6a, 0x6f, 0x69, 0x6e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6a, 0x6f, + 0x69, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x12, 0x04, 0x6a, 0x6f, 0x69, 0x6e, 0x1a, 0x2d, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, + 0x61, 0x6c, 0x2f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x70, + 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, + 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x90, 0x01, 0x0a, 0x16, 0x49, 0x73, 0x73, 0x75, + 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x69, 0x73, 0x6b, 0x55, 0x75, 0x69, 0x64, 0x12, + 0x2f, 0x0a, 0x13, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x72, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x12, 0x63, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x12, 0x28, 0x0a, 0x10, 0x69, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70, + 0x6c, 0x61, 0x6e, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x69, 0x73, 0x43, 0x6f, + 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x22, 0x8e, 0x04, 0x0a, 0x17, 0x49, + 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 
0x65, 0x5f, + 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, + 0x73, 0x74, 0x61, 0x74, 0x65, 0x44, 0x69, 0x73, 0x6b, 0x4b, 0x65, 0x79, 0x12, 0x29, 0x0a, 0x10, + 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x61, 0x6c, 0x74, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, + 0x65, 0x6e, 0x74, 0x53, 0x61, 0x6c, 0x74, 0x12, 0x2d, 0x0a, 0x12, 0x6d, 0x65, 0x61, 0x73, 0x75, + 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x0c, 0x52, 0x11, 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x21, 0x0a, 0x0c, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, + 0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x6b, 0x75, + 0x62, 0x65, 0x6c, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x12, 0x2e, 0x0a, 0x13, 0x61, 0x70, 0x69, + 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, + 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x61, 0x70, 0x69, 0x53, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, + 0x65, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12, + 0x3e, 0x0a, 0x1c, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x5f, 0x74, 0x6f, 0x6b, + 0x65, 0x6e, 0x5f, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, + 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, + 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x43, 0x61, 0x43, 0x65, 0x72, 0x74, 0x48, 0x61, 0x73, 0x68, 0x12, + 0x4f, 0x0a, 0x13, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, + 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x6a, + 0x6f, 0x69, 0x6e, 0x2e, 
0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, + 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6f, 0x72, 0x5f, 0x6b, 0x65, 0x79, 0x52, 0x11, 0x63, + 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x46, 0x69, 0x6c, 0x65, 0x73, + 0x12, 0x2d, 0x0a, 0x12, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x76, + 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x75, + 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, + 0x4a, 0x0a, 0x15, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x63, 0x6f, + 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, + 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x43, 0x6f, 0x6d, 0x70, + 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x52, 0x14, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, + 0x73, 0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x43, 0x0a, 0x19, 0x63, + 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x5f, 0x63, 0x65, 0x72, + 0x74, 0x5f, 0x6f, 0x72, 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, + 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, + 0x22, 0x37, 0x0a, 0x18, 0x49, 0x73, 0x73, 0x75, 0x65, 0x52, 0x65, 0x6a, 0x6f, 0x69, 0x6e, 0x54, + 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1b, 0x0a, 0x09, + 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x08, 0x64, 0x69, 0x73, 0x6b, 0x55, 0x75, 0x69, 0x64, 0x22, 0x70, 0x0a, 0x19, 0x49, 0x73, 0x73, + 0x75, 0x65, 0x52, 0x65, 0x6a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e, 
0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, + 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, + 0x73, 0x74, 0x61, 0x74, 0x65, 0x44, 0x69, 0x73, 0x6b, 0x4b, 0x65, 0x79, 0x12, 0x2d, 0x0a, 0x12, + 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x72, + 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x11, 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, + 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x32, 0xab, 0x01, 0x0a, 0x03, + 0x41, 0x50, 0x49, 0x12, 0x4e, 0x0a, 0x0f, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, + 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x1c, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49, 0x73, + 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49, 0x73, 0x73, 0x75, + 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x54, 0x0a, 0x11, 0x49, 0x73, 0x73, 0x75, 0x65, 0x52, 0x65, 0x6a, 0x6f, + 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x1e, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, + 0x49, 0x73, 0x73, 0x75, 0x65, 0x52, 0x65, 0x6a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, + 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, + 0x49, 0x73, 0x73, 0x75, 0x65, 0x52, 0x65, 0x6a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, + 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3f, 0x5a, 0x3d, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, + 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x32, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 
0x6f, 0x33, +} var ( file_joinservice_joinproto_join_proto_rawDescOnce sync.Once - file_joinservice_joinproto_join_proto_rawDescData []byte + file_joinservice_joinproto_join_proto_rawDescData = file_joinservice_joinproto_join_proto_rawDesc ) func file_joinservice_joinproto_join_proto_rawDescGZIP() []byte { file_joinservice_joinproto_join_proto_rawDescOnce.Do(func() { - file_joinservice_joinproto_join_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_joinservice_joinproto_join_proto_rawDesc), len(file_joinservice_joinproto_join_proto_rawDesc))) + file_joinservice_joinproto_join_proto_rawDescData = protoimpl.X.CompressGZIP(file_joinservice_joinproto_join_proto_rawDescData) }) return file_joinservice_joinproto_join_proto_rawDescData } @@ -436,7 +482,7 @@ func file_joinservice_joinproto_join_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_joinservice_joinproto_join_proto_rawDesc), len(file_joinservice_joinproto_join_proto_rawDesc)), + RawDescriptor: file_joinservice_joinproto_join_proto_rawDesc, NumEnums: 0, NumMessages: 5, NumExtensions: 0, @@ -447,6 +493,7 @@ func file_joinservice_joinproto_join_proto_init() { MessageInfos: file_joinservice_joinproto_join_proto_msgTypes, }.Build() File_joinservice_joinproto_join_proto = out.File + file_joinservice_joinproto_join_proto_rawDesc = nil file_joinservice_joinproto_join_proto_goTypes = nil file_joinservice_joinproto_join_proto_depIdxs = nil } diff --git a/joinservice/joinproto/join.proto b/joinservice/joinproto/join.proto index 89c40b8a0..2a910a039 100644 --- a/joinservice/joinproto/join.proto +++ b/joinservice/joinproto/join.proto 
@@ -45,8 +45,6 @@ message IssueJoinTicketResponse {
   string kubernetes_version = 9;
   // kubernetes_components is a list of components to install on the node.
   repeated components.Component kubernetes_components = 10;
-  // authorized_ca_public_key is an ssh ca key that can be used to connect to a node in case of an emergency.
-  bytes authorized_ca_public_key = 11;
 }
 
 message control_plane_cert_or_key {
diff --git a/keyservice/internal/server/server_test.go b/keyservice/internal/server/server_test.go
index 203a9f939..f5c2b2d3b 100644
--- a/keyservice/internal/server/server_test.go
+++ b/keyservice/internal/server/server_test.go
@@ -32,23 +32,23 @@ func TestGetDataKey(t *testing.T) {
 	kms := &stubKMS{derivedKey: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5}}
 	api := New(log, kms)
 
-	res, err := api.GetDataKey(t.Context(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
+	res, err := api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
 	require.NoError(err)
 	assert.Equal(kms.derivedKey, res.DataKey)
 
 	// Test no data key id
-	res, err = api.GetDataKey(t.Context(), &keyserviceproto.GetDataKeyRequest{Length: 32})
+	res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{Length: 32})
 	require.Error(err)
 	assert.Nil(res)
 
 	// Test no / zero key length
-	res, err = api.GetDataKey(t.Context(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1"})
+	res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1"})
 	require.Error(err)
 	assert.Nil(res)
 
 	// Test derive key error
 	api = New(log, &stubKMS{deriveKeyErr: errors.New("error")})
-	res, err = api.GetDataKey(t.Context(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
+	res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
 	assert.Error(err)
 	assert.Nil(res)
 }
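Review bot: Field number 11 and the name `authorized_ca_public_key` are removed from `IssueJoinTicketResponse` without being reserved, so a later edit can reuse tag 11 for an unrelated field while a peer built against the previous schema still decodes tag 11 as the SSH CA key. Put `reserved 11;` and `reserved "authorized_ca_public_key";` where the two lines were removed so protoc rejects any reuse. Since this is the response the join service hands to every joining node, a one-line comment on the message stating that the emergency-access CA key is no longer distributed through the join flow would save the next reader from looking for it.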
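Review bot: `context.Background()` on the four `GetDataKey` calls carries no deadline or cancellation, so a hang in the handler is caught only by the package-level `go test` timeout, whereas `t.Context()` was at least cancelled when the test ended. If the swap is needed for an older toolchain, a bounded context keeps the failure local: `ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)` and `defer cancel()` before the first call, then pass `ctx`. The import block is not part of this hunk, so confirm `context` (and `time`, if used) is imported there.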
diff --git a/keyservice/keyserviceproto/keyservice.pb.go b/keyservice/keyserviceproto/keyservice.pb.go index ee7a23ff2..c311c035a 100644 --- a/keyservice/keyserviceproto/keyservice.pb.go +++ b/keyservice/keyserviceproto/keyservice.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 -// protoc v5.29.1 +// protoc-gen-go v1.35.2 +// protoc v5.29.0--rc2 // source: keyservice/keyserviceproto/keyservice.proto package keyserviceproto @@ -15,7 +15,6 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" - unsafe "unsafe" ) const ( @@ -26,11 +25,12 @@ const ( ) type GetDataKeyRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - DataKeyId string `protobuf:"bytes,1,opt,name=data_key_id,json=dataKeyId,proto3" json:"data_key_id,omitempty"` - Length uint32 `protobuf:"varint,2,opt,name=length,proto3" json:"length,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DataKeyId string `protobuf:"bytes,1,opt,name=data_key_id,json=dataKeyId,proto3" json:"data_key_id,omitempty"` + Length uint32 `protobuf:"varint,2,opt,name=length,proto3" json:"length,omitempty"` } func (x *GetDataKeyRequest) Reset() { @@ -78,10 +78,11 @@ func (x *GetDataKeyRequest) GetLength() uint32 { } type GetDataKeyResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - DataKey []byte `protobuf:"bytes,1,opt,name=data_key,json=dataKey,proto3" json:"data_key,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DataKey []byte `protobuf:"bytes,1,opt,name=data_key,json=dataKey,proto3" json:"data_key,omitempty"` } func (x *GetDataKeyResponse) Reset() { 
@@ -123,26 +124,38 @@ func (x *GetDataKeyResponse) GetDataKey() []byte { var File_keyservice_keyserviceproto_keyservice_proto protoreflect.FileDescriptor -const file_keyservice_keyserviceproto_keyservice_proto_rawDesc = "" + - "\n" + - "+keyservice/keyserviceproto/keyservice.proto\x12\x03kms\"K\n" + - "\x11GetDataKeyRequest\x12\x1e\n" + - "\vdata_key_id\x18\x01 \x01(\tR\tdataKeyId\x12\x16\n" + - "\x06length\x18\x02 \x01(\rR\x06length\"/\n" + - "\x12GetDataKeyResponse\x12\x19\n" + - "\bdata_key\x18\x01 \x01(\fR\adataKey2D\n" + - "\x03API\x12=\n" + - "\n" + - "GetDataKey\x12\x16.kms.GetDataKeyRequest\x1a\x17.kms.GetDataKeyResponseBDZBgithub.com/edgelesssys/constellation/v2/keyservice/keyserviceprotob\x06proto3" +var file_keyservice_keyserviceproto_keyservice_proto_rawDesc = []byte{ + 0x0a, 0x2b, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6b, 0x65, 0x79, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6b, 0x65, 0x79, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x03, 0x6b, + 0x6d, 0x73, 0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b, 0x64, 0x61, 0x74, 0x61, 0x5f, + 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x64, 0x61, + 0x74, 0x61, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, + 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x22, + 0x2f, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, + 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, + 0x32, 0x44, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x3d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x44, 0x61, + 0x74, 0x61, 0x4b, 0x65, 0x79, 
0x12, 0x16, 0x2e, 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, + 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, + 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x44, 0x5a, 0x42, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, + 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, + 0x32, 0x2f, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6b, 0x65, 0x79, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, +} var ( file_keyservice_keyserviceproto_keyservice_proto_rawDescOnce sync.Once - file_keyservice_keyserviceproto_keyservice_proto_rawDescData []byte + file_keyservice_keyserviceproto_keyservice_proto_rawDescData = file_keyservice_keyserviceproto_keyservice_proto_rawDesc ) func file_keyservice_keyserviceproto_keyservice_proto_rawDescGZIP() []byte { file_keyservice_keyserviceproto_keyservice_proto_rawDescOnce.Do(func() { - file_keyservice_keyserviceproto_keyservice_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_keyservice_keyserviceproto_keyservice_proto_rawDesc), len(file_keyservice_keyserviceproto_keyservice_proto_rawDesc))) + file_keyservice_keyserviceproto_keyservice_proto_rawDescData = protoimpl.X.CompressGZIP(file_keyservice_keyserviceproto_keyservice_proto_rawDescData) }) return file_keyservice_keyserviceproto_keyservice_proto_rawDescData } 
@@ -171,7 +184,7 @@ func file_keyservice_keyserviceproto_keyservice_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_keyservice_keyserviceproto_keyservice_proto_rawDesc), len(file_keyservice_keyserviceproto_keyservice_proto_rawDesc)), + RawDescriptor: file_keyservice_keyserviceproto_keyservice_proto_rawDesc, NumEnums: 0, NumMessages: 2, NumExtensions: 0, @@ -182,6 +195,7 @@ func file_keyservice_keyserviceproto_keyservice_proto_init() { MessageInfos: file_keyservice_keyserviceproto_keyservice_proto_msgTypes, }.Build() File_keyservice_keyserviceproto_keyservice_proto = out.File + file_keyservice_keyserviceproto_keyservice_proto_rawDesc = nil file_keyservice_keyserviceproto_keyservice_proto_goTypes = nil file_keyservice_keyserviceproto_keyservice_proto_depIdxs = nil } diff --git a/nix/container/libvirtd_base.nix b/nix/container/libvirtd_base.nix index f58a2366a..5ebaf3e91 100644 --- a/nix/container/libvirtd_base.nix +++ b/nix/container/libvirtd_base.nix @@ -62,22 +62,12 @@ let ''; startScript = pkgsLinux.writeShellApplication { name = "start.sh"; - runtimeInputs = let nixpkgs24_11 = import "${pkgs.fetchFromGitHub { - # Pinned release which contains swtpm v0.8.2 - # Newer versions of NixOS package swtpm v0.10.0 with https://github.com/stefanberger/swtpm/pull/896 - # This release breaks MiniConstellation since either libvirt, or the Terraform libvirt provider - # tries to apply the TPM config twice, resulting in an error during the setup phase - owner = "NixOS"; - repo = "nixpkgs"; - tag = "24.11"; - hash = "sha256-CqCX4JG7UiHvkrBTpYC3wcEurvbtTADLbo3Ns2CEoL8="; - }}"{system = "x86_64-linux";}; in - with pkgsLinux; [ + runtimeInputs = with pkgsLinux; [ shadow coreutils libvirt qemu - nixpkgs24_11.swtpm + swtpm ]; text = '' set -euo pipefail 
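Review bot: The removed comment on `runtimeInputs` was the only record of why swtpm was taken from the nixpkgs 24.11 release (swtpm v0.10.0 applies the TPM config twice and breaks MiniConstellation), and the new `swtpm` from `pkgsLinux` carries no such constraint, so the next nixpkgs bump has nothing warning it that the version matters. Keep the rationale beside the package, e.g. `# swtpm >= 0.10.0 (stefanberger/swtpm#896) breaks MiniConstellation's TPM setup; pkgsLinux must provide an older release`. Which nixpkgs revision `pkgsLinux` resolves to is not visible here, so please confirm the swtpm it ships is one the old comment describes as working. Dropping the `fetchFromGitHub` pin also means the swtpm source is no longer tied to a content hash in this file, which is acceptable only if `pkgsLinux` itself comes from a locked input.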
diff --git a/nix/lib/by-name/constellationRepoRoot/package.nix b/nix/lib/by-name/constellationRepoRoot/package.nix deleted file mode 100644 index 38c9cdefa..000000000 --- a/nix/lib/by-name/constellationRepoRoot/package.nix +++ /dev/null @@ -1,3 +0,0 @@ -# Returns a reference to the root path of the Constellation repository. - -_: ../../../../. diff --git a/nix/lib/by-name/constellationRepoRootSrc/package.nix b/nix/lib/by-name/constellationRepoRootSrc/package.nix deleted file mode 100644 index 462df7ab1..000000000 --- a/nix/lib/by-name/constellationRepoRootSrc/package.nix +++ /dev/null @@ -1,12 +0,0 @@ -# Returns a package set originating from the root of the Constellation repository. -# The `files` attribute is a list of paths relative to the root of the repository. - -{ lib }: -files: -let - filteredFiles = lib.map (subpath: lib.path.append lib.constellationRepoRoot subpath) files; -in -lib.fileset.toSource { - root = lib.constellationRepoRoot; - fileset = lib.fileset.unions filteredFiles; -} diff --git a/nix/lib/by-name/constellationVersion/package.nix b/nix/lib/by-name/constellationVersion/package.nix deleted file mode 100644 index b65ebe85e..000000000 --- a/nix/lib/by-name/constellationVersion/package.nix +++ /dev/null @@ -1,3 +0,0 @@ -# Returns the current Continuum version, as defined in `version.txt`. - -{ lib }: builtins.readFile (lib.path.append lib.constellationRepoRoot "version.txt") diff --git a/nix/lib/default.nix b/nix/lib/default.nix deleted file mode 100644 index bd731cbf3..000000000 --- a/nix/lib/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - lib, - callPackage, -}: -lib.packagesFromDirectoryRecursive { - inherit callPackage; - directory = ./by-name; -} diff --git a/nix/packages/by-name/buildConstellationGoModule/package.nix b/nix/packages/by-name/buildConstellationGoModule/package.nix deleted file mode 100644 index b58d020e0..000000000 --- a/nix/packages/by-name/buildConstellationGoModule/package.nix +++ /dev/null 
@@ -1,26 +0,0 @@ -# A 'wrapped' Go builder for Constellation, which doesn't require a `vendorHash` to be set in each package. -# Instead, one central vendor hash is set here, and all packages inherit it. - -{ - buildGo124Module, - constellation-canonical-go-package, -}: -args: -(buildGo124Module ( - { - # We run tests in CI, so don't run them at build time. - doCheck = false; - - # Disable CGO by default. - env.CGO_ENABLED = "0"; - } - // args -)).overrideAttrs - (_oldAttrs: { - inherit (constellation-canonical-go-package) - goModules - vendorHash - proxyVendor - deleteVendor - ; - }) diff --git a/nix/packages/by-name/constellation-canonical-go-package/package.nix b/nix/packages/by-name/constellation-canonical-go-package/package.nix deleted file mode 100644 index 0fd299ffd..000000000 --- a/nix/packages/by-name/constellation-canonical-go-package/package.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ - lib, - buildGo124Module, -}: -buildGo124Module { - pname = "constellation-canonical-go-package"; - version = lib.constellationVersion; - - src = lib.constellationRepoRootSrc [ - "go.mod" - "go.sum" - ]; - - vendorHash = "sha256-McWiTTz1HTdG3x0LI87CF6oTRFtxSiV3LCCBJb9YG4U="; - - doCheck = false; - - proxyVendor = true; -} diff --git a/nix/packages/default.nix b/nix/packages/default.nix deleted file mode 100644 index bd731cbf3..000000000 --- a/nix/packages/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - lib, - callPackage, -}: -lib.packagesFromDirectoryRecursive { - inherit callPackage; - directory = ./by-name; -} diff --git a/operators/constellation-node-operator/Makefile b/operators/constellation-node-operator/Makefile index 777b1ecb1..ca2bd0906 100644 --- a/operators/constellation-node-operator/Makefile +++ b/operators/constellation-node-operator/Makefile 
@@ -86,11 +86,11 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./" output:crd:artifacts:config=config/crd/bases .PHONY: generate generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. - $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." + $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./" .PHONY: fmt fmt: ## Run go fmt against code. @@ -162,7 +162,7 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ## Tool Versions KUSTOMIZE_VERSION ?= v3.8.7 -CONTROLLER_TOOLS_VERSION ?= v0.16.4 +CONTROLLER_TOOLS_VERSION ?= v0.9.0 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" .PHONY: kustomize diff --git a/operators/constellation-node-operator/api/v1alpha1/zz_generated.deepcopy.go b/operators/constellation-node-operator/api/v1alpha1/zz_generated.deepcopy.go index b25cfc280..198fc055c 100644 --- a/operators/constellation-node-operator/api/v1alpha1/zz_generated.deepcopy.go +++ b/operators/constellation-node-operator/api/v1alpha1/zz_generated.deepcopy.go @@ -1,4 +1,5 @@ //go:build !ignore_autogenerated +// +build !ignore_autogenerated // Code generated by controller-gen. DO NOT EDIT. diff --git a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_autoscalingstrategies.yaml b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_autoscalingstrategies.yaml index 9156e3e71..6a014a394 100644 --- a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_autoscalingstrategies.yaml 
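Review bot: `paths="./"` on the `manifests` and `generate` recipes makes controller-gen load only the module root package instead of the whole tree, so the API types under `api/v1alpha1` and any RBAC or webhook markers in sub-packages are reached only if the root package imports them; `./...` was the form that guaranteed full coverage. If the narrower path is deliberate for controller-tools v0.9.0, say so on the recipe, e.g. `# controller-gen v0.9.0: root package only; api/ types are reached via imports`, and rerun `make generate` to confirm it still reproduces the `zz_generated.deepcopy.go` and CRD files changed in this commit. `CONTROLLER_TOOLS_VERSION ?= v0.9.0` matches the `controller-gen.kubebuilder.io/version` annotation in the regenerated CRDs, but older controller-tools releases are known to fail against newer k8s.io dependency sets, so check it still runs under this module's current Go and apimachinery versions (not visible here). While the tool versions are being touched, `KUSTOMIZE_INSTALL_SCRIPT` still fetches `hack/install_kustomize.sh` from `master`; pinning it to a tag or commit would match the already pinned `KUSTOMIZE_VERSION`.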
+++ b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_autoscalingstrategies.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: autoscalingstrategies.update.edgeless.systems spec: group: update.edgeless.systems @@ -21,19 +22,14 @@ spec: API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
diff --git a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_joiningnodes.yaml b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_joiningnodes.yaml index 1beca7221..9c8e9e5a2 100644 --- a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_joiningnodes.yaml +++ b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_joiningnodes.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: joiningnodes.update.edgeless.systems spec: group: update.edgeless.systems 
@@ -20,19 +21,14 @@ spec: description: JoiningNode is the Schema for the joiningnodes API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object diff --git a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_nodeversions.yaml b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_nodeversions.yaml index 4b7f7b7e0..e4c435ec1 100644 --- a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_nodeversions.yaml +++ b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_nodeversions.yaml 
@@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: nodeversions.update.edgeless.systems spec: group: update.edgeless.systems @@ -20,19 +21,14 @@ spec: description: NodeVersion is the Schema for the nodeversions API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -66,49 +62,65 @@ spec: description: AwaitingAnnotation is a list of nodes that are waiting for the operator to annotate them. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array budget: description: Budget is the amount of extra nodes that can be created 
@@ -119,35 +131,43 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: Condition contains details for one aspect of the current - state of this API Resource. + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -162,6 +182,10 @@ spec: type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -177,386 +201,514 @@ spec: description: Donors is a list of outdated nodes that donate labels to heirs. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array heirs: description: Heirs is a list of nodes using the latest image that still need to inherit labels from donors. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. 
Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array invalid: description: Invalid is a list of invalid nodes (nodes that cannot be processed by the operator due to missing information or transient faults). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. 
\n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array mints: description: Mints is a list of up to date nodes that will become heirs. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. 
For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). 
This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array obsolete: description: Obsolete is a list of obsolete nodes (nodes that have been created by the operator but are no longer needed). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. 
In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' 
type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array outdated: description: Outdated is a list of nodes that are using an outdated image. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. 
+ description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array pending: description: Pending is a list of pending nodes (joining or leaving the cluster). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. 
The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). 
This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array upToDate: description: UpToDate is a list of nodes that are using the latest image and labels. 
items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array required: - activeclusterversionupgrade diff --git a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_pendingnodes.yaml b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_pendingnodes.yaml index c6cd2db6a..7c5b5618b 100644 --- a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_pendingnodes.yaml +++ b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_pendingnodes.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: pendingnodes.update.edgeless.systems spec: group: update.edgeless.systems 
@@ -20,19 +21,14 @@ spec: description: PendingNode is the Schema for the pendingnodes API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -40,11 +36,10 @@ spec: description: PendingNodeSpec defines the desired state of PendingNode. properties: deadline: - description: |- - Deadline is the deadline for reaching the goal state. - Joining nodes will be terminated if the deadline is exceeded. - Leaving nodes will remain as unschedulable to prevent data loss. - If not specified, the node may remain in the pending state indefinitely. + description: Deadline is the deadline for reaching the goal state. + Joining nodes will be terminated if the deadline is exceeded. Leaving + nodes will remain as unschedulable to prevent data loss. If not + specified, the node may remain in the pending state indefinitely. format: date-time type: string goal: diff --git a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_scalinggroups.yaml b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_scalinggroups.yaml index 5eed4ebc8..0f87fbab1 100644 --- a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_scalinggroups.yaml +++ b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_scalinggroups.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: scalinggroups.update.edgeless.systems spec: group: update.edgeless.systems 
@@ -20,19 +21,14 @@ spec: description: ScalingGroup is the Schema for the scalinggroups API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -61,8 +57,8 @@ spec: format: int32 type: integer nodeGroupName: - description: NodeGroupName is the human friendly name of the node - group as defined in the Constellation configuration. + description: NodeGroupName is the human friendly name of the node group + as defined in the Constellation configuration. type: string nodeImage: description: NodeVersion is the name of the NodeVersion resource. 
@@ -81,35 +77,43 @@ spec: description: Conditions represent the latest available observations of an object's state. items: - description: Condition contains details for one aspect of the current - state of this API Resource. + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -124,6 +128,10 @@ spec: type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/operators/constellation-node-operator/config/manager/manager.yaml b/operators/constellation-node-operator/config/manager/manager.yaml index 314209305..32b39e301 100644 
--- a/operators/constellation-node-operator/config/manager/manager.yaml +++ b/operators/constellation-node-operator/config/manager/manager.yaml @@ -31,9 +31,6 @@ spec: - /manager args: - --leader-elect - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json image: controller:latest name: manager securityContext: @@ -63,9 +60,6 @@ spec: - mountPath: /etc/gce name: gceconf readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - mountPath: /etc/constellation-upgrade-agent.sock name: upgrade-agent-socket readOnly: true @@ -97,10 +91,6 @@ spec: configMap: name: gceconf optional: true - - name: gcekey - secret: - secretName: gcekey - optional: true - name: upgrade-agent-socket hostPath: path: /run/constellation-upgrade-agent.sock diff --git a/operators/constellation-node-operator/config/rbac/role.yaml b/operators/constellation-node-operator/config/rbac/role.yaml index a1f60ee8f..8700132c4 100644 --- a/operators/constellation-node-operator/config/rbac/role.yaml +++ b/operators/constellation-node-operator/config/rbac/role.yaml @@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + creationTimestamp: null name: manager-role rules: - apiGroups: @@ -11,7 +12,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -57,10 +57,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete 
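Review bot: After this hunk the manager container has no GCP credential source left: the `GOOGLE_APPLICATION_CREDENTIALS` env var, the `/var/secrets/google` mount and the `gcekey` secret volume are all dropped, while the `gceconf` ConfigMap mount at `/etc/gce` is kept. Because the removed volume was `optional: true`, a missing key never failed at deploy time, so if the GCP client does not fall back to the instance metadata server (Application Default Credentials), GCP reconciles will only fail at runtime with credential errors — the read side is not visible here, so this is an inference. If the intent is to rely on the node's attached service account instead of a mounted long-lived key, that is the better least-privilege setup, but it should be recorded in the manifest, e.g. a comment beside the `gceconf` volume: `# GCP auth comes from the instance service account via the metadata server; no key is mounted.`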
@@ -73,20 +69,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch @@ -105,3 +119,81 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update 
diff --git a/operators/constellation-node-operator/controllers/nodeversion_controller.go b/operators/constellation-node-operator/controllers/nodeversion_controller.go index c46c7b313..ff706c702 100644 --- a/operators/constellation-node-operator/controllers/nodeversion_controller.go +++ b/operators/constellation-node-operator/controllers/nodeversion_controller.go @@ -83,7 +83,7 @@ func NewNodeVersionReconciler(nodeReplacer nodeReplacer, etcdRemover etcdRemover //+kubebuilder:rbac:groups=nodemaintenance.medik8s.io,resources=nodemaintenances,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups="",resources=nodes/status,verbs=get -//+kubebuilder:rbac:groups="",resources=configmaps,verbs=list;get;watch +//+kubebuilder:rbac:groups="",resources=configmaps,verbs=list;get // Reconcile replaces outdated nodes with new nodes as specified in the NodeVersion spec. func (r *NodeVersionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { @@ -214,7 +214,7 @@ func (r *NodeVersionReconciler) Reconcile(ctx context.Context, req ctrl.Request) return ctrl.Result{Requeue: shouldRequeue}, nil } - newNodeConfig := newNodeConfig{desiredNodeVersion, groups.Outdated, groups.Donors, pendingNodeList.Items, scalingGroupByID, newNodesBudget} + newNodeConfig := newNodeConfig{desiredNodeVersion, groups.Outdated, pendingNodeList.Items, scalingGroupByID, newNodesBudget} if err := r.createNewNodes(ctx, newNodeConfig); err != nil { logr.Error(err, "Creating new nodes") return ctrl.Result{Requeue: shouldRequeue}, nil 
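Review bot: The configmaps marker now grants only `list;get`, but a controller-runtime client obtained from the manager serves Get/List from an informer cache, and starting that informer requires `watch` as well; with this marker (and the ClusterRole regenerated from it, which drops `watch` in the same way) the first cached ConfigMap read would fail with a forbidden error at reconcile time rather than at deploy time. The ConfigMap read site is not in this hunk, so if the reconciler already reads ConfigMaps through an uncached reader (`mgr.GetAPIReader()` / a `client.Reader`) the reduced verbs are correct; otherwise either keep `watch` or route that read through the API reader. Whichever applies, a comment above the marker such as `// ConfigMaps are read via the uncached API reader; no informer, so no watch verb.` would stop the next `controller-gen` run from silently reintroducing the mismatch.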
@@ -614,15 +614,6 @@ func (r *NodeVersionReconciler) createNewNodes(ctx context.Context, config newNo if config.newNodesBudget < 1 || len(config.outdatedNodes) == 0 { return nil } - // We need to look at both the outdated nodes *and* the nodes that have already - // been moved to the donors here because even if a CP node has already been moved to - // the donors, we still want to defer worker upgrades until the new CP node is actually joined. - hasOutdatedControlPlanes := false - for _, entry := range append(config.outdatedNodes, config.donors...) { - if nodeutil.IsControlPlaneNode(&entry) { - hasOutdatedControlPlanes = true - } - } outdatedNodesPerScalingGroup := make(map[string]int) for _, node := range config.outdatedNodes { // skip outdated nodes that got assigned an heir in this Reconcile call @@ -657,12 +648,6 @@ func (r *NodeVersionReconciler) createNewNodes(ctx context.Context, config newNo continue } if requiredNodesPerScalingGroup[scalingGroupID] == 0 { - logr.Info("No new nodes needed for scaling group", "scalingGroup", scalingGroupID) - continue - } - // if we are a worker group and still have outdated control planes, we must wait for them to be upgraded. - if hasOutdatedControlPlanes && scalingGroup.Spec.Role != updatev1alpha1.ControlPlaneRole { - logr.Info("There are still outdated control plane nodes which must be replaced first before this worker scaling group is upgraded", "scalingGroup", scalingGroupID) continue } for { @@ -694,7 +679,7 @@ func (r *NodeVersionReconciler) createNewNodes(ctx context.Context, config newNo if err := r.Create(ctx, pendingNode); err != nil { return err } - logr.Info("Created new node", "createdNode", nodeName, "scalingGroup", scalingGroupID, "requiredNodes", requiredNodesPerScalingGroup[scalingGroupID]) + logr.Info("Created new node", "createdNode", nodeName, "scalingGroup", scalingGroupID) requiredNodesPerScalingGroup[scalingGroupID]-- config.newNodesBudget-- } 
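Review bot: createNewNodes no longer holds back worker scaling groups while control-plane nodes are outdated — the `hasOutdatedControlPlanes` computation and the `scalingGroup.Spec.Role != updatev1alpha1.ControlPlaneRole` gate are both removed, so within one reconcile the per-group loop can spend the new-node budget on worker groups before any replacement control-plane node has joined. If a NodeVersion bump carries a Kubernetes version change (the reconciler has a `kubernetesServerVersionGetter`, so presumably it can), new workers may come up with a kubelet newer than the still-outdated kube-apiserver, which the Kubernetes version-skew policy does not support. If dropping the ordering is intentional, the contract should be stated above the loop, e.g. `// Note: no control-plane-first ordering here; control-plane and worker groups are replaced from the same budget.`, since the `requiredNodesPerScalingGroup[scalingGroupID] == 0` branch also lost its log line and now gives no hint of the change. createNewNodes begins and ends outside this hunk.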
@@ -954,7 +939,6 @@ type kubernetesServerVersionGetter interface { type newNodeConfig struct { desiredNodeVersion updatev1alpha1.NodeVersion outdatedNodes []corev1.Node - donors []corev1.Node pendingNodes []updatev1alpha1.PendingNode scalingGroupByID map[string]updatev1alpha1.ScalingGroup newNodesBudget int diff --git a/operators/constellation-node-operator/controllers/nodeversion_controller_test.go b/operators/constellation-node-operator/controllers/nodeversion_controller_test.go index e3df48e57..c9ae88042 100644 --- a/operators/constellation-node-operator/controllers/nodeversion_controller_test.go +++ b/operators/constellation-node-operator/controllers/nodeversion_controller_test.go @@ -123,7 +123,7 @@ func TestAnnotateNodes(t *testing.T) { }, }, } - annotated, invalid := reconciler.annotateNodes(t.Context(), []corev1.Node{tc.node}) + annotated, invalid := reconciler.annotateNodes(context.Background(), []corev1.Node{tc.node}) if tc.wantAnnotated == nil { assert.Len(annotated, 0) assert.Len(invalid, 1) @@ -226,7 +226,7 @@ func TestPairDonorsAndHeirs(t *testing.T) { }, } nodeImage := updatev1alpha1.NodeVersion{} - pairs := reconciler.pairDonorsAndHeirs(t.Context(), &nodeImage, []corev1.Node{tc.outdatedNode}, []mintNode{tc.mintNode}) + pairs := reconciler.pairDonorsAndHeirs(context.Background(), &nodeImage, []corev1.Node{tc.outdatedNode}, []mintNode{tc.mintNode}) if tc.wantPair == nil { assert.Len(pairs, 0) return @@ -315,7 +315,7 @@ func TestMatchDonorsAndHeirs(t *testing.T) { stubReaderClient: *newStubReaderClient(t, []runtime.Object{&tc.donor, &tc.heir}, nil, nil), }, } - pairs := reconciler.matchDonorsAndHeirs(t.Context(), nil, []corev1.Node{tc.donor}, []corev1.Node{tc.heir}) + pairs := reconciler.matchDonorsAndHeirs(context.Background(), nil, []corev1.Node{tc.donor}, []corev1.Node{tc.heir}) if tc.wantPair == nil { assert.Len(pairs, 0) return 
@@ -330,7 +330,6 @@ func TestMatchDonorsAndHeirs(t *testing.T) { func TestCreateNewNodes(t *testing.T) { testCases := map[string]struct { outdatedNodes []corev1.Node - donors []corev1.Node pendingNodes []updatev1alpha1.PendingNode scalingGroupByID map[string]updatev1alpha1.ScalingGroup budget int 
@@ -574,105 +573,6 @@ func TestCreateNewNodes(t *testing.T) { }, budget: 1, }, - "control plane node upgraded first": { - outdatedNodes: []corev1.Node{ - // CP node - { - ObjectMeta: metav1.ObjectMeta{ - Name: "control-plane-node", - Annotations: map[string]string{ - scalingGroupAnnotation: "control-plane-scaling-group", - }, - Labels: map[string]string{ - // Mark this as a CP node as per - // https://kubernetes.io/docs/reference/labels-annotations-taints/#node-role-kubernetes-io-control-plane - "node-role.kubernetes.io/control-plane": "", - }, - }, - }, - // Worker node - { - ObjectMeta: metav1.ObjectMeta{ - Name: "node", - Annotations: map[string]string{ - scalingGroupAnnotation: "scaling-group", - }, - }, - }, - }, - scalingGroupByID: map[string]updatev1alpha1.ScalingGroup{ - "scaling-group": { - Spec: updatev1alpha1.ScalingGroupSpec{ - GroupID: "scaling-group", - Role: updatev1alpha1.WorkerRole, - }, - Status: updatev1alpha1.ScalingGroupStatus{ - ImageReference: "image", - }, - }, - "control-plane-scaling-group": { - Spec: updatev1alpha1.ScalingGroupSpec{ - GroupID: "control-plane-scaling-group", - Role: updatev1alpha1.ControlPlaneRole, - }, - Status: updatev1alpha1.ScalingGroupStatus{ - ImageReference: "image", - }, - }, - }, - budget: 2, - wantCreateCalls: []string{"control-plane-scaling-group"}, - }, - "worker not upgraded while cp is in donors": { - donors: []corev1.Node{ - // CP node - { - ObjectMeta: metav1.ObjectMeta{ - Name: "control-plane-node", - Annotations: map[string]string{ - scalingGroupAnnotation: "control-plane-scaling-group", - }, - Labels: map[string]string{ - // Mark this as a CP node as per - // https://kubernetes.io/docs/reference/labels-annotations-taints/#node-role-kubernetes-io-control-plane - "node-role.kubernetes.io/control-plane": "", - }, - }, - }, - }, - outdatedNodes: []corev1.Node{ - // Worker node - { - ObjectMeta: metav1.ObjectMeta{ - Name: "node", - Annotations: map[string]string{ - scalingGroupAnnotation: "scaling-group", - 
}, - }, - }, - }, - scalingGroupByID: map[string]updatev1alpha1.ScalingGroup{ - "scaling-group": { - Spec: updatev1alpha1.ScalingGroupSpec{ - GroupID: "scaling-group", - Role: updatev1alpha1.WorkerRole, - }, - Status: updatev1alpha1.ScalingGroupStatus{ - ImageReference: "image", - }, - }, - "control-plane-scaling-group": { - Spec: updatev1alpha1.ScalingGroupSpec{ - GroupID: "control-plane-scaling-group", - Role: updatev1alpha1.ControlPlaneRole, - }, - Status: updatev1alpha1.ScalingGroupStatus{ - ImageReference: "image", - }, - }, - }, - budget: 1, - }, } for name, tc := range testCases { @@ -692,8 +592,8 @@ func TestCreateNewNodes(t *testing.T) { }, Scheme: getScheme(t), } - newNodeConfig := newNodeConfig{desiredNodeImage, tc.outdatedNodes, tc.donors, tc.pendingNodes, tc.scalingGroupByID, tc.budget} - err := reconciler.createNewNodes(t.Context(), newNodeConfig) + newNodeConfig := newNodeConfig{desiredNodeImage, tc.outdatedNodes, tc.pendingNodes, tc.scalingGroupByID, tc.budget} + err := reconciler.createNewNodes(context.Background(), newNodeConfig) require.NoError(err) assert.Equal(tc.wantCreateCalls, reconciler.nodeReplacer.(*stubNodeReplacerWriter).createCalls) }) diff --git a/operators/constellation-node-operator/controllers/nodeversion_watches_test.go b/operators/constellation-node-operator/controllers/nodeversion_watches_test.go index cdc75450f..690c1d2c4 100644 --- a/operators/constellation-node-operator/controllers/nodeversion_watches_test.go +++ b/operators/constellation-node-operator/controllers/nodeversion_watches_test.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package controllers import ( + "context" "errors" "testing" 
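Review bot: `newNodeConfig{desiredNodeImage, tc.outdatedNodes, tc.pendingNodes, tc.scalingGroupByID, tc.budget}` is a positional struct literal, and that is exactly why this line had to change when `donors` came and went; the next field added to `newNodeConfig` shifts every later value again, silently whenever the neighbouring types are compatible. Keyed fields keep the test stable: `newNodeConfig{desiredNodeVersion: desiredNodeImage, outdatedNodes: tc.outdatedNodes, pendingNodes: tc.pendingNodes, scalingGroupByID: tc.scalingGroupByID, newNodesBudget: tc.budget}`. go vet's composites check only flags unkeyed literals of imported types, so nothing catches this in-package one automatically. With the two ordering cases removed above, `TestCreateNewNodes` no longer has a case mixing a control-plane and a worker group, so the same-pass behaviour this revert restores has no assertion covering it.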
@@ -249,7 +250,7 @@ func TestFindObjectsForScalingGroup(t *testing.T) { } assert := assert.New(t) reconciler := NodeVersionReconciler{} - requests := reconciler.findObjectsForScalingGroup(t.Context(), &scalingGroup) + requests := reconciler.findObjectsForScalingGroup(context.TODO(), &scalingGroup) assert.ElementsMatch(wantRequests, requests) } @@ -283,7 +284,7 @@ func TestFindAllNodeVersions(t *testing.T) { reconciler := NodeVersionReconciler{ Client: newStubReaderClient(t, []runtime.Object{tc.nodeVersion}, nil, tc.listNodeVersionsErr), } - requests := reconciler.findAllNodeVersions(t.Context(), nil) + requests := reconciler.findAllNodeVersions(context.TODO(), nil) assert.ElementsMatch(tc.wantRequests, requests) }) } diff --git a/operators/constellation-node-operator/controllers/pendingnode_controller_test.go b/operators/constellation-node-operator/controllers/pendingnode_controller_test.go index 949d7d8f2..1a564af76 100644 --- a/operators/constellation-node-operator/controllers/pendingnode_controller_test.go +++ b/operators/constellation-node-operator/controllers/pendingnode_controller_test.go @@ -137,7 +137,7 @@ func TestFindObjectsForNode(t *testing.T) { reconciler := PendingNodeReconciler{ Client: newStubReaderClient(t, []runtime.Object{tc.pendingNode}, nil, tc.listPendingNodesErr), } - requests := reconciler.findObjectsForNode(t.Context(), &corev1.Node{ + requests := reconciler.findObjectsForNode(context.TODO(), &corev1.Node{ ObjectMeta: metav1.ObjectMeta{ Name: "pending-node", }, @@ -218,7 +218,7 @@ func TestReachedGoal(t *testing.T) { reconciler := PendingNodeReconciler{ Client: newStubReaderClient(t, []runtime.Object{&tc.pendingNode}, tc.getPendingNodeErr, nil), } - reachedGoal, err := reconciler.reachedGoal(t.Context(), tc.pendingNode, tc.nodeState) + reachedGoal, err := reconciler.reachedGoal(context.Background(), tc.pendingNode, tc.nodeState) if tc.wantErr { assert.Error(err) return 
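Review bot: The replacements are inconsistent about which placeholder context they use: this hunk and `findObjectsForScalingGroup` above switch to `context.TODO()`, while every other call site in the commit (`reachedGoal`, `annotateNodes`, the cloud client tests) switches to `context.Background()`. Both behave the same at runtime, but `TODO` conventionally marks a call site that still needs a real context threaded through, which a test driver is not. Use `context.Background()` here too so the marker keeps its meaning, or leave a comment explaining why these call sites differ.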
diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage_test.go b/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage_test.go index 2a75ee1ea..d939f2029 100644 --- a/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage_test.go +++ b/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage_test.go @@ -91,7 +91,7 @@ func TestGetNodeImage(t *testing.T) { describeInstancesErr: tc.describeInstancesErr, }, } - gotImage, err := client.GetNodeImage(t.Context(), tc.providerID) + gotImage, err := client.GetNodeImage(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return @@ -199,7 +199,7 @@ func TestGetScalingGroupID(t *testing.T) { describeInstancesErr: tc.describeInstancesErr, }, } - gotScalingID, err := client.GetScalingGroupID(t.Context(), tc.providerID) + gotScalingID, err := client.GetScalingGroupID(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return @@ -357,7 +357,7 @@ func TestCreateNode(t *testing.T) { setDesiredCapacityErr: tc.setDesiredCapacityErr, }, } - nodeName, providerID, err := client.CreateNode(t.Context(), tc.providerID) + nodeName, providerID, err := client.CreateNode(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return @@ -398,7 +398,7 @@ func TestDeleteNode(t *testing.T) { terminateInstanceErr: tc.terminateInstanceErr, }, } - err := client.DeleteNode(t.Context(), tc.providerID) + err := client.DeleteNode(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode_test.go b/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode_test.go index fdf11100c..b2745358f 100644 --- a/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode_test.go +++ b/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode_test.go 
@@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package client import ( + "context" "errors" "testing" @@ -160,7 +161,7 @@ func TestGetNodeState(t *testing.T) { describeInstanceStatusErr: tc.describeInstanceStatusErr, }, } - nodeState, err := client.GetNodeState(t.Context(), tc.providerID) + nodeState, err := client.GetNodeState(context.Background(), tc.providerID) assert.Equal(tc.wantState, nodeState) if tc.wantErr { assert.Error(err) diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup_test.go b/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup_test.go index dc3144f6c..b5e4f60ce 100644 --- a/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup_test.go +++ b/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup_test.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package client import ( + "context" "testing" "github.com/aws/aws-sdk-go-v2/service/autoscaling" @@ -90,7 +91,7 @@ func TestGetScalingGroupImage(t *testing.T) { }, }, } - scalingGroupImage, err := client.GetScalingGroupImage(t.Context(), tc.providerID) + scalingGroupImage, err := client.GetScalingGroupImage(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return @@ -215,7 +216,7 @@ func TestSetScalingGroupImage(t *testing.T) { }, }, } - err := client.SetScalingGroupImage(t.Context(), tc.providerID, tc.imageURI) + err := client.SetScalingGroupImage(context.Background(), tc.providerID, tc.imageURI) if tc.wantErr { assert.Error(err) return @@ -318,7 +319,7 @@ func TestListScalingGroups(t *testing.T) { describeAutoScalingGroupsErr: tc.describeAutoScalingGroupsErr, }, } - gotGroups, err := client.ListScalingGroups(t.Context(), tc.providerID) + gotGroups, err := client.ListScalingGroups(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return 
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage_test.go b/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage_test.go index 61fa6b2ed..866cf535f 100644 --- a/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage_test.go +++ b/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage_test.go @@ -98,7 +98,7 @@ func TestGetNodeImage(t *testing.T) { getErr: tc.getScaleSetVMErr, }, } - gotImage, err := client.GetNodeImage(t.Context(), tc.providerID) + gotImage, err := client.GetNodeImage(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return @@ -131,7 +131,7 @@ func TestGetScalingGroupID(t *testing.T) { require := require.New(t) client := Client{} - gotScalingGroupID, err := client.GetScalingGroupID(t.Context(), tc.providerID) + gotScalingGroupID, err := client.GetScalingGroupID(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return @@ -262,7 +262,7 @@ func TestCreateNode(t *testing.T) { var createErr error go func() { defer wg.Done() - gotNodeName, gotProviderID, createErr = client.CreateNode(t.Context(), tc.scalingGroupID) + gotNodeName, gotProviderID, createErr = client.CreateNode(context.Background(), tc.scalingGroupID) }() // want error before PollUntilDone is called @@ -319,7 +319,7 @@ func TestDeleteNode(t *testing.T) { client := Client{ scaleSetsAPI: &stubScaleSetsAPI{deleteErr: tc.deleteErr}, } - err := client.DeleteNode(t.Context(), tc.providerID) + err := client.DeleteNode(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return 
@@ -343,25 +343,25 @@ func TestCapacityPollingHandler(t *testing.T) { }, wantedCapacity: wantCapacity, } - assert.NoError(handler.Poll(t.Context())) + assert.NoError(handler.Poll(context.Background())) assert.False(handler.Done()) // Calling Result early should error - assert.Error(handler.Result(t.Context(), &gotCapacity)) + assert.Error(handler.Result(context.Background(), &gotCapacity)) // let scaleSet API error handler.scaleSetsAPI.(*stubScaleSetsAPI).getErr = errors.New("get error") - assert.Error(handler.Poll(t.Context())) + assert.Error(handler.Poll(context.Background())) handler.scaleSetsAPI.(*stubScaleSetsAPI).getErr = nil // let scaleSet API return invalid SKU handler.scaleSetsAPI.(*stubScaleSetsAPI).scaleSet.SKU = nil - assert.Error(handler.Poll(t.Context())) + assert.Error(handler.Poll(context.Background())) // let Poll finish handler.scaleSetsAPI.(*stubScaleSetsAPI).scaleSet.SKU = &armcompute.SKU{Capacity: to.Ptr(wantCapacity)} - assert.NoError(handler.Poll(t.Context())) + assert.NoError(handler.Poll(context.Background())) assert.True(handler.Done()) - assert.NoError(handler.Result(t.Context(), &gotCapacity)) + assert.NoError(handler.Result(context.Background(), &gotCapacity)) assert.Equal(wantCapacity, gotCapacity) } diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode_test.go b/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode_test.go index 70cb9df6b..7c12ed749 100644 --- a/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode_test.go +++ b/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode_test.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package client import ( + "context" "errors" "net/http" "testing" 
@@ -66,7 +67,7 @@ func TestGetNodeState(t *testing.T) { instanceViewErr: tc.getInstanceViewErr, }, } - gotState, err := client.GetNodeState(t.Context(), tc.providerID) + gotState, err := client.GetNodeState(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup_test.go b/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup_test.go index 2bef88541..1f9e1516d 100644 --- a/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup_test.go +++ b/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup_test.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package client import ( + "context" "errors" "testing" @@ -102,7 +103,7 @@ func TestGetScalingGroupImage(t *testing.T) { getErr: tc.getScaleSetErr, }, } - gotImage, err := client.GetScalingGroupImage(t.Context(), tc.scalingGroupID) + gotImage, err := client.GetScalingGroupImage(context.Background(), tc.scalingGroupID) if tc.wantErr { assert.Error(err) return @@ -154,7 +155,7 @@ func TestSetScalingGroupImage(t *testing.T) { resultErr: tc.resultErr, }, } - err := client.SetScalingGroupImage(t.Context(), tc.scalingGroupID, tc.imageURI) + err := client.SetScalingGroupImage(context.Background(), tc.scalingGroupID, tc.imageURI) if tc.wantErr { assert.Error(err) return @@ -290,7 +291,7 @@ func TestListScalingGroups(t *testing.T) { }, }, } - gotGroups, err := client.ListScalingGroups(t.Context(), "uid") + gotGroups, err := client.ListScalingGroups(context.Background(), "uid") if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/BUILD.bazel b/operators/constellation-node-operator/internal/cloud/gcp/client/BUILD.bazel index 72548055d..54100de98 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/BUILD.bazel 
+++ b/operators/constellation-node-operator/internal/cloud/gcp/client/BUILD.bazel @@ -29,6 +29,7 @@ go_library( "@com_github_spf13_afero//:afero", "@com_google_cloud_go_compute//apiv1", "@com_google_cloud_go_compute//apiv1/computepb", + "@org_golang_google_api//compute/v1:compute", "@org_golang_google_api//googleapi", "@org_golang_google_api//iterator", "@org_golang_google_protobuf//proto", @@ -61,6 +62,7 @@ go_test( "@com_github_stretchr_testify//require", "@com_google_cloud_go_compute//apiv1", "@com_google_cloud_go_compute//apiv1/computepb", + "@org_golang_google_api//compute/v1:compute", "@org_golang_google_api//googleapi", "@org_golang_google_api//iterator", "@org_golang_google_protobuf//proto", diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/api.go b/operators/constellation-node-operator/internal/cloud/gcp/client/api.go index 12966da9e..15c56ece5 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/api.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/api.go @@ -12,6 +12,7 @@ import ( compute "cloud.google.com/go/compute/apiv1" "cloud.google.com/go/compute/apiv1/computepb" "github.com/googleapis/gax-go/v2" + computeREST "google.golang.org/api/compute/v1" ) type projectAPI interface { 
@@ -27,13 +28,9 @@ type instanceAPI interface { } type instanceTemplateAPI interface { - Close() error - Get(ctx context.Context, req *computepb.GetInstanceTemplateRequest, - opts ...gax.CallOption) (*computepb.InstanceTemplate, error) - Delete(ctx context.Context, req *computepb.DeleteInstanceTemplateRequest, - opts ...gax.CallOption) (Operation, error) - Insert(ctx context.Context, req *computepb.InsertInstanceTemplateRequest, - opts ...gax.CallOption) (Operation, error) + Get(projectID, template string) (*computeREST.InstanceTemplate, error) + Delete(projectID, template string) (*computeREST.Operation, error) + Insert(projectID string, template *computeREST.InstanceTemplate) (*computeREST.Operation, error) } type instanceGroupManagersAPI interface { diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/client.go b/operators/constellation-node-operator/internal/cloud/gcp/client/client.go index aa0a46ae7..e9dbc3a4e 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/client.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/client.go @@ -14,6 +14,7 @@ import ( compute "cloud.google.com/go/compute/apiv1" "github.com/spf13/afero" + computeREST "google.golang.org/api/compute/v1" ) // Client is a client for the Google Compute Engine. 
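Review bot: The new `instanceTemplateAPI` methods take no `context.Context`, so the reconcile context that `SetScalingGroupImage`, `ListScalingGroups` and `getScalingGroupTemplate` still receive can no longer cancel or bound the template Get/Insert/Delete requests, whereas the gapic signatures being replaced carried `ctx`. The google.golang.org/api call builders accept a context before `Do()`, so the interface can keep it: `Get(ctx context.Context, projectID, template string) (*computeREST.InstanceTemplate, error)`, and likewise `Delete(ctx context.Context, projectID, template string)` and `Insert(ctx context.Context, projectID string, template *computeREST.InstanceTemplate)`. Since `Close()` is no longer part of the contract, implementations that still carry one should say in a comment why it is kept, or drop it.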
@@ -48,12 +49,17 @@ func New(ctx context.Context, configPath string) (*Client, error) { return nil, err } closers = append(closers, insAPI) - templAPI, err := compute.NewInstanceTemplatesRESTClient(ctx) + + // TODO(msanft): Go back to protobuf-based API when it supports setting + // a confidential instance type. + // See https://github.com/googleapis/google-cloud-go/issues/10873 for the current status. + restClient, err := computeREST.NewService(ctx) if err != nil { _ = closeAll(closers) return nil, err } - closers = append(closers, templAPI) + templAPI := computeREST.NewInstanceTemplatesService(restClient) + groupAPI, err := compute.NewInstanceGroupManagersRESTClient(ctx) if err != nil { _ = closeAll(closers) @@ -81,7 +87,6 @@ func (c *Client) Close() error { closers := []closer{ c.projectAPI, c.instanceAPI, - c.instanceTemplateAPI, c.instanceGroupManagersAPI, c.diskAPI, } diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/client_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/client_test.go index e7779453b..58816c561 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/client_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/client_test.go @@ -12,6 +12,7 @@ import ( compute "cloud.google.com/go/compute/apiv1" "cloud.google.com/go/compute/apiv1/computepb" "github.com/googleapis/gax-go/v2" + computeREST "google.golang.org/api/compute/v1" "google.golang.org/api/iterator" "google.golang.org/protobuf/proto" ) @@ -47,7 +48,7 @@ func (a stubInstanceAPI) Get(_ context.Context, _ *computepb.GetInstanceRequest, } type stubInstanceTemplateAPI struct { - template *computepb.InstanceTemplate + template *computeREST.InstanceTemplate getErr error deleteErr error insertErr error 
@@ -57,30 +58,16 @@ func (a stubInstanceTemplateAPI) Close() error { return nil } -func (a stubInstanceTemplateAPI) Get(_ context.Context, _ *computepb.GetInstanceTemplateRequest, - _ ...gax.CallOption, -) (*computepb.InstanceTemplate, error) { +func (a stubInstanceTemplateAPI) Get(_, _ string) (*computeREST.InstanceTemplate, error) { return a.template, a.getErr } -func (a stubInstanceTemplateAPI) Delete(_ context.Context, _ *computepb.DeleteInstanceTemplateRequest, - _ ...gax.CallOption, -) (Operation, error) { - return &stubOperation{ - &computepb.Operation{ - Name: proto.String("name"), - }, - }, a.deleteErr +func (a stubInstanceTemplateAPI) Delete(_, _ string) (*computeREST.Operation, error) { + return &computeREST.Operation{}, a.deleteErr } -func (a stubInstanceTemplateAPI) Insert(_ context.Context, _ *computepb.InsertInstanceTemplateRequest, - _ ...gax.CallOption, -) (Operation, error) { - return &stubOperation{ - &computepb.Operation{ - Name: proto.String("name"), - }, - }, a.insertErr +func (a stubInstanceTemplateAPI) Insert(_ string, _ *computeREST.InstanceTemplate) (*computeREST.Operation, error) { + return &computeREST.Operation{}, a.insertErr } type stubInstanceGroupManagersAPI struct { diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/gcpwrappers.go b/operators/constellation-node-operator/internal/cloud/gcp/client/gcpwrappers.go index 3d34efba7..da87f596c 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/gcpwrappers.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/gcpwrappers.go 
@@ -12,26 +12,27 @@ import ( compute "cloud.google.com/go/compute/apiv1" "cloud.google.com/go/compute/apiv1/computepb" "github.com/googleapis/gax-go/v2" + computeREST "google.golang.org/api/compute/v1" ) type instanceTemplateClient struct { - *compute.InstanceTemplatesClient + *computeREST.InstanceTemplatesService } func (c *instanceTemplateClient) Close() error { - return c.InstanceTemplatesClient.Close() + return nil // no-op } -func (c *instanceTemplateClient) Delete(ctx context.Context, req *computepb.DeleteInstanceTemplateRequest, - opts ...gax.CallOption, -) (Operation, error) { - return c.InstanceTemplatesClient.Delete(ctx, req, opts...) +func (c *instanceTemplateClient) Get(project, template string) (*computeREST.InstanceTemplate, error) { + return c.InstanceTemplatesService.Get(project, template).Do() } -func (c *instanceTemplateClient) Insert(ctx context.Context, req *computepb.InsertInstanceTemplateRequest, - opts ...gax.CallOption, -) (Operation, error) { - return c.InstanceTemplatesClient.Insert(ctx, req, opts...) +func (c *instanceTemplateClient) Delete(project, template string) (*computeREST.Operation, error) { + return c.InstanceTemplatesService.Delete(project, template).Do() +} + +func (c *instanceTemplateClient) Insert(projectID string, template *computeREST.InstanceTemplate) (*computeREST.Operation, error) { + return c.InstanceTemplatesService.Insert(projectID, template).Do() } type instanceGroupManagersClient struct { diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage_test.go index 0aff94c6e..8ce178dca 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage_test.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package client import ( + "context" "errors" "math/rand" "testing" 
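Review bot: `Insert` and `Delete` hand back the `*computeREST.Operation` from a bare `.Do()` and the wrapper offers no way to wait for it, although the gapic `Operation` this replaces exposed `Wait` and the caller used it before switching the instance group to the new template; the calls also run without a context, so they can be neither cancelled nor bounded. Give the wrapper a `GlobalOperationsService` handle, have `Insert` block until the operation reports `DONE` (surfacing `op.Error`), and pass the caller's ctx into each call builder; `New` then needs to construct it with `computeREST.NewGlobalOperationsService(restClient)` wherever it wraps the template service. Per the API docs a single `Wait` call returns after a bounded time even if the operation is still running, hence the loop below. `Close` returning nil is harmless but no longer required by the interface; a one-line comment on why it stays would avoid confusion.
```go
type instanceTemplateClient struct {
	*computeREST.InstanceTemplatesService
	globalOps *computeREST.GlobalOperationsService
}

func (c *instanceTemplateClient) Insert(ctx context.Context, projectID string, template *computeREST.InstanceTemplate) (*computeREST.Operation, error) {
	op, err := c.InstanceTemplatesService.Insert(projectID, template).Context(ctx).Do()
	if err != nil {
		return nil, err
	}
	// The insert is asynchronous; callers point instance groups at the new template, so return only once it exists.
	return c.waitForGlobalOperation(ctx, projectID, op)
}

// waitForGlobalOperation polls op until it reports DONE or ctx ends, then surfaces any operation error.
func (c *instanceTemplateClient) waitForGlobalOperation(ctx context.Context, projectID string, op *computeREST.Operation) (*computeREST.Operation, error) {
	for op.Status != "DONE" {
		var err error
		if op, err = c.globalOps.Wait(projectID, op.Name).Context(ctx).Do(); err != nil {
			return nil, err
		}
	}
	if op.Error != nil && len(op.Error.Errors) > 0 {
		return nil, fmt.Errorf("operation %q failed: %s", op.Name, op.Error.Errors[0].Message)
	}
	return op, nil
}
// … unchanged: Get and Delete wrappers (with ctx threaded into their call builders the same way) …
```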
@@ -100,7 +101,7 @@ func TestGetNodeImage(t *testing.T) { disk: tc.disk, }, } - gotImage, err := client.GetNodeImage(t.Context(), tc.providerID) + gotImage, err := client.GetNodeImage(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return @@ -161,7 +162,7 @@ func TestGetScalingGroupID(t *testing.T) { instance: &instance, }, } - gotScalingGroupID, err := client.GetScalingGroupID(t.Context(), tc.providerID) + gotScalingGroupID, err := client.GetScalingGroupID(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return @@ -220,7 +221,7 @@ func TestCreateNode(t *testing.T) { }, prng: rand.New(rand.NewSource(int64(time.Now().Nanosecond()))), } - instanceName, providerID, err := client.CreateNode(t.Context(), tc.scalingGroupID) + instanceName, providerID, err := client.CreateNode(context.Background(), tc.scalingGroupID) if tc.wantErr { assert.Error(err) return @@ -286,7 +287,7 @@ func TestDeleteNode(t *testing.T) { }, }, } - err := client.DeleteNode(t.Context(), tc.providerID) + err := client.DeleteNode(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode_test.go index e201d965a..5791d7fd4 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode_test.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package client import ( + "context" "errors" "net/http" "testing" @@ -107,7 +108,7 @@ func TestGetNodeState(t *testing.T) { }, }, } - nodeState, err := client.GetNodeState(t.Context(), tc.providerID) + nodeState, err := client.GetNodeState(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return 
diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/project_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/project_test.go index d3e9b64e0..cd0c90326 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/project_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/project_test.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package client import ( + "context" "errors" "testing" @@ -56,7 +57,7 @@ func TestCanonicalProjectID(t *testing.T) { getErr: tc.getProjectErr, }, } - gotID, err := client.canonicalProjectID(t.Context(), tc.projectID) + gotID, err := client.canonicalProjectID(context.Background(), tc.projectID) if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup.go b/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup.go index d5bef4ab7..3f10af753 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup.go @@ -16,6 +16,7 @@ import ( "github.com/edgelesssys/constellation/v2/internal/constants" updatev1alpha1 "github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/api/v1alpha1" cspapi "github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/internal/cloud/api" + computeREST "google.golang.org/api/compute/v1" "google.golang.org/api/iterator" ) 
@@ -49,29 +50,22 @@ func (c *Client) SetScalingGroupImage(ctx context.Context, scalingGroupID, image } // clone template with desired image - if instanceTemplate.Name == nil { + if instanceTemplate.Name == "" { return fmt.Errorf("instance template of scaling group %q has no name", scalingGroupID) } - instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage = &imageURI - newTemplateName, err := generateInstanceTemplateName(*instanceTemplate.Name) + instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage = imageURI + newTemplateName, err := generateInstanceTemplateName(instanceTemplate.Name) if err != nil { return err } - instanceTemplate.Name = &newTemplateName - op, err := c.instanceTemplateAPI.Insert(ctx, &computepb.InsertInstanceTemplateRequest{ - Project: project, - InstanceTemplateResource: instanceTemplate, - }) - if err != nil { + instanceTemplate.Name = newTemplateName + if _, err := c.instanceTemplateAPI.Insert(project, instanceTemplate); err != nil { return fmt.Errorf("cloning instance template: %w", err) } - if err := op.Wait(ctx); err != nil { - return fmt.Errorf("waiting for cloned instance template: %w", err) - } newTemplateURI := joinInstanceTemplateURI(project, newTemplateName) // update instance group manager to use new template - op, err = c.instanceGroupManagersAPI.SetInstanceTemplate(ctx, &computepb.SetInstanceTemplateInstanceGroupManagerRequest{ + op, err := c.instanceGroupManagersAPI.SetInstanceTemplate(ctx, &computepb.SetInstanceTemplateInstanceGroupManagerRequest{ InstanceGroupManager: instanceGroupName, Project: project, Zone: zone, 
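Review bot: The operation returned by `c.instanceTemplateAPI.Insert(project, instanceTemplate)` is discarded, and the `op.Wait(ctx)` that previously stood between cloning the template and `SetInstanceTemplate` is gone with nothing in its place, so the instance group manager can be pointed at `newTemplateURI` before the insert operation has completed; the gapic call being replaced was waited on for exactly that reason. Either keep the handle, `insertOp, err := c.instanceTemplateAPI.Insert(project, instanceTemplate)`, and wait on it through a global-operations wait exposed by the wrapper before the `SetInstanceTemplate` call, or make the wrapper's Insert itself block until the operation is `DONE`. The write to `instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage` just above is not guarded the way `instanceTemplateSourceImage` guards the corresponding read; unless the part of this function before the hunk already validates the template, a nil `Properties`/`InitializeParams` or empty `Disks` panics here. SetScalingGroupImage begins before the hunk.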
@@ -135,10 +129,7 @@ func (c *Client) ListScalingGroups(ctx context.Context, uid string) ([]cspapi.Sc if len(templateURI) < 1 { continue // invalid template URI } - template, err := c.instanceTemplateAPI.Get(ctx, &computepb.GetInstanceTemplateRequest{ - Project: c.projectID, - InstanceTemplate: templateURI[len(templateURI)-1], - }) + template, err := c.instanceTemplateAPI.Get(c.projectID, templateURI[len(templateURI)-1]) if err != nil { retErr = errors.Join(retErr, fmt.Errorf("getting instance template %q: %w", templateURI[len(templateURI)-1], err)) continue @@ -199,7 +190,7 @@ func (c *Client) ListScalingGroups(ctx context.Context, uid string) ([]cspapi.Sc return results, nil } -func (c *Client) getScalingGroupTemplate(ctx context.Context, scalingGroupID string) (*computepb.InstanceTemplate, error) { +func (c *Client) getScalingGroupTemplate(ctx context.Context, scalingGroupID string) (*computeREST.InstanceTemplate, error) { project, zone, instanceGroupName, err := splitInstanceGroupID(scalingGroupID) if err != nil { return nil, err 
@@ -219,22 +210,19 @@ func (c *Client) getScalingGroupTemplate(ctx context.Context, scalingGroupID str if err != nil { return nil, fmt.Errorf("splitting instance template name: %w", err) } - instanceTemplate, err := c.instanceTemplateAPI.Get(ctx, &computepb.GetInstanceTemplateRequest{ - InstanceTemplate: instanceTemplateName, - Project: instanceTemplateProject, - }) + instanceTemplate, err := c.instanceTemplateAPI.Get(instanceTemplateProject, instanceTemplateName) if err != nil { return nil, fmt.Errorf("getting instance template %q: %w", instanceTemplateName, err) } return instanceTemplate, nil } -func instanceTemplateSourceImage(instanceTemplate *computepb.InstanceTemplate) (string, error) { +func instanceTemplateSourceImage(instanceTemplate *computeREST.InstanceTemplate) (string, error) { if instanceTemplate.Properties == nil || len(instanceTemplate.Properties.Disks) == 0 || instanceTemplate.Properties.Disks[0].InitializeParams == nil || - instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage == nil { + instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage == "" { return "", errors.New("instance template has no source image") } - return uriNormalize(*instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage), nil + return uriNormalize(instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage), nil } diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup_test.go index d6d3a8325..01629951d 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup_test.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only package client import ( + "context" "errors" "testing" 
@@ -15,6 +16,7 @@ import ( cspapi "github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/internal/cloud/api" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + computeREST "google.golang.org/api/compute/v1" "google.golang.org/protobuf/proto" ) @@ -22,7 +24,7 @@ func TestGetScalingGroupImage(t *testing.T) { testCases := map[string]struct { scalingGroupID string instanceGroupManagerTemplateID *string - instanceTemplate *computepb.InstanceTemplate + instanceTemplate *computeREST.InstanceTemplate getInstanceGroupManagerErr error getInstanceTemplateErr error wantImage string @@ -31,12 +33,12 @@ func TestGetScalingGroupImage(t *testing.T) { "getting image works": { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Properties: &computepb.InstanceProperties{ - Disks: []*computepb.AttachedDisk{ + instanceTemplate: &computeREST.InstanceTemplate{ + Properties: &computeREST.InstanceProperties{ + Disks: []*computeREST.AttachedDisk{ { - InitializeParams: &computepb.AttachedDiskInitializeParams{ - SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image"), + InitializeParams: &computeREST.AttachedDiskInitializeParams{ + SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image", }, }, }, 
@@ -71,8 +73,8 @@ func TestGetScalingGroupImage(t *testing.T) { "instance template has no disks": { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Properties: &computepb.InstanceProperties{}, + instanceTemplate: &computeREST.InstanceTemplate{ + Properties: &computeREST.InstanceProperties{}, }, wantErr: true, }, @@ -95,7 +97,7 @@ func TestGetScalingGroupImage(t *testing.T) { template: tc.instanceTemplate, }, } - gotImage, err := client.GetScalingGroupImage(t.Context(), tc.scalingGroupID) + gotImage, err := client.GetScalingGroupImage(context.Background(), tc.scalingGroupID) if tc.wantErr { assert.Error(err) return @@ -111,7 +113,7 @@ func TestSetScalingGroupImage(t *testing.T) { scalingGroupID string imageURI string instanceGroupManagerTemplateID *string - instanceTemplate *computepb.InstanceTemplate + instanceTemplate *computeREST.InstanceTemplate getInstanceGroupManagerErr error getInstanceTemplateErr error setInstanceTemplateErr error 
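Review bot: The REST `AttachedDiskInitializeParams.SourceImage` field is a plain string and instanceTemplateSourceImage now rejects `SourceImage == ""`, but none of the visible cases exercises that branch — "instance template has no disks" stops at an empty `Properties`. Unless a case outside this hunk covers it, add one with a disk whose InitializeParams carries no SourceImage and `wantErr: true`, so the empty-string path (the REST equivalent of the old nil pointer) is pinned; the same case is worth adding to the TestSetScalingGroupImage table further down.
```go
// … unchanged: existing cases of the TestGetScalingGroupImage table …
"instance template has empty source image": {
	scalingGroupID:                 "projects/project/zones/zone/instanceGroupManagers/instance-group",
	instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"),
	instanceTemplate: &computeREST.InstanceTemplate{
		Properties: &computeREST.InstanceProperties{
			Disks: []*computeREST.AttachedDisk{
				{InitializeParams: &computeREST.AttachedDiskInitializeParams{}},
			},
		},
	},
	wantErr: true,
},
```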
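Review bot: Replacing `t.Context()` with `context.Background()` in `client.GetScalingGroupImage(context.Background(), tc.scalingGroupID)` gives up the end-of-test cancellation that t.Context provided: context.Background is never cancelled, so a goroutine that outlives its subtest is no longer unwound at cleanup and stays alive for the rest of the test binary. The same substitution is made in the -280 and -447 hunks of this file and in deploy_test.go, etcd_test.go, executor_test.go, poller_test.go, upgrade_test.go and scalinggroup_controller_test.go; for the plain table-driven calls this changes nothing, and the visible executor and poller tests stop their goroutines explicitly (`stopAndWait`, `wg.Wait`), so it is a robustness point rather than a failure. Where a started goroutine could survive an early `return`, `ctx, cancel := context.WithCancel(context.Background())` followed by `t.Cleanup(cancel)` keeps the old guarantee on toolchains without t.Context; the move presumably tracks the Go 1.23 pin kept in renovate.json5.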
@@ -122,13 +124,13 @@ func TestSetScalingGroupImage(t *testing.T) { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", imageURI: "projects/project/global/images/image-2", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Name: proto.String("instance-template"), - Properties: &computepb.InstanceProperties{ - Disks: []*computepb.AttachedDisk{ + instanceTemplate: &computeREST.InstanceTemplate{ + Name: "instance-template", + Properties: &computeREST.InstanceProperties{ + Disks: []*computeREST.AttachedDisk{ { - InitializeParams: &computepb.AttachedDiskInitializeParams{ - SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image-1"), + InitializeParams: &computeREST.AttachedDiskInitializeParams{ + SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image-1", }, }, }, @@ -139,13 +141,13 @@ func TestSetScalingGroupImage(t *testing.T) { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", imageURI: "projects/project/global/images/image", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Name: proto.String("instance-template"), - Properties: &computepb.InstanceProperties{ - Disks: []*computepb.AttachedDisk{ + instanceTemplate: &computeREST.InstanceTemplate{ + Name: "instance-template", + Properties: &computeREST.InstanceProperties{ + Disks: []*computeREST.AttachedDisk{ { - InitializeParams: &computepb.AttachedDiskInitializeParams{ - SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image"), + InitializeParams: &computeREST.AttachedDiskInitializeParams{ + SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image", }, }, }, 
@@ -181,8 +183,8 @@ func TestSetScalingGroupImage(t *testing.T) { "instance template has no disks": { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Properties: &computepb.InstanceProperties{}, + instanceTemplate: &computeREST.InstanceTemplate{ + Properties: &computeREST.InstanceProperties{}, }, wantErr: true, }, @@ -190,12 +192,12 @@ func TestSetScalingGroupImage(t *testing.T) { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", imageURI: "projects/project/global/images/image-2", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Properties: &computepb.InstanceProperties{ - Disks: []*computepb.AttachedDisk{ + instanceTemplate: &computeREST.InstanceTemplate{ + Properties: &computeREST.InstanceProperties{ + Disks: []*computeREST.AttachedDisk{ { - InitializeParams: &computepb.AttachedDiskInitializeParams{ - SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image-1"), + InitializeParams: &computeREST.AttachedDiskInitializeParams{ + SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image-1", }, }, }, 
@@ -207,13 +209,13 @@ func TestSetScalingGroupImage(t *testing.T) { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", imageURI: "projects/project/global/images/image-2", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Name: proto.String("instance-template-999999999999999999999"), - Properties: &computepb.InstanceProperties{ - Disks: []*computepb.AttachedDisk{ + instanceTemplate: &computeREST.InstanceTemplate{ + Name: "instance-template-999999999999999999999", + Properties: &computeREST.InstanceProperties{ + Disks: []*computeREST.AttachedDisk{ { - InitializeParams: &computepb.AttachedDiskInitializeParams{ - SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image-1"), + InitializeParams: &computeREST.AttachedDiskInitializeParams{ + SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image-1", }, }, }, 
@@ -225,13 +227,13 @@ func TestSetScalingGroupImage(t *testing.T) { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", imageURI: "projects/project/global/images/image-2", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Name: proto.String("instance-template"), - Properties: &computepb.InstanceProperties{ - Disks: []*computepb.AttachedDisk{ + instanceTemplate: &computeREST.InstanceTemplate{ + Name: "instance-template", + Properties: &computeREST.InstanceProperties{ + Disks: []*computeREST.AttachedDisk{ { - InitializeParams: &computepb.AttachedDiskInitializeParams{ - SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image-1"), + InitializeParams: &computeREST.AttachedDiskInitializeParams{ + SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image-1", }, }, }, @@ -244,13 +246,13 @@ func TestSetScalingGroupImage(t *testing.T) { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", imageURI: "projects/project/global/images/image-2", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Name: proto.String("instance-template"), - Properties: &computepb.InstanceProperties{ - Disks: []*computepb.AttachedDisk{ + instanceTemplate: &computeREST.InstanceTemplate{ + Name: "instance-template", + Properties: &computeREST.InstanceProperties{ + Disks: []*computeREST.AttachedDisk{ { - InitializeParams: &computepb.AttachedDiskInitializeParams{ - SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image-1"), + InitializeParams: &computeREST.AttachedDiskInitializeParams{ + SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image-1", }, }, }, 
@@ -280,7 +282,7 @@ func TestSetScalingGroupImage(t *testing.T) { template: tc.instanceTemplate, }, } - err := client.SetScalingGroupImage(t.Context(), tc.scalingGroupID, tc.imageURI) + err := client.SetScalingGroupImage(context.Background(), tc.scalingGroupID, tc.imageURI) if tc.wantErr { assert.Error(err) return @@ -447,15 +449,15 @@ func TestListScalingGroups(t *testing.T) { }, }, instanceTemplateAPI: &stubInstanceTemplateAPI{ - template: &computepb.InstanceTemplate{ - Properties: &computepb.InstanceProperties{ + template: &computeREST.InstanceTemplate{ + Properties: &computeREST.InstanceProperties{ Labels: tc.templateLabels, }, }, getErr: tc.templateGetErr, }, } - gotGroups, err := client.ListScalingGroups(t.Context(), "uid") + gotGroups, err := client.ListScalingGroups(context.Background(), "uid") if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/deploy/deploy_test.go b/operators/constellation-node-operator/internal/deploy/deploy_test.go index 505071ce5..d091714ae 100644 --- a/operators/constellation-node-operator/internal/deploy/deploy_test.go +++ b/operators/constellation-node-operator/internal/deploy/deploy_test.go @@ -86,7 +86,7 @@ func TestInitialResources(t *testing.T) { }, } scalingGroupGetter := newScalingGroupGetter(tc.items, tc.imageErr, tc.nameErr, tc.listErr) - err := InitialResources(t.Context(), k8sClient, &stubImageInfo{}, scalingGroupGetter, "uid") + err := InitialResources(context.Background(), k8sClient, &stubImageInfo{}, scalingGroupGetter, "uid") if tc.wantErr { assert.Error(err) return @@ -156,7 +156,7 @@ func TestCreateAutoscalingStrategy(t *testing.T) { require := require.New(t) k8sClient := &fakeK8sClient{createErr: tc.createErr} - err := createAutoscalingStrategy(t.Context(), k8sClient, "stub") + err := createAutoscalingStrategy(context.Background(), k8sClient, "stub") if tc.wantErr { assert.Error(err) return 
@@ -246,7 +246,7 @@ func TestCreateNodeVersion(t *testing.T) { if tc.existingNodeVersion != nil { k8sClient.createdObjects = append(k8sClient.createdObjects, tc.existingNodeVersion) } - err := createNodeVersion(t.Context(), k8sClient, "image-reference", "image-version") + err := createNodeVersion(context.Background(), k8sClient, "image-reference", "image-version") if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/etcd/etcd.go b/operators/constellation-node-operator/internal/etcd/etcd.go index 60f00a145..5f4e33c89 100644 --- a/operators/constellation-node-operator/internal/etcd/etcd.go +++ b/operators/constellation-node-operator/internal/etcd/etcd.go @@ -127,7 +127,7 @@ func getInitialEndpoints(k8sClient client.Client) ([]string, error) { } type etcdClient interface { - MemberList(ctx context.Context, opts ...clientv3.OpOption) (*clientv3.MemberListResponse, error) + MemberList(ctx context.Context) (*clientv3.MemberListResponse, error) MemberRemove(ctx context.Context, memberID uint64) (*clientv3.MemberRemoveResponse, error) Sync(ctx context.Context) error Close() error diff --git a/operators/constellation-node-operator/internal/etcd/etcd_test.go b/operators/constellation-node-operator/internal/etcd/etcd_test.go index b7c64f401..5775140cb 100644 --- a/operators/constellation-node-operator/internal/etcd/etcd_test.go +++ b/operators/constellation-node-operator/internal/etcd/etcd_test.go @@ -54,7 +54,7 @@ func TestRemoveEtcdMemberFromCluster(t *testing.T) { }, listErr: tc.memberListErr, }} - err := client.RemoveEtcdMemberFromCluster(t.Context(), tc.vpcIP) + err := client.RemoveEtcdMemberFromCluster(context.Background(), tc.vpcIP) if tc.wantErr { assert.Error(err) return 
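Review bot: Narrowing `etcdClient.MemberList` to `MemberList(ctx context.Context) (*clientv3.MemberListResponse, error)` ties this interface to a go.etcd.io/etcd/client/v3 release whose Cluster.MemberList has no variadic options; the matching go.mod change is not in this view, and with a clientv3 whose method still takes `opts ...clientv3.OpOption` the concrete client would no longer satisfy the interface at the point it is assigned, since Go requires exact signature matches. A one-line comment would make that coupling explicit, e.g. `// etcdClient is the subset of clientv3.Client used here; its signatures must match the pinned client/v3 version.`. The stub in etcd_test.go (hunk at -185) is updated consistently.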
@@ -98,7 +98,7 @@ func TestGetMemberID(t *testing.T) { members: tc.members, listErr: tc.memberListErr, }} - gotMemberID, err := client.getMemberID(t.Context(), "192.0.2.1") + gotMemberID, err := client.getMemberID(context.Background(), "192.0.2.1") if tc.wantErr { assert.Error(err) return @@ -185,7 +185,7 @@ type stubEtcdClient struct { closeErr error } -func (c *stubEtcdClient) MemberList(_ context.Context, _ ...clientv3.OpOption) (*clientv3.MemberListResponse, error) { +func (c *stubEtcdClient) MemberList(_ context.Context) (*clientv3.MemberListResponse, error) { return &clientv3.MemberListResponse{ Members: c.members, }, c.listErr diff --git a/operators/constellation-node-operator/internal/executor/executor_test.go b/operators/constellation-node-operator/internal/executor/executor_test.go index adb14546f..328425f26 100644 --- a/operators/constellation-node-operator/internal/executor/executor_test.go +++ b/operators/constellation-node-operator/internal/executor/executor_test.go @@ -29,7 +29,7 @@ func TestStartTriggersImmediateReconciliation(t *testing.T) { } exec := New(ctrl, cfg) // on start, the executor should trigger a reconciliation - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called ctrl.stop <- struct{}{} @@ -48,10 +48,10 @@ func TestStartMultipleTimesIsCoalesced(t *testing.T) { } exec := New(ctrl, cfg) // start once - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) // start again multiple times for i := 0; i < 10; i++ { - _ = exec.Start(t.Context()) + _ = exec.Start(context.Background()) } <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called 
@@ -72,7 +72,7 @@ func TestErrorTriggersImmediateReconciliation(t *testing.T) { RateLimiter: &stubRateLimiter{}, // no rate limiting } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) for i := 0; i < 10; i++ { <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called } @@ -96,7 +96,7 @@ func TestErrorTriggersRateLimiting(t *testing.T) { }, } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called once to trigger rate limiting ctrl.stop <- struct{}{} @@ -120,7 +120,7 @@ func TestRequeueAfterResultRequeueInterval(t *testing.T) { }, } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) for i := 0; i < 10; i++ { <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called } @@ -143,7 +143,7 @@ func TestExternalTrigger(t *testing.T) { }, } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) <-ctrl.waitUntilReconciled // initial trigger for i := 0; i < 10; i++ { exec.Trigger() @@ -167,7 +167,7 @@ func TestSimultaneousExternalTriggers(t *testing.T) { }, } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) <-ctrl.waitUntilReconciled // initial trigger for i := 0; i < 100; i++ { exec.Trigger() // extra trigger calls are coalesced @@ -184,7 +184,7 @@ func TestSimultaneousExternalTriggers(t *testing.T) { func TestContextCancel(t *testing.T) { assert := assert.New(t) - ctx, cancel := context.WithCancel(t.Context()) + ctx, cancel := context.WithCancel(context.Background()) ctrl := newStubController(Result{}, nil) cfg := Config{ PollingFrequency: time.Hour * 24 * 365, // 1 year. Should be high enough to not trigger the timer in the test. 
@@ -219,7 +219,7 @@ func TestRequeueAfterPollingFrequency(t *testing.T) { }, } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) for i := 0; i < 10; i++ { <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called } diff --git a/operators/constellation-node-operator/internal/poller/poller_test.go b/operators/constellation-node-operator/internal/poller/poller_test.go index a51edd03b..e60564150 100644 --- a/operators/constellation-node-operator/internal/poller/poller_test.go +++ b/operators/constellation-node-operator/internal/poller/poller_test.go @@ -49,17 +49,17 @@ func TestResult(t *testing.T) { pollErr: tc.pollErr, resultErr: tc.resultErr, }) - _, firstErr := poller.Result(t.Context()) + _, firstErr := poller.Result(context.Background()) if tc.wantErr { assert.Error(firstErr) // calling Result again should return the same error - _, secondErr := poller.Result(t.Context()) + _, secondErr := poller.Result(context.Background()) assert.Equal(firstErr, secondErr) return } assert.NoError(firstErr) // calling Result again should still not return an error - _, secondErr := poller.Result(t.Context()) + _, secondErr := poller.Result(context.Background()) assert.NoError(secondErr) }) } @@ -136,7 +136,7 @@ func TestPollUntilDone(t *testing.T) { wg.Add(1) go func() { defer wg.Done() - gotResult, gotErr = poller.PollUntilDone(t.Context(), &PollUntilDoneOptions{ + gotResult, gotErr = poller.PollUntilDone(context.Background(), &PollUntilDoneOptions{ MaxBackoff: tc.maxBackoff, Clock: clock, }) diff --git a/operators/constellation-node-operator/internal/upgrade/upgrade_test.go b/operators/constellation-node-operator/internal/upgrade/upgrade_test.go index 417e2fd3d..394ffc54d 100644 --- a/operators/constellation-node-operator/internal/upgrade/upgrade_test.go +++ b/operators/constellation-node-operator/internal/upgrade/upgrade_test.go 
@@ -40,7 +40,7 @@ func TestGRPCDialer(t *testing.T) { require.Equal(os.ModeSocket, fileInfo.Mode()&os.ModeType) upgradeClient := newClientWithAddress(sockAddr) - require.NoError(upgradeClient.Upgrade(t.Context(), []*components.Component{}, "v1.29.6")) + require.NoError(upgradeClient.Upgrade(context.Background(), []*components.Component{}, "v1.29.6")) } type fakeUpgradeAgent struct { diff --git a/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_test.go b/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_test.go index df90901c9..5f312d97b 100644 --- a/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_test.go +++ b/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_test.go @@ -88,7 +88,7 @@ func TestCreateScalingGroupIfNotExists(t *testing.T) { autoscalingGroupName: "autoscaling-group-name", role: updatev1alpha1.WorkerRole, } - err := createScalingGroupIfNotExists(t.Context(), newScalingGroupConfig) + err := createScalingGroupIfNotExists(context.Background(), newScalingGroupConfig) if tc.wantErr { assert.Error(err) return @@ -184,7 +184,7 @@ func TestPatchNodeGroupName(t *testing.T) { getErr: tc.getErr, updateErr: tc.updateErr, } - gotExists, gotErr := patchNodeGroupName(t.Context(), k8sClient, "resource-name", "node-group-name") + gotExists, gotErr := patchNodeGroupName(context.Background(), k8sClient, "resource-name", "node-group-name") if tc.wantErr { assert.Error(gotErr) return diff --git a/renovate.json5 b/renovate.json5 index cba66f393..8424d5473 100644 --- a/renovate.json5 +++ b/renovate.json5 
@@ -1,418 +1,303 @@ { - $schema: 'https://docs.renovatebot.com/renovate-schema.json', - extends: [ - 'config:recommended', - ':preserveSemverRanges', - 'helpers:pinGitHubActionDigests', - ':separateMajorReleases', - ':semanticCommitsDisabled', + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended", + ":preserveSemverRanges", + "helpers:pinGitHubActionDigests", + ":separateMajorReleases", + ":semanticCommitsDisabled", ], - commitMessagePrefix: 'deps:', - commitMessageAction: 'update', - addLabels: [ - 'dependencies' - ], - postUpdateOptions: [ - 'gomodTidy', - 'gomodUpdateImportPaths', - 'gomodMassage' - ], - ignorePaths: [ - 'internal/constellation/helm/charts/aws-load-balancer-controller/**', - 'internal/constellation/helm/charts/cilium/**', - 'internal/constellation/helm/charts/coredns/**', - 'internal/constellation/helm/charts/edgeless/csi/charts/aws-csi-driver/**', - 'internal/constellation/helm/charts/edgeless/csi/charts/azuredisk-csi-driver/**', - 'internal/constellation/helm/charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/**', - 'internal/constellation/helm/charts/edgeless/csi/charts/openstack-cinder-csi/**', - 'operators/constellation-node-operator/config/manager/kustomization.yaml', - ], - ignoreDeps: [ - 'github.com/edgelesssys/constellation/v2', - 'github.com/daniel-weisse/go-cryptsetup', - // Only update once they fixed dependency violations on their side. 
- 'github.com/google/go-tpm-tools', + "commitMessagePrefix": "deps:", + "commitMessageAction": "update", + "addLabels": ["dependencies"], + "postUpdateOptions": ["gomodTidy", "gomodUpdateImportPaths"], + "prConcurrentLimit": 4, + "ignorePaths": [ + "internal/constellation/helm/charts/cilium/**", + "internal/constellation/helm/charts/edgeless/csi/charts/aws-csi-driver/**", + "internal/constellation/helm/charts/edgeless/csi/charts/azuredisk-csi-driver/**", + "internal/constellation/helm/charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/**", + "internal/constellation/helm/charts/edgeless/csi/charts/openstack-cinder-csi/**", + "operators/constellation-node-operator/config/manager/kustomization.yaml", ], + "ignoreDeps": ["github.com/edgelesssys/constellation/v2"], // Rules for changing renovates behaviour for different packages. // The documentation for configuration options can be found here: // https://docs.renovatebot.com/configuration-options/ - packageRules: [ + "packageRules": [ { - matchManagers: [ - 'gomod' + "matchManagers": ["gomod"], + "matchDepTypes": ["indirect"], + "matchUpdateTypes": [ + "minor", + "patch", + "pin", + "pinDigest", + "digest", + "lockFileMaintenance", + "rollback", + "bump", ], - matchDepTypes: [ - 'indirect' - ], - matchUpdateTypes: [ - 'minor', - 'patch', - 'pin', - 'pinDigest', - 'digest', - 'lockFileMaintenance', - 'rollback', - 'bump', - ], - enabled: true, - prPriority: -30, + "enabled": true, + "prPriority": -30, }, { // Group update of direct Go dependencies. - groupName: 'Go dependencies', - matchManagers: [ - 'gomod' - ], - matchDepTypes: [ - 'require', - 'replace' - ], - matchUpdateTypes: [ - 'bump', - 'digest', - 'lockFileMaintenance', - 'minor', - 'patch', - 'pin', - 'pinDigest', - 'rollback', - ], - matchDepNames: [ - '!github.com/bazelbuild/rules_go', - ], - schedule: [ - 'before 8am on monday', - ], - }, - { - // Group update of rules_go dependencies. 
- groupName: 'rules_go dependencies', - matchManagers: [ - 'gomod', - 'bazel', - 'bazel-module', - ], - matchDepNames: [ - 'github.com/bazelbuild/rules_go', - 'io_bazel_rules_go', - 'rules_go', - ], - schedule: [ - 'before 8am on tuesday', + "groupName": "Go dependencies", + "matchManagers": ["gomod"], + "matchDepTypes": ["require"], + "matchUpdateTypes": [ + "bump", + "digest", + "lockFileMaintenance", + "minor", + "patch", + "pin", + "pinDigest", + "rollback", ], + "schedule": ["before 8am on monday"], }, { // Group update of Terraform dependencies. - groupName: 'Terraform dependencies', - matchManagers: [ - 'terraform' - ], - matchUpdateTypes: [ - 'bump', - 'digest', - 'lockFileMaintenance', - 'minor', - 'patch', - 'pin', - 'pinDigest', - 'rollback', - ], - schedule: [ - 'before 8am on wednesday', + "groupName": "Terraform dependencies", + "matchManagers": ["terraform"], + "matchUpdateTypes": [ + "bump", + "digest", + "lockFileMaintenance", + "minor", + "patch", + "pin", + "pinDigest", + "rollback", ], + "schedule": ["before 8am on wednesday"], }, { - matchManagers: [ - 'bazelisk', - 'bazel', - 'bazel-module', - ], - matchDepNames: [ - 'bazel', - 'bazel_gazelle', - 'gazelle', - ], - groupName: 'bazel (core)', + "matchManagers": ["bazelisk", "bazel", "bazel-module"], + "matchDepNames": ["bazel", "io_bazel_rules_go", "bazel_gazelle", "rules_go", "gazelle"], + "groupName": "bazel (core)", }, { - matchManagers: [ - 'bazel', + "matchManagers": ["bazel"], + "matchDepNames": [ + "!bazel", + "!io_bazel_rules_go", + "!bazel_gazelle", + "!rules_go", + "!gazelle", ], - matchDepNames: [ - '!bazel', - '!io_bazel_rules_go', - '!bazel_gazelle', - '!rules_go', - '!gazelle', - ], - groupName: 'bazel (plugins)', + "groupName": "bazel (plugins)", }, { - matchManagers: [ - 'bazel-module' + "matchManagers": ["bazel-module"], + "matchDepNames": [ + "!bazel", + "!io_bazel_rules_go", + "!bazel_gazelle", + "!rules_go", + "!gazelle", ], - matchDepNames: [ - '!bazel', - 
'!io_bazel_rules_go', - '!bazel_gazelle', - '!rules_go', - '!gazelle', - ], - groupName: 'bazel (modules)', + "groupName": "bazel (modules)", }, { - matchDatasources: [ - 'golang-version' - ], - allowedVersions: '1.23', + "matchDatasources": ["golang-version"], + "allowedVersions": "1.23", }, { - matchManagers: [ - 'pip_requirements' - ], - groupName: 'Python dependencies', + "matchManagers": ["pip_requirements"], + "groupName": "Python dependencies", }, { - matchManagers: [ - 'github-actions' - ], - groupName: 'GitHub action dependencies', - matchUpdateTypes: [ - 'major', - 'minor', - 'patch', - 'pin', - 'pinDigest', - 'digest', - 'lockFileMaintenance', - 'rollback', - 'bump', - ], - schedule: [ - 'before 8am on tuesday' + "matchManagers": ["github-actions"], + "groupName": "GitHub action dependencies", + "matchUpdateTypes": [ + "major", + "minor", + "patch", + "pin", + "pinDigest", + "digest", + "lockFileMaintenance", + "rollback", + "bump", ], + "schedule": ["before 8am on tuesday"], }, { - matchDepNames: [ - 'kubernetes/kubernetes' + "matchDepNames": ["kubernetes/kubernetes"], + // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) + "versioning": "regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$", + "groupName": "Kubernetes versions", + "prPriority": 15, + }, + { + "matchDepNames": [ + "registry.k8s.io/provider-aws/cloud-controller-manager", ], // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) - versioning: 'regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$', - groupName: 'Kubernetes versions', - prPriority: 15, + "versioning": "regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$", + "groupName": "K8s constrained AWS versions", + "prPriority": 15, }, { - matchDepNames: [ - 'registry.k8s.io/provider-aws/cloud-controller-manager', + "matchDepNames": [ + "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager", + "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager", ], // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) - versioning: 
'regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$', - groupName: 'K8s constrained AWS versions', - prPriority: 15, + "versioning": "regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$", + "groupName": "K8s constrained Azure versions", + "prPriority": 15, }, { - matchDepNames: [ - 'mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager', - 'mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager', + "matchDepNames": [ + "docker.io/k8scloudprovider/openstack-cloud-controller-manager", ], // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) - versioning: 'regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$', - groupName: 'K8s constrained Azure versions', - prPriority: 15, + "versioning": "regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$", + "groupName": "K8s constrained OpenStack versions", + "prPriority": 15, }, { - matchDepNames: [ - 'docker.io/k8scloudprovider/openstack-cloud-controller-manager', - ], + "matchDepNames": ["registry.k8s.io/autoscaling/cluster-autoscaler"], // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) - versioning: 'regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$', - groupName: 'K8s constrained OpenStack versions', - prPriority: 15, + "versioning": "regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$", + "groupName": "K8s constrained GCP versions", + "prPriority": 15, }, { - matchDepNames: [ - 'registry.k8s.io/autoscaling/cluster-autoscaler' - ], - // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) - versioning: 'regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$', - groupName: 'K8s constrained GCP versions', - prPriority: 15, - }, - { - matchDepNames: [ - 'ghcr.io/edgelesssys/cloud-provider-gcp' - ], + "matchDepNames": ["ghcr.io/edgelesssys/cloud-provider-gcp"], // example match: v1.2.3 (1. 
-> compatibility, 2 -> minor, 3 -> patch) - versioning: 'regex:^(?v\\d+\\.)(?\\d+)\\.(?\\d+)$', - groupName: 'cloud-provider-gcp (K8s version constrained)', - prPriority: 15, + "versioning": "regex:^(?v\\d+\\.)(?\\d+)\\.(?\\d+)$", + "groupName": "cloud-provider-gcp (K8s version constrained)", + "prPriority": 15, }, { - matchPackageNames: [ - 'ghcr.io/edgelesssys/{/,}**', - '!ghcr.io/edgelesssys/cloud-provider-gcp', - '!ghcr.io/edgelesssys/constellation/s3proxy', - ], - versioning: 'semver', + "matchPackagePrefixes": ["ghcr.io/edgelesssys/"], + "excludePackageNames": ["ghcr.io/edgelesssys/cloud-provider-gcp"], + "versioning": "semver", // Allow packages of ghcr.io/edgelesssys to update to unstable prereleases. // This is necessary because renovate will not update minor versions of // containers that are already tagged as a prerelease in the code // if this is not set. - ignoreUnstable: false, - groupName: 'Constellation containers', - prPriority: 20, - schedule: [ - 'before 8am on thursday' - ], + "ignoreUnstable": false, + "groupName": "Constellation containers", + "prPriority": 20, + "schedule": ["before 8am on thursday"], }, { - matchDepNames: [ - 'registry.k8s.io/kas-network-proxy/proxy-agent', - 'registry.k8s.io/kas-network-proxy/proxy-server', + "matchDepNames": [ + "registry.k8s.io/kas-network-proxy/proxy-agent", + "registry.k8s.io/kas-network-proxy/proxy-server", ], - versioning: 'semver', - groupName: 'K8s version independent containers', - prPriority: 15, + "versioning": "semver", + "groupName": "K8s version independent containers", + "prPriority": 15, }, { - matchDepNames: [ - '^k8s.io/client-go' - ], - matchUpdateTypes: [ - 'major' - ], - enabled: false, + "matchDepNames": ["^k8s.io/client-go"], + "matchUpdateTypes": ["major"], + "enabled": false, }, { - matchCategories: [ - 'python', - 'js', - 'node' - ], - prPriority: -20, + "matchCategories": ["python", "js", "node"], + "prPriority": -20, }, { - matchManagers: [ - 'github-actions' - ], - 
matchDepNames: [ - 'slsa-framework/slsa-github-generator' - ], - pinDigests: false, + "matchManagers": ["github-actions"], + "matchDepNames": ["slsa-framework/slsa-github-generator"], + "pinDigests": false, }, { - additionalBranchPrefix: '{{packageName}}-', - groupName: '{{packageName}}', - matchDepNames: [ - '/_(darwin|linux)_(arm64|amd64)$/', - ], + "matchDepPatterns": ["_(darwin|linux)_(arm64|amd64)$"], + "additionalBranchPrefix": "{{packageName}}-", + "groupName": "{{packageName}}", }, ], // Regex Managers allow detection of other versions in files that renovate // cannot parse by default. For more information, look at // https://docs.renovatebot.com/modules/manager/regex/ . - customManagers: [ + "regexManagers": [ { - customType: 'regex', - fileMatch: [ - '(^|\\/)versions.go$' - ], - matchStrings: [ + "fileMatch": ["(^|\\/)versions.go$"], + "matchStrings": [ // Match all container packages. // example match:' "registry.io/owner/foo/bar:v1.2.3@sha256:somehash" // renovate:container' // (registry.io/owner/foo/bar -> depName, v1.2.3 -> currentValue, sha256:somehash -> currentDigest) - ' \"(?[^\"]*?):(?[^\"]*?)@(?sha256:[a-f0-9]+)\"[^\\n]+\\/\\/ renovate:container', + " \"(?[^\"]*?):(?[^\"]*?)@(?sha256:[a-f0-9]+)\"[^\\n]+\\/\\/ renovate:container", ], - datasourceTemplate: 'docker', + "datasourceTemplate": "docker", }, { - customType: 'regex', - fileMatch: [ - '(^|\\/)versions.go$' - ], - matchStrings: [ + "fileMatch": ["(^|\\/)versions.go$"], + "matchStrings": [ // Match kubernetes releases. 
- // example match:' "https://dl.k8s.io/v1.2.3/foo" // renovate:kubernetes-release' + // example match:' "https://storage.googleapis.com/kubernetes-release/release/v1.2.3/foo" // renovate:kubernetes-release' // (v1.2.3 -> currentValue) - ' \"https:\\/\\/dl\\.k8s\\.io\\/(?[^\\/\\s\"]+)\\/[^\"]+\"[^\\n]+\\/\\/ renovate:kubernetes-release', + " \"https:\\/\\/storage\\.googleapis\\.com\\/kubernetes-release\\/release\\/(?[^\\/\\s\"]+)\\/[^\"]+\"[^\\n]+\\/\\/ renovate:kubernetes-release", // Match kubernetes releases. // example match:' " "v1.2.3" // renovate:kubernetes-release"' // (v1.2.3 -> currentValue) - ' \"(?v\\d+\\.\\d+\\.\\d+)\"[^\\n]+\\/\\/ renovate:kubernetes-release', + " \"(?v\\d+\\.\\d+\\.\\d+)\"[^\\n]+\\/\\/ renovate:kubernetes-release", ], - depNameTemplate: 'kubernetes/kubernetes', - datasourceTemplate: 'github-releases', + "depNameTemplate": "kubernetes/kubernetes", + "datasourceTemplate": "github-releases", }, { - customType: 'regex', - fileMatch: [ - '(^|\\/)versions.go$', - '[.]github\\/(actions|workflows)\\/.*[.]ya?ml' - ], - matchStrings: [ + "fileMatch": ["(^|\\/)versions.go$", "[.]github\\/(actions|workflows)\\/.*[.]ya?ml"], + "matchStrings": [ // Match github releases. // example match:' "https://github.com/foo/bar/releases/download/v1.2.3/foo.bin" // renovate:github-release' // (foo/bar -> depName, v1.2.3 -> currentValue) - 'https:\\/\\/github\\.com\\/(?[^\\/\\s\"]+\\/[^\\/\\s\"]+)\\/releases\\/download\\/(?[^\\/\\s\"]+).*renovate:github-release', + "https:\\/\\/github\\.com\\/(?[^\\/\\s\"]+\\/[^\\/\\s\"]+)\\/releases\\/download\\/(?[^\\/\\s\"]+).*renovate:github-release", ], - datasourceTemplate: 'github-releases', + "datasourceTemplate": "github-releases", }, { - customType: 'regex', - fileMatch: [ - '(^|\\/)versions.go$' - ], - matchStrings: [ + "fileMatch": ["(^|\\/)versions.go$"], + "matchStrings": [ // Match kubernetes cri-tools releases (https://github.com/kubernetes-sigs/cri-tools). 
// example Match:' "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.2.3/foo"' // (v1.2.3 -> currentValue) - ' \"https:\\/\\/github\\.com\\/kubernetes-sigs\\/cri-tools\\/releases\\/download\\/(?[^\\/\\s\"]+)\\/[^\"]+\"', + " \"https:\\/\\/github\\.com\\/kubernetes-sigs\\/cri-tools\\/releases\\/download\\/(?[^\\/\\s\"]+)\\/[^\"]+\"", ], - depNameTemplate: 'kubernetes-sigs/cri-tools', - datasourceTemplate: 'github-releases', - autoReplaceStringTemplate: ' \"https://github.com/kubernetes-sigs/cri-tools/releases/download/{{{newValue}}}/crictl-{{{newValue}}}-linux-amd64.tar.gz\"', + "depNameTemplate": "kubernetes-sigs/cri-tools", + "datasourceTemplate": "github-releases", + "autoReplaceStringTemplate": " \"https://github.com/kubernetes-sigs/cri-tools/releases/download/{{{newValue}}}/crictl-{{{newValue}}}-linux-amd64.tar.gz\"", }, { - customType: 'regex', - fileMatch: [ - 'versions.go$' - ], - matchStrings: [ + "fileMatch": ["versions.go$"], + "matchStrings": [ // Match containernetworking plugin releases (https://github.com/containernetworking/plugins). 
// example Match:' "https://github.com/containernetworking/plugins/releases/download/v1.2.3/foo"' // (v1.2.3 -> currentValue) - ' \"https:\\/\\/github\\.com\\/containernetworking\\/plugins\\/releases\\/download\\/(?[^\\/\\s\"]+)\\/[^\"]+\"', + " \"https:\\/\\/github\\.com\\/containernetworking\\/plugins\\/releases\\/download\\/(?[^\\/\\s\"]+)\\/[^\"]+\"", ], - depNameTemplate: 'containernetworking/plugins', - datasourceTemplate: 'github-releases', - autoReplaceStringTemplate: ' \"https://github.com/containernetworking/plugins/releases/download/{{{newValue}}}/cni-plugins-linux-amd64-{{{newValue}}}.tgz\"', + "depNameTemplate": "containernetworking/plugins", + "datasourceTemplate": "github-releases", + "autoReplaceStringTemplate": " \"https://github.com/containernetworking/plugins/releases/download/{{{newValue}}}/cni-plugins-linux-amd64-{{{newValue}}}.tgz\"", }, { - customType: 'regex', - fileMatch: [ - '\\.yaml$', - '\\.yml$' - ], - matchStrings: [ + "fileMatch": ["\\.yaml$", "\\.yml$"], + "matchStrings": [ // Match `go install` commands. - // example Match: 'go install foo.bar@0000000000000000000000000000000000000000' + // example Match: "go install foo.bar@0000000000000000000000000000000000000000" // (foo.bar -> depName, 0000000000000000000000000000000000000000 -> currentValue) - 'go install (?[^@]+?)@(?[0-9a-f]{40})', + "go install (?[^@]+?)@(?[0-9a-f]{40})", ], - datasourceTemplate: 'go', + "datasourceTemplate": "go", }, { - customType: 'regex', - fileMatch: [ - '(^|\\/)e2e_s3proxy/action.yml$' - ], - matchStrings: [ + "fileMatch": ["(^|\\/)e2e_s3proxy/action.yml$"], + "matchStrings": [ // Match mint tags (ghcr.io/edgelesssys/mint). 
// example Match:' "ghcr.io/edgelesssys/mint:v1.2.3"' // (ghcr.io/edgelesssys/mint -> depName, v1.2.3 -> currentValue) - 'IMAGE: \"(?[^\"]*?):(?[^\"]*?)@(?sha256:[a-f0-9]+)\"[^\\n]+# renovate:mint-fork', + "IMAGE: \"(?[^\"]*?):(?[^\"]*?)@(?sha256:[a-f0-9]+)\"[^\\n]+# renovate:mint-fork", ], - datasourceTemplate: 'docker', + "datasourceTemplate": "docker", }, ], } diff --git a/rfc/016-node-access.md b/rfc/016-node-access.md index abc495400..0c6875c48 100644 --- a/rfc/016-node-access.md +++ b/rfc/016-node-access.md @@ -1,3 +1,7 @@ +--- +status: approved, not implemented +--- + # RFC 016: Node Access ## Background diff --git a/s3proxy/deploy/deployment-s3proxy.yaml b/s3proxy/deploy/deployment-s3proxy.yaml index 73c7bf098..aa8e4b1f0 100644 --- a/s3proxy/deploy/deployment-s3proxy.yaml +++ b/s3proxy/deploy/deployment-s3proxy.yaml @@ -72,7 +72,7 @@ spec: spec: containers: - name: s3proxy - image: ghcr.io/edgelesssys/constellation/s3proxy:v2.23.0 + image: ghcr.io/edgelesssys/constellation/s3proxy:v2.13.0-pre args: - "--level=-1" ports: diff --git a/s3proxy/deploy/s3proxy/Chart.yaml b/s3proxy/deploy/s3proxy/Chart.yaml index f07afba51..61d62946b 100644 --- a/s3proxy/deploy/s3proxy/Chart.yaml +++ b/s3proxy/deploy/s3proxy/Chart.yaml @@ -2,4 +2,4 @@ apiVersion: v2 name: s3proxy description: Helm chart to deploy s3proxy. type: application -version: 0.0.0 +version: 2.20.0 diff --git a/s3proxy/deploy/s3proxy/values.yaml b/s3proxy/deploy/s3proxy/values.yaml index d70f349e3..60f9b7717 100644 --- a/s3proxy/deploy/s3proxy/values.yaml +++ b/s3proxy/deploy/s3proxy/values.yaml @@ -1,12 +1,9 @@ # Secrets to use for S3 access. awsAccessKeyID: "replaceme" awsSecretAccessKey: "replaceme" - # Pod image to deploy. -image: "ghcr.io/edgelesssys/constellation/s3proxy:v2.23.1" - +image: "ghcr.io/edgelesssys/constellation/s3proxy:v2.20.0" # Control if multipart uploads are blocked. allowMultipart: false - # Number of pod replicas to deploy. replicaCount: 1 
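Review bot: The plain manifest now pins `s3proxy:v2.13.0-pre` while `s3proxy/deploy/s3proxy/values.yaml` in the same change pins `s3proxy:v2.20.0` and `Chart.yaml` is set to `2.20.0`, so the two deploy paths in this directory ship different s3proxy builds, one of them a pre-release tag. Unless the pre-release is deliberate, align the manifest with the chart: `image: ghcr.io/edgelesssys/constellation/s3proxy:v2.20.0`. Both references are tag-only, so the image stays mutable; appending a `@sha256:` digest would let the deployed s3proxy be checked against the published release.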
diff --git a/s3proxy/internal/kms/kms_test.go b/s3proxy/internal/kms/kms_test.go
index f506d0a42..cd831ddc4 100644
--- a/s3proxy/internal/kms/kms_test.go
+++ b/s3proxy/internal/kms/kms_test.go
@@ -60,7 +60,7 @@ func TestGetDataKey(t *testing.T) {
client.grpc = tc.client
- res, err := client.GetDataKey(t.Context(), "disk-uuid", 32)
+ res, err := client.GetDataKey(context.Background(), "disk-uuid", 32)
if tc.wantErr {
assert.Error(err)
} else {
diff --git a/terraform-provider-constellation/docs/resources/cluster.md b/terraform-provider-constellation/docs/resources/cluster.md
index a88026a23..c2a322582 100644
--- a/terraform-provider-constellation/docs/resources/cluster.md
+++ b/terraform-provider-constellation/docs/resources/cluster.md
@@ -69,7 +69,7 @@ resource "constellation_cluster" "azure_example" {
See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview/clouds) that Constellation supports.
- `image` (Attributes) Constellation OS Image to use on the nodes. (see [below for nested schema](#nestedatt--image))
- `init_secret` (String) Secret used for initialization of the cluster.
-- `kubernetes_version` (String) The Kubernetes version to use for the cluster. The supported versions are [v1.29.15 v1.30.13 v1.31.9].
+- `kubernetes_version` (String) The Kubernetes version to use for the cluster. The supported versions are [v1.28.15 v1.29.11 v1.30.7].
- `master_secret` (String) Hex-encoded 32-byte master secret for the cluster.
- `master_secret_salt` (String) Hex-encoded 32-byte master secret salt for the cluster.
- `measurement_salt` (String) Hex-encoded 32-byte measurement salt for the cluster.
diff --git a/terraform-provider-constellation/examples/full/aws/main.tf b/terraform-provider-constellation/examples/full/aws/main.tf
index 03856e81b..1229d810e 100644
--- a/terraform-provider-constellation/examples/full/aws/main.tf
+++ b/terraform-provider-constellation/examples/full/aws/main.tf
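Review bot: Swapping `t.Context()` for `context.Background()` drops the cancellation tied to the test's lifetime, so if `tc.client` ever blocks the call hangs the package run instead of failing this subtest. If the motivation is a toolchain older than Go 1.24 (which lacks `t.Context`), keep the bound explicit: `ctx, cancel := context.WithCancel(context.Background())`, `t.Cleanup(cancel)`, then `res, err := client.GetDataKey(ctx, "disk-uuid", 32)`. `TestGetDataKey` starts and ends outside the hunk.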
@@ -2,11 +2,11 @@ terraform {
required_providers {
constellation = {
source = "edgelesssys/constellation"
- version = "2.23.1" // replace with the version you want to use
+ version = "2.19.3" // replace with the version you want to use
}
random = {
source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
}
}
}
diff --git a/terraform-provider-constellation/examples/full/azure/main.tf b/terraform-provider-constellation/examples/full/azure/main.tf
index 761406f61..eba3ab291 100644
--- a/terraform-provider-constellation/examples/full/azure/main.tf
+++ b/terraform-provider-constellation/examples/full/azure/main.tf
@@ -2,11 +2,11 @@ terraform {
required_providers {
constellation = {
source = "edgelesssys/constellation"
- version = "2.23.1" // replace with the version you want to use
+ version = "2.19.3" // replace with the version you want to use
}
random = {
source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
}
}
}
diff --git a/terraform-provider-constellation/examples/full/gcp/main.tf b/terraform-provider-constellation/examples/full/gcp/main.tf
index c16906785..b93f6eed8 100644
--- a/terraform-provider-constellation/examples/full/gcp/main.tf
+++ b/terraform-provider-constellation/examples/full/gcp/main.tf
@@ -2,11 +2,11 @@ terraform {
required_providers {
constellation = {
source = "edgelesssys/constellation"
- version = "2.23.1" // replace with the version you want to use
+ version = "2.19.3" // replace with the version you want to use
}
random = {
source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
}
}
}
@@ -45,11 +45,11 @@ resource "random_bytes" "measurement_salt" {
module "gcp_iam" {
// replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
- source = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/gcp"
- project_id = local.project_id
- name_prefix = local.name
- zone = local.zone
- region = local.region
+ source = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/gcp"
+ project_id = local.project_id
+ service_account_id = "${local.name}-sa"
+ zone = local.zone
+ region = local.region
}
module "gcp_infrastructure" {
@@ -81,7 +81,6 @@ module "gcp_infrastructure" {
project = local.project_id
internal_load_balancer = false
cc_technology = local.cc_technology
- iam_service_account_vm = module.gcp_iam.service_account_mail_vm
}
data "constellation_attestation" "foo" {
diff --git a/terraform-provider-constellation/examples/full/stackit/main.tf b/terraform-provider-constellation/examples/full/stackit/main.tf
index 403e57e02..500a8db5c 100644
--- a/terraform-provider-constellation/examples/full/stackit/main.tf
+++ b/terraform-provider-constellation/examples/full/stackit/main.tf
@@ -2,11 +2,11 @@ terraform {
required_providers {
constellation = {
source = "edgelesssys/constellation"
- version = "2.23.1" // replace with the version you want to use
+ version = "2.19.3" // replace with the version you want to use
}
random = {
source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
}
}
}
diff --git a/terraform-provider-constellation/internal/provider/BUILD.bazel b/terraform-provider-constellation/internal/provider/BUILD.bazel
index e60064603..8f6f573d1 100644
--- a/terraform-provider-constellation/internal/provider/BUILD.bazel
+++ b/terraform-provider-constellation/internal/provider/BUILD.bazel
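Review bot: `service_account_id = "${local.name}-sa"` has to satisfy GCP's service-account ID rules (6–30 characters, lowercase letters, digits and hyphens, starting with a letter), and nothing in the example bounds `local.name`, so a longer cluster name makes `module "gcp_iam"` fail only at apply time; a comment on `local.name` stating the limit, or a `validation` block on the variable it derives from, would surface it at plan time. The VM service account the module creates is also no longer handed to `gcp_infrastructure` (the `iam_service_account_vm` argument is dropped in the next hunk), so the example no longer shows how nodes obtain that identity; if the infrastructure module now resolves it on its own, a one-line comment saying so would help, otherwise the wiring is missing. `local.name` is defined outside the hunk.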
@@ -110,6 +110,6 @@ go_test(
"@com_github_hashicorp_terraform_plugin_testing//terraform",
"@com_github_stretchr_testify//assert",
"@com_github_stretchr_testify//require",
- "@io_bazel_rules_go//go/runfiles",
+ "@io_bazel_rules_go//go/runfiles:go_default_library",
],
)
diff --git a/terraform-provider-constellation/internal/provider/cluster_resource.go b/terraform-provider-constellation/internal/provider/cluster_resource.go
index d8921476c..978771e83 100644
--- a/terraform-provider-constellation/internal/provider/cluster_resource.go
+++ b/terraform-provider-constellation/internal/provider/cluster_resource.go
@@ -15,6 +15,7 @@ import (
"errors"
"fmt"
"io"
+ "net"
"net/url"
"regexp"
"strings"
@@ -549,7 +550,7 @@ func (r *ClusterResource) Configure(_ context.Context, req resource.ConfigureReq
}
newDialer := func(validator atls.Validator) *dialer.Dialer {
- return dialer.New(nil, validator, nil)
+ return dialer.New(nil, validator, &net.Dialer{})
}
r.newApplier = func(ctx context.Context, _ atls.Validator) *constellation.Applier {
@@ -1093,7 +1094,6 @@ func (r *ClusterResource) apply(ctx context.Context, data *ClusterResourceModel,
DeployCSIDriver: microserviceCfg.CSIDriver,
masterSecret: secrets.masterSecret,
serviceAccURI: serviceAccURI,
- serviceCIDR: networkCfg.IPCidrService.ValueString(),
}
if csp == cloudprovider.OpenStack {
payload.openStackHelmValues = &helm.OpenStackValues{
@@ -1268,7 +1268,6 @@ type applyHelmChartsPayload struct {
masterSecret uri.MasterSecret // master secret of the cluster.
serviceAccURI string // URI of the service account used within the cluster.
openStackHelmValues *helm.OpenStackValues // OpenStack-specific Helm values.
- serviceCIDR string // CIDR used for k8s services - needed for CoreDNS chart.
}
// applyHelmCharts applies the Helm charts to the cluster.
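Review bot: `&net.Dialer{}` carries no `Timeout`, so the TCP connect of every aTLS dial made through `newDialer` is bounded only by the caller's `ctx` and otherwise by the OS connect timeout (roughly two minutes per attempt with Linux defaults); against an unreachable node a Terraform apply or read stalls for that long before the validator is ever exercised. Unless `dialer.New` imposes its own deadline on the net dialer (not visible here), set one at the source: `return dialer.New(nil, validator, &net.Dialer{Timeout: 30 * time.Second})`, adding `time` to the import block if it is not already imported. `Configure` starts and ends outside the hunk.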
@@ -1290,7 +1289,6 @@ func (r *ClusterResource) applyHelmCharts(ctx context.Context, applier *constell
// The user has previously been warned about this when planning a microservice version change.
AllowDestructive: helm.AllowDestructive,
OpenStackValues: payload.openStackHelmValues,
- ServiceCIDR: payload.serviceCIDR,
}
if err := applier.AnnotateCoreDNSResources(ctx); err != nil {
diff --git a/terraform-provider-constellation/internal/provider/cluster_resource_test.go b/terraform-provider-constellation/internal/provider/cluster_resource_test.go
index f8cea33ef..fb1b5c4fc 100644
--- a/terraform-provider-constellation/internal/provider/cluster_resource_test.go
+++ b/terraform-provider-constellation/internal/provider/cluster_resource_test.go
@@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only
package provider
import (
+ "context"
"fmt"
"regexp"
"testing"
@@ -95,14 +96,14 @@ func TestViolatedImageConstraint(t *testing.T) {
Version: tc.version,
}
- input, diags := basetypes.NewObjectValueFrom(t.Context(), map[string]attr.Type{
+ input, diags := basetypes.NewObjectValueFrom(context.Background(), map[string]attr.Type{
"version": basetypes.StringType{},
"reference": basetypes.StringType{},
"short_path": basetypes.StringType{},
"marketplace_image": basetypes.BoolType{},
}, img)
require.Equal(t, 0, diags.ErrorsCount())
- _, _, diags2 := sut.getImageVersion(t.Context(), &ClusterResourceModel{
+ _, _, diags2 := sut.getImageVersion(context.Background(), &ClusterResourceModel{
Image: input,
})
require.Equal(t, tc.expectedErrorCount, diags2.ErrorsCount())
diff --git a/terraform/infrastructure/aws/.terraform.lock.hcl b/terraform/infrastructure/aws/.terraform.lock.hcl
index 4914aaf10..ec2b3204e 100644
--- a/terraform/infrastructure/aws/.terraform.lock.hcl
+++ b/terraform/infrastructure/aws/.terraform.lock.hcl
@@ -2,52 +2,61 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.98.0" - constraints = "5.98.0" + version = "5.78.0" + constraints = "5.78.0" hashes = [ - "h1:/RMObGCrfJlVoQCf9h88hFkSyLafDXnw6r0yi4gpO80=", - "h1:KgOCdSG6euSc2lquuFlISJU/CzQTRhAO7WoaASxLZRc=", - "h1:neMFK/kP1KT6cTGID+Tkkt8L7PsN9XqwrPDGXVw3WVY=", - "h1:tSqQC0adIJ0VWRrbChyEGjGuWKwibrz+/YJ2Q1ZOs2Y=", - "h1:tfWnOmzoWOvwOGlUx0HrxCfUZq3YHhlkeEbMccAYiec=", - "zh:23377bd90204b6203b904f48f53edcae3294eb072d8fc18a4531c0cde531a3a1", - "zh:2e55a6ea14cc43b08cf82d43063e96c5c2f58ee953c2628523d0ee918fe3b609", - "zh:4885a817c16fdaaeddc5031edc9594c1f300db0e5b23be7cd76a473e7dcc7b4f", - "zh:6ca7177ad4e5c9d93dee4be1ac0792b37107df04657fddfe0c976f36abdd18b5", - "zh:78bf8eb0a67bae5dede09666676c7a38c9fb8d1b80a90ba06cf36ae268257d6f", - "zh:874b5a99457a3f88e2915df8773120846b63d820868a8f43082193f3dc84adcb", - "zh:95e1e4cf587cde4537ac9dfee9e94270652c812ab31fce3a431778c053abf354", + "h1:/EKXECKi3XzLR0SwaEyQucvsQx2TdyIF2DYabr9DVqM=", + "h1:15pt02WPsTWUsLi37o791kSplIqEf2Ihl+zFdBOpKnY=", + "h1:3TLJUm+6523EtS8W8G4f22e0bp2MpZ72f9qptc31WD8=", + "h1:EGEcXHT4WdxUTRSPzjevCNXStQ+u2eeQB4EmOSp2nPc=", + "h1:GwVGbd+IHAq+qwGs2QKuxazKzrJhSWVicYyGBPftuG0=", + "h1:OUmta/bL/0S6g4K/Mn1LBkEnMWNCq4dLsfYrdrllcEo=", + "h1:cxjNJTMeoxw0csix1iWp4m2esNUOuFfVbIAacUGjYSQ=", + "h1:kB3dnSsazjI63RZdz2gldCkDFw8KI0IJd6RbhqxrE6I=", + "h1:o7jz+dFixEcwjfdubken5ldmDJm1tkvM2adPtNDei3g=", + "h1:vIzenE93tNUfA/hFcwB6wouenp59n9g2J6FNPfJAOpg=", + "h1:zA5P+U4hv2P52fwfLNjAIA2jS9xOn4xCmrXrOMKH8gs=", + "h1:zKNuYrqjerfmrU0bgKQtubN/NiMLRXP4HTThTm1WfJE=", + "h1:zYvhhpw56OF8ClJezKBdKV0+6elVM3FYEAjaNWAinjk=", + "h1:zel31ZX4jCQoeQXydOfcm4ncD9aj+437F9Cr1eoCumM=", + "zh:0ae7d41b96441d0cf7ce2e1337657bdb2e1e5c9f1c2227b0642e1dcec2f9dfba", + "zh:21f8f1edf477681ea3b095c02cad6b8e85262e45015de58e84e0c7b2bfe9a1f6", + "zh:2bdc335e341bf98445255549ae93d66cfb9bca706e62b949da98fe467c182cad", + 
"zh:2fe4096e260367a225a9faf4a424d62b87e5498f12cb43bdb6f4e713d11b82c3", + "zh:3c63bb7a7925d65118d17461f4691a22dbb55ea39a7404e4d71f6ccca8765f8b", + "zh:6609a28a1c638a1901d8007b5386868ccfd313b4df2e98b35d9fdef436974e3b", + "zh:7ae3aef43bc4b365824cca4659cf92459d766800656e354bdbf83feabab835e8", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a75145b58b241d64570803e6565c72467cd664633df32678755b51871f553e50", - "zh:aa31b13d0b0e8432940d6892a48b6268721fa54a02ed62ee42745186ee32f58d", - "zh:ae4565770f76672ce8e96528cbb66afdade1f91383123c079c7fdeafcb3d2877", - "zh:b99f042c45bf6aa69dd73f3f6d9cbe0b495b30442c526e0b3810089c059ba724", - "zh:bbb38e86d926ef101cefafe8fe090c57f2b1356eac9fc5ec81af310c50375897", - "zh:d03c89988ba4a0bd3cfc8659f951183ae7027aa8018a7ca1e53a300944af59cb", - "zh:d179ef28843fe663fc63169291a211898199009f0d3f63f0a6f65349e77727ec", + "zh:c314efe454adc6ca483261c6906e64315aeb9db0c0332818714e9b81e07df0f0", + "zh:cd3e30396b554bbc1d260252db8a0f344065d619038fe60ea870689cd32c6aa9", + "zh:d1ba48fd9d8a1cb1daa927fb9e8bb708b857f2792d796e110460c6fdcd896a47", + "zh:d31c8abe75cb9cdc1c59ad9d356a1c3ae1ba8cd29ac15eb7e01b6cd01221ab04", + "zh:dc27c5c2116b4d9b404753f73bccaa635bce21f3bfb4bb7bc8e63225c36c98fe", + "zh:de491f0d05408378413187475c815d8cb2ac6bfa63d0b42a30ad5ee492e51c07", + "zh:eb44b45a40f80a309dd5b0eb7d7fcb2cbfe588fe2f18b173ef5851346898a662", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - 
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } diff --git a/terraform/infrastructure/aws/main.tf b/terraform/infrastructure/aws/main.tf index 6c85d2817..65dff58e1 100644 --- a/terraform/infrastructure/aws/main.tf 
+++ b/terraform/infrastructure/aws/main.tf
@@ -2,11 +2,11 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "5.98.0"
+ version = "5.78.0"
}
random = {
source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
}
}
}
@@ -29,7 +29,6 @@ locals {
{ name = "recovery", port = "9999", health_check = "TCP" },
{ name = "join", port = "30090", health_check = "TCP" },
var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
- var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [],
])
target_group_arns = {
control-plane : [
diff --git a/terraform/infrastructure/aws/modules/instance_group/main.tf b/terraform/infrastructure/aws/modules/instance_group/main.tf
index 5a271c970..187917e45 100644
--- a/terraform/infrastructure/aws/modules/instance_group/main.tf
+++ b/terraform/infrastructure/aws/modules/instance_group/main.tf
@@ -2,11 +2,11 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "5.98.0"
+ version = "5.78.0"
}
random = {
source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
}
}
}
diff --git a/terraform/infrastructure/aws/modules/jump_host/main.tf b/terraform/infrastructure/aws/modules/jump_host/main.tf
index f2a34429e..d25115e89 100644
--- a/terraform/infrastructure/aws/modules/jump_host/main.tf
+++ b/terraform/infrastructure/aws/modules/jump_host/main.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "5.98.0"
+ version = "5.78.0"
}
}
}
diff --git a/terraform/infrastructure/aws/modules/load_balancer_target/main.tf b/terraform/infrastructure/aws/modules/load_balancer_target/main.tf
index 798ec3511..993e6a9ef 100644
--- a/terraform/infrastructure/aws/modules/load_balancer_target/main.tf
+++ b/terraform/infrastructure/aws/modules/load_balancer_target/main.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "5.98.0"
+ version = "5.78.0"
}
}
}
diff --git a/terraform/infrastructure/aws/modules/public_private_subnet/main.tf b/terraform/infrastructure/aws/modules/public_private_subnet/main.tf
index a749fe351..d34dcc9f3 100644
--- a/terraform/infrastructure/aws/modules/public_private_subnet/main.tf
+++ b/terraform/infrastructure/aws/modules/public_private_subnet/main.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "5.98.0"
+ version = "5.78.0"
}
}
}
diff --git a/terraform/infrastructure/aws/outputs.tf b/terraform/infrastructure/aws/outputs.tf
index b362ff094..62f220619 100644
--- a/terraform/infrastructure/aws/outputs.tf
+++ b/terraform/infrastructure/aws/outputs.tf
@@ -45,8 +45,3 @@ output "ip_cidr_node" {
value = local.cidr_vpc_subnet_nodes
description = "CIDR block of the node network."
}
-
-output "loadbalancer_address" {
- value = aws_lb.front_end.dns_name
- description = "Public loadbalancer address."
-}
diff --git a/terraform/infrastructure/aws/variables.tf b/terraform/infrastructure/aws/variables.tf
index d55dedabb..67d0ec4d3 100644
--- a/terraform/infrastructure/aws/variables.tf
+++ b/terraform/infrastructure/aws/variables.tf
@@ -85,9 +85,3 @@ variable "additional_tags" {
default = {}
description = "Additional tags that should be applied to created resources."
}
-
-variable "emergency_ssh" {
- type = bool
- default = false
- description = "Wether to expose the SSH port through the public load balancer."
-}
diff --git a/terraform/infrastructure/azure/.terraform.lock.hcl b/terraform/infrastructure/azure/.terraform.lock.hcl
index a4e090c0d..0e0fc1026 100644
--- a/terraform/infrastructure/azure/.terraform.lock.hcl
+++ b/terraform/infrastructure/azure/.terraform.lock.hcl
@@ -2,62 +2,62 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.29.0" - constraints = "4.29.0" + version = "4.12.0" + constraints = "4.12.0" hashes = [ - "h1:Bde/KCh2xGVCBx/JnixC3I2fmoRTwHXgsapfQ5QG8eg=", - "h1:IyINmgNiLfWx3Istkt5Mz+IJrDhSMhj3/qQeJlC4qS4=", - "h1:KEJAt0mJAACyIKUB5mCk/wqtxKMhivdeW8w6byz5Ll4=", - "h1:Y4gTSs+ZE5YSJVXG2qmsbXmv9Daq5aGM8Ip/GE6nev8=", - "h1:YtcHvTVfVBKbMCp9esoj527R1UK/hU0Zmo3pyQb8YhQ=", - "h1:atJdgnuqk+w3v4Zzhw2B1FZeYYA4su9JfanwNsx+c8o=", - "h1:c9tmtEdVTb9siGa3hVxPrMVl9ij5zijnD02JMHcHjrE=", - "h1:eN0KhMGVepEPpSA+YN5Kaz/v9PFKCafbkqqBzpLJf+g=", - "h1:hNVKlXTx2duXnR6SNKtyQMx7zSIlrxBu66Z0gbyfv3c=", - "h1:jC2GJo4VzTKnKociUDLVv8/+u9Mz+4scZrqbEasV+Y0=", - "h1:m3xYvc9X0pec0Zd1dpn82ALQ+6vwz56RnF/3CbkI2Eg=", - "zh:16590eea68c7c8aedb7af19f690eb34ab6636ef417b3fa9e06ca038fdb4c44b8", - "zh:1c907dfe44d00a54aa63d443004add90188f9a53ef3e919aff8aba92f715f42b", - "zh:258a0ff4198d80cae33c89091cd556d84c1b522c4416458484f23719a0cdf4cc", - "zh:587f5e9b2b33e51b18fb0f372025c961c3f57f2958b388459dd8432412650bda", - "zh:6318ca03bd9dbac272a75bb193688c7d4c4b45c7460289820528f31bcd6c3fe9", - "zh:63e4e8128e26e4c3e0c3b6582ef527245eb35eb5c80ad278dc675ebdf71edeaf", - "zh:845c898a27a84a15ba26e95ee66ac9563f81bc672b5ca216af82d87fe09bd5f8", - "zh:8fa6434fa212d5501185f0adc985d3a3c1e0f449c78f040a4ca640cb1e809cac", - "zh:9b49c0d72ab19aab43b2b48d23c5dddbbe29afae1569a987e6f20ed4c80ddf4c", - "zh:b14cc1ee5e3acf52490de7dd9791cce7953c0ee4bcccf0306aafd256568bd69f", - "zh:cd444836b2579fa42bfca2ae6145d394c41b6438b1ae01078c060bfaf803bb4d", + "h1:2tHjSJI1VW6sUL042kwkTfmOF3rAjZmYzpFucBq0EjQ=", + "h1:3TmHdOUKadLf5mJfYqm2OpsA/jiuqmEvCmR1EnaluF0=", + "h1:81V4UGJgVTzRQgIhYYvDJ1N+WCsQbmBgyCQ0HL/i/ks=", + "h1:9ZTFblaxLkCzg8jvRBk/J7QKV2hjxrwNhVlk96IUr6U=", + "h1:DjLdwL6J0qqUTx02BOMQxfOLHUqlYH+ewRcwFWTiHjY=", + "h1:EDeJjlZGOezaIQ+kiCN8GXRj049Lo42b93rEGlbOscM=", + "h1:U/tpa2Accjlzco7ohA1CEeL3fT/65yqiTf2ydCHhzjE=", + 
"h1:VJfcRLECBhANa1S5yHF3hJtOAzJuqe969XTK8LPbp6U=", + "h1:W6fcPNvsD7ce81J0H3Ib5FBlt5VLq5MlLXQIw+zooPc=", + "h1:tI7FQgfIFIER3wMbZN5mIX24B0mWVNb4r7hi7mUmAw8=", + "h1:wofqhlcgsUPYq6ZrN5hoUE34PDn7jmvK6YlQ0BobjyQ=", + "zh:127709945923a0034ec302c41494b82f0748707ecba15feba9db3af03e2b4709", + "zh:16ce5040984456f332598e1515cfde12b1bba78eae37b7a4b08ec332bbb55d6c", + "zh:1901cf598a048a1f135ed1c723de5e3c501aa7d1399490b7722c44cb61cb566e", + "zh:1b4a1fa65f32de535481ff38bd5869f44582b14b64bd00cc4902439cf2728a8a", + "zh:72ff727353151bd1a41ea1d6b2ecf24157918658ccd02d56acd62a7c4d330a7b", + "zh:78c0e4d7e1701fc5b3227d098807b1ed1c6d80c1ee443c0db89c64aeb317a39f", + "zh:a9964f7d9142cdd6f84673e1e936491f14bf1a44dd51fd55525c42fb05208c83", + "zh:ada1ffdebe10a44fcfa330618376fbd5d5daf7a9faad833496162686a98016d0", + "zh:d02d4d5a1fc4b0cb7975311bf37596456ace782ab195281a48338eb2a0f478c1", + "zh:e0fb626158b0cb7d8c5662a518cee8924b00a87312feff9db40b30e26539aa0f", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa5f683582bc5b12587aa7a78152774f2eaae9cfac0fb61b6de81284abbbea5b", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - 
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:4LlZaEeRPQNeQVS/qkH33e0fw92dZV8bS855mhDZ5GU=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:LFe/7Z6YZvnrBcYhSEQY50DfS3uoDKBakwdqVXcEQkc=", + "h1:N2IQabOiZC5eCEGrfgVS6ChVmRDh1ENtfHgGjnV4QQQ=", + "h1:aP69UhBhTPIVy1laxOTwOVRPB5Gv3WP9wKPyAnYd8DI=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:ph2J8mV6yYVsaN6FIsxhpWv//QuloQESo4tAZU732Uk=", + "h1:swbWBC5hf9ijj1BQcCpwLOI1m1tXH2KNGp8TEqnMiAY=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + 
"zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } diff --git a/terraform/infrastructure/azure/main.tf b/terraform/infrastructure/azure/main.tf index 490c57cd0..c6383d82b 100644 --- a/terraform/infrastructure/azure/main.tf +++ b/terraform/infrastructure/azure/main.tf @@ -2,11 +2,11 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "4.29.0" + version = "4.12.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } @@ -40,7 +40,6 @@ locals { { name = "recovery", port = "9999", health_check_protocol = "Tcp", path = null, priority = 104 }, { name = "join", port = "30090", health_check_protocol = "Tcp", path = null, priority = 105 }, var.debug ? [{ name = "debugd", port = "4000", health_check_protocol = "Tcp", path = null, priority = 106 }] : [], - var.emergency_ssh ? [{ name = "ssh", port = "22", health_check_protocol = "Tcp", path = null, priority = 107 }] : [], ]) // wildcard_lb_dns_name is the DNS name of the load balancer with a wildcard for the name. // example: given "name-1234567890.location.cloudapp.azure.com" it will return "*.location.cloudapp.azure.com" diff --git a/terraform/infrastructure/azure/modules/load_balancer_backend/main.tf b/terraform/infrastructure/azure/modules/load_balancer_backend/main.tf index 4b466bf65..52d5d4fd1 100644 --- a/terraform/infrastructure/azure/modules/load_balancer_backend/main.tf +++ b/terraform/infrastructure/azure/modules/load_balancer_backend/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "4.29.0" + version = "4.12.0" } } } diff --git a/terraform/infrastructure/azure/modules/scale_set/main.tf b/terraform/infrastructure/azure/modules/scale_set/main.tf index d78b84c72..fd5ca1876 100644 --- a/terraform/infrastructure/azure/modules/scale_set/main.tf 
+++ b/terraform/infrastructure/azure/modules/scale_set/main.tf
@@ -2,11 +2,11 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "4.29.0"
+ version = "4.12.0"
}
random = {
source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
}
}
}
diff --git a/terraform/infrastructure/azure/outputs.tf b/terraform/infrastructure/azure/outputs.tf
index b3e5d844b..945c793b8 100644
--- a/terraform/infrastructure/azure/outputs.tf
+++ b/terraform/infrastructure/azure/outputs.tf
@@ -47,11 +47,6 @@ output "ip_cidr_node" {
description = "CIDR block of the node network."
}
-output "loadbalancer_address" {
- value = azurerm_public_ip.loadbalancer_ip[0].fqdn
- description = "Public loadbalancer address."
-}
-
# Azure-specific outputs
output "attestation_url" {
diff --git a/terraform/infrastructure/azure/variables.tf b/terraform/infrastructure/azure/variables.tf
index 64a02a35d..a3ab1fd0b 100644
--- a/terraform/infrastructure/azure/variables.tf
+++ b/terraform/infrastructure/azure/variables.tf
@@ -101,9 +101,3 @@ variable "additional_tags" {
default = {}
description = "Additional tags that should be applied to created resources."
}
-
-variable "emergency_ssh" {
- type = bool
- default = false
- description = "Wether to expose the SSH port through the public load balancer."
-}
diff --git a/terraform/infrastructure/gcp/.terraform.lock.hcl b/terraform/infrastructure/gcp/.terraform.lock.hcl
index 5e188a8ce..47ba3a7c5 100644
--- a/terraform/infrastructure/gcp/.terraform.lock.hcl
+++ b/terraform/infrastructure/gcp/.terraform.lock.hcl
@@ -2,61 +2,55 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/google" { - version = "6.36.0" - constraints = "6.36.0" + version = "6.12.0" + constraints = "6.12.0" hashes = [ - "h1:7UUG6owE+FafOHh0JK8BTM0yOlO7/XbHiEDh087fd0E=", - "h1:80HOG2KFPy07zgflMevKhsKrU8tEFvVncVMZOiffqV0=", - "h1:8aaMc8jT1GL3I15Aiz9Lr6k8+u79Fo3D6KA4Np+JUI8=", - "h1:aQ8E+XveXDO6zbqO1upcKqkrWr+5dwxowmQgMZ/zgrM=", - "h1:e/3n+WKR/ikY8m/MIAHOvH1HFY1fng76SEpnvGStxMU=", - "h1:fcjI1cXeKYJDWcgUXL+UPD23HIN4IDJjlc7XVD3i3Bc=", - "h1:iQx5xJnQvBN2aUdQbWZQPmtuT0xjfaNpFJD3qzOvC7U=", - "h1:kRbYOLtROkOjc3XMgptzFWKdgRCjyf2FH0UTlCJXkg8=", - "h1:lxi5P8TBMfiKk88FI4xM2Lnwlk2+Q3r9oa4yrg83x1w=", - "h1:m085EpkXRmg1TqRbPP6RxdVmlwJJujvyfMtznvURS04=", - "h1:vvvbnteZLIMosgsxO6YXDgxGYdU5BuSxPD1w4f4LV6c=", - "zh:0a67432c04d4c74829632cc5669b8c5988f837259333307e07c2915a0529b3fb", - "zh:4559afe21bb59e8fb9e3e7414ea65b6be233e8f217e8683dd0e9c347ecadf910", - "zh:58a34fe3b28271deba9a44db1e704c2844f2e30e252ded5f200a8f9af170d52d", - "zh:6b07f388b4fb2189d9fe3a058831e5c755092f7bd5f7388a1c0d9583f8c43ef0", - "zh:6fae25f93bf4a6fd59ce0f9d05e8551b65b4be7084f5e6e5f528ab011dbbef6a", - "zh:73be19906c569f1d46b8f88d3e846bd8dabd6ed65d8ba9a91f67da5365b534dc", - "zh:7b047330342f600e92c02e248f72eefae1a2e01c16ef45cc533942eb73c49c06", - "zh:9fecf5cdf1a16b9b9c1e83dc6129a40bfbc9e640252d2afddd34dc61de213330", - "zh:c557ea7357880615af290452ff06bc23bd3821132783240bd7cd75aadf16a04a", - "zh:dc11ad9a0b595b70490326563ea5f77de9c69aba0ee959971392e46b10a3c246", - "zh:ed8dc5d5ce3d8e3c1648c3fc6f48a19da9ed38d0157c33019c74b7790480c29f", + "h1:D6eBvo6Qs3OXXMwB2vFBhKuiL/TMNu5bBtjznSPbBH0=", + "h1:JuVRL27b9/g/FdblPwGZEacECBZRIuHZ+nzRgpIDduo=", + "h1:MgQU4YOpoJQngarNuPfvNKF4r7YyqYii7DBOiiaKBEw=", + "h1:OQp1STR+bhXfBQKs02krIJuELZ2c4GmGhlBd4bSq128=", + "h1:OvpG2uAeuIc19TFOQrr+s7Ded6sVBripLWLIzeWn90U=", + "h1:PmkvZRF8v7SszpUP4l9gXfhlVwq3z+HrTE39qusLrBw=", + "h1:WZulOZ1tthsLm/w7t7yy3C7JZ8QIXfO+QMEEW1pjrAY=", + 
"h1:Yez7eMayTGGmX/LCIDD3Xgnktpv/701g2zotNmg6u2o=", + "h1:nQTLHstv9bSviqpeBRzCfUG1lD8j+3f6Daxuv32At8k=", + "h1:rvZHMkoxkHrBYQXb/waoZiD2oo3FS1AF8HoWHlb6SN8=", + "h1:zpwamvGGsck1qNunJeyfolgiBDOJpXVINPzLLSECpjY=", + "zh:14701aa307a832d99f567b8056a4c5e4ee5a403d984c98f024deee7507a3f29c", + "zh:344eca00ffb2643c2fa7f52f069b659d50bb4c9369df4cad96ea0fadb54282c8", + "zh:5fb57c0acfd4d30a39941900040d5518a909d8c975af0c4366a7bfd0d0bb09a8", + "zh:617a77048a5b9aa568e8bc706cc84307a237b2dd0e49709028b283f8bbe42475", + "zh:677837a05fefe0342cf4d4bdc494e8fd4d62331cac947820e73df37e8f512688", + "zh:7b79f6e02474eef4a1480fc6589afb63ed16b25bf019b6056f9838e2845e2ef8", + "zh:7d891fceb5b15e81240d829f42e1a36e4c812bfc1abe7856756e59101932205f", + "zh:97f1e0ac799faf382426e070e888fac36b0867597b460dc95b0e7f657de21ba9", + "zh:9855f2f2f5919ff6a6a2c982439c910d28c8978ad18cd8f549a5d1ba9b4dc4c3", + "zh:ac551367180eb396af2a50244e80243d333d600a76002e29935262d76a02290b", + "zh:c354f34e6579933d21a98ce7f31f4ef8aeaceb04cfaedaff6d3f3c0be56b2c79", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - 
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } diff --git a/terraform/infrastructure/gcp/main.tf b/terraform/infrastructure/gcp/main.tf index 215c86a8c..b20b74d15 100644 --- a/terraform/infrastructure/gcp/main.tf 
+++ b/terraform/infrastructure/gcp/main.tf
@@ -2,12 +2,12 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "6.36.0"
+ version = "6.12.0"
 }
 random = {
 source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
 }
 }
 }
@@ -40,7 +40,6 @@ locals {
 { name = "recovery", port = "9999", health_check = "TCP" },
 { name = "join", port = "30090", health_check = "TCP" },
 var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
- var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [],
 ])
 node_groups_by_role = { for name, node_group in var.node_groups : node_group.role => name...
@@ -161,29 +160,28 @@ resource "google_compute_firewall" "firewall_internal_pods" {
 }
 module "instance_group" {
- source = "./modules/instance_group"
- for_each = var.node_groups
- base_name = local.name
- node_group_name = each.key
- role = each.value.role
- zone = each.value.zone
- uid = local.uid
- instance_type = each.value.instance_type
- initial_count = each.value.initial_count
- image_id = var.image_id
- disk_size = each.value.disk_size
- disk_type = each.value.disk_type
- network = google_compute_network.vpc_network.id
- subnetwork = google_compute_subnetwork.vpc_subnetwork.id
- alias_ip_range_name = google_compute_subnetwork.vpc_subnetwork.secondary_ip_range[0].range_name
- kube_env = local.kube_env
- debug = var.debug
- named_ports = each.value.role == "control-plane" ? local.control_plane_named_ports : []
- labels = local.labels
- init_secret_hash = local.init_secret_hash
- custom_endpoint = var.custom_endpoint
- cc_technology = var.cc_technology
- iam_service_account_vm = var.iam_service_account_vm
+ source = "./modules/instance_group"
+ for_each = var.node_groups
+ base_name = local.name
+ node_group_name = each.key
+ role = each.value.role
+ zone = each.value.zone
+ uid = local.uid
+ instance_type = each.value.instance_type
+ initial_count = each.value.initial_count
+ image_id = var.image_id
+ disk_size = each.value.disk_size
+ disk_type = each.value.disk_type
+ network = google_compute_network.vpc_network.id
+ subnetwork = google_compute_subnetwork.vpc_subnetwork.id
+ alias_ip_range_name = google_compute_subnetwork.vpc_subnetwork.secondary_ip_range[0].range_name
+ kube_env = local.kube_env
+ debug = var.debug
+ named_ports = each.value.role == "control-plane" ? local.control_plane_named_ports : []
+ labels = local.labels
+ init_secret_hash = local.init_secret_hash
+ custom_endpoint = var.custom_endpoint
+ cc_technology = var.cc_technology
 }
 resource "google_compute_address" "loadbalancer_ip_internal" {
diff --git a/terraform/infrastructure/gcp/modules/instance_group/main.tf b/terraform/infrastructure/gcp/modules/instance_group/main.tf
index b24f5d61f..33eb47aea 100644
--- a/terraform/infrastructure/gcp/modules/instance_group/main.tf
+++ b/terraform/infrastructure/gcp/modules/instance_group/main.tf
@@ -2,12 +2,12 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "6.36.0"
+ version = "6.12.0"
 }
 random = {
 source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
 }
 }
 }
@@ -77,11 +77,17 @@ resource "google_compute_instance_template" "template" {
 on_host_maintenance = "TERMINATE"
 }
- # Define all IAM access via the service account and not via scopes:
- # See: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_template#nested_service_account
 service_account {
- email = var.iam_service_account_vm
- scopes = ["cloud-platform"]
+ scopes = [
+ "https://www.googleapis.com/auth/compute",
+ "https://www.googleapis.com/auth/servicecontrol",
+ "https://www.googleapis.com/auth/service.management.readonly",
+ "https://www.googleapis.com/auth/devstorage.read_only",
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring.write",
+ "https://www.googleapis.com/auth/trace.append",
+ "https://www.googleapis.com/auth/cloud-platform",
+ ]
 }
 shielded_instance_config {
diff --git a/terraform/infrastructure/gcp/modules/instance_group/variables.tf b/terraform/infrastructure/gcp/modules/instance_group/variables.tf
index e4d2cbe5c..5370ec7d1 100644
--- a/terraform/infrastructure/gcp/modules/instance_group/variables.tf
+++ b/terraform/infrastructure/gcp/modules/instance_group/variables.tf
@@ -108,9 +108,3 @@ variable "cc_technology" {
 error_message = "The confidential computing technology has to be 'SEV' or 'SEV_SNP'."
 }
 }
-
-variable "iam_service_account_vm" {
- type = string
- default = ""
- description = "IAM service account used for the VMs"
-}
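Review bot: The new `service_account` block in the -77,11 hunk sets only `scopes` and no `email`, so the instance template falls back to the project's default Compute Engine service account, and the VMs' effective permissions become whatever project roles that account holds rather than the dedicated, custom-role-bound account this diff removes. The list also ends with `https://www.googleapis.com/auth/cloud-platform`, which already subsumes the seven narrower scopes above it, so those entries restrict nothing and can mislead a reader into thinking the access token is scoped down. If this fallback is intentional, a comment on the block should say so, e.g. `# No explicit email: the default Compute Engine SA is attached; effective access is that SA's project roles, not this scope list (cloud-platform covers all of them).`. The same assumption is implied by the dropped `iam_service_account_vm` wiring in gcp/main.tf (hunk -161,29) and by the removed `google_service_account.vm` and custom role in iam/gcp/main.tf (hunks -13,19 and -76,31); the enclosing `google_compute_instance_template` resource starts before this hunk.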
diff --git a/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf b/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf
index 7c73433ce..49cd0eb90 100644
--- a/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf
+++ b/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "6.36.0"
+ version = "6.12.0"
 }
 }
 }
diff --git a/terraform/infrastructure/gcp/modules/jump_host/main.tf b/terraform/infrastructure/gcp/modules/jump_host/main.tf
index 3b5682526..864115228 100644
--- a/terraform/infrastructure/gcp/modules/jump_host/main.tf
+++ b/terraform/infrastructure/gcp/modules/jump_host/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "6.36.0"
+ version = "6.12.0"
 }
 }
 }
diff --git a/terraform/infrastructure/gcp/modules/loadbalancer/main.tf b/terraform/infrastructure/gcp/modules/loadbalancer/main.tf
index 0ee6bc477..e815d9dea 100644
--- a/terraform/infrastructure/gcp/modules/loadbalancer/main.tf
+++ b/terraform/infrastructure/gcp/modules/loadbalancer/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "6.36.0"
+ version = "6.12.0"
 }
 }
 }
diff --git a/terraform/infrastructure/gcp/outputs.tf b/terraform/infrastructure/gcp/outputs.tf
index 8525bdb13..cbdf9164a 100644
--- a/terraform/infrastructure/gcp/outputs.tf
+++ b/terraform/infrastructure/gcp/outputs.tf
@@ -45,11 +45,6 @@ output "ip_cidr_node" {
 description = "CIDR block of the node network."
 }
-output "loadbalancer_address" {
- value = var.internal_load_balancer ? google_compute_address.loadbalancer_ip_internal[0].address : google_compute_global_address.loadbalancer_ip[0].address
- description = "Public loadbalancer address."
-}
-
 # GCP-specific outputs
 output "project" {
diff --git a/terraform/infrastructure/gcp/variables.tf b/terraform/infrastructure/gcp/variables.tf
index c29c24391..601394a55 100644
--- a/terraform/infrastructure/gcp/variables.tf
+++ b/terraform/infrastructure/gcp/variables.tf
@@ -75,14 +75,3 @@ variable "additional_labels" {
 default = {}
 description = "Additional labels that should be given to created recources."
 }
-
-variable "iam_service_account_vm" {
- type = string
- default = ""
- description = "IAM service account used for the VMs"
-}
-variable "emergency_ssh" {
- type = bool
- default = false
- description = "Wether to expose the SSH port through the public load balancer."
-}
diff --git a/terraform/infrastructure/iam/aws/.terraform.lock.hcl b/terraform/infrastructure/iam/aws/.terraform.lock.hcl
index 4914aaf10..ec2b3204e 100644
--- a/terraform/infrastructure/iam/aws/.terraform.lock.hcl
+++ b/terraform/infrastructure/iam/aws/.terraform.lock.hcl
@@ -2,52 +2,61 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.98.0" - constraints = "5.98.0" + version = "5.78.0" + constraints = "5.78.0" hashes = [ - "h1:/RMObGCrfJlVoQCf9h88hFkSyLafDXnw6r0yi4gpO80=", - "h1:KgOCdSG6euSc2lquuFlISJU/CzQTRhAO7WoaASxLZRc=", - "h1:neMFK/kP1KT6cTGID+Tkkt8L7PsN9XqwrPDGXVw3WVY=", - "h1:tSqQC0adIJ0VWRrbChyEGjGuWKwibrz+/YJ2Q1ZOs2Y=", - "h1:tfWnOmzoWOvwOGlUx0HrxCfUZq3YHhlkeEbMccAYiec=", - "zh:23377bd90204b6203b904f48f53edcae3294eb072d8fc18a4531c0cde531a3a1", - "zh:2e55a6ea14cc43b08cf82d43063e96c5c2f58ee953c2628523d0ee918fe3b609", - "zh:4885a817c16fdaaeddc5031edc9594c1f300db0e5b23be7cd76a473e7dcc7b4f", - "zh:6ca7177ad4e5c9d93dee4be1ac0792b37107df04657fddfe0c976f36abdd18b5", - "zh:78bf8eb0a67bae5dede09666676c7a38c9fb8d1b80a90ba06cf36ae268257d6f", - "zh:874b5a99457a3f88e2915df8773120846b63d820868a8f43082193f3dc84adcb", - "zh:95e1e4cf587cde4537ac9dfee9e94270652c812ab31fce3a431778c053abf354", + "h1:/EKXECKi3XzLR0SwaEyQucvsQx2TdyIF2DYabr9DVqM=", + "h1:15pt02WPsTWUsLi37o791kSplIqEf2Ihl+zFdBOpKnY=", + "h1:3TLJUm+6523EtS8W8G4f22e0bp2MpZ72f9qptc31WD8=", + "h1:EGEcXHT4WdxUTRSPzjevCNXStQ+u2eeQB4EmOSp2nPc=", + "h1:GwVGbd+IHAq+qwGs2QKuxazKzrJhSWVicYyGBPftuG0=", + "h1:OUmta/bL/0S6g4K/Mn1LBkEnMWNCq4dLsfYrdrllcEo=", + "h1:cxjNJTMeoxw0csix1iWp4m2esNUOuFfVbIAacUGjYSQ=", + "h1:kB3dnSsazjI63RZdz2gldCkDFw8KI0IJd6RbhqxrE6I=", + "h1:o7jz+dFixEcwjfdubken5ldmDJm1tkvM2adPtNDei3g=", + "h1:vIzenE93tNUfA/hFcwB6wouenp59n9g2J6FNPfJAOpg=", + "h1:zA5P+U4hv2P52fwfLNjAIA2jS9xOn4xCmrXrOMKH8gs=", + "h1:zKNuYrqjerfmrU0bgKQtubN/NiMLRXP4HTThTm1WfJE=", + "h1:zYvhhpw56OF8ClJezKBdKV0+6elVM3FYEAjaNWAinjk=", + "h1:zel31ZX4jCQoeQXydOfcm4ncD9aj+437F9Cr1eoCumM=", + "zh:0ae7d41b96441d0cf7ce2e1337657bdb2e1e5c9f1c2227b0642e1dcec2f9dfba", + "zh:21f8f1edf477681ea3b095c02cad6b8e85262e45015de58e84e0c7b2bfe9a1f6", + "zh:2bdc335e341bf98445255549ae93d66cfb9bca706e62b949da98fe467c182cad", + 
"zh:2fe4096e260367a225a9faf4a424d62b87e5498f12cb43bdb6f4e713d11b82c3", + "zh:3c63bb7a7925d65118d17461f4691a22dbb55ea39a7404e4d71f6ccca8765f8b", + "zh:6609a28a1c638a1901d8007b5386868ccfd313b4df2e98b35d9fdef436974e3b", + "zh:7ae3aef43bc4b365824cca4659cf92459d766800656e354bdbf83feabab835e8", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a75145b58b241d64570803e6565c72467cd664633df32678755b51871f553e50", - "zh:aa31b13d0b0e8432940d6892a48b6268721fa54a02ed62ee42745186ee32f58d", - "zh:ae4565770f76672ce8e96528cbb66afdade1f91383123c079c7fdeafcb3d2877", - "zh:b99f042c45bf6aa69dd73f3f6d9cbe0b495b30442c526e0b3810089c059ba724", - "zh:bbb38e86d926ef101cefafe8fe090c57f2b1356eac9fc5ec81af310c50375897", - "zh:d03c89988ba4a0bd3cfc8659f951183ae7027aa8018a7ca1e53a300944af59cb", - "zh:d179ef28843fe663fc63169291a211898199009f0d3f63f0a6f65349e77727ec", + "zh:c314efe454adc6ca483261c6906e64315aeb9db0c0332818714e9b81e07df0f0", + "zh:cd3e30396b554bbc1d260252db8a0f344065d619038fe60ea870689cd32c6aa9", + "zh:d1ba48fd9d8a1cb1daa927fb9e8bb708b857f2792d796e110460c6fdcd896a47", + "zh:d31c8abe75cb9cdc1c59ad9d356a1c3ae1ba8cd29ac15eb7e01b6cd01221ab04", + "zh:dc27c5c2116b4d9b404753f73bccaa635bce21f3bfb4bb7bc8e63225c36c98fe", + "zh:de491f0d05408378413187475c815d8cb2ac6bfa63d0b42a30ad5ee492e51c07", + "zh:eb44b45a40f80a309dd5b0eb7d7fcb2cbfe588fe2f18b173ef5851346898a662", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - 
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } diff --git a/terraform/infrastructure/iam/aws/alb_policy.json b/terraform/infrastructure/iam/aws/alb_policy.json index fe1976170..e8a05f8e6 100644 --- a/terraform/infrastructure/iam/aws/alb_policy.json 
+++ b/terraform/infrastructure/iam/aws/alb_policy.json
@@ -29,8 +29,6 @@
 "ec2:DescribeTags",
 "ec2:GetCoipPoolUsage",
 "ec2:DescribeCoipPools",
- "ec2:GetSecurityGroupsForVpc",
- "ec2:DescribeIpamPools",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
 "elasticloadbalancing:DescribeListeners",
@@ -41,9 +39,7 @@
 "elasticloadbalancing:DescribeTargetGroupAttributes",
 "elasticloadbalancing:DescribeTargetHealth",
 "elasticloadbalancing:DescribeTags",
- "elasticloadbalancing:DescribeTrustStores",
- "elasticloadbalancing:DescribeListenerAttributes",
- "elasticloadbalancing:DescribeCapacityReservation"
+ "elasticloadbalancing:DescribeTrustStores"
 ],
 "Resource": "*"
 },
@@ -192,10 +188,7 @@
 "elasticloadbalancing:DeleteLoadBalancer",
 "elasticloadbalancing:ModifyTargetGroup",
 "elasticloadbalancing:ModifyTargetGroupAttributes",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:ModifyListenerAttributes",
- "elasticloadbalancing:ModifyCapacityReservation",
- "elasticloadbalancing:ModifyIpPools"
+ "elasticloadbalancing:DeleteTargetGroup"
 ],
 "Resource": "*",
 "Condition": {
@@ -241,8 +234,7 @@
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:AddListenerCertificates",
 "elasticloadbalancing:RemoveListenerCertificates",
- "elasticloadbalancing:ModifyRule",
- "elasticloadbalancing:SetRulePriorities"
+ "elasticloadbalancing:ModifyRule"
 ],
 "Resource": "*"
 }
diff --git a/terraform/infrastructure/iam/aws/main.tf b/terraform/infrastructure/iam/aws/main.tf
index c1298689e..bec0b5412 100644
--- a/terraform/infrastructure/iam/aws/main.tf
+++ b/terraform/infrastructure/iam/aws/main.tf
@@ -2,11 +2,11 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "5.98.0"
+ version = "5.78.0"
 }
 random = {
 source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
 }
 }
 }
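Review bot: The eight actions dropped across the four alb_policy.json hunks (`ec2:GetSecurityGroupsForVpc`, `ec2:DescribeIpamPools`, `elasticloadbalancing:DescribeListenerAttributes`, `DescribeCapacityReservation`, `ModifyListenerAttributes`, `ModifyCapacityReservation`, `ModifyIpPools`, `SetRulePriorities`) appear to be the entries that newer releases of the AWS Load Balancer Controller added to their reference IAM policy, and nothing in this diff shows which controller version is deployed alongside this policy. A mismatch does not fail at `terraform apply`; it surfaces only at runtime as AccessDenied errors when the controller reconciles listeners or rules, so please confirm the controller chart pinned in this tree is one whose reference policy matches the trimmed list, and record that version where the policy is consumed (JSON carries no comments, so the main.tf that loads this file or the commit message is the place). The remaining statements are syntactically intact: each hunk's last array element has its trailing comma removed correctly.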
diff --git a/terraform/infrastructure/iam/azure/.terraform.lock.hcl b/terraform/infrastructure/iam/azure/.terraform.lock.hcl index 931a0a0fb..e1f335cd4 100644 --- a/terraform/infrastructure/iam/azure/.terraform.lock.hcl +++ b/terraform/infrastructure/iam/azure/.terraform.lock.hcl 
@@ -2,61 +2,61 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azuread" { - version = "3.4.0" - constraints = "3.4.0" + version = "3.0.2" + constraints = "3.0.2" hashes = [ - "h1:/+HxxFGciTGycNTDUPkcbALGsV+qcCPit8UyYX1Beho=", - "h1:2rAM1pT8sXeViTLMU7Tvd5sDSYuZeavFPVbe5xWgJ3A=", - "h1:CkN8DpmNYWU9mvlrmOpzFdPofGjKgrnL8leImrSL9Uk=", - "h1:D4wPDjiMNuWQcB1cYQIbS9M68QwQ2BQ8TdcamU3ig3k=", - "h1:ELINo/Jm4IDo5uZp1deObsOmcx3Lco1IEEowVVDzgtw=", - "h1:KeA9a60dssTVEFWkAuJ2lxztHyYB9bKmUfYanW2POSo=", - "h1:Rxzm2bElqWCmoNZvs/kjr4vPocw4v9Bw4HQHOtYWjzg=", - "h1:k4Gpl4uNxQgm8hDS3jjnzHEmp72Vrw6+bxNn4m4rxu0=", - "h1:mpZ2ZiLutwDNqOLoZwNKZgHSGn5vMvtA+00GKbaWb5U=", - "h1:qQNUA7kQIX30KkARDCpiZy1MFL/j9LiuSCzbOTHSsjo=", - "h1:rfO7hSYJLdpff/s2iuooHtxNacwKq5n03IwvVQ+xbSI=", - "zh:035a6d6e6aa7f117969702873c27344ec4ddd88f676cebc1088316fb26d5c95a", - "zh:11f86935174d8223699cae00b3a705ded1d75a4efb6d4723d3788f5446e1eaa5", - "zh:16d52b5bf8eefa98cd2793122be0c5a7b41767caedbd8a08786aeefb3d0c6856", + "h1:4HpBtur7h9Naz0BUhoJLVMQmmNABvpVDE/v/WC4LuHU=", + "h1:4ONsd+zmaW77NHdwY6tZ9f5Vk4uk5j4c6phuIAYd9c8=", + "h1:Ac2hOMzVtFxZL6U0znQB++O+AHsi47F4nZt0dGMAEJ4=", + "h1:HNrx7UJEDY5Kbx/r1LRQDWnziqvB6x3IU+pEA8Vq7dw=", + "h1:P807RV/+/XY1fylsKngmj2B5l2XOVTzqpd4ylZAwA+M=", + "h1:SDn/pi6q3CZyt9T8Bgobb91WziY2iE1teqr9Y8TlfJw=", + "h1:Sbb9HgPsFPsY3Jv8Kn+eoyYXoWHLWcODr7Okh/V001k=", + "h1:XUrQ/352oXVMh1ya8E7uMAmaC69zNICCIKqZ3kA4nXw=", + "h1:k0kPplqH7FWmnYeCXXrFIeCshgF1tC4LLhfk66bos3w=", + "h1:sYCyzbPpSYu2XDah8XqBUITQAfB0x4j4Twh6lw2C4CA=", + "h1:yQqvUtgtrYKGpIygdM8P6N+pvMWJJWIsVdPow29VE20=", + "zh:16e724b80a9004c7978c30f69a73c98ff63eb8a03937dd44c2a8f0ea0438b7a3", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:2fe201c7a1c17279f7674c160861296015d9b9d120de598999d169398ce285c9", - "zh:37bb91dff5b751f0c86a02a12980bdb5935d2ca6cdd249d9eef7eca619f628c0", - "zh:7533a35300e411893a024f858e722e50107dfd7212236d396ebf2ca2b13b7bcc", - 
"zh:88a95b2cb606439ae2f60ebe63a800580e232e94bc1b02ac7d25d25be10cb511", - "zh:c7b138b6bc34d8a1eff91742b38bce1718d9c50c343393fdfc918bef022ed74f", - "zh:cab09fda45b8a9a9896aedb22f5829745b7e9a01abb8077696bccb170fb01b5f", - "zh:cc4a29f074f1cc25f3abd3a41444f68307f3eb08c4d5f79f60a012b632c1ea05", - "zh:e30e9fe8e04271431cb730a1a888b6da5afeae385e2e53ff7b4114066c1250db", + "zh:2bbbf13713ca4767267b889471c9fc14a56a8fdf5d1013da3ca78667e3caec64", + "zh:409ccb05431d643a079da082d89db2d95d6afed4769997ac537c8b7de3bff867", + "zh:53e4bca0f5d015380f7f524f36344afe6211ccaf614bfc69af73ca64a9f47d6c", + "zh:5780be2c1981d090604d7fa4cef675462f17f40e7f3dc501a031488e87a35b8f", + "zh:850e61a1b3e64c752c418526ccf48653514c861b36f5feb631619f906f7e99a0", + "zh:8c3565bfcea006a734149cc080452a9daf7d2a9d5362eb7e0a088b6c0d7f0f03", + "zh:908b9e6ad49d5d21173ecefc7924902047611be93bbf8e7d021aa9563358396f", + "zh:a2a79765c029bc58966eff61cb6e9b0ee14d2ac52b0a22fc7dfa35c9a49af669", + "zh:c7f56cbe8743e9ba81fce871bc97d9c07abe86770d9ee7ffefbf3882a61ba89a", + "zh:d4dba80e33421b30d81c62611fb7fc62ad39afecc6484436e635913cd8553e67", ] } provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.29.0" - constraints = "4.29.0" + version = "4.12.0" + constraints = "4.12.0" hashes = [ - "h1:Bde/KCh2xGVCBx/JnixC3I2fmoRTwHXgsapfQ5QG8eg=", - "h1:IyINmgNiLfWx3Istkt5Mz+IJrDhSMhj3/qQeJlC4qS4=", - "h1:KEJAt0mJAACyIKUB5mCk/wqtxKMhivdeW8w6byz5Ll4=", - "h1:Y4gTSs+ZE5YSJVXG2qmsbXmv9Daq5aGM8Ip/GE6nev8=", - "h1:YtcHvTVfVBKbMCp9esoj527R1UK/hU0Zmo3pyQb8YhQ=", - "h1:atJdgnuqk+w3v4Zzhw2B1FZeYYA4su9JfanwNsx+c8o=", - "h1:c9tmtEdVTb9siGa3hVxPrMVl9ij5zijnD02JMHcHjrE=", - "h1:eN0KhMGVepEPpSA+YN5Kaz/v9PFKCafbkqqBzpLJf+g=", - "h1:hNVKlXTx2duXnR6SNKtyQMx7zSIlrxBu66Z0gbyfv3c=", - "h1:jC2GJo4VzTKnKociUDLVv8/+u9Mz+4scZrqbEasV+Y0=", - "h1:m3xYvc9X0pec0Zd1dpn82ALQ+6vwz56RnF/3CbkI2Eg=", - "zh:16590eea68c7c8aedb7af19f690eb34ab6636ef417b3fa9e06ca038fdb4c44b8", - "zh:1c907dfe44d00a54aa63d443004add90188f9a53ef3e919aff8aba92f715f42b", - 
"zh:258a0ff4198d80cae33c89091cd556d84c1b522c4416458484f23719a0cdf4cc", - "zh:587f5e9b2b33e51b18fb0f372025c961c3f57f2958b388459dd8432412650bda", - "zh:6318ca03bd9dbac272a75bb193688c7d4c4b45c7460289820528f31bcd6c3fe9", - "zh:63e4e8128e26e4c3e0c3b6582ef527245eb35eb5c80ad278dc675ebdf71edeaf", - "zh:845c898a27a84a15ba26e95ee66ac9563f81bc672b5ca216af82d87fe09bd5f8", - "zh:8fa6434fa212d5501185f0adc985d3a3c1e0f449c78f040a4ca640cb1e809cac", - "zh:9b49c0d72ab19aab43b2b48d23c5dddbbe29afae1569a987e6f20ed4c80ddf4c", - "zh:b14cc1ee5e3acf52490de7dd9791cce7953c0ee4bcccf0306aafd256568bd69f", - "zh:cd444836b2579fa42bfca2ae6145d394c41b6438b1ae01078c060bfaf803bb4d", + "h1:2tHjSJI1VW6sUL042kwkTfmOF3rAjZmYzpFucBq0EjQ=", + "h1:3TmHdOUKadLf5mJfYqm2OpsA/jiuqmEvCmR1EnaluF0=", + "h1:81V4UGJgVTzRQgIhYYvDJ1N+WCsQbmBgyCQ0HL/i/ks=", + "h1:9ZTFblaxLkCzg8jvRBk/J7QKV2hjxrwNhVlk96IUr6U=", + "h1:DjLdwL6J0qqUTx02BOMQxfOLHUqlYH+ewRcwFWTiHjY=", + "h1:EDeJjlZGOezaIQ+kiCN8GXRj049Lo42b93rEGlbOscM=", + "h1:U/tpa2Accjlzco7ohA1CEeL3fT/65yqiTf2ydCHhzjE=", + "h1:VJfcRLECBhANa1S5yHF3hJtOAzJuqe969XTK8LPbp6U=", + "h1:W6fcPNvsD7ce81J0H3Ib5FBlt5VLq5MlLXQIw+zooPc=", + "h1:tI7FQgfIFIER3wMbZN5mIX24B0mWVNb4r7hi7mUmAw8=", + "h1:wofqhlcgsUPYq6ZrN5hoUE34PDn7jmvK6YlQ0BobjyQ=", + "zh:127709945923a0034ec302c41494b82f0748707ecba15feba9db3af03e2b4709", + "zh:16ce5040984456f332598e1515cfde12b1bba78eae37b7a4b08ec332bbb55d6c", + "zh:1901cf598a048a1f135ed1c723de5e3c501aa7d1399490b7722c44cb61cb566e", + "zh:1b4a1fa65f32de535481ff38bd5869f44582b14b64bd00cc4902439cf2728a8a", + "zh:72ff727353151bd1a41ea1d6b2ecf24157918658ccd02d56acd62a7c4d330a7b", + "zh:78c0e4d7e1701fc5b3227d098807b1ed1c6d80c1ee443c0db89c64aeb317a39f", + "zh:a9964f7d9142cdd6f84673e1e936491f14bf1a44dd51fd55525c42fb05208c83", + "zh:ada1ffdebe10a44fcfa330618376fbd5d5daf7a9faad833496162686a98016d0", + "zh:d02d4d5a1fc4b0cb7975311bf37596456ace782ab195281a48338eb2a0f478c1", + "zh:e0fb626158b0cb7d8c5662a518cee8924b00a87312feff9db40b30e26539aa0f", 
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:fa5f683582bc5b12587aa7a78152774f2eaae9cfac0fb61b6de81284abbbea5b",
 ]
 }
diff --git a/terraform/infrastructure/iam/azure/main.tf b/terraform/infrastructure/iam/azure/main.tf
index fe1672165..56b77fb63 100644
--- a/terraform/infrastructure/iam/azure/main.tf
+++ b/terraform/infrastructure/iam/azure/main.tf
@@ -2,11 +2,11 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "4.29.0"
+ version = "4.12.0"
 }
 azuread = {
 source = "hashicorp/azuread"
- version = "3.4.0"
+ version = "3.0.2"
 }
 }
 }
diff --git a/terraform/infrastructure/iam/gcp/.terraform.lock.hcl b/terraform/infrastructure/iam/gcp/.terraform.lock.hcl
index 2fbbe32c2..2f295aaac 100644
--- a/terraform/infrastructure/iam/gcp/.terraform.lock.hcl
+++ b/terraform/infrastructure/iam/gcp/.terraform.lock.hcl
@@ -2,31 +2,31 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/google" { - version = "6.36.0" - constraints = "6.36.0" + version = "6.12.0" + constraints = "6.12.0" hashes = [ - "h1:7UUG6owE+FafOHh0JK8BTM0yOlO7/XbHiEDh087fd0E=", - "h1:80HOG2KFPy07zgflMevKhsKrU8tEFvVncVMZOiffqV0=", - "h1:8aaMc8jT1GL3I15Aiz9Lr6k8+u79Fo3D6KA4Np+JUI8=", - "h1:aQ8E+XveXDO6zbqO1upcKqkrWr+5dwxowmQgMZ/zgrM=", - "h1:e/3n+WKR/ikY8m/MIAHOvH1HFY1fng76SEpnvGStxMU=", - "h1:fcjI1cXeKYJDWcgUXL+UPD23HIN4IDJjlc7XVD3i3Bc=", - "h1:iQx5xJnQvBN2aUdQbWZQPmtuT0xjfaNpFJD3qzOvC7U=", - "h1:kRbYOLtROkOjc3XMgptzFWKdgRCjyf2FH0UTlCJXkg8=", - "h1:lxi5P8TBMfiKk88FI4xM2Lnwlk2+Q3r9oa4yrg83x1w=", - "h1:m085EpkXRmg1TqRbPP6RxdVmlwJJujvyfMtznvURS04=", - "h1:vvvbnteZLIMosgsxO6YXDgxGYdU5BuSxPD1w4f4LV6c=", - "zh:0a67432c04d4c74829632cc5669b8c5988f837259333307e07c2915a0529b3fb", - "zh:4559afe21bb59e8fb9e3e7414ea65b6be233e8f217e8683dd0e9c347ecadf910", - "zh:58a34fe3b28271deba9a44db1e704c2844f2e30e252ded5f200a8f9af170d52d", - "zh:6b07f388b4fb2189d9fe3a058831e5c755092f7bd5f7388a1c0d9583f8c43ef0", - "zh:6fae25f93bf4a6fd59ce0f9d05e8551b65b4be7084f5e6e5f528ab011dbbef6a", - "zh:73be19906c569f1d46b8f88d3e846bd8dabd6ed65d8ba9a91f67da5365b534dc", - "zh:7b047330342f600e92c02e248f72eefae1a2e01c16ef45cc533942eb73c49c06", - "zh:9fecf5cdf1a16b9b9c1e83dc6129a40bfbc9e640252d2afddd34dc61de213330", - "zh:c557ea7357880615af290452ff06bc23bd3821132783240bd7cd75aadf16a04a", - "zh:dc11ad9a0b595b70490326563ea5f77de9c69aba0ee959971392e46b10a3c246", - "zh:ed8dc5d5ce3d8e3c1648c3fc6f48a19da9ed38d0157c33019c74b7790480c29f", + "h1:D6eBvo6Qs3OXXMwB2vFBhKuiL/TMNu5bBtjznSPbBH0=", + "h1:JuVRL27b9/g/FdblPwGZEacECBZRIuHZ+nzRgpIDduo=", + "h1:MgQU4YOpoJQngarNuPfvNKF4r7YyqYii7DBOiiaKBEw=", + "h1:OQp1STR+bhXfBQKs02krIJuELZ2c4GmGhlBd4bSq128=", + "h1:OvpG2uAeuIc19TFOQrr+s7Ded6sVBripLWLIzeWn90U=", + "h1:PmkvZRF8v7SszpUP4l9gXfhlVwq3z+HrTE39qusLrBw=", + "h1:WZulOZ1tthsLm/w7t7yy3C7JZ8QIXfO+QMEEW1pjrAY=", + 
"h1:Yez7eMayTGGmX/LCIDD3Xgnktpv/701g2zotNmg6u2o=", + "h1:nQTLHstv9bSviqpeBRzCfUG1lD8j+3f6Daxuv32At8k=", + "h1:rvZHMkoxkHrBYQXb/waoZiD2oo3FS1AF8HoWHlb6SN8=", + "h1:zpwamvGGsck1qNunJeyfolgiBDOJpXVINPzLLSECpjY=", + "zh:14701aa307a832d99f567b8056a4c5e4ee5a403d984c98f024deee7507a3f29c", + "zh:344eca00ffb2643c2fa7f52f069b659d50bb4c9369df4cad96ea0fadb54282c8", + "zh:5fb57c0acfd4d30a39941900040d5518a909d8c975af0c4366a7bfd0d0bb09a8", + "zh:617a77048a5b9aa568e8bc706cc84307a237b2dd0e49709028b283f8bbe42475", + "zh:677837a05fefe0342cf4d4bdc494e8fd4d62331cac947820e73df37e8f512688", + "zh:7b79f6e02474eef4a1480fc6589afb63ed16b25bf019b6056f9838e2845e2ef8", + "zh:7d891fceb5b15e81240d829f42e1a36e4c812bfc1abe7856756e59101932205f", + "zh:97f1e0ac799faf382426e070e888fac36b0867597b460dc95b0e7f657de21ba9", + "zh:9855f2f2f5919ff6a6a2c982439c910d28c8978ad18cd8f549a5d1ba9b4dc4c3", + "zh:ac551367180eb396af2a50244e80243d333d600a76002e29935262d76a02290b", + "zh:c354f34e6579933d21a98ce7f31f4ef8aeaceb04cfaedaff6d3f3c0be56b2c79", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } diff --git a/terraform/infrastructure/iam/gcp/main.tf b/terraform/infrastructure/iam/gcp/main.tf index 3c45be09e..b105aee22 100644 --- a/terraform/infrastructure/iam/gcp/main.tf +++ b/terraform/infrastructure/iam/gcp/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "6.36.0" + version = "6.12.0" } } } 
@@ -13,19 +13,8 @@ provider "google" {
 zone = var.zone
 }
-locals {
- sa_name = var.name_prefix == "" ? var.service_account_id : "${var.name_prefix}-sa"
- sa_vm_name = var.name_prefix == "" ? "${var.service_account_id}-vm" : "${var.name_prefix}-sa-vm"
-}
-
-resource "google_service_account" "vm" {
- account_id = local.sa_vm_name
- display_name = "Constellation service account for VMs"
- description = "Service account used by the VMs"
-}
-
 resource "google_service_account" "service_account" {
- account_id = local.sa_name
+ account_id = var.service_account_id
 display_name = "Constellation service account"
 description = "Service account used inside Constellation"
 }
@@ -76,31 +65,6 @@ resource "google_project_iam_member" "iam_service_account_user_role" {
 depends_on = [null_resource.delay]
 }
-resource "google_project_iam_custom_role" "vm" {
- # role_id must not contain dashes
- role_id = replace("${local.sa_vm_name}-role", "-", "_")
- title = "Constellation IAM role for VMs"
- description = "Constellation IAM role for VMs"
- permissions = [
- "compute.instances.get",
- "compute.instances.list",
- "compute.subnetworks.get",
- "compute.globalForwardingRules.list",
- "compute.zones.list",
- "compute.forwardingRules.list",
- ]
-}
-
-resource "google_project_iam_binding" "custom_role_vm_to_service_account_vm" {
- project = var.project_id
- role = "projects/${var.project_id}/roles/${google_project_iam_custom_role.vm.role_id}"
-
- members = [
- "serviceAccount:${google_service_account.vm.email}",
- ]
- depends_on = [null_resource.delay]
-}
-
 resource "google_service_account_key" "service_account_key" {
 service_account_id = google_service_account.service_account.name
 depends_on = [null_resource.delay]
diff --git a/terraform/infrastructure/iam/gcp/outputs.tf b/terraform/infrastructure/iam/gcp/outputs.tf
index 45d586de6..437261bb8 100644
--- a/terraform/infrastructure/iam/gcp/outputs.tf
+++ b/terraform/infrastructure/iam/gcp/outputs.tf
@@ -3,9 +3,3 @@ output "service_account_key" { description = "Private key of the service account." sensitive = true } - -output "service_account_mail_vm" { - value = google_service_account.vm.email - description = "Mail address of the service account to be attached to the VMs" - sensitive = false -} diff --git a/terraform/infrastructure/iam/gcp/variables.tf b/terraform/infrastructure/iam/gcp/variables.tf index 37dc35144..19c25d787 100644 --- a/terraform/infrastructure/iam/gcp/variables.tf +++ b/terraform/infrastructure/iam/gcp/variables.tf @@ -5,13 +5,7 @@ variable "project_id" { variable "service_account_id" { type = string - default = null - description = "[DEPRECATED use var.name_prefix] ID for the service account being created. Must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$." -} - -variable "name_prefix" { - type = string - description = "Prefix to be used for all resources created by this module." + description = "ID for the service account being created. Must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$." } variable "region" { diff --git a/terraform/infrastructure/openstack/.terraform.lock.hcl b/terraform/infrastructure/openstack/.terraform.lock.hcl index 292f31c77..73faa0ec0 100644 --- a/terraform/infrastructure/openstack/.terraform.lock.hcl +++ b/terraform/infrastructure/openstack/.terraform.lock.hcl 
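Review bot: The new `service_account_id` variable states in its description that the value must match `^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$`, but nothing in the hunk enforces it, so a malformed ID is only rejected by the provider at apply time. Since this hunk also drops `default = null` and the variable becomes required, a `validation` block gives a plan-time failure with a clear message instead. Terraform's `regex` function accepts the non-capturing group already used in the description, so the same pattern can be reused verbatim.
```hcl
variable "service_account_id" {
  type        = string
  description = "ID for the service account being created. Must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$."
  validation {
    condition     = can(regex("^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$", var.service_account_id))
    error_message = "service_account_id must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$."
  }
}
```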
@@ -2,93 +2,87 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } provider "registry.terraform.io/stackitcloud/stackit" { - version = "0.53.0" - constraints = "0.53.0" + version = "0.35.0" + constraints = "0.35.0" hashes = [ - "h1:BVPETE48KhoqyKYClDhUBstmFzRiAcuxe27hQZwDK+Q=", - "h1:FcdIzdfUZY6BPCCng9WImmsfJcRH+iAr8DgRI4Fia04=", - "h1:KhLsCQC08QvAiBFb1LhfpfNSTPUes1JJUOuTPmDbn2c=", - "h1:KpyF8wGtsxPKJjDla/r93FftL7qFCe/MtiN+1ug1+No=", - "h1:P6OSZsAasyZIgC2xllDldPv4Bvg6uXPPNzxkicTwuq0=", - "h1:P7uxrCcb0itwa44WmUpAfb/bpg74lT+yDiAcveM0aa8=", - "h1:QPX1BtGEBa51bKpsGPPqV0Ssuhn64xJcEohBtyEY3Pg=", - "h1:RmmMw2xkNYRFyuI3qqL1JpnIWSXLV51DSSZeil8Ec6w=", - "h1:RwiKzxuiJ+dOvaFQ/A92zLGz5JLN+0fA7riYFrNKZ9Y=", - "h1:To9R3LyIlT+S/6d/tcgQgxaKB3UWoaaNBAhbWs5wYGM=", - "h1:UQpT+MqZyPRX5usq1u77GUDTW5UFVcvh+fkDItGZfzM=", - "h1:bLlVOzfu3fje3M81Whny1yQiOC89r4x4Akw6JNzy2fk=", - "h1:hQasTcIA5yfYrgbelOcceatBDj8//shVvNfUAZyOOAc=", - "h1:xXlBF8c3btnkAIgBiipcpsvbMK6n2+/8OqNAGxBhni8=", + "h1:Cc+HFJYbY2X9KsgMvLhikdjz/bN671/osUkXFT+H1AI=", + "h1:GnJ+gbhhJ+ZdH5L5QS4eMi638nafDqxcRsrZQLJPHnU=", + "h1:V/ayYinMV9pGGLg7OBPeG0XONnSkmDbWDH3deWtTmM0=", + "h1:Ws8n3pe5/cStjDF6VnRdax9ledzUja2nUNPYTEzdEAs=", + "h1:XwLQ50fsxJ5MGUlJEs7dWIdErbrGgEExSqj22BHwykM=", + 
"h1:ZIays0MW9HD++OUktDQlrBhADXsseUhXI9LNXiV7R0I=", + "h1:a544QqVZaDj2QjSddFynSKjdlbw+cXw+wImF4XbKPW4=", + "h1:kQ7j2jRkEai4Id5BRXnky2ZcytrLP8JMrkVL0vsZJnE=", + "h1:s1s8GBkKD0buf48bKMcj0bQG3cR5Xfyt1MMRik46sTs=", + "h1:srQRAu7VfVWcKaeypDJg4Bvo2AxzZO/cwefxIt+Uduw=", + "h1:tKEqWCG0wcOiYHaWgsqAqF4LOKHU5lahM4t9zpMsBR8=", + "h1:ulAmt5tk9bBD0HjN4c8Cy4Aai7gEbbo6K38Duly7jyE=", + "h1:wPPCGyWv6rjaZ7dcMXNsAK6x+AjVlWClHVC1ctt4lLY=", + "h1:zJozfYwxty/4meQ65hh6fHMqeT2LA7xTvOX3yGB2HPs=", + "zh:0c5ff45f9d8785cf39189908c70ce989423b823f468d5664794aa1352838560f", "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f", - "zh:27df5dd8cd7af79080e071d8c3ef81d792ee7665b569255ec4c931fa5595b7b5", - "zh:452f8ee8dabc0bdf8ec623d186061750a527bb02225c9810f412c46d142bb73a", - "zh:48512ed6362d537687a74f5ddd36ed288e36b8f47ad6ead78c71f5152912c777", - "zh:4e4b2be9cda9f866b47bf4c9b3a9d3c9c8a0c6006d66e9a33f54317694ea48a1", - "zh:5239ec2377e1d186b465b07bd1c71793d7a142a1bfe155abdf84d60d8189b1bc", - "zh:5e506b9e423ff1c65482bd8dcee629cef0789b0879d1b2d61c1e478c4506b2eb", - "zh:705762fa6bfc02ccab39a8b544f9090f63d6e49364c09ac4a2f29878ff53235f", - "zh:882ceb507151aff47ec57808adb2a7104686be46ee34963eecb0fabfd771caf8", - "zh:ab2ba4430a0eb433ee6d0b99c738c6addbcab6bd921b7ed660d55fc979515c29", - "zh:b26b03356b44e6eacaa84aa4170aee4b9afe78f18c48ec209a6a1c0bfe7f4d47", - "zh:b77ddbc99c4a77b1c2410ba7526498be6ee723bb3b42c5dd4e712408119224bf", - "zh:c808c34807aeb34aa0e66ee9c25b523b398925682fa7c0f6b0115dd0e91b2c33", - "zh:d76c00fddbc80140825757f71b22d1c3a64978a4792b52bfde3747ee93f8e7fa", - "zh:fb03cb807d9817693a001bed3334c5636fd61fb745d611b14b013bfdcf066068", + "zh:51c0fee775b63d96a6a95e4022960628d8b5257b744deb8705fc90d8763ebf42", + "zh:7e7a2186713d260911e56b2b5c3adf064cbbca6762b12e7bfe244d7044b3661b", + "zh:859b785d74ab91173738bef0d7f25efc4db21918c3b9a599273b99dcafc6e1cb", + "zh:86b8797678f908c048f4ae0795edde199de2335f5b56a9c6d66cb5c8e88b08e1", + 
"zh:8f12189510b6ec166f2fb8b251c95afb28cf0b5b58733487b4e8bf3da31c68b8", + "zh:a70ab1bd728aacefd7da38f1e8c0634c5b9b8d37ac892adadafc9f5da8965373", + "zh:b5c7dd74c47155d95891b83d8755fc3c6d60c854207a5ba3cb1d4bd82d2ed10f", + "zh:bf5af8348a80b62030b539c963dbe2605954622059468b69487758fa40e276e2", + "zh:d246e353614a76235e834ce4fb26228bd70a6cb14eca60171d12cfb54e9a833c", + "zh:d29e53cedab668531be90745c359a4d4b461a06e867331ba13141adc1b78282d", + "zh:dac9be6f3333389c2d2ea3b206554b397909b413d5bfc10e7054646a96906f0b", + "zh:def772fb3965b36ec684f2d25d9f27ce5cf7905753806d449732cbbf3d3b09e4", + "zh:e2eccc14ce98d05be2d87f1c82e8ea47020598faf14ce9e7c2ee928922530ce1", ] } provider "registry.terraform.io/terraform-provider-openstack/openstack" { - version = "3.0.0" - constraints = "3.0.0" + version = "1.54.1" + constraints = "1.54.1" hashes = [ - "h1:5LLYtkab+Vdg8CE9pI1O8ufh3sTXqWlY3uKxko/y3X8=", - "h1:9/pRGncPl05UJquv3mXwSMU0NVa3ilwPtilcZcNgdys=", - "h1:K/LldMyf/FKaGOWUPAdpkMvKqE7tH+cmxLLhHKHjseQ=", - "h1:i7sj9flNOPDNraNq3QztV+cQ1JeqSQF30xQrY6Vi2Yk=", - "h1:sxq+0vFl4SfV9dlut5liwaH4FejyNIf4ClAjRgowxv8=", - "zh:01718f229597b34ed430236a230a407dacd6289543556d33910e151462e8cb8a", - "zh:2424c5347d35fe0de778d1c40dbe8d9b1278309c4d65cce31709e6fcbec139df", - "zh:2a785f9efd6d8c979031803dd78411a583bc0d9a572ddf5fb9e539cbbfc1ce43", - "zh:8ab18c7eb1fd04b34be75fcecfc461888bd37ff017973f46745abeabd21b3fda", - "zh:98e805318292b58d9692bfe6d3d82e0db0f8044e588a38b239309221198aa92d", - "zh:9a99c9801f96dc69e7c76c5ddc0e2800b77a333becacae530d7a3acd18855347", - "zh:c5aa6690c094be211d2700d7ea44ffe937763e4dd566506c87eb99d6d8330b52", - "zh:d06fc3a148a49aab059a1f08ceadbfe1a5c82c7b80b960169987603dddaaaf58", - "zh:d079da24a9f2cc0d6fec9616e7ebe994245a3d98da629f012069c26d650edb05", - "zh:d1d2b63dba9045a4ff3869c65ddcaf2703d993254b58b2a0230d067f5c036de2", - "zh:d2b9d09c47e7eca08091da825cdf0982dc30089ee401888ce8704b79c7636e95", - "zh:dd6be78f98772bfc1ebf022fc36e5d68ef0f165f9e87476430d4e0dc3f1cc57f", - 
"zh:e7743c11dd0c83a5c1905f04ffd490b4471941218b4c841b760223fcf416affd", - "zh:f234aefac77f4e9a2b05877a00d322ee165009713d79a8d8e19039c6c6f7cf1b", + "h1:Cqk18+r4bJF/sIusEK9lM0gc841RwsJ8AMhWyiU7lig=", + "h1:Cs9sP2V0MssWIQo+gur9soaNAAQleRaWdnvFP61s0Y0=", + "h1:JC0mScAPBs1MlHeEIPMZTQGhTA5aIG3iEuKMSPpR31E=", + "h1:jx2WdbttenKA2gWZDil6ffQT2CcY/TZ46pG0FlbNPuY=", + "h1:xt7LbO3lAXcDUjDxPHrQtgv4mO2GKvSOFMF1uPsK4vE=", + "zh:45ba84df17f94b15af7aab7007241e035dde8a5b46aeb761259d937058a80f71", + "zh:493b1deb7be9b600e5b1f5da2a9dfd3bce5df0c6d38090614dbe4ed05ade8441", + "zh:53551401fba8c1d5b27a08ee307552b84b1d0c1218f3717a4b766ec701b3e016", + "zh:53629bebb48ce5220f7601d776c2ac1485b6c860cb695f150fb716f5be8aa86d", + "zh:5a20f32cca767bef70b79bc8ecbd10fec3dc8696183e2d29631aa510947cb70d", + "zh:653693f630777e4aa3f410976a5169cf0f2a301516a820b3860de116054ae30a", + "zh:70f2d7bd5f5940f4fc3f023a01468890fbd9d704d0256bc65f7c64fb2cbcd4e4", + "zh:9cc22af51e5124dd5c2e0f1adefb1b08dcff3138aba9c92961cef36b1641d7aa", + "zh:9df45e893f215266159733dbc120809bc3d313188e121532dc6e2d10165e9899", + "zh:cb3e240992069cd6160f5b5cbbd50b70948f25bb337a75e780a0648461505d3f", + "zh:cb8343c0cf1bf5ca4d060826a8b68e3e5935b4a65974c76ac9c071c5a510e67e", + "zh:cc2060f93c66276dff6366b48e3a0e619874e3d939e0d2a39fc6ce10ca91232d", + "zh:d495b3051977018696113eded89c2cddfae0570f2adbdf7e9097c189ba41903e", + "zh:dfad1be943769780d5e948c06db957ce45f98b057a774964da0b82130c22f139", ] } diff --git a/terraform/infrastructure/openstack/main.tf b/terraform/infrastructure/openstack/main.tf index 325279818..ed650ccd1 100644 --- a/terraform/infrastructure/openstack/main.tf +++ b/terraform/infrastructure/openstack/main.tf @@ -2,17 +2,17 @@ terraform { required_providers { openstack = { source = "terraform-provider-openstack/openstack" - version = "3.0.0" + version = "1.54.1" } stackit = { source = "stackitcloud/stackit" - version = "0.53.0" + version = "0.35.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } 
@@ -22,7 +22,7 @@ provider "openstack" { } provider "stackit" { - default_region = "eu01" + region = "eu01" } @@ -43,7 +43,6 @@ locals { { name = "recovery", port = "9999", health_check = "TCP" }, { name = "join", port = "30090", health_check = "TCP" }, var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [], - var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [], ]) cidr_vpc_subnet_nodes = "192.168.178.0/24" cidr_vpc_subnet_lbs = "192.168.177.0/24" diff --git a/terraform/infrastructure/openstack/modules/instance_group/main.tf b/terraform/infrastructure/openstack/modules/instance_group/main.tf index 5f027fdfa..b2feecb5f 100644 --- a/terraform/infrastructure/openstack/modules/instance_group/main.tf +++ b/terraform/infrastructure/openstack/modules/instance_group/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { openstack = { source = "terraform-provider-openstack/openstack" - version = "3.0.0" + version = "1.54.1" } } } diff --git a/terraform/infrastructure/openstack/modules/loadbalancer/main.tf b/terraform/infrastructure/openstack/modules/loadbalancer/main.tf index f86399612..a10a43d8f 100644 --- a/terraform/infrastructure/openstack/modules/loadbalancer/main.tf +++ b/terraform/infrastructure/openstack/modules/loadbalancer/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { openstack = { source = "terraform-provider-openstack/openstack" - version = "3.0.0" + version = "1.54.1" } } } diff --git a/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf b/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf index 50179a534..cbe4e4d0d 100644 --- a/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf +++ b/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { stackit = { source = "stackitcloud/stackit" - version = "0.53.0" + version = "0.35.0" } } } 
diff --git a/terraform/infrastructure/openstack/outputs.tf b/terraform/infrastructure/openstack/outputs.tf index 810b11977..be45ec065 100644 --- a/terraform/infrastructure/openstack/outputs.tf +++ b/terraform/infrastructure/openstack/outputs.tf @@ -36,11 +36,6 @@ output "ip_cidr_node" { description = "CIDR block of the node network." } -output "loadbalancer_address" { - value = openstack_networking_floatingip_v2.public_ip.address - description = "Public loadbalancer address." -} - # OpenStack-specific outputs output "network_id" { diff --git a/terraform/infrastructure/openstack/variables.tf b/terraform/infrastructure/openstack/variables.tf index 3afa8c97a..12242f08b 100644 --- a/terraform/infrastructure/openstack/variables.tf +++ b/terraform/infrastructure/openstack/variables.tf @@ -71,9 +71,3 @@ variable "stackit_project_id" { type = string description = "STACKIT project ID." } - -variable "emergency_ssh" { - type = bool - default = false - description = "Wether to expose the SSH port through the public load balancer." -} diff --git a/terraform/infrastructure/qemu/.terraform.lock.hcl b/terraform/infrastructure/qemu/.terraform.lock.hcl index 1796c477f..f5ecba7ec 100644 --- a/terraform/infrastructure/qemu/.terraform.lock.hcl +++ b/terraform/infrastructure/qemu/.terraform.lock.hcl 
@@ -2,99 +2,92 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/dmacvicar/libvirt" { - version = "0.8.3" - constraints = "0.8.3" + version = "0.8.1" + constraints = "0.8.1" hashes = [ - "h1:4R2L9SlbXt5VVZtQ0vPe1s65UygQT3aKTWpsGKqTnvM=", - "h1:AGOjd7NzTBQAiOjjlUdq5JjuYdWBL6jfrNf+qO7Z+cg=", - "h1:HuCu3y7gzhI1YLYWY7L9c3f5lhJyo5/Peozd50hoj4w=", - "h1:SE2o8WY/6vqSTow2nds6P2+IoJln0TvuF794xBjDIeE=", - "h1:Tttxr3E9O75MM+dDmq5sYHQEw29PwtIj+XDj/5drdfE=", - "h1:Wqa218+IMxnn4psH5r4FlvEL2/LKZRHc4tFm63uOrVc=", - "h1:Z+uoKz1rZ/z0xwEvycBhuDGDwQDKhHUDxlAfKkoGCko=", - "h1:bKZooqVcZ2vCovziB23j4exHuGg8s/FyxjoZ0NIY36Y=", - "h1:dSnCr6ib3qdJot4gXPMe8DW9pHwRPTkN+jkCbG/w4uI=", - "h1:fg6FmBx96CV7M1osSsZ215N47M3TGFeaoy2XVSmh2/Y=", - "h1:h7F4ON38TMmy+8fAoYBaKDOFWv7ZVUnI0J+h7jSL2T8=", - "h1:mymyoJNy7FTe3lkYzgt2Gqgrehn1m1EiqNLrpx5nerk=", - "h1:x44dqohhlnP6MxVsv0c07CcjOERfOBt79QCaoPgtFic=", - "h1:zEKrqI+ape4+ySL7RAZf2PFQ5jBqgfr239zdkyr6U+U=", - "zh:06ff0169beafd1891dc5a30616983abd32004a4f570d1d3dbb5851d84bd1c007", - "zh:2dbdd726d0987cda73b56ecdfbcb98a67485e86a7a44aec976c0081b7239d89d", - "zh:2e195a7bbdfcc13c45460571a5ba848a5c1e746b477c8381058767560f0ac93b", - "zh:3952da13080018c5aec498b73e343c4c22ad884afb8c983138fb7255617aa991", - "zh:478841bcf57df938726ddb90f55c7953fad09db4f6348747519afe7fc84b403b", - "zh:53bce78b03a82c4782acfe1f32c2b46a68fa5fb2fb90d4a5392c90b436b44244", - "zh:5c157f23e9768c67cddf9e847a571adca441607cb5adfb96dbfdd626ceadf92c", - "zh:6bc78d631959fb695664966851308e140c38f3f5cf648dd89756320c2d91765d", - "zh:8605d7d6915190836802654920a8eea3d751ae437273c4f4476dc0ebb9167a1d", - "zh:8b66a22b97331c2a56aed092fd39152d06ad957fd4810aa3f0c4ade0f9b15755", - "zh:92586a47a04082f70bb33f722672127a287caeed109beaaca2668e2e1d6a9caf", - "zh:99a9ee414f5c4268e287660ce8edec2efcba1f79351f83791b64c7e5ab04f569", - "zh:b7cff09fe74b0eb63b5b9aa94de5b33dadbd006d6d5b9578ac476039ea20b062", - "zh:d4188a343ff32c0e03ff28c7e84abce0f43cad2fdbcd9046eaafc247429039ff", + 
"h1:5FeCYHMRIdyECDTNoFsAj8ImUjcJdeyGvLr8Ja1w+EY=", + "h1:7O8wfEcqhW1bvWOUcrxL7cbCrdvXeD6nkXRSbr4KUZA=", + "h1:9PKhle3FeywAgnuJU1qzP1pmv8SSOWKhtVszkt+5+PM=", + "h1:E05LPgJfl9hkZ4q42rQThDy6S9nLajwFF3dPUMJOzIM=", + "h1:EvrKlA6d+0OjWFPy7p15U+suA5deQdgHo7V8x3d1/MM=", + "h1:IKy4tvKIxwGjzvLwVp/gfm9Ce8Iegqx0u3tuPXlwYLM=", + "h1:IxpbyFtBCvMVZVufdITj5SLyYQZSIRTUTRs7b8Pr+tQ=", + "h1:KUGB3qu7THug9hwg+Witf8PInTeMarpT1VnjeHIPE9Y=", + "h1:P89mPLLTUwyEvyUnHNW+m2QIXvjfJ9hTY8xtTl3D29o=", + "h1:PYgdRe26T85VCqUPjCpwWTnq1AN90IlOXf6zMD7rjbk=", + "h1:RcwrppqfAbj9po935/q7SQkEu4LpLcjU34VB8GCDauk=", + "h1:VdVOp9wkDQlo4FE9s1qrjOLDBZT/wWJ13TnasQEMnXw=", + "h1:fsZ4cwYgn7XdtEo/eSoyDlgbO5yycX8Mm5myTp0PGFU=", + "h1:zMNA/zoL1CY5Vdj91hkFhI9bddu5wTEdioeKVaTqxss=", + "zh:126b9c265f5c2c4faf9b6ea6abfd3f86639d6301ba99d11cb87caae65e91eca4", + "zh:282527a99f75468fe20a59e207ccc71f5de545548f1b0c6a4d235cc3664ff095", + "zh:3b44aba6825ef5c909607ac5ec7e2f286de4e8ecc36cc00e3a0780bba372f248", + "zh:41dfed618ef200061d2b7c991fbda7dd8c9c3a919d5952a4ce26315fa2f698e0", + "zh:43e628f793bef68892eefbd9afc571d2314df225c7dd78485a75fbc9e2869442", + "zh:478bb7bd04df95b8d71a33c1bc0d0f8b5ff2fc807c118ca3129ba6b3507fdb70", + "zh:65a5b3c1497e1b12b6d6b9feab2174fc58e861c164c08cdecf2bca10e4612fd4", + "zh:6f07753897cc9e3e9031597548e8716e39bfe7b348d7f271f67a477e1f5c9c22", + "zh:72282261a35e81895d002d6ec2b799404183803f55f5a4ecdb85ab2925196f5d", + "zh:7a7853515f4b9a30f76c10f3c38df4d7562b6b55332a9c07477364a49d2b462f", + "zh:a14dbc814c8aa5ba26b7a4195c28c4822f5024767a10f643de3822b0e32f7be1", + "zh:baa396ad19bb486ac356a89ec759b9355c4fb0a94fd67e49980a2e57fc243960", + "zh:ec626cc9e0e30321313c0ce80aea0dcca9f468da0530ee66beb217526fe8f8ea", + "zh:f4ee4844f3b8ef3d2c13fea620cc816f725daccb596cea0a2f6b18301b9f1d1a", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - 
"h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:4LlZaEeRPQNeQVS/qkH33e0fw92dZV8bS855mhDZ5GU=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:LFe/7Z6YZvnrBcYhSEQY50DfS3uoDKBakwdqVXcEQkc=", + "h1:N2IQabOiZC5eCEGrfgVS6ChVmRDh1ENtfHgGjnV4QQQ=", + "h1:aP69UhBhTPIVy1laxOTwOVRPB5Gv3WP9wKPyAnYd8DI=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:ph2J8mV6yYVsaN6FIsxhpWv//QuloQESo4tAZU732Uk=", + "h1:swbWBC5hf9ijj1BQcCpwLOI1m1tXH2KNGp8TEqnMiAY=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } provider "registry.terraform.io/kreuzwerker/docker" { - version = "3.5.0" - constraints = "3.5.0" + version = "3.0.2" + constraints = "3.0.2" hashes = [ - "h1:2m9zj6qkquTHzwXFp+8NpA6e7n6RgckdzvLcBfCCaX4=", - "h1:5fbzStQvS4Ec+/QKefUVDf/pabuwGBpVgLYeigOpMe8=", - "h1:5ykMfyIfMooAmowvmPXc7sVdkhkATrOSkq98Ca0T4ZQ=", - "h1:CIiLFn0SJ+1b2ArewLFjDThJ6rxFf54u9FATgZD9Kac=", - "h1:GSPQAzIJs+b3Ypy9YUTvF4/RrA8Uawx+liA+cQ7RaP4=", - "h1:TYbKlCFkOOI9hh63nbWT6yvd/0PfBONtMO4jkGvu8Us=", - "h1:TzYSjwiML0arIOHzYWD7dLMZZEg0jLHTiSNNNB9c0H8=", - "h1:bU1vBUeUoyaGMkforubnY6O1udOLwYWReXTnneZ8sDk=", - "h1:d+4qP/GCkGnPyfzSa19M49n+6FkIe1BmuEl+HXSDYXs=", - "h1:f7cuN7GkUm4ucgZzr0DwzdbbXrRUmKvmUHkKL40Zg7U=", - "h1:j0REIQY6zq1P0iDUdo5pGZQZy85/EK5ckvRqqzYMMLQ=", - "h1:q00T95a38TRhPJ90y8okMMGQtbOQPROMr+sCbU/mP8Y=", - "h1:qXkfTd57rY0sp++8oU+qSeSMLRLLOZu7jWEJONOkwek=", - "zh:01fa6b2f9c44fc0f286f27941d3866adb749e34235f25b9d731b4f45f9c8a601", - "zh:0f945042448360b3f44662db4dceb7287236a950cf936bc973735acc7cded206", - "zh:44f1e6b5b451d072e84dffe61dbf2c3fbbb4a9f8e98f921a99025ac19c6adbb6", - "zh:5724f8af7c2bbd0f019114421dd46e7c8983ec7ea9444a03fc3a770510b47f03", - 
"zh:790d0b9bc941d1953a739da5426b6a5efa4db97a9c4bb30c52019536abc40661", - "zh:7b89c7cf131a33604a9b8c3fd7a94b28446beba633bbf52e6e37ea3fef643421", - "zh:7e59eb91e253a3f04b40e1e0b45b027fed0e69fed78cd996788a23d92f02137d", - "zh:9caf1c13d1c6ed6a3b7aa11a61b56623b6bd30a6a1e396558c3dbe82370f34f5", - "zh:ba5b46ae242953fbec32f9f93dc5a81fd2e6962df68f17c670c0533040c74b42", - "zh:cae081982d5931ad265223c09824f2b3cd58a1fe307ccc701188d688ad217e6e", - "zh:cda2545056b6028d84505b18aaf20e7c769f6665fe27e16d2c52e35d23840689", - "zh:e41f2b9901202cb2cf7929005340ffc498ab1ca813005e364af4016a85634b5e", - "zh:e84272077a0287bc68523134292d9b12af54e200e413a89ae37f5788c063de5d", + "h1:DcRxJArfX6EiATluWeCBW7HoD6usz9fMoTK2U3dmyPk=", + "h1:XjdpVL61KtTsuPE8swok3GY8A+Bu3TZs8T2DOEpyiXo=", + "h1:cT2ccWOtlfKYBUE60/v2/4Q6Stk1KYTNnhxSck+VPlU=", + "h1:os8pBi4rbtFJJtzNWlcGhOVsz5V9UPJvo+L0wNQFYE8=", + "h1:tMiDR/3WQYAwE4Z7Xr1iqJN23z2GNr1ARis9yutVgjw=", + "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f", + "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95", + "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138", + "zh:4a9c5065b178082f79ad8160243369c185214d874ff5048556d48d3edd03c4da", + "zh:5438ef6afe057945f28bce43d76c4401254073de01a774760169ac1058830ac2", + "zh:60b7fadc287166e5c9873dfe53a7976d98244979e0ab66428ea0dea1ebf33e06", + "zh:61c5ec1cb94e4c4a4fb1e4a24576d5f39a955f09afb17dab982de62b70a9bdd1", + "zh:a38fe9016ace5f911ab00c88e64b156ebbbbfb72a51a44da3c13d442cd214710", + "zh:c2c4d2b1fd9ebb291c57f524b3bf9d0994ff3e815c0cd9c9bcb87166dc687005", + "zh:d567bb8ce483ab2cf0602e07eae57027a1a53994aba470fa76095912a505533d", + "zh:e83bf05ab6a19dd8c43547ce9a8a511f8c331a124d11ac64687c764ab9d5a792", + "zh:e90c934b5cd65516fbcc454c89a150bfa726e7cf1fe749790c7480bbeb19d387", + "zh:f05f167d2eaf913045d8e7b88c13757e3cf595dd5cd333057fdafc7c4b7fed62", + "zh:fcc9c1cea5ce85e8bcb593862e699a881bd36dffd29e2e367f82d15368659c3d", ] } 
diff --git a/terraform/infrastructure/qemu/main.tf b/terraform/infrastructure/qemu/main.tf index 3c01a07a9..62c283183 100644 --- a/terraform/infrastructure/qemu/main.tf +++ b/terraform/infrastructure/qemu/main.tf @@ -2,15 +2,15 @@ terraform { required_providers { libvirt = { source = "dmacvicar/libvirt" - version = "0.8.3" + version = "0.8.1" } docker = { source = "kreuzwerker/docker" - version = "3.5.0" + version = "3.0.2" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } diff --git a/terraform/infrastructure/qemu/modules/instance_group/main.tf b/terraform/infrastructure/qemu/modules/instance_group/main.tf index 00c83c6df..cd4f43b7d 100644 --- a/terraform/infrastructure/qemu/modules/instance_group/main.tf +++ b/terraform/infrastructure/qemu/modules/instance_group/main.tf @@ -2,11 +2,11 @@ terraform { required_providers { libvirt = { source = "dmacvicar/libvirt" - version = "0.8.3" + version = "0.8.1" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } diff --git a/terraform/legacy-module/README.md b/terraform/legacy-module/README.md new file mode 100644 index 000000000..c755b0a54 --- /dev/null +++ b/terraform/legacy-module/README.md @@ -0,0 +1,6 @@ +## Constellation Terraform Modules + +> [!WARNING] +> The Constellation Terraform modules are deprecated, and support will be discontinued in v2.15.0. +> To continue managing Constellation clusters through Terraform, you can use the [Constellation Terraform provider](https://docs.edgeless.systems/constellation/workflows/terraform-provider). +> Clusters created through the Constellation Terraform modules can also be [imported](https://registry.terraform.io/providers/edgelesssys/constellation/latest/docs/resources/cluster#import) to the Constellation Terraform provider. diff --git a/terraform/legacy-module/aws-constellation/main.tf b/terraform/legacy-module/aws-constellation/main.tf new file mode 100644 index 000000000..83c92528a --- /dev/null 
+++ b/terraform/legacy-module/aws-constellation/main.tf @@ -0,0 +1,68 @@ +locals { + region = substr(var.zone, 0, length(var.zone) - 1) +} + +module "aws_iam" { + source = "../../infrastructure/iam/aws" + name_prefix = var.name_prefix + region = local.region +} + +resource "null_resource" "ensure_yq" { + provisioner "local-exec" { + command = < "image.txt" + + if [ '${var.csp}' = 'azure' ]; then + sed -i 's/CommunityGalleries/communityGalleries/g' image.txt + sed -i 's/Images/images/g' image.txt + sed -i 's/Versions/versions/g' image.txt + fi + EOT +} + + +resource "null_resource" "fetch_image" { + provisioner "local-exec" { + command = local.fetch_image_command + + environment = { + attestation_variant = var.attestation_variant + } + } + provisioner "local-exec" { + when = destroy + command = "rm image.txt" + } + triggers = { + always_run = "${timestamp()}" + } +} + +data "local_file" "image" { + filename = "image.txt" + depends_on = [null_resource.fetch_image] +} diff --git a/terraform/legacy-module/common/fetch-image/output.tf b/terraform/legacy-module/common/fetch-image/output.tf new file mode 100644 index 000000000..8fcdc030f --- /dev/null +++ b/terraform/legacy-module/common/fetch-image/output.tf @@ -0,0 +1,4 @@ +output "image" { + description = "The resolved image ID of the CSP." + value = data.local_file.image.content +} diff --git a/terraform/legacy-module/common/fetch-image/variables.tf b/terraform/legacy-module/common/fetch-image/variables.tf new file mode 100644 index 000000000..25b88bd1b --- /dev/null +++ b/terraform/legacy-module/common/fetch-image/variables.tf 
@@ -0,0 +1,20 @@ +variable "csp" { + description = "The cloud service provider to fetch image data for." + type = string +} + +variable "attestation_variant" { + description = "The attestation variant to fetch image data for." + type = string +} + +variable "region" { + description = "The region to fetch image data for." + type = string + default = "" +} + +variable "image" { + description = "The image reference or semantical release version to fetch image data for." + type = string +} diff --git a/terraform/legacy-module/common/install-yq.sh b/terraform/legacy-module/common/install-yq.sh new file mode 100755 index 000000000..14c375fd9 --- /dev/null +++ b/terraform/legacy-module/common/install-yq.sh 
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+version="v4.35.2"
+if [[ -f ./yq ]] && ./yq --version | grep -q "${version}"; then
+ echo "yq is already available and up to date."
+ exit 0
+fi
+if [[ -f ./yq ]]; then
+ echo "yq is already available but not at the required version. Replacing with ${version}."
+ rm -f yq
+fi
+
+echo "Fetching yq ${version}"
+os=$(uname -s)
+arch=$(uname -m)
+url=""
+
+if [[ ${os} == "Darwin" ]]; then
+ if [[ ${arch} == "arm64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_arm64"
+ elif [[ ${arch} == "x86_64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_amd64"
+ fi
+elif [[ ${os} == "Linux" ]]; then
+ if [[ ${arch} == "x86_64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_amd64"
+ elif [[ ${arch} == "arm64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_arm64"
+ fi
+fi
+
+if [[ -z ${url} ]]; then
+ echo "os \"${os}\" and/or architecture \"${arch}\" is not supported."
+ exit 1
+else
+ echo "Downloading yq from ${url}"
+ curl -o yq -L "${url}"
+ chmod +x ./yq
+ ./yq --version
+ if ! ./yq --version | grep -q "${version}"; then # check that yq was installed correctly
+ echo "Version is incorrect"
+ exit 1
+ fi
+fi
diff --git a/terraform/legacy-module/constellation-cluster/install-constellation.sh b/terraform/legacy-module/constellation-cluster/install-constellation.sh
new file mode 100755
index 000000000..b056db21a
--- /dev/null
+++ b/terraform/legacy-module/constellation-cluster/install-constellation.sh
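Review bot: The yq binary fetched at `curl -o yq -L "${url}"` is made executable and run without any integrity check, and `curl` is called without `--fail`, so an HTTP error body is written to `./yq` and chmod'ed before the trailing version check rejects it. Pinning a per-platform SHA-256 of the release asset next to `version` and verifying it before `chmod +x ./yq` (for example with `sha256sum -c` on Linux and `shasum -a 256` on macOS, using digests copied from the upstream release's checksums file, not values invented here) turns a tampered or truncated download into a hard failure rather than an executable artifact. Switching to `curl -fsSL -o yq "${url}"` also avoids leaving a bogus file in place on a failed download. The script further lacks `set -euo pipefail`, so individual command failures are not fatal on their own.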
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+if [[ -f ./constellation ]]; then
+ echo "constellation CLI is already available."
+ exit 0
+fi
+
+os=$(uname -s)
+arch=$(uname -m)
+version=$1
+url=""
+
+echo "Fetching constellation ${version}"
+
+if [[ ${os} == "Darwin" ]]; then
+ if [[ ${arch} == "arm64" ]]; then
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-darwin-arm64"
+ elif [[ ${arch} == "x86_64" ]]; then
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-darwin-amd64"
+ fi
+elif [[ ${os} == "Linux" ]]; then
+ if [[ ${arch} == "x86_64" ]]; then
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-linux-amd64"
+ elif [[ ${arch} == "arm64" ]]; then
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-linux-arm64"
+ fi
+fi
+
+if [[ -z ${url} ]]; then
+ echo "os \"${os}\" and/or architecture \"${arch}\" is not supported."
+ exit 1
+else
+ curl -o constellation -L "${url}"
+ chmod +x constellation
+fi
diff --git a/terraform/legacy-module/constellation-cluster/main.tf b/terraform/legacy-module/constellation-cluster/main.tf
new file mode 100644
index 000000000..f84406f16
--- /dev/null
+++ b/terraform/legacy-module/constellation-cluster/main.tf
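Review bot: `version=$1` is used without validation, so invoking the script with no argument builds URLs of the form `releases//download/...` and the problem only surfaces as a curl error. The early exit at `if [[ -f ./constellation ]]` also skips the download whenever any file of that name exists, regardless of version, which is inconsistent with install-yq.sh in the same change, where the installed version is compared and a stale binary is replaced. `curl -o constellation -L "${url}"` should use `--fail` so an HTTP error page is not saved and marked executable, and the downloaded CLI is not integrity-checked before `chmod +x constellation`. A guard such as `if [[ -z ${1:-} ]]; then echo "usage: $0 <version>" >&2; exit 1; fi` at the top addresses the first point.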
@@ -0,0 +1,191 @@ +locals { + yq_node_groups = join("\n", flatten([ + for name, group in var.node_groups : [ + "./yq eval '.nodeGroups.${name}.role = \"${group.role}\"' -i constellation-conf.yaml", + "./yq eval '.nodeGroups.${name}.zone = \"${group.zone}\"' -i constellation-conf.yaml", + "./yq eval '.nodeGroups.${name}.instanceType = \"${group.instance_type}\"' -i constellation-conf.yaml", + "./yq eval '.nodeGroups.${name}.stateDiskSizeGB = ${group.disk_size}' -i constellation-conf.yaml", + "./yq eval '.nodeGroups.${name}.stateDiskType = \"${group.disk_type}\"' -i constellation-conf.yaml", + "./yq eval '.nodeGroups.${name}.initialCount = ${group.initial_count}' -i constellation-conf.yaml" + ] + ])) + gcp_sa_file_path = "service_account_file.json" +} + +resource "null_resource" "ensure_cli" { + provisioner "local-exec" { + command = < "${local.gcp_sa_file_path}" + EOT + } + provisioner "local-exec" { + when = destroy + command = "rm ${self.triggers.file_path}" + } + triggers = { + always_run = timestamp() + file_path = local.gcp_sa_file_path + } +} + +resource "null_resource" "gcp_config" { + count = var.gcp_config != null ? 1 : 0 + provisioner "local-exec" { + command = <