diff --git a/.bazelversion b/.bazelversion index 93c8ddab9..eab246c06 100644 --- a/.bazelversion +++ b/.bazelversion @@ -1 +1 @@ -7.6.0 +7.3.2 diff --git a/.github/actions/artifact_download/action.yml b/.github/actions/artifact_download/action.yml index e3cf3d1f8..148adc258 100644 --- a/.github/actions/artifact_download/action.yml +++ b/.github/actions/artifact_download/action.yml @@ -28,7 +28,7 @@ runs: run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT" - name: Download the artifact - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ inputs.name }} path: ${{ steps.tempdir.outputs.directory }} diff --git a/.github/actions/artifact_upload/action.yml b/.github/actions/artifact_upload/action.yml index 2ef3e85a8..50974a9fd 100644 --- a/.github/actions/artifact_upload/action.yml +++ b/.github/actions/artifact_upload/action.yml @@ -69,7 +69,7 @@ runs: done - name: Upload archive as artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: ${{ inputs.name }} path: ${{ steps.tempdir.outputs.directory }}/archive.7z diff --git a/.github/actions/build_cli/action.yml b/.github/actions/build_cli/action.yml index b74b67456..87fd1d055 100644 --- a/.github/actions/build_cli/action.yml +++ b/.github/actions/build_cli/action.yml 
@@ -75,9 +75,11 @@ runs: shell: bash run: bazel run //bazel/release:push + # TODO(3u13r): Replace with https://github.com/sigstore/sigstore-installer/tree/initial + # once it has the functionality - name: Install Cosign if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - name: Install Rekor if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' diff --git a/.github/actions/build_micro_service/action.yml b/.github/actions/build_micro_service/action.yml index 7fecf16a2..e7da91e77 100644 --- a/.github/actions/build_micro_service/action.yml +++ b/.github/actions/build_micro_service/action.yml @@ -42,7 +42,7 @@ runs: - name: Docker metadata id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | ghcr.io/${{ github.repository }}/${{ inputs.name }} @@ -62,7 +62,7 @@ runs: - name: Build and push container image id: build-micro-service - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: context: . file: ${{ inputs.dockerfile }} diff --git a/.github/actions/cdbg_deploy/action.yml b/.github/actions/cdbg_deploy/action.yml index a51c54b6a..b82a67226 100644 --- a/.github/actions/cdbg_deploy/action.yml +++ b/.github/actions/cdbg_deploy/action.yml 
@@ -61,7 +61,7 @@ runs: - name: Login to AWS (IAM service principal) if: inputs.cloudProvider == 'aws' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM aws-region: eu-central-1 @@ -80,7 +80,7 @@ runs: - name: Login to AWS (Cluster service principal) if: inputs.cloudProvider == 'aws' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster aws-region: eu-central-1 diff --git a/.github/actions/check_measurements_reproducibility/action.yml b/.github/actions/check_measurements_reproducibility/action.yml deleted file mode 100644 index 184e1221f..000000000 --- a/.github/actions/check_measurements_reproducibility/action.yml +++ /dev/null 
@@ -1,64 +0,0 @@ -name: Check measurements reproducibility -description: Check if the measurements of a given release are reproducible. - -inputs: - version: - type: string - description: The version of the measurements that are downloaded from the CDN. - required: true - ref: - type: string - description: The git ref to check out. You probably want this to be the tag of the release you are testing. - required: true - -runs: - using: "composite" - steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ inputs.ref }} - path: ./release - - - name: Set up bazel - uses: ./.github/actions/setup_bazel_nix - with: - useCache: "false" - nixTools: | - systemdUkify - jq - jd-diff-patch - moreutils - - - name: Allow unrestricted user namespaces - shell: bash - run: | - sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0 - sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0 - - - name: Build images - id: build-images - shell: bash - run: | - set -euo pipefail - - # Build required binaries - pushd release - bazel build //image/system:stable - echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT" - popd - - - name: Download measurements - shell: bash - run: | - curl -fsLO https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ inputs.version }}/image/measurements.json - - - name: Cleanup release measurements and generate our own - shell: bash - run: | - ${{ github.action_path }}/create_measurements.sh "${{ steps.build-images.outputs.buildPath }}" - - - name: Compare measurements - shell: bash - run: | - ${{ github.action_path }}/compare_measurements.sh "${{ steps.build-images.outputs.buildPath }}" diff --git a/.github/actions/check_measurements_reproducibility/compare_measurements.sh b/.github/actions/check_measurements_reproducibility/compare_measurements.sh deleted file mode 100755 index 5077a05f2..000000000 
--- a/.github/actions/check_measurements_reproducibility/compare_measurements.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/env bash -# no -e since we need to collect errors later -# no -u since it interferes with checking associative arrays -set -o pipefail -shopt -s extglob - -declare -A errors - -for directory in "$1"/system/!(mkosi_wrapper.sh); do - dirname="$(basename "$directory")" - attestationVariant="$(echo "$dirname" | cut -d_ -f2)" - - echo "Their measurements for $attestationVariant:" - ts " " < "$attestationVariant"_their-measurements.json - echo "Own measurements for $attestationVariant:" - ts " " < "$attestationVariant"_own-measurements.json - - diff="$(jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json)" - if [[ -n $diff ]]; then - errors["$attestationVariant"]="$diff" - fi -done - -for attestationVariant in "${!errors[@]}"; do - echo "Failed to reproduce measurements for $attestationVariant:" - echo "${errors["$attestationVariant"]}" | ts " " -done - -if [[ ${#errors[@]} -ne 0 ]]; then - exit 1 -fi diff --git a/.github/actions/check_measurements_reproducibility/create_measurements.sh b/.github/actions/check_measurements_reproducibility/create_measurements.sh deleted file mode 100755 index 4cabd5df0..000000000 --- a/.github/actions/check_measurements_reproducibility/create_measurements.sh +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail -shopt -s extglob - -for directory in "$1"/system/!(mkosi_wrapper.sh); do - dirname="$(basename "$directory")" - csp="$(echo "$dirname" | cut -d_ -f1)" - attestationVariant="$(echo "$dirname" | cut -d_ -f2)" - - # This jq filter selects the measurements for the correct CSP and attestation variant - # and then removes all `warnOnly: true` measurements. - jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \ - ' - .list.[] - | select( - .attestationVariant == $attestation_variant - and (.csp | ascii_downcase) == $csp - ) - | .measurements - | to_entries - | map(select(.value.warnOnly | not)) - | from_entries - | del(.[] .warnOnly) - ' \ - measurements.json > "$attestationVariant"_their-measurements.json - - bazel run --run_under "sudo --preserve-env" //image/measured-boot/cmd -- "$directory/constellation" /dev/stdout | jq '.measurements' > ./"$attestationVariant"_own-measurements.json -done diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml index caec827d6..63cddf9d8 100644 --- a/.github/actions/constellation_create/action.yml +++ b/.github/actions/constellation_create/action.yml @@ -257,9 +257,9 @@ runs: continue-on-error: true uses: ./.github/actions/artifact_upload with: - name: debug-logs-${{ inputs.artifactNameSuffix }} - path: | - *.log + name: serial-logs-${{ inputs.artifactNameSuffix }} + path: > + !(terraform).log encryptionSecret: ${{ inputs.encryptionSecret }} - name: Prepare terraform state folders 
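Review bot: `!(terraform).log` is a bash extglob pattern rather than a plain glob, so unless the loop inside `./.github/actions/artifact_upload` runs with `shopt -s extglob` (its body is not in this diff) the pattern is passed through literally and the step uploads no serial logs at all. Excluding the terraform log is sensible, since the `--tf-log=DEBUG` output requested elsewhere in these actions can include provider request and response data, but the intent is not stated anywhere. Suggest a comment above `path:` such as `# serial logs only; terraform debug logs are excluded on purpose (extglob pattern, needs shopt -s extglob in artifact_upload)`. The folded `>` scalar would also join a second pattern onto the same line if one is ever added; `|` keeps one pattern per line, which is what the old value used.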
@@ -268,12 +268,9 @@ runs: run: | mkdir to-zip cp -r constellation-terraform to-zip - # constellation-iam-terraform is optional - if [ -d constellation-iam-terraform ]; then - cp -r constellation-iam-terraform to-zip - fi + cp -r constellation-iam-terraform to-zip rm -f to-zip/constellation-terraform/plan.zip - rm -rf to-zip/*/.terraform + rm -rf to-zip/constellation-terraform/.terraform to-zip/constellation-iam-terraform/.terraform - name: Upload terraform state if: always() diff --git a/.github/actions/constellation_destroy/action.yml b/.github/actions/constellation_destroy/action.yml index c09148efa..9ae79efd2 100644 --- a/.github/actions/constellation_destroy/action.yml +++ b/.github/actions/constellation_destroy/action.yml @@ -67,7 +67,7 @@ runs: - name: Login to AWS (Cluster role) if: inputs.cloudProvider == 'aws' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster aws-region: eu-central-1 diff --git a/.github/actions/constellation_iam_create/action.yml b/.github/actions/constellation_iam_create/action.yml index 46c5ef939..a6607d982 100644 --- a/.github/actions/constellation_iam_create/action.yml +++ b/.github/actions/constellation_iam_create/action.yml @@ -42,15 +42,6 @@ inputs: gcpZone: description: "The GCP zone to deploy Constellation in." required: false - # - # STACKIT specific inputs - # - stackitZone: - description: "The STACKIT zone to deploy Constellation in." - required: false - stackitProjectID: - description: "The STACKIT project ID to deploy Constellation in." - required: false runs: using: "composite" @@ -102,7 +93,6 @@ runs: --tf-log=DEBUG \ --yes ${extraFlags} - # TODO: Replace deprecated --serviceAccountID with --prefix - name: Constellation iam create gcp shell: bash if: inputs.cloudProvider == 'gcp' 
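Review bot: `cp -r constellation-iam-terraform to-zip` now runs unconditionally, although the comment removed in this hunk documented that directory as optional; if the step uses `shell: bash` (its `shell:` line is outside the hunk), GitHub runs it with `-e`, so a missing directory fails the step before the cluster state is zipped and the following `Upload terraform state` step has nothing to upload. Keep the guard as a single line: `if [ -d constellation-iam-terraform ]; then cp -r constellation-iam-terraform to-zip; fi`. The `rm -rf` on the next line already tolerates an absent `.terraform` folder, so nothing else needs to change.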
@@ -114,13 +104,3 @@ runs: --update-config \ --tf-log=DEBUG \ --yes - - - name: Set STACKIT-specific configuration - shell: bash - if: inputs.cloudProvider == 'stackit' - env: - STACKIT_PROJECT_ID: ${{ inputs.stackitProjectID }} - run: | - yq eval -i "(.provider.openstack.stackitProjectID) = \"${STACKIT_PROJECT_ID}\"" constellation-conf.yaml - yq eval -i "(.provider.openstack.availabilityZone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml - yq eval -i "(.nodeGroups.[].zone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml diff --git a/.github/actions/constellation_iam_destroy/action.yml b/.github/actions/constellation_iam_destroy/action.yml index 98109d740..e89dd7c5d 100644 --- a/.github/actions/constellation_iam_destroy/action.yml +++ b/.github/actions/constellation_iam_destroy/action.yml @@ -23,7 +23,7 @@ runs: - name: Login to AWS (IAM role) if: inputs.cloudProvider == 'aws' - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM aws-region: eu-central-1 diff --git a/.github/actions/container_registry_login/action.yml b/.github/actions/container_registry_login/action.yml index 929af6361..1c0e5d50f 100644 --- a/.github/actions/container_registry_login/action.yml +++ b/.github/actions/container_registry_login/action.yml @@ -17,7 +17,7 @@ runs: steps: - name: Use docker for logging in if: runner.os != 'macOS' - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ${{ inputs.registry }} username: ${{ inputs.username }} diff --git a/.github/actions/container_sbom/action.yml b/.github/actions/container_sbom/action.yml index 0d259003d..a100f3f6e 100644 --- a/.github/actions/container_sbom/action.yml 
+++ b/.github/actions/container_sbom/action.yml @@ -19,7 +19,7 @@ runs: steps: - name: Install Cosign if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - name: Download Syft & Grype uses: ./.github/actions/install_syft_grype @@ -36,7 +36,7 @@ runs: syft packages ${{ inputs.containerReference }} -o cyclonedx-json > container-image-predicate.json cosign attest ${{ inputs.containerReference }} --key env://COSIGN_PRIVATE_KEY --predicate container-image-predicate.json --type "https://cyclonedx.org/bom" > container-image.att.json cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json - # TODO: type should be auto-discovered after issue is resolved: + # TODO(3u13r): type should be auto-discovered after issue is resolved: # https://github.com/sigstore/cosign/issues/2264 cosign verify-attestation ${{ inputs.containerReference }} --type "https://cyclonedx.org/bom" --key env://COSIGN_PUBLIC_KEY grype ${{ inputs.containerReference }} --fail-on high --only-fixed --add-cpes-if-none diff --git a/.github/actions/deploy_logcollection/action.yml b/.github/actions/deploy_logcollection/action.yml index 78abb5146..294367dbf 100644 --- a/.github/actions/deploy_logcollection/action.yml +++ b/.github/actions/deploy_logcollection/action.yml @@ -67,7 +67,7 @@ runs: # Make sure that helm is installed # This is not always the case, e.g. on MacOS runners - name: Install Helm - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: version: v3.9.0 diff --git a/.github/actions/download_release_binaries/action.yml b/.github/actions/download_release_binaries/action.yml index 6b5604c24..a336a5e43 100644 
--- a/.github/actions/download_release_binaries/action.yml +++ b/.github/actions/download_release_binaries/action.yml 
@@ -5,51 +5,51 @@ runs: using: "composite" steps: - name: Download CLI binaries darwin-amd64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation-darwin-amd64 - name: Download CLI binaries darwin-arm64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation-darwin-arm64 - name: Download CLI binaries linux-amd64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation-linux-amd64 - name: Download CLI binaries linux-arm64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation-linux-arm64 - name: Download CLI binaries windows-amd64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: constellation-windows-amd64 - name: Download Terraform module - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: terraform-module - name: Download Terraform provider binary darwin-amd64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: terraform-provider-constellation-darwin-amd64 - name: Download Terraform provider binary darwin-arm64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: 
actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: terraform-provider-constellation-darwin-arm64 - name: Download Terraform provider binary linux-amd64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: terraform-provider-constellation-linux-amd64 - name: Download Terraform provider binary linux-arm64 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: terraform-provider-constellation-linux-arm64 diff --git a/.github/actions/e2e_attestationconfigapi/action.yml b/.github/actions/e2e_attestationconfigapi/action.yml index 9ffad3040..02ec28084 100644 --- a/.github/actions/e2e_attestationconfigapi/action.yml +++ b/.github/actions/e2e_attestationconfigapi/action.yml @@ -19,7 +19,7 @@ runs: uses: ./.github/actions/setup_bazel_nix - name: Login to AWS - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubTestResourceAPI aws-region: eu-west-1 diff --git a/.github/actions/e2e_benchmark/action.yml b/.github/actions/e2e_benchmark/action.yml index ee741c19f..d55a4c214 100644 --- a/.github/actions/e2e_benchmark/action.yml +++ b/.github/actions/e2e_benchmark/action.yml @@ -32,9 +32,9 @@ runs: steps: - name: Setup python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: - python-version: "3.13" + python-version: "3.10" - name: Install kubestr shell: bash 
@@ -166,7 +166,7 @@ runs: encryptionSecret: ${{ inputs.encryptionSecret }} - name: Assume AWS role to retrieve and update benchmarks in S3 - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks aws-region: us-east-2 diff --git a/.github/actions/e2e_benchmark/evaluate/requirements.txt b/.github/actions/e2e_benchmark/evaluate/requirements.txt index c2208b0c2..ea9316757 100644 --- a/.github/actions/e2e_benchmark/evaluate/requirements.txt +++ b/.github/actions/e2e_benchmark/evaluate/requirements.txt @@ -1,3 +1,3 @@ -numpy ==2.3.0 -matplotlib ==3.10.3 -Pillow ==11.3.0 \ No newline at end of file +numpy ==1.26.4 +matplotlib ==3.8.3 +Pillow ==10.3.0 \ No newline at end of file diff --git a/.github/actions/e2e_cleanup_timeframe/action.yml b/.github/actions/e2e_cleanup_timeframe/action.yml index c77be2431..bfe40cbf3 100644 --- a/.github/actions/e2e_cleanup_timeframe/action.yml +++ b/.github/actions/e2e_cleanup_timeframe/action.yml @@ -11,18 +11,12 @@ inputs: azure_credentials: description: "Credentials authorized to create Constellation on Azure." required: true - openStackCloudsYaml: - description: "The contents of ~/.config/openstack/clouds.yaml" - required: false - stackitUat: - description: "The UAT for STACKIT" - required: false runs: using: "composite" steps: - name: Authenticate AWS - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EDestroy aws-region: eu-central-1 
@@ -37,16 +31,6 @@ runs: with: service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com" - - name: Login to OpenStack - uses: ./.github/actions/login_openstack - with: - clouds_yaml: ${{ inputs.openStackCloudsYaml }} - - - name: Login to STACKIT - uses: ./.github/actions/login_stackit - with: - serviceAccountToken: ${{ inputs.stackitUat }} - - name: Install tools uses: ./.github/actions/setup_bazel_nix with: diff --git a/.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh b/.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh index 0796ae1a0..a88e714c5 100755 --- a/.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh +++ b/.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh @@ -2,7 +2,7 @@ # get_e2e_test_ids_on_date gets all workflow IDs of workflows that contain "e2e" on a specific date. function get_e2e_test_ids_on_date { - ids="$(gh run list --created "$1" --status failure --json createdAt,workflowName,databaseId --jq '.[] | select(.workflowName | (contains("e2e") or contains("Release")) and (contains("MiniConstellation") | not)) | .databaseId' -L1000 -R edgelesssys/constellation || exit 1)" + ids="$(gh run list --created "$1" --status failure --json createdAt,workflowName,databaseId --jq '.[] | select(.workflowName | contains("e2e") and (contains("MiniConstellation") | not)) | .databaseId' -L1000 -R edgelesssys/constellation || exit 1)" echo "${ids}" } 
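Review bot: `|| exit 1` inside the `$( … )` in `get_e2e_test_ids_on_date` only terminates the command-substitution subshell, so a failing `gh run list` (expired token, rate limit) leaves `ids` empty and the cleanup silently reports nothing to delete for that day. The new filter keeps that construct; move the check onto the assignment, `ids="$(gh run list … -R edgelesssys/constellation)" || exit 1`, which propagates the substitution's exit status. Worth a comment on the function as well: `# exits non-zero if the gh query fails, so a failed query is never mistaken for a day with nothing to clean`.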
@@ -11,23 +11,24 @@ function download_tfstate_artifact { gh run download "$1" -p "terraform-state-*" -R edgelesssys/constellation > /dev/null } -# delete_terraform_resources runs terraform destroy on the given folder. -function delete_terraform_resources { - delete_err=0 - if pushd "${1}/${2}"; then - # Workaround for cleaning up Azure resources - # We include a data source that is only used to generate output - # If this data source is deleted before we call terraform destroy, - # terraform will first try to evaluate the data source and fail, - # causing the destroy to fail as well. - sed -i '/data "azurerm_user_assigned_identity" "uaid" {/,/}/d' main.tf - sed -i '/output "user_assigned_identity_client_id" {/,/}/d' outputs.tf - - terraform init > /dev/null || delete_err=1 # first, install plugins - terraform destroy -auto-approve || delete_err=1 - popd || exit 1 +# delete_resources runs terraform destroy on the constellation-terraform subfolder of a given folder. +function delete_resources { + if [[ -d "$1/constellation-terraform" ]]; then + cd "$1/constellation-terraform" || exit 1 + terraform init > /dev/null || exit 1 # first, install plugins + terraform destroy -auto-approve || exit 1 + cd ../../ || exit 1 + fi +} + +# delete_iam_config runs terraform destroy on the constellation-iam-terraform subfolder of a given folder. +function delete_iam_config { + if [[ -d "$1/constellation-iam-terraform" ]]; then + cd "$1/constellation-iam-terraform" || exit 1 + terraform init > /dev/null || exit 1 # first, install plugins + terraform destroy -auto-approve || exit 1 + cd ../../ || exit 1 fi - return "${delete_err}" } # check if the password for artifact decryption was given @@ -41,7 +42,7 @@ artifact_pwd=${ENCRYPTION_SECRET} shopt -s nullglob start_date=$(date "+%Y-%m-%d") -end_date=$(date --date "-4 day" "+%Y-%m-%d") +end_date=$(date --date "-7 day" "+%Y-%m-%d") dates_to_clean=() # get all dates of the last week 
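Review bot: `delete_resources` and `delete_iam_config` now `exit 1` on the first failing `terraform init` or `terraform destroy`, so every later `terraform-state-*` directory in the loop of the `@@ -84,25 +85,13 @@` hunk is skipped and its cloud resources stay alive until the next scheduled run, whereas a per-directory failure used to be recorded and the loop continued. The two functions are also identical apart from the subfolder name, and each returns with a relative `cd ../../` that is only correct because the loop passes paths of the form `./terraform-state-*`. A single function taking the subfolder as a parameter, using `pushd`/`popd` and returning a status lets the loop record failures and exit non-zero once every directory has been attempted; the loop and the final `exit 0` in the `@@ -84` hunk change accordingly.
```shell
# delete_terraform_dir runs terraform destroy in "$1/$2" (if it exists) and
# returns non-zero on failure instead of exiting, so the caller can keep
# cleaning the remaining state directories.
function delete_terraform_dir {
  local status=0
  if [[ -d "$1/$2" ]]; then
    pushd "$1/$2" > /dev/null || return 1
    terraform init > /dev/null || status=1 # first, install plugins
    terraform destroy -auto-approve || status=1
    popd > /dev/null || return 1
  fi
  return "${status}"
}

# … unchanged: password check, date range, artifact download, plugin cache …

error_occurred=0
for directory in ./terraform-state-*; do
  echo "  deleting resources in ${directory}"
  delete_terraform_dir "${directory}" "constellation-terraform" || error_occurred=1
  echo "  deleting IAM configuration in ${directory}"
  delete_terraform_dir "${directory}" "constellation-iam-terraform" || error_occurred=1
  # … unchanged: rm -rf "${directory}" …
done
exit "${error_occurred}"
```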
@@ -84,25 +85,13 @@ export TF_PLUGIN_CACHE_DIR="${HOME}/tf_plugin_cache" echo "[*] created terraform cache directory ${TF_PLUGIN_CACHE_DIR}" echo "[*] deleting resources" -error_occurred=0 for directory in ./terraform-state-*; do echo " deleting resources in ${directory}" - if ! delete_terraform_resources "${directory}" "constellation-terraform"; then - echo "[!] deleting resources failed" - error_occurred=1 - fi + delete_resources "${directory}" echo " deleting IAM configuration in ${directory}" - if ! delete_terraform_resources "${directory}" "constellation-iam-terraform"; then - echo "[!] deleting IAM resources failed" - error_occurred=1 - fi + delete_iam_config "${directory}" echo " deleting directory ${directory}" rm -rf "${directory}" done -if [[ ${error_occurred} -ne 0 ]]; then - echo "[!] Errors occurred during resource deletion." - exit 1 -fi - exit 0 diff --git a/.github/actions/e2e_emergency_ssh/action.yml b/.github/actions/e2e_emergency_ssh/action.yml deleted file mode 100644 index 27b3e8b13..000000000 --- a/.github/actions/e2e_emergency_ssh/action.yml +++ /dev/null @@ -1,70 +0,0 @@ -name: Emergency ssh -description: "Verify that an emergency ssh connection can be established." - -inputs: - kubeconfig: - description: "The kubeconfig file for the cluster." - required: true - -runs: - using: "composite" - steps: - - name: Test emergency ssh - shell: bash - env: - KUBECONFIG: ${{ inputs.kubeconfig }} - run: | - set -euo pipefail - - # Activate emergency ssh access to the cluster - pushd ./constellation-terraform - echo "emergency_ssh = true" >> terraform.tfvars - terraform apply -auto-approve - lb="$(terraform output -raw loadbalancer_address)" - popd - - lb_ip="$(gethostip $lb | awk '{print $2}')" - echo "Resolved ip of load balancer: $lb_ip" - - # write ssh config - cat > ssh_config < ~/.stackit/credentials.json 
diff --git a/.github/actions/notify_stackit/action.yml b/.github/actions/notify_stackit/action.yml deleted file mode 100644 index 2e64fdac5..000000000 --- a/.github/actions/notify_stackit/action.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: Notify STACKIT -description: "Notify STACKIT about test failure" -inputs: - slackToken: - description: "Slack access token." - required: true -runs: - using: "composite" - steps: - - name: Notify STACKIT - env: - SLACK_TOKEN: ${{ inputs.slackToken }} - shell: bash - run: | - curl -X POST \ - -H "Authorization: Bearer $SLACK_TOKEN" \ - -H "Content-type: application/json; charset=utf-8" \ - -d "{\"channel\":\"C0827BT59SM\",\"text\":\"E2E test failed: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"}" \ - https://slack.com/api/chat.postMessage diff --git a/.github/actions/notify_teams/teams_payload_template.json b/.github/actions/notify_teams/teams_payload_template.json index 0354bc07b..fbef4d36e 100644 --- a/.github/actions/notify_teams/teams_payload_template.json +++ b/.github/actions/notify_teams/teams_payload_template.json @@ -11,6 +11,14 @@ "msteams": { "width": "Full", "entities": [ + { + "type": "mention", + "text": "elchead", + "mentioned": { + "id": "3931943b-8d4b-4300-ac7e-bbb06c4da27f", + "name": "Adrian Stobbe" + } + }, { "type": "mention", "text": "msanft", @@ -19,6 +27,14 @@ "name": "Moritz Sanft" } }, + { + "type": "mention", + "text": "3u13r", + "mentioned": { + "id": "26869b29-b0d6-48f8-a9ed-7a6374410a53", + "name": "Leonard Cohnen" + } + }, { "type": "mention", "text": "daniel-weisse", @@ -35,6 +51,14 @@ "name": "Paul Meyer" } }, + { + "type": "mention", + "text": "derpsteb", + "mentioned": { + "id": "a9a34611-9a38-4c00-a8a2-f87d94c2bf7d", + "name": "Otto Bittner" + } + }, { "type": "mention", "text": "burgerdev", diff --git a/.github/actions/pick_assignee/action.yml b/.github/actions/pick_assignee/action.yml index ed9607e77..e6838c89e 100644 --- a/.github/actions/pick_assignee/action.yml 
+++ b/.github/actions/pick_assignee/action.yml @@ -14,6 +14,7 @@ runs: shell: bash run: | possibleAssignees=( + "elchead" "daniel-weisse" "msanft" "burgerdev" diff --git a/.github/actions/publish_helmchart/action.yml b/.github/actions/publish_helmchart/action.yml index 3c26fbad7..6e8a9f762 100644 --- a/.github/actions/publish_helmchart/action.yml +++ b/.github/actions/publish_helmchart/action.yml @@ -29,7 +29,7 @@ runs: echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT - name: Create pull request - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: path: helm branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}" diff --git a/.github/actions/select_image/action.yml b/.github/actions/select_image/action.yml index 6af36480d..e36e145ed 100644 --- a/.github/actions/select_image/action.yml +++ b/.github/actions/select_image/action.yml @@ -18,7 +18,7 @@ runs: using: "composite" steps: - name: Login to AWS - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead aws-region: eu-central-1 diff --git a/.github/actions/setup_bazel_nix/action.yml b/.github/actions/setup_bazel_nix/action.yml index b560ac8f6..87a2d1802 100644 --- a/.github/actions/setup_bazel_nix/action.yml +++ b/.github/actions/setup_bazel_nix/action.yml @@ -75,7 +75,6 @@ runs: echo "$RUNNER_ARCH not supported" exit 1 fi - echo "nixVersion=$(cat "${{ github.workspace }}/.nixversion")" | tee -a "$GITHUB_OUTPUT" echo "::endgroup::" - name: Install current Bash on macOS 
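Review bot: The `nixVersion=$(cat ".nixversion")` output is dropped here while the `@@ -114,9 +113,9 @@` hunk of the same file hard-codes `install_url: "https://releases.nixos.org/nix/nix-2.25.2/install"`, so the Nix version is now pinned inside the action rather than in a single repo-level file. If `.nixversion` still exists after this change (not visible in the diff), the two values can drift without anything failing. If the hard-coded pin is intended, add a comment on the `install_url` line such as `# pinned Nix release; update together with any other place the Nix version is recorded` so the next bump touches both places.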
@@ -114,9 +113,9 @@ runs: - name: Install nix if: steps.check_inputs.outputs.nixPreinstalled == 'false' - uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31 + uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 with: - install_url: "https://releases.nixos.org/nix/nix-${{ steps.check_inputs.outputs.nixVersion }}/install" + install_url: "https://releases.nixos.org/nix/nix-2.25.2/install" - name: Set $USER if not set shell: bash @@ -221,7 +220,7 @@ runs: { tools, repository, rev }: let repoFlake = builtins.getFlake ("github:" + repository + "/" + rev); - nixpkgs = repoFlake.inputs.nixpkgs; + nixpkgs = repoFlake.inputs.nixpkgsUnstable; pkgs = import nixpkgs { system = builtins.currentSystem; }; toolPkgs = map (p: pkgs.${p}) tools; in diff --git a/.github/actions/terraform_apply/action.yml b/.github/actions/terraform_apply/action.yml index edf4fb26f..ffb893934 100644 --- a/.github/actions/terraform_apply/action.yml +++ b/.github/actions/terraform_apply/action.yml @@ -29,9 +29,6 @@ runs: "gcpSEVSNP") attestationVariant="gcp-sev-snp" ;; - "qemuVTPM") - attestationVariant="qemu-vtpm" - ;; *) echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)" exit 1 @@ -47,7 +44,7 @@ runs: } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } 
@@ -109,16 +106,6 @@ runs: project_id = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)" service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)") } - openstack = { - cloud = "stackit" - clouds_yaml_path = "~/.config/openstack/clouds.yaml" - floating_ip_pool_id = "970ace5c-458f-484a-a660-0903bcfd91ad" - deploy_yawol_load_balancer = true - yawol_image_id = "bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be" - yawol_flavor_id = "3b11b27e-6c73-470d-b595-1d85b95a8cdf" - network_id = "$(yq '.infrastructure.networkID' constellation-state.yaml)" - subnet_id = "$(yq '.infrastructure.subnetID' constellation-state.yaml)" - } network_config = { ip_cidr_node = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)" ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)" diff --git a/.github/actions/upload_terraform_module/action.yml b/.github/actions/upload_terraform_module/action.yml index 140844fdd..18dd61280 100644 --- a/.github/actions/upload_terraform_module/action.yml +++ b/.github/actions/upload_terraform_module/action.yml @@ -15,7 +15,7 @@ runs: zip -r terraform-module.zip terraform-module - name: Upload artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: terraform-module path: terraform-module.zip diff --git a/.github/workflows/aws-snp-launchmeasurement.yml b/.github/workflows/aws-snp-launchmeasurement.yml index d2483d71c..1c2c981a2 100644 --- a/.github/workflows/aws-snp-launchmeasurement.yml +++ b/.github/workflows/aws-snp-launchmeasurement.yml 
@@ -17,11 +17,11 @@ jobs:
 path: constellation
 - name: Install Nix
- uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31
+ uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 - name: Download Firmware release
 id: download-firmware
- uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+ uses: robinraju/release-downloader@a96f54c1b5f5e09e47d9504526e96febd949d4c2 # v1.11
 with:
 repository: aws/uefi
 latest: true
diff --git a/.github/workflows/build-ccm-gcp.yml b/.github/workflows/build-ccm-gcp.yml
index b84514a1c..75e8ce0a7 100644
--- a/.github/workflows/build-ccm-gcp.yml
+++ b/.github/workflows/build-ccm-gcp.yml
@@ -29,9 +29,9 @@ jobs:
 fetch-depth: 0
 - name: Setup Go environment
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
- go-version: "1.24.3"
+ go-version: "1.23.2"
 cache: false
 - name: Install Crane
@@ -76,7 +76,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: |
 ghcr.io/edgelesssys/cloud-provider-gcp
@@ -113,7 +113,7 @@ jobs:
 - name: Build and push container image
 id: build
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
 with:
 context: ./cloud-provider-gcp
 push: ${{ github.ref_name == 'main' }}
diff --git a/.github/workflows/build-gcp-guest-agent.yml b/.github/workflows/build-gcp-guest-agent.yml
index 4fab1d2c4..f5b734f00 100644
--- a/.github/workflows/build-gcp-guest-agent.yml
+++ b/.github/workflows/build-gcp-guest-agent.yml
@@ -85,7 +85,7 @@ jobs:
 - name: Docker meta
 id: meta
 if: steps.needs-build.outputs.out == 'true'
- uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: |
 ${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent
@@ -114,7 +114,7 @@ jobs:
 - name: Build and push container image
 if: steps.needs-build.outputs.out == 'true'
 id: build
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
 with:
 context: ./guest-agent
 file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile
diff --git a/.github/workflows/build-os-image-scheduled.yml b/.github/workflows/build-os-image-scheduled.yml
index e42c2ebfa..b4376d67b 100644
--- a/.github/workflows/build-os-image-scheduled.yml
+++ b/.github/workflows/build-os-image-scheduled.yml
@@ -65,9 +65,9 @@ jobs:
 token: ${{ secrets.CI_COMMIT_PUSH_PR }}
 - name: Setup Go environment
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
- go-version: "1.24.3"
+ go-version: "1.23.2"
 cache: false
 - name: Determine version
@@ -97,7 +97,7 @@ jobs:
 run: rm -f internal/attestation/measurements/measurement-generator/generate
 - name: Create pull request
- uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+ uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
 with:
 branch: "image/automated/update-measurements-${{ github.run_number }}"
 base: main
diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 50783089a..f19419ead 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -147,7 +147,7 @@ jobs:
 useCache: "false"
 - name: Login to AWS
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
 role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
 aws-region: eu-central-1
@@ -167,12 +167,6 @@ jobs:
 with:
 clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}
- - name: Allow unrestricted user namespaces
- shell: bash
- run: |
- sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
- sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
-
 - name: Build and upload
 id: build
 shell: bash
diff --git a/.github/workflows/check-links.yml b/.github/workflows/check-links.yml
index 598a64445..d9f97cfaa 100644
--- a/.github/workflows/check-links.yml
+++ b/.github/workflows/check-links.yml
@@ -25,7 +25,7 @@ jobs:
 ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 - name: Link Checker
- uses: lycheeverse/lychee-action@82202e5e9c2f4ef1a55a3d02563e1cb6041e5332 # v2.4.1
+ uses: lycheeverse/lychee-action@f81112d0d2814ded911bd23e3beaa9dda9093915 # v2.1.0
 with:
 args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
 fail: true
diff --git a/.github/workflows/check-measurements-reproducibility.yml b/.github/workflows/check-measurements-reproducibility.yml
deleted file mode 100644
index 3a91eda81..000000000
--- a/.github/workflows/check-measurements-reproducibility.yml
+++ /dev/null
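Review bot: Dropping the "Allow unrestricted user namespaces" step removes the writes to `kernel.apparmor_restrict_unprivileged_userns` and `kernel.apparmor_restrict_unprivileged_unconfined` with no replacement, so if the following "Build and upload" step (whose `run:` body lies outside the hunk) relies on unprivileged user namespaces, it will now fail with permission errors on runners where AppArmor enforces that restriction. Leaving the kernel restriction in place is the better default, so if the build has been verified to work without the relaxation, a one-line comment above `- name: Build and upload`, e.g. `# Runs under the runner's default AppArmor unprivileged-userns restriction; no sysctl relaxation needed`, would record that; otherwise re-add the step scoped to this job.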
@@ -1,27 +0,0 @@
-name: Check measurements reproducibility
-on:
- workflow_dispatch:
- inputs:
- version:
- type: string
- description: The version of the measurements that are downloaded from the CDN.
- required: true
- ref:
- type: string
- description: The git ref to check out. You probably want this to be the tag of the release you are testing.
- required: true
-
-jobs:
- check-reproducibility:
- runs-on: ubuntu-24.04
- steps:
- - name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- ref: ${{ inputs.ref || github.ref }}
- - name: Check reproducibility
- uses: ./.github/actions/check_measurements_reproducibility
- with:
- version: ${{ github.event.inputs.version }}
- ref: ${{ github.event.inputs.ref }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8c77ddacb..5ffd4cd78 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -38,13 +38,13 @@ jobs:
 - name: Setup Go environment
 if: matrix.language == 'go'
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
- go-version: "1.24.3"
+ go-version: "1.23.2"
 cache: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+ uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
 with:
 languages: ${{ matrix.language }}
@@ -63,6 +63,6 @@ jobs:
 echo "::endgroup::"
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+ uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
 with:
 category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/docs-vale.yml b/.github/workflows/docs-vale.yml
index bb6331ce5..a9f58cc04 100644
--- a/.github/workflows/docs-vale.yml
+++ b/.github/workflows/docs-vale.yml
@@ -29,4 +29,3 @@ jobs:
 with:
 files: docs/docs
 fail_on_error: true
- version: 3.9.3
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 84b696afb..c77719367 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -92,8 +92,8 @@ jobs:
 cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
 - name: Upload CLI as artifact (unix)
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- if: ${{ matrix.os != 'windows' }}
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ if : ${{ matrix.os != 'windows' }}
 with:
 name: constellation-${{ matrix.os }}-${{ matrix.arch }}
 path: |
@@ -101,8 +101,8 @@ jobs:
 build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig
 - name: Upload CLI as artifact (windows)
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- if: ${{ matrix.os == 'windows' }}
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ if : ${{ matrix.os == 'windows' }}
 with:
 name: constellation-${{ matrix.os }}-${{ matrix.arch }}
 path: |
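Review bot: Removing `version: 3.9.3` leaves the vale version unpinned, so the linter this action installs is whatever its default resolves to at run time, and lint results can change between runs with no change in the repository. If following the action default is the intent, a comment at the call site such as `# vale version intentionally unpinned; follows the action default` records the decision; otherwise keep an explicit `version:`. The rest of the step, including its `uses:` line, is outside the hunk.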
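Review bot: `if : ${{ matrix.os != 'windows' }}` and `if : ${{ matrix.os == 'windows' }}` put a space before the colon, which yamllint's `colons` rule rejects and which no other key in these hunks does; write `if: ${{ matrix.os != 'windows' }}` and `if: ${{ matrix.os == 'windows' }}`. The same `if :` spelling recurs in the two "Upload Terraform Provider Binary as artifact" steps of the next hunk (`@@ -149,16 +149,16 @@`), so fix all four together.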
@@ -149,16 +149,16 @@ jobs:
 targetArch: ${{ matrix.arch }}
 - name: Upload Terraform Provider Binary as artifact (unix)
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- if: ${{ matrix.os != 'windows' }}
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ if : ${{ matrix.os != 'windows' }}
 with:
 name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
 path: |
 build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
 - name: Upload Terraform Provider Binary as artifact (windows)
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- if: ${{ matrix.os == 'windows' }}
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ if : ${{ matrix.os == 'windows' }}
 with:
 name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
 path: |
@@ -227,7 +227,7 @@ jobs:
 uses: ./.github/actions/download_release_binaries
 - name: Download CLI SBOM
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: constellation.spdx.sbom
@@ -261,7 +261,7 @@ jobs:
 ref: ${{ inputs.ref || github.head_ref }}
 - name: Install Cosign
- uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 - name: Download Syft & Grype
 uses: ./.github/actions/install_syft_grype
@@ -296,13 +296,13 @@ jobs:
 COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
 - name: Upload Constellation CLI SBOM
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: constellation.spdx.sbom
 path: constellation.spdx.sbom
 - name: Upload Constellation CLI SBOM's signature
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: constellation.spdx.sbom.sig
 path: constellation.spdx.sbom.sig
@@ -316,14 +316,14 @@ jobs:
 - provenance-subjects
 # This must not be pinned to digest. See:
 # https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
 with:
 base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"
 provenance-verify:
 runs-on: ubuntu-24.04
 env:
- SLSA_VERIFIER_VERSION: "2.7.0"
+ SLSA_VERIFIER_VERSION: "2.5.1"
 needs:
 - build-cli
 - provenance
@@ -340,12 +340,12 @@ jobs:
 uses: ./.github/actions/download_release_binaries
 - name: Download CLI SBOM
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: constellation.spdx.sbom
 - name: Download provenance
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: ${{ needs.provenance.outputs.provenance-name }}
@@ -418,17 +418,17 @@ jobs:
 uses: ./.github/actions/download_release_binaries
 - name: Download CLI SBOM
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: constellation.spdx.sbom
 - name: Download Constellation CLI SBOM's signature
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: constellation.spdx.sbom.sig
 - name: Download Constellation provenance
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: ${{ needs.provenance.outputs.provenance-name }}
@@ -472,7 +472,7 @@ jobs:
 - name: Create release with artifacts
 id: create-release
 # GitHub endorsed release project. See: https://github.com/actions/create-release
- uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
+ uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
 with:
 draft: true
 generate_release_notes: true
@@ -487,7 +487,7 @@ jobs:
 terraform-module.zip
 - name: Create Terraform provider release with artifcats
- uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
+ uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
 with:
 draft: true
 generate_release_notes: false
diff --git a/.github/workflows/e2e-cleanup.yml b/.github/workflows/e2e-cleanup-weekly.yml
similarity index 74%
rename from .github/workflows/e2e-cleanup.yml
rename to .github/workflows/e2e-cleanup-weekly.yml
index 67e5bf0ff..e8e5ffa92 100644
--- a/.github/workflows/e2e-cleanup.yml
+++ b/.github/workflows/e2e-cleanup-weekly.yml
@@ -1,10 +1,10 @@
-name: e2e cleanup
+name: e2e weekly cleanup
 on:
 schedule:
- - cron: "0 0 * * *" # At 00:00 every day
+ - cron: "0 0 * * 0" # At 00:00 every Sunday UTC
 workflow_dispatch:
-
+
 jobs:
 cleanup:
@@ -22,5 +22,3 @@ jobs:
 ghToken: ${{ secrets.GITHUB_TOKEN }}
 encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 azure_credentials: ${{ secrets.AZURE_E2E_DESTROY_CREDENTIALS }}
- openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
- stackitUat: ${{ secrets.STACKIT_CI_UAT }}
diff --git a/.github/workflows/e2e-mini.yml b/.github/workflows/e2e-mini.yml
index bf0cf1cad..7e03ffd53 100644
--- a/.github/workflows/e2e-mini.yml
+++ b/.github/workflows/e2e-mini.yml
@@ -34,7 +34,7 @@ jobs:
 ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}
 - name: Azure login OIDC
- uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
 with:
 client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml
index 644fc6d95..5e36add52 100644
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@@ -45,7 +45,7 @@ jobs:
 fail-fast: false
 max-parallel: 5
 matrix:
- kubernetesVersion: ["1.30"] # This should correspond to the current default k8s minor.
+ kubernetesVersion: ["1.28"] # should be default
 attestationVariant: ["gcp-sev-es", "gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
 refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
 test: ["sonobuoy quick"]
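Review bot: One of the two lines between `workflow_dispatch:` and `jobs:` carries trailing whitespace: the hunk replaces an otherwise empty line with another one, and a difference that survives `git diff` on an empty line can only be whitespace. yamllint's `trailing-spaces` rule flags this and it adds noise to every later diff of the file; make the new line genuinely empty.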
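Review bot: The replacement comment `# should be default` on `kubernetesVersion: ["1.28"]` is less precise than the one it replaces and no longer says default of what; a single-version pin like this is the only place in the matrix that explains why one version is listed, so keep the full statement, e.g. `# This should correspond to the current default k8s minor.`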
@@ -164,7 +164,7 @@ jobs:
 ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 - name: Azure login OIDC
- uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
 with:
 client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
diff --git a/.github/workflows/e2e-test-internal-lb.yml b/.github/workflows/e2e-test-internal-lb.yml
index ab36cec4a..cee93f7eb 100644
--- a/.github/workflows/e2e-test-internal-lb.yml
+++ b/.github/workflows/e2e-test-internal-lb.yml
@@ -23,7 +23,7 @@ on:
 type: choice
 options:
 - "ubuntu-24.04"
- - "macos-latest"
+ - "macos-12"
 default: "ubuntu-24.04"
 test:
 description: "The test to run."
@@ -41,6 +41,7 @@ on:
 required: true
 kubernetesVersion:
 description: "Kubernetes version to create the cluster from."
+ default: "1.28"
 required: true
 cliVersion:
 description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
diff --git a/.github/workflows/e2e-test-marketplace-image.yml b/.github/workflows/e2e-test-marketplace-image.yml
index 28e8e9310..760df932b 100644
--- a/.github/workflows/e2e-test-marketplace-image.yml
+++ b/.github/workflows/e2e-test-marketplace-image.yml
@@ -23,7 +23,7 @@ on:
 type: choice
 options:
 - "ubuntu-24.04"
- - "macos-latest"
+ - "macos-12"
 default: "ubuntu-24.04"
 test:
 description: "The test to run."
@@ -41,6 +41,7 @@ on:
 required: true
 kubernetesVersion:
 description: "Kubernetes version to create the cluster from."
+ default: "1.28"
 required: true
 cliVersion:
 description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
diff --git a/.github/workflows/e2e-test-provider-example.yml b/.github/workflows/e2e-test-provider-example.yml
index 43eacd005..df52b2341 100644
--- a/.github/workflows/e2e-test-provider-example.yml
+++ b/.github/workflows/e2e-test-provider-example.yml
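Review bot: `- "macos-12"` replaces `- "macos-latest"` in the runner choice list of e2e-test-internal-lb.yml; as far as I know GitHub retired the `macos-12` hosted runner image in late 2024, so a job that selects it waits for a runner that never arrives instead of failing fast. Confirm the label is still offered before pinning to it, or use a currently supported label such as `macos-13`. The same substitution appears in e2e-test-marketplace-image.yml on this line, in e2e-test-terraform-provider.yml further down (`@@ -23,7 +23,7 @@` there), and as the hard-coded `runner: "macos-12"` for the recover test in e2e-test-release.yml, so all four should move together.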
@@ -154,7 +154,7 @@ jobs:
 - name: Login to AWS (IAM + Cluster role)
 if: steps.determine.outputs.cloudProvider == 'aws'
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
 role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
 aws-region: eu-central-1
diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml
index 782b744a1..dce7c9913 100644
--- a/.github/workflows/e2e-test-release.yml
+++ b/.github/workflows/e2e-test-release.yml
@@ -39,25 +39,11 @@ jobs:
 fail-fast: false
 max-parallel: 9
 matrix:
- test:
- - "sonobuoy full"
- - "verify"
- - "recover"
- - "lb"
- - "autoscaling"
- - "perf-bench"
- - "malicious join"
-
- attestationVariant:
- - "gcp-sev-es"
- - "gcp-sev-snp"
- - "azure-sev-snp"
- - "azure-tdx"
- - "aws-sev-snp"
- kubernetes-version: ["v1.31"]
- clusterCreation: ["cli"]
- runner: ["ubuntu-24.04"]
 include:
+ #
+ # Tests on ubuntu runner
+ #
+ # sonobuoy full test on all k8s versions
 - test: "sonobuoy full"
 attestationVariant: "gcp-sev-es"
@@ -111,26 +97,220 @@ jobs:
 runner: "ubuntu-24.04"
 clusterCreation: "cli"
- # s3proxy test on latest k8s version
- - test: "s3proxy"
+ - test: "sonobuoy full"
 attestationVariant: "gcp-sev-es"
- kubernetes-version: "v1.31"
+ kubernetes-version: "v1.28"
 runner: "ubuntu-24.04"
 clusterCreation: "cli"
+ - test: "sonobuoy full"
+ attestationVariant: "gcp-sev-snp"
+ kubernetes-version: "v1.28"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "sonobuoy full"
+ attestationVariant: "azure-sev-snp"
+ kubernetes-version: "v1.28"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "sonobuoy full"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.28"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "sonobuoy full"
+ attestationVariant: "aws-sev-snp"
+ kubernetes-version: "v1.28"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+
+ # verify test on latest k8s version
+ - test: "verify"
+ attestationVariant: "gcp-sev-es"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "verify"
+ attestationVariant: "gcp-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "verify"
+ attestationVariant: "azure-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "verify"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "verify"
+ attestationVariant: "aws-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+
+ # recover test on latest k8s version
+ - test: "recover"
+ attestationVariant: "gcp-sev-es"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "recover"
+ attestationVariant: "gcp-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "recover"
+ attestationVariant: "azure-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "recover"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "recover"
+ attestationVariant: "aws-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+
+ # lb test on latest k8s version
+ - test: "lb"
+ attestationVariant: "gcp-sev-es"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "lb"
+ attestationVariant: "gcp-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "lb"
+ attestationVariant: "azure-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "lb"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "lb"
+ attestationVariant: "aws-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+
+ # autoscaling test on latest k8s version
+ - test: "autoscaling"
+ attestationVariant: "gcp-sev-es"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "autoscaling"
+ attestationVariant: "gcp-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "autoscaling"
+ attestationVariant: "azure-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "autoscaling"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "autoscaling"
+ attestationVariant: "aws-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+
+ # perf-bench test on latest k8s version
+ - test: "perf-bench"
+ attestationVariant: "gcp-sev-es"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "perf-bench"
+ attestationVariant: "gcp-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "perf-bench"
+ attestationVariant: "azure-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "perf-bench"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+ - test: "perf-bench"
+ attestationVariant: "aws-sev-snp"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+
+ # s3proxy test on latest k8s version
+ - test: "s3proxy"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "gcp-sev-es"
+ kubernetes-version: "v1.30"
+ runner: "ubuntu-24.04"
+ clusterCreation: "cli"
+
+ # malicious join test on latest k8s version
+ - test: "malicious join"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "gcp-sev-es"
+ kubernetes-version: "v1.30"
+ clusterCreation: "cli"
+ runner: "ubuntu-24.04"
+ - test: "malicious join"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "gcp-sev-snp"
+ kubernetes-version: "v1.30"
+ clusterCreation: "cli"
+ runner: "ubuntu-24.04"
+ - test: "malicious join"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "azure-sev-snp"
+ kubernetes-version: "v1.30"
+ clusterCreation: "cli"
+ runner: "ubuntu-24.04"
+ - test: "malicious join"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.30"
+ clusterCreation: "cli"
+ runner: "ubuntu-24.04"
+ - test: "malicious join"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "aws-sev-snp"
+ kubernetes-version: "v1.30"
+ clusterCreation: "cli"
+ runner: "ubuntu-24.04"
 #
 # Tests on macOS runner
 #
 # Skipping verify test on MacOS since the runner uses a different version of sed
- # TODO: Update verify test to work on MacOS runners
+ # TODO(3u13r): Update verify test to work on MacOS runners
 # - test: "verify"
 # attestationVariant: "azure-sev-snp"
- # kubernetes-version: "v1.31"
- # runner: "macos-latest"
+ # kubernetes-version: "v1.30"
+ # runner: "macos-12"
 - test: "recover"
 attestationVariant: "gcp-sev-es"
- kubernetes-version: "v1.31"
- runner: "macos-latest"
+ kubernetes-version: "v1.30"
+ runner: "macos-12"
 clusterCreation: "cli"
 runs-on: ${{ matrix.runner }}
 permissions:
@@ -162,7 +342,7 @@ jobs:
 - name: Set up gcloud CLI (macOS)
 if: steps.split-attestationVariant.outputs.provider == 'gcp' && runner.os == 'macOS'
- uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+ uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
 - name: Run E2E test
 id: e2e_test
@@ -229,7 +409,7 @@ jobs:
 fail-fast: false
 max-parallel: 1
 matrix:
- fromVersion: ["v2.23.1"]
+ fromVersion: ["v2.19.3"]
 attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
 name: Run upgrade tests
 secrets: inherit
diff --git a/.github/workflows/e2e-test-stackit.yml b/.github/workflows/e2e-test-stackit.yml
deleted file mode 100644
index 1977d09cc..000000000
--- a/.github/workflows/e2e-test-stackit.yml
+++ /dev/null
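Review bot: The five `malicious join` entries list `clusterCreation: "cli"` before `runner: "ubuntu-24.04"`, while every other include entry in this hunk ends with `runner:` then `clusterCreation:`; a uniform key order is what keeps a forty-entry hand-expanded matrix diffable, so reorder those five to `runner: "ubuntu-24.04"` followed by `clusterCreation: "cli"`. The `malicious join` and `s3proxy` entries are also the only ones that set `refStream: "ref/main/stream/debug/?"`; if the job reads `matrix.refStream`, the other entries yield an empty string, which deserves a comment at the first of them saying why only these two tests set it. The hunk starts in the previous chunk of the diff and the job body that consumes the matrix lies outside it.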
@@ -1,153 +0,0 @@
-name: e2e test STACKIT
-
-on:
- workflow_dispatch:
- schedule:
- - cron: "0 0 * * *" # Every day at midnight.
-
-jobs:
- find-latest-image:
- name: Find latest image
- runs-on: ubuntu-24.04
- permissions:
- id-token: write
- contents: read
- outputs:
- image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
- steps:
- - name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- - name: Select relevant image
- id: select-image-action
- uses: ./.github/actions/select_image
- with:
- osImage: "ref/release/stream/stable/?"
- - name: Relabel output
- id: relabel-output
- shell: bash
- run: |
- ref=$(echo 'ref/release/stream/stable/?' | cut -d/ -f2)
- stream=$(echo 'ref/release/stream/stable/?' | cut -d/ -f4)
- echo "image-$ref-$stream=${{ steps.select-image-action.outputs.osImage }}" | tee -a "$GITHUB_OUTPUT"
-
- e2e-stackit:
- strategy:
- fail-fast: false
- max-parallel: 6
- matrix:
- kubernetesVersion: [ "1.29", "1.30", "1.31" ]
- clusterCreation: [ "cli", "terraform" ]
- test: [ "sonobuoy quick" ]
- runs-on: ubuntu-24.04
- permissions:
- id-token: write
- checks: write
- contents: read
- packages: write
- actions: write
- needs: [find-latest-image]
- steps:
- - name: Check out repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- fetch-depth: 0
- ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- - name: Setup bazel
- uses: ./.github/actions/setup_bazel_nix
- with:
- nixTools: terraform
- - name: Run E2E test
- id: e2e_test
- uses: ./.github/actions/e2e_test
- with:
- workerNodesCount: "1"
- controlNodesCount: "1"
- cloudProvider: stackit
- attestationVariant: qemu-vtpm
- osImage: ${{ needs.find-latest-image.outputs.image-release-stable }}
- isDebugImage: false
- cliVersion: ${{ needs.find-latest-image.outputs.image-release-stable || '' }}
- kubernetesVersion: ${{ matrix.kubernetesVersion }}
- awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
- awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
- awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
- gcpProject: constellation-e2e
- gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
- gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
- test: ${{ matrix.test }}
- azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
- azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
- registry: ghcr.io
- githubToken: ${{ secrets.GITHUB_TOKEN }}
- cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
- cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
- fetchMeasurements: false
- clusterCreation: ${{ matrix.clusterCreation }}
- s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
- s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
- encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
- stackitUat: ${{ secrets.STACKIT_CI_UAT }}
- stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
- - name: Always terminate cluster
- if: always()
- uses: ./.github/actions/constellation_destroy
- with:
- kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
- clusterCreation: ${{ matrix.clusterCreation }}
- cloudProvider: stackit
- azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
- gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
- - name: Always delete IAM configuration
- if: always()
- uses: ./.github/actions/constellation_iam_destroy
- with:
- cloudProvider: stackit
- azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
- gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
- - name: Update tfstate
- if: always()
- env:
- GH_TOKEN: ${{ github.token }}
- uses: ./.github/actions/update_tfstate
- with:
- name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
- runID: ${{ github.run_id }}
- encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- - name: Notify about failure
- if: |
- failure() &&
- github.ref == 'refs/heads/main' &&
- github.event_name == 'schedule'
- continue-on-error: true
- uses: ./.github/actions/notify_e2e_failure
- with:
- projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
- refStream: "ref/release/stream/stable/?"
- test: ${{ matrix.test }}
- kubernetesVersion: ${{ matrix.kubernetesVersion }}
- provider: stackit
- attestationVariant: qemu-vtpm
- clusterCreation: ${{ matrix.clusterCreation }}
- - name: Notify STACKIT
- if: |
- failure() &&
- github.ref == 'refs/heads/main' &&
- github.event_name == 'schedule'
- continue-on-error: true
- uses: ./.github/actions/notify_stackit
- with:
- slackToken: ${{ secrets.SLACK_TOKEN }}
diff --git a/.github/workflows/e2e-test-terraform-provider.yml b/.github/workflows/e2e-test-terraform-provider.yml
index c7aa5a0e5..3c465ab97 100644
--- a/.github/workflows/e2e-test-terraform-provider.yml
+++ b/.github/workflows/e2e-test-terraform-provider.yml
@@ -23,7 +23,7 @@ on:
 type: choice
 options:
 - "ubuntu-24.04"
- - "macos-latest"
+ - "macos-12"
 default: "ubuntu-24.04"
 test:
 description: "The test to run."
@@ -41,6 +41,7 @@ on:
 required: true
 kubernetesVersion:
 description: "Kubernetes version to create the cluster from."
+ default: "1.28"
 required: true
 releaseVersion:
 description: "Version of a released provider to download. Leave empty to build the provider from the checked out ref."
diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml
index 1b6deb5fb..587abd129 100644
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@@ -10,7 +10,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"]
+ refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"]
 name: Find latest image
 runs-on: ubuntu-24.04
 permissions:
@@ -51,33 +51,6 @@ jobs:
 # Tests on main-debug refStream
 #
- # Emergency SSH test on latest k8s version
- - test: "emergency ssh"
- refStream: "ref/main/stream/debug/?"
- attestationVariant: "gcp-sev-es"
- kubernetes-version: "v1.30"
- clusterCreation: "cli"
- - test: "emergency ssh"
- refStream: "ref/main/stream/debug/?"
- attestationVariant: "gcp-sev-snp"
- kubernetes-version: "v1.30"
- clusterCreation: "cli"
- - test: "emergency ssh"
- refStream: "ref/main/stream/debug/?"
- attestationVariant: "azure-sev-snp"
- kubernetes-version: "v1.30"
- clusterCreation: "cli"
- - test: "emergency ssh"
- refStream: "ref/main/stream/debug/?"
- attestationVariant: "azure-tdx"
- kubernetes-version: "v1.30"
- clusterCreation: "cli"
- - test: "emergency ssh"
- refStream: "ref/main/stream/debug/?"
- attestationVariant: "aws-sev-snp"
- kubernetes-version: "v1.30"
- clusterCreation: "cli"
-
 # Sonobuoy full test on latest k8s version
 - test: "sonobuoy full"
 refStream: "ref/main/stream/debug/?"
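Review bot: The new flow sequence `["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"]` drops the space after the first comma only, which yamllint's `commas` rule flags and which the line it replaces had right; write `refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"]`. Since the hunk changes nothing else on that line, the edit looks accidental.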
@@ -116,55 +89,56 @@ jobs:
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
- kubernetes-version: "v1.30"
+ kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
- kubernetes-version: "v1.30"
+ kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
- kubernetes-version: "v1.30"
+ kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
- kubernetes-version: "v1.30"
+ kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
- kubernetes-version: "v1.30"
+ kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
- kubernetes-version: "v1.29"
+ kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
- kubernetes-version: "v1.29"
+ kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
- kubernetes-version: "v1.29"
+ kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
- kubernetes-version: "v1.29"
+ kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
- kubernetes-version: "v1.29"
+ kubernetes-version: "v1.28"
clusterCreation: "cli"
+ # verify test on latest k8s version
- test: "verify"
refStream: "ref/main/stream/debug/?"
@@ -316,27 +290,27 @@ jobs:
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "gcp-sev-es"
- kubernetes-version: "v1.30"
+ kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "gcp-sev-snp"
- kubernetes-version: "v1.30"
+ kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "azure-sev-snp"
- kubernetes-version: "v1.30"
+ kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "azure-tdx"
- kubernetes-version: "v1.30"
+ kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "aws-sev-snp"
- kubernetes-version: "v1.30"
+ kubernetes-version: "v1.29"
clusterCreation: "cli"
runs-on: ubuntu-24.04
@@ -446,7 +420,7 @@ jobs:
fail-fast: false
max-parallel: 1
matrix:
- fromVersion: ["v2.23.1"]
+ fromVersion: ["v2.19.3"]
attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
name: Run upgrade tests
secrets: inherit
@@ -479,7 +453,7 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Azure login OIDC
- uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
index 46efa290d..6efdd03b5 100644
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -16,7 +16,6 @@ on:
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
- - "stackit-qemu-vtpm"
default: "azure-sev-snp"
required: true
runner:
@@ -24,7 +23,7 @@ on:
type: choice
options:
- "ubuntu-24.04"
- - "macos-latest"
+ - "macos-12"
default: "ubuntu-24.04"
test:
description: "The test to run. The conformance test is only supported for clusterCreation=cli."
@@ -40,12 +39,11 @@ on:
- "recover"
- "malicious join"
- "s3proxy"
- - "emergency ssh"
- "nop"
required: true
kubernetesVersion:
description: "Kubernetes version to create the cluster from."
- default: "1.30"
+ default: "1.29"
required: true
cliVersion:
description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
@@ -139,7 +137,6 @@ jobs:
workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
- attestationVariant: ${{ steps.split-attestationVariant.outputs.attestationVariant }}
steps:
- name: Split nodeCount
id: split-nodeCount
@@ -164,12 +161,6 @@ jobs:
attestationVariant="${{ inputs.attestationVariant }}"
cloudProvider="${attestationVariant%%-*}"
- # special case for STACKIT, as there's no special attestation variant for it
- if [[ "${cloudProvider}" == "stackit" ]]; then
- attestationVariant="qemu-vtpm"
- fi
-
- echo "attestationVariant=${attestationVariant}" | tee -a "$GITHUB_OUTPUT"
echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
find-latest-image:
@@ -233,7 +224,7 @@ jobs:
- name: Set up gcloud CLI (macOS)
if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp' && runner.os == 'macOS'
- uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+ uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
- name: Run manual E2E test
id: e2e_test
@@ -242,7 +233,7 @@ jobs:
workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
- attestationVariant: ${{ needs.generate-input-parameters.outputs.attestationVariant }}
+ attestationVariant: ${{ inputs.attestationVariant }}
machineType: ${{ inputs.machineType }}
regionZone: ${{ inputs.regionZone }}
gcpProject: constellation-e2e
@@ -271,9 +262,6 @@ jobs:
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
force: ${{ inputs.force }}
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
- stackitUat: ${{ secrets.STACKIT_CI_UAT }}
- stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
- name: Always terminate cluster
if: always()
diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml
index cd7c6bc1b..5e50ec87e 100644
--- a/.github/workflows/e2e-upgrade.yml
+++ b/.github/workflows/e2e-upgrade.yml
@@ -268,13 +268,13 @@ jobs:
push: true
- name: Upload CLI binary # is needed for the cleanup step
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: constellation-upgrade-${{ inputs.attestationVariant }}
path: build/constellation
- name: Login to AWS
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1
@@ -296,7 +296,7 @@ jobs:
- name: Login to AWS (IAM role)
if: needs.generate-input-parameters.outputs.cloudProvider == 'aws'
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
aws-region: eu-central-1
@@ -347,7 +347,7 @@ jobs:
- name: Login to AWS (Cluster role)
if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws'
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
aws-region: eu-central-1
@@ -424,7 +424,7 @@ jobs:
ref: ${{ inputs.gitRef }}
- name: Download CLI
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: constellation-upgrade-${{ inputs.attestationVariant }}
path: build
diff --git a/.github/workflows/e2e-windows.yml b/.github/workflows/e2e-windows.yml
index ad4acb877..26ee8833b 100644
--- a/.github/workflows/e2e-windows.yml
+++ b/.github/workflows/e2e-windows.yml
@@ -45,14 +45,14 @@ jobs:
push: true
- name: Upload CLI artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
path: build/constellation.exe
name: "constell-exe"
e2e-test:
name: E2E Test Windows
- runs-on: windows-2025
+ runs-on: windows-2022
needs: build-cli
steps:
- name: Checkout
@@ -61,7 +61,7 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download CLI artifact
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: "constell-exe"
diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
index 73fe2c3b1..1d46df5c9 100644
--- a/.github/workflows/on-release.yml
+++ b/.github/workflows/on-release.yml
@@ -142,7 +142,7 @@ jobs:
- uses: ./.github/actions/setup_bazel_nix
- name: Login to AWS
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1
diff --git a/.github/workflows/purge-main.yml b/.github/workflows/purge-main.yml
index 5a64705c4..b2d9403c9 100644
--- a/.github/workflows/purge-main.yml
+++ b/.github/workflows/purge-main.yml
@@ -23,7 +23,7 @@ jobs:
ref: ${{ github.head_ref }}
- name: Login to AWS
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 08e09da18..2db0f9eee 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -118,7 +118,7 @@ jobs:
sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml
- name: Create docs pull request
- uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+ uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
branch: ${{ env.BRANCH }}
base: main
@@ -239,22 +239,6 @@ jobs:
stream: "stable"
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
- check-measurements-reproducibility:
- name: Check measurements reproducibility
- needs: [verify-inputs, os-image]
- runs-on: ubuntu-24.04
- steps:
- - name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
-
- - name: Check reproducibility
- uses: ./.github/actions/check_measurements_reproducibility
- with:
- version: ${{ inputs.version }}
- ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
-
update-hardcoded-measurements:
name: Update hardcoded measurements (in the CLI)
needs: [verify-inputs, os-image]
@@ -271,9 +255,9 @@ jobs:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
- name: Setup Go environment
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
- go-version: "1.24.3"
+ go-version: "1.23.2"
cache: true
- name: Build generateMeasurements tool
diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml
index 41aca0ac3..d0faa32b7 100644
--- a/.github/workflows/reproducible-builds.yml
+++ b/.github/workflows/reproducible-builds.yml
@@ -13,9 +13,6 @@ on:
workflow_dispatch:
schedule:
- cron: "45 06 * * 1" # Every Monday at 6:45am
- pull_request:
- paths:
- - .github/workflows/reproducible-builds.yml
jobs:
build-binaries:
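Review bot: Removing the `check-measurements-reproducibility` job in the `@@ -239,22 +239,6 @@` hunk of release.yml takes out the only job in this workflow that ran `./.github/actions/check_measurements_reproducibility` against the release image; it ran alongside `update-hardcoded-measurements` rather than gating it, so after this hunk nothing in the release pipeline checks that the image measurements can be independently reproduced before they are pinned into the CLI. If the job is dropped because the action is not present on this ref, the commit description should state that; otherwise the safer shape is to keep the job and make the pinning step depend on it with `needs: [verify-inputs, os-image, check-measurements-reproducibility]`.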
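Review bot: Dropping the `pull_request:` trigger and its `paths:` filter in the reproducible-builds.yml hunk leaves the workflow running only on the Monday cron and manual dispatch, so an edit that breaks the eccentric-dependency setup is not exercised before merge and surfaces up to a week later. If PR runs are considered too expensive, a path-filtered trigger limited to the workflow file itself keeps the cost small while still validating changes to it; confirm this trade-off is intended rather than incidental to the revert.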
@@ -51,16 +48,15 @@ jobs:
- name: Setup dependencies (eccentric)
if: matrix.deps == 'eccentric'
run: |
- bazelVersion=$(cat .bazelversion)
+ version=$(cat .bazelversion)
mkdir -p "$HOME/.local/bin"
- curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$bazelVersion/bazel-$bazelVersion-linux-x86_64"
+ curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$version/bazel-$version-linux-x86_64"
chmod a+x "$HOME/.local/bin/bazel"
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
- curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v3.4.2/nix-installer-x86_64-linux # renovate:github-release
- nixVersion=$(cat .nixversion)
+ curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v0.26.3/nix-installer-x86_64-linux # renovate:github-release
chmod a+x "$HOME/.local/bin/nix-installer"
- "$HOME/.local/bin/nix-installer" install --no-confirm --nix-package-url "https://releases.nixos.org/nix/nix-$nixVersion/nix-$nixVersion-x86_64-linux.tar.xz"
+ "$HOME/.local/bin/nix-installer" install --no-confirm
- name: Build
shell: bash
@@ -81,13 +77,13 @@ jobs:
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
- name: Upload binary artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
path: "${{ env.binary }}"
- name: Upload hash artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
path: "${{ env.binary }}.sha256"
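Review bot: The new `"$HOME/.local/bin/nix-installer" install --no-confirm` line no longer passes `--nix-package-url`, and `.nixversion` is deleted elsewhere in this diff, so the Nix used by the eccentric-dependency build is whatever installer release v0.26.3 bundles rather than a version the repository pins; for a job whose point is to compare builds across toolchains, that baseline now drifts silently whenever the installer is bumped. Neither the bazel binary nor the nix-installer is verified after download before `chmod a+x` and execution — pre-existing, but this hunk rewrites both lines — and a check such as `echo "<EXPECTED_BAZEL_SHA256>  $HOME/.local/bin/bazel" | sha256sum -c -` with the digest kept next to `.bazelversion` would fail the job on a truncated or tampered download instead of running it. The rename from `bazelVersion` to `version` also reads worse now that two tools are installed from the same script.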
@@ -146,13 +142,13 @@ jobs:
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
- name: Upload binary artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
path: "${{ env.binary }}"
- name: Upload hash artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
path: "${{ env.binary }}.sha256"
@@ -175,7 +171,7 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download binaries
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
pattern: "binaries-${{ matrix.target }}-*"
merge-multiple: true
@@ -209,7 +205,7 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download os images
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
pattern: "osimages-${{ matrix.target }}-*"
merge-multiple: true
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 08a7faeac..f5c996507 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -23,20 +23,20 @@ jobs:
persist-credentials: false
- name: Run analysis
- uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- name: Upload artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: Upload to code-scanning
- uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+ uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
with:
sarif_file: results.sarif
diff --git a/.github/workflows/sync-terraform-docs.yml b/.github/workflows/sync-terraform-docs.yml
index 9bc2aac07..6b9be623d 100644
--- a/.github/workflows/sync-terraform-docs.yml
+++ b/.github/workflows/sync-terraform-docs.yml
@@ -40,7 +40,7 @@ jobs:
- name: Create pull request
id: create-pull-request
- uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+ uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
path: terraform-provider-constellation
branch: "feat/docs/update"
diff --git a/.github/workflows/test-operator-codegen.yml b/.github/workflows/test-operator-codegen.yml
index b2f92ba7f..06a7129d9 100644
--- a/.github/workflows/test-operator-codegen.yml
+++ b/.github/workflows/test-operator-codegen.yml
@@ -26,9 +26,9 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup Go environment
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
- go-version: "1.24.3"
+ go-version: "1.23.2"
cache: true
- name: Run code generation
diff --git a/.github/workflows/test-tidy.yml b/.github/workflows/test-tidy.yml
index 25f06e174..99585ddaf 100644
--- a/.github/workflows/test-tidy.yml
+++ b/.github/workflows/test-tidy.yml
@@ -37,7 +37,7 @@ jobs:
- name: Assume AWS role to upload Bazel dependencies to S3
if: startsWith(github.head_ref, 'renovate/')
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
aws-region: eu-central-1
diff --git a/.github/workflows/test-unittest.yml b/.github/workflows/test-unittest.yml
index 7b64254dd..b676e7dca 100644
--- a/.github/workflows/test-unittest.yml
+++ b/.github/workflows/test-unittest.yml
@@ -49,7 +49,7 @@ jobs:
rm -rf awscliv2.zip aws
- name: Login to AWS (IAM role)
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionGocoverage
aws-region: eu-central-1
@@ -69,7 +69,7 @@ jobs:
- name: Comment coverage
if: steps.coverage.outputs.uploadable == 'true' && github.event_name == 'pull_request'
- uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+ uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
with:
header: coverage
path: coverage_diff.md
diff --git a/.github/workflows/update-rpms.yml b/.github/workflows/update-rpms.yml
index c7146607e..bd30519ef 100644
--- a/.github/workflows/update-rpms.yml
+++ b/.github/workflows/update-rpms.yml
@@ -18,7 +18,7 @@ jobs:
token: ${{ secrets.CI_COMMIT_PUSH_PR }}
- name: Assume AWS role to upload Bazel dependencies to S3
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
aws-region: eu-central-1
@@ -39,7 +39,7 @@ jobs:
fi
- name: Create pull request
- uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+ uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
branch: "image/automated/update-rpms-${{ github.run_number }}"
base: main
diff --git a/.github/workflows/versionsapi.yml b/.github/workflows/versionsapi.yml
index 27acd9287..c4e62d412 100644
--- a/.github/workflows/versionsapi.yml
+++ b/.github/workflows/versionsapi.yml
@@ -149,21 +149,21 @@ jobs:
- name: Login to AWS without write access
if: steps.check-rights.outputs.write == 'false'
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1
- name: Login to AWS with write access
if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'false'
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIWrite
aws-region: eu-central-1
- name: Login to AWS with write and image remove access
if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'true'
- uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:a
ws:iam::795746500882:role/GithubConstellationVersionsAPIRemove
aws-region: eu-central-1
diff --git a/.golangci.yml b/.golangci.yml
index 2e5cd2d5c..9a03b837e 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,65 +1,53 @@
-version: "2"
run:
+ timeout: 10m
build-tags:
- integration
- e2e
modules-download-mode: readonly
+
output:
formats:
- tab:
+ - format: tab
path: stdout
- colors: false
+ sort-results: true
+
linters:
enable:
+ # Default linters
+ - errcheck
+ - gosimple
+ - govet
+ - ineffassign
+ - staticcheck
+ - typecheck
+ - unused
+ # Additional linters
- bodyclose
- - copyloopvar
- errname
+ - copyloopvar
- godot
+ - gofmt
+ - gofumpt
- misspell
- noctx
- revive
+ - tenv
- unconvert
- unparam
- - usetesting
- settings:
- errcheck:
- exclude-functions:
- - (*go.uber.org/zap.Logger).Sync
- - (*google.golang.org/grpc.Server).Serve
- exclusions:
- generated: lax
- presets:
- - common-false-positives
- - legacy
- - std-error-handling
- paths:
- - 3rdparty/node-maintenance-operator
- rules:
- # TODO(burgerdev): these exclusions have been added to ease migration to v2 and should eventually be addressed.
- - linters: ["staticcheck"]
- text: "QF1008: could remove embedded field"
- - linters: ["staticcheck"]
- text: "QF1001: could apply De Morgan's law"
- - linters: ["staticcheck"]
- text: "ST1005: error strings should not be capitalized"
- - linters: ["revive"]
- text: "package-comments: package comment should be of the form"
- - linters: ["revive"]
- text: "package-comments: should have a package comment"
- - linters: ["staticcheck"]
- text: "QF1012: Use fmt.Fprintf"
- - linters: ["staticcheck"]
- text: "ST1019"
-
issues:
max-issues-per-linter: 0
max-same-issues: 20
-formatters:
- enable:
- - gofmt
- - gofumpt
- exclusions:
- generated: lax
- paths:
- - 3rdparty/node-maintenance-operator
+ exclude-dirs:
+ - 3rdparty/node-maintenance-operator
+ include:
+ - EXC0012
+ - EXC0014
+
+linters-settings:
+ errcheck:
+ # List of functions to exclude from checking, where each entry is a single function to exclude.
+ # See https://github.com/kisielk/errcheck#excluding-functions for details.
+ exclude-functions:
+ - (*go.uber.org/zap.Logger).Sync
+ - (*google.golang.org/grpc.Server).Serve
diff --git a/.nixversion b/.nixversion
deleted file mode 100644
index 40a8d7f12..000000000
--- a/.nixversion
+++ /dev/null
@@ -1 +0,0 @@
-2.25.2
diff --git a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel
deleted file mode 100644
index 9aa7e3f64..000000000
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel
+++ /dev/null
@@ -1,13 +0,0 @@
-load("//bazel/sh:def.bzl", "sh_template")
-
-sh_template(
- name = "pull_files",
- data = [
- "@com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy",
- ],
- substitutions = {
- "@@POLICY_SRC@@": "$(rootpath @com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy)",
- },
- template = "pull_files.sh",
- visibility = ["//visibility:public"],
-)
diff --git a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh
deleted file mode 100644
index 10a224890..000000000
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-
-###### script header ######
-
-lib=$(realpath @@BASE_LIB@@) || exit 1
-stat "${lib}" >> /dev/null || exit 1
-
-# shellcheck source=../../../bazel/sh/lib.bash
-if ! source "${lib}"; then
- echo "Error: could not find import"
- exit 1
-fi
-
-controller_policy_source="@@POLICY_SRC@@"
-
-###### script body ######
-
-controller_policy_real_source=$(realpath "${controller_policy_source}")
-
-cd "${BUILD_WORKSPACE_DIRECTORY}" # needs to be done after realpath
-
-targetDir="terraform/infrastructure/iam/aws/alb_policy.json"
-
-cp "${controller_policy_real_source}" "${targetDir}"
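Review bot: The `- tenv` entry in the `linters.enable` list of the .golangci.yml hunk enables a linter that golangci-lint v1.64 deprecated in favour of `usetesting` (the linter the removed v2 config had), so on a toolchain at or above that release every run logs a deprecation warning, while on an older pinned release it is fine; the file does not say which version it targets. The `exclude-dirs:` key and the list form of `output.formats:` also set a lower bound of v1.57, so a comment above `linters:` such as `# Targets golangci-lint <PINNED_VERSION> (>= v1.57 for exclude-dirs/output.formats; tenv is deprecated from v1.64 in favour of usetesting)` would make the pin explicit for the next person bumping the tool. The hunk begins on the previous line.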
diff --git a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
deleted file mode 100644
index e2c1e8034..000000000
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
+++ /dev/null
@@ -1,22 +0,0 @@
-"""A module defining the source of the AWS load balancer controller."""
-
-load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
-
-def aws_load_balancer_controller_deps():
- http_archive(
- name = "com_github_kubernetes_sigs_aws_load_balancer_controller",
- urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
- "https://github.com/kubernetes-sigs/aws-load-balancer-controller/archive/refs/tags/v2.12.0.tar.gz",
- ],
- strip_prefix = "aws-load-balancer-controller-2.12.0",
- build_file_content = """
-filegroup(
- srcs = ["docs/install/iam_policy.json"],
- name = "lb_policy",
- visibility = ["//visibility:public"],
-)
- """,
- type = "tar.gz",
- sha256 = "422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
- )
diff --git a/3rdparty/gcp-guest-agent/Dockerfile b/3rdparty/gcp-guest-agent/Dockerfile
index d985595db..0276f8259 100644
--- a/3rdparty/gcp-guest-agent/Dockerfile
+++ b/3rdparty/gcp-guest-agent/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:24.04@sha256:b59d21599a2b151e23eea5f6602f4af4d7d31c4e236d22bf0b62b86d2e386b8f as build
+FROM ubuntu:22.04@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97 as build
# Install packages
RUN apt-get update && apt-get install -y \
@@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -y \
git
# Install Go
-ARG GO_VER=1.24.4
+ARG GO_VER=1.22.3
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
rm go${GO_VER}.linux-amd64.tar.gz
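Review bot: In the Dockerfile's second hunk, `RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz` is extracted straight into `/usr/local` without checking the archive against the SHA-256 that go.dev publishes per release, so the base image is digest-pinned but the compiler that builds the guest agent is not; a substituted download would silently become the toolchain. Add a digest argument next to `GO_VER`, `ARG GO_SHA256=<sha256 of go${GO_VER}.linux-amd64.tar.gz>`, and verify before extracting with `echo "${GO_SHA256}  go${GO_VER}.linux-amd64.tar.gz" | sha256sum -c - && \` between the `wget` and `tar` lines, so the build fails on a mismatch. `GO_VER=1.22.3` is also well behind the last 1.22 patch release, which carried later security fixes; if the downgrade is deliberate for compatibility, a comment on the `ARG` line saying so would stop the next reader from treating it as an oversight.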
diff --git a/CODEOWNERS b/CODEOWNERS
index 0172574b9..fd7e2d8a0 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,64 +1,66 @@
# keep-sorted start
-.golangci.yml @daniel-weisse
+.golangci.yml @katexochen
-/3rdparty/gcp-guest-agent @msanft
+/3rdparty/gcp-guest-agent @3u13r
/bazel @burgerdev
-/bootstrapper @msanft
+/bazel/ci @katexochen
+/bazel/sh @katexochen
+/bootstrapper @3u13r
/cli/internal/cloudcmd @daniel-weisse
-/cli/internal/cmd/upgrade* @daniel-weisse
+/cli/internal/cmd/upgrade* @derpsteb
/cli/internal/libvirt @daniel-weisse
-/cli/internal/terraform @daniel-weisse
+/cli/internal/terraform @elchead
/csi @daniel-weisse
/debugd @daniel-weisse
/disk-mapper @daniel-weisse
/docs @thomasten
-/e2e @msanft
-/hack/azure-snp-report-verify @msanft
+/e2e @3u13r
+/hack/azure-snp-report-verify @derpsteb
/hack/bazel-deps-mirror @burgerdev
-/hack/cli-k8s-compatibility @burgerdev
+/hack/cli-k8s-compatibility @derpsteb
/hack/clidocgen @thomasten
-/hack/fetch-broken-e2e @msanft
-/hack/gocoverage @msanft
+/hack/fetch-broken-e2e @katexochen
+/hack/gocoverage @katexochen
/hack/oci-pin @burgerdev
/hack/qemu-metadata-api @daniel-weisse
-/hack/remove-tf-providers @msanft
-/hack/terraform @msanft
-/hack/tools @msanft
+/hack/remove-tf-providers @katexochen
+/hack/terraform @3u13r
+/hack/tools @katexochen
/hack/versioninfogen @daniel-weisse
/image @msanft
-/internal/api @daniel-weisse
+/internal/api @derpsteb
/internal/atls @thomasten
/internal/attestation @daniel-weisse
-/internal/cloud @msanft
-/internal/compatibility @daniel-weisse
-/internal/config @msanft
+/internal/cloud @3u13r
+/internal/compatibility @derpsteb
+/internal/config @derpsteb
/internal/constellation/featureset @thomasten
/internal/constellation/helm @burgerdev
/internal/constellation/kubecmd @daniel-weisse
-/internal/constellation/state @msanft
+/internal/constellation/state @elchead
/internal/containerimage @burgerdev
/internal/crypto @thomasten
/internal/cryptsetup @daniel-weisse
/internal/file @daniel-weisse
/internal/grpc @thomasten
/internal/imagefetcher @msanft
-/internal/installer @msanft
+/internal/installer @3u13r
/internal/kms @daniel-weisse
-/internal/kubernetes @msanft
+/internal/kubernetes @3u13r
/internal/license @thomasten
/internal/logger @daniel-weisse
/internal/nodestate @daniel-weisse
/internal/osimage @msanft
-/internal/retry @msanft
-/internal/semver @daniel-weisse
-/internal/sigstore @burgerdev
+/internal/retry @katexochen
+/internal/semver @derpsteb
+/internal/sigstore @elchead
/internal/staticupload @msanft
-/internal/versions @msanft
+/internal/versions @3u13r
/joinservice @daniel-weisse
/keyservice @daniel-weisse
/measurement-reader @daniel-weisse
-/operators @msanft
-/terraform-provider-constellation @msanft
+/operators @3u13r
+/terraform-provider-constellation @msanft @elchead
/tools @burgerdev
-/upgrade-agent @msanft
+/upgrade-agent @3u13r
/verify @daniel-weisse
# keep-sorted end
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a123a5d58..9ee09c7ea 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -12,7 +12,7 @@ If you want to support our development:
* Share our projects on social media
* Join the [Confidential Computing Discord](https://discord.gg/rH8QTH56JN)
-Constellation is licensed under the [BUSL](LICENSE). When contributing, you also need to agree to our [Contributor License Agreement](https://cla-assistant.io/edgelesssys/constellation).
+Constellation is licensed under the [AGPLv3](LICENSE). When contributing, you also need to agree to our [Contributor License Agreement](https://cla-assistant.io/edgelesssys/constellation).
## Reporting issues and bugs, asking questions
diff --git a/LICENSE b/LICENSE
index 42435e491..be3f7b28e 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,91 +1,661 @@
-Business Source License 1.1
+ GNU AFFERO GENERAL PUBLIC LICENSE
+ Version 3, 19 November 2007
-Parameters
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
-Licensor: Edgeless Systems GmbH
-Licensed Work: Constellation
- The Licensed Work is (c) Edgeless Systems GmbH
-Additional Use Grant: None
+ Preamble
-Change Date: Four years from the date a MINOR version (SemVer) is published.
+ The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
-Change License: GNU Affero General Public License Version 3 (AGPL-3.0-only)
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
-For information about alternative licensing arrangements for the Software,
-please visit: https://www.edgeless.systems/enterprise-support
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
-Notice
+ Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
-License text copyright (c) 2023 MariaDB plc, All Rights Reserved.
-“Business Source License” is a trademark of MariaDB plc.
+ A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate. Many developers of free software are heartened and
+encouraged by the resulting cooperation. However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
------------------------------------------------------------------------------
+ The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community. It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server. Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
-Business Source License 1.1
+ An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals. This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
-Terms
+ The precise terms and conditions for copying, distribution and
+modification follow.
-The Licensor hereby grants you the right to copy, modify, create derivative
-works, redistribute, and make non-production use of the Licensed Work. The
-Licensor may make an Additional Use Grant, above, permitting limited
-production use.
+ TERMS AND CONDITIONS
-Effective on the Change Date, or the fourth anniversary of the first publicly
-available distribution of a specific version of the Licensed Work under this
-License, whichever comes first, the Licensor hereby grants you rights under
-the terms of the Change License, and the rights granted in the paragraph
-above terminate.
+ 0. Definitions.
-If your use of the Licensed Work does not comply with the requirements
-currently in effect as described in this License, you must purchase a
-commercial license from the Licensor, its affiliated entities, or authorized
-resellers, or you must refrain from using the Licensed Work.
+ "This License" refers to version 3 of the GNU Affero General Public License.
-All copies of the original and modified Licensed Work, and derivative works
-of the Licensed Work, are subject to this License. This License applies
-separately for each version of the Licensed Work and the Change Date may vary
-for each version of the Licensed Work released by Licensor.
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
-You must conspicuously display this License on each original or modified copy
-of the Licensed Work. If you receive the Licensed Work in original or
-modified form from a third party, the terms and conditions set forth in this
-License apply to your use of that work.
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
-Any use of the Licensed Work in violation of this License will automatically
-terminate your rights under this License for the current and all other
-versions of the Licensed Work.
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
-This License does not grant you any right in any trademark or logo of
-Licensor or its affiliates (provided that you may use a trademark or logo of
-Licensor as expressly required by this License).
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
-TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
-AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
-EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
-TITLE.
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
-MariaDB hereby grants you permission to use this License’s text to license
-your works, and to refer to it using the trademark “Business Source License”,
-as long as you comply with the Covenants of Licensor below.
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
-Covenants of Licensor
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
-In consideration of the right to use this License’s text and the “Business
-Source License” name and trademark, Licensor covenants to MariaDB, and to all
-other recipients of the licensed work to be provided by Licensor:
+ 1. Source Code.
-1. To specify as the Change License the GPL Version 2.0 or any later version,
- or a license that is compatible with GPL Version 2.0 or a later version,
- where “compatible” means that software provided under the Change License can
- be included in a program with software provided under GPL Version 2.0 or a
- later version. Licensor may specify additional Change Licenses without
- limitation.
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
-2. To either: (a) specify an additional grant of rights to use that does not
- impose any additional restriction on the right granted in this License, as
- the Additional Use Grant; or (b) insert the text “None”.
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
-3. To specify a Change Date.
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
-4. Not to modify this License in any other way.
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Remote Network Interaction; Use with the GNU General Public License.
+
+ Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software. This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+ + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. 
There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/MODULE.bazel b/MODULE.bazel index 013e0d776..111a0f6ad 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -1,6 +1,6 @@ module(name = "constellation") -bazel_dep(name = "aspect_bazel_lib", version = "2.19.4") +bazel_dep(name = "aspect_bazel_lib", version = "2.9.4") bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains") bazel_lib.yq() 
@@ -8,22 +8,21 @@ use_repo(bazel_lib, "jq_toolchains") use_repo(bazel_lib, "yq_toolchains") bazel_dep(name = "bazel_skylib", version = "1.7.1") -bazel_dep(name = "gazelle", version = "0.43.0") -bazel_dep(name = "hermetic_cc_toolchain", version = "3.2.0") -bazel_dep(name = "rules_cc", version = "0.1.2") -bazel_dep(name = "rules_go", version = "0.54.0", repo_name = "io_bazel_rules_go") -bazel_dep(name = "rules_pkg", version = "1.1.0") -bazel_dep(name = "rules_proto", version = "7.1.0") -bazel_dep(name = "rules_python", version = "1.4.1") -bazel_dep(name = "rules_shell", version = "0.5.0") +bazel_dep(name = "gazelle", version = "0.39.1") +bazel_dep(name = "hermetic_cc_toolchain", version = "3.1.1") +bazel_dep(name = "rules_cc", version = "0.1.0") +bazel_dep(name = "rules_go", version = "0.50.1", repo_name = "io_bazel_rules_go") +bazel_dep(name = "rules_pkg", version = "0.10.1") +bazel_dep(name = "rules_proto", version = "6.0.2") +bazel_dep(name = "rules_python", version = "0.40.0") -bazel_dep(name = "buildifier_prebuilt", version = "8.2.0.2", dev_dependency = True) +bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True) go_sdk = use_extension("@io_bazel_rules_go//go:extensions.bzl", "go_sdk") go_sdk.download( name = "go_sdk", patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"], - version = "1.24.4", + version = "1.23.2", ) python = use_extension("@rules_python//python/extensions:python.bzl", "python") diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock index bfc4a242d..4782a3045 100644 --- a/MODULE.bazel.lock +++ b/MODULE.bazel.lock @@ -1,5 +1,5 @@ { - "lockFileVersion": 13, + "lockFileVersion": 11, "registryFileHashes": { "https://bcr.bazel.build/bazel_registry.json": "8a28e4aff06ee60aed2a8c281907fb8bcbf3b753c91fb5a5c57da3215d5b3497", "https://bcr.bazel.build/modules/abseil-cpp/20210324.2/MODULE.bazel": "7cd0312e064fde87c8d1cd79ba06c876bd23630c83466e9500321be55c96ace2", 
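Review bot: The `version = "1.23.2"` pin in `go_sdk.download` is an early patch release of the 1.23 line, and Go patch releases routinely carry security fixes in net/http, crypto/tls and the runtime, so stepping the toolchain back a whole minor version also sheds every 1.23.x fix issued after .2; if the build has to return to 1.23 for compatibility with the older rules_go, pin the newest 1.23.x patch release instead and leave a comment stating why the toolchain is held back, e.g. `# Go held at 1.23.x: rules_go 0.50.1 does not support 1.24; keep on the latest 1.23 patch release`. The `patches = [...]` entry (`go_tls_max_handshake_size.patch`) is carried over unchanged while the SDK it is applied to moves back a minor version, so verify the patch still applies to the 1.23 tree rather than relying on the fetch to catch a mismatch. The hunk also drops `rules_shell` from the new side with no replacement; if that is deliberate because the older Bazel pin does not need it, a sentence in the commit description would save the next reader from guessing.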
@@ -12,10 +12,8 @@ "https://bcr.bazel.build/modules/abseil-cpp/20240116.1/source.json": "9be551b8d4e3ef76875c0d744b5d6a504a27e3ae67bc6b28f46415fd2d2957da", "https://bcr.bazel.build/modules/apple_support/1.5.0/MODULE.bazel": "50341a62efbc483e8a2a6aec30994a58749bd7b885e18dd96aa8c33031e558ef", "https://bcr.bazel.build/modules/apple_support/1.5.0/source.json": "eb98a7627c0bc486b57f598ad8da50f6625d974c8f723e9ea71bd39f709c9862", - "https://bcr.bazel.build/modules/aspect_bazel_lib/2.14.0/MODULE.bazel": "2b31ffcc9bdc8295b2167e07a757dbbc9ac8906e7028e5170a3708cecaac119f", - "https://bcr.bazel.build/modules/aspect_bazel_lib/2.19.4/MODULE.bazel": "d39e4b18e594d81c526d7cfc513e7ecfa8ca9eb5b61488d1d790faa94b34f2d9", - "https://bcr.bazel.build/modules/aspect_bazel_lib/2.19.4/source.json": "506fa924e19fd8a33d617e33a17e4fce845f9ff9acb3a2aa7cf7300650698705", - "https://bcr.bazel.build/modules/aspect_bazel_lib/2.8.1/MODULE.bazel": "812d2dd42f65dca362152101fbec418029cc8fd34cbad1a2fde905383d705838", + "https://bcr.bazel.build/modules/aspect_bazel_lib/2.9.4/MODULE.bazel": "ccc41028429f894b02fde7ef67d416cba3ba5084ed9ddb9bb6107aa82d118776", + "https://bcr.bazel.build/modules/aspect_bazel_lib/2.9.4/source.json": "9e20ebe57de2e7657a188af6e132a9562fa26c201b2d999bc0a8981e8f3b6c36", "https://bcr.bazel.build/modules/bazel_features/1.1.0/MODULE.bazel": "cfd42ff3b815a5f39554d97182657f8c4b9719568eb7fded2b9135f084bf760b", "https://bcr.bazel.build/modules/bazel_features/1.1.1/MODULE.bazel": "27b8c79ef57efe08efccbd9dd6ef70d61b4798320b8d3c134fd571f78963dbcd", "https://bcr.bazel.build/modules/bazel_features/1.11.0/MODULE.bazel": "f9382337dd5a474c3b7d334c2f83e50b6eaedc284253334cf823044a26de03e8", 
@@ -23,12 +21,8 @@ "https://bcr.bazel.build/modules/bazel_features/1.17.0/MODULE.bazel": "039de32d21b816b47bd42c778e0454217e9c9caac4a3cf8e15c7231ee3ddee4d", "https://bcr.bazel.build/modules/bazel_features/1.18.0/MODULE.bazel": "1be0ae2557ab3a72a57aeb31b29be347bcdc5d2b1eb1e70f39e3851a7e97041a", "https://bcr.bazel.build/modules/bazel_features/1.19.0/MODULE.bazel": "59adcdf28230d220f0067b1f435b8537dd033bfff8db21335ef9217919c7fb58", - "https://bcr.bazel.build/modules/bazel_features/1.20.0/MODULE.bazel": "8b85300b9c8594752e0721a37210e34879d23adc219ed9dc8f4104a4a1750920", - "https://bcr.bazel.build/modules/bazel_features/1.21.0/MODULE.bazel": "675642261665d8eea09989aa3b8afb5c37627f1be178382c320d1b46afba5e3b", - "https://bcr.bazel.build/modules/bazel_features/1.28.0/MODULE.bazel": "4b4200e6cbf8fa335b2c3f43e1d6ef3e240319c33d43d60cc0fbd4b87ece299d", - "https://bcr.bazel.build/modules/bazel_features/1.28.0/source.json": "16a3fc5b4483cb307643791f5a4b7365fa98d2e70da7c378cdbde55f0c0b32cf", + "https://bcr.bazel.build/modules/bazel_features/1.19.0/source.json": "d7bf14517c1b25b9d9c580b0f8795fceeae08a7590f507b76aace528e941375d", "https://bcr.bazel.build/modules/bazel_features/1.4.1/MODULE.bazel": "e45b6bb2350aff3e442ae1111c555e27eac1d915e77775f6fdc4b351b758b5d7", - "https://bcr.bazel.build/modules/bazel_features/1.9.0/MODULE.bazel": "885151d58d90d8d9c811eb75e3288c11f850e1d6b481a8c9f766adee4712358b", "https://bcr.bazel.build/modules/bazel_features/1.9.1/MODULE.bazel": "8f679097876a9b609ad1f60249c49d68bfab783dd9be012faf9d82547b14815a", "https://bcr.bazel.build/modules/bazel_skylib/1.0.3/MODULE.bazel": "bcb0fd896384802d1ad283b4e4eb4d718eebd8cb820b0a2c3a347fb971afd9d8", "https://bcr.bazel.build/modules/bazel_skylib/1.1.1/MODULE.bazel": "1add3e7d93ff2e6998f9e118022c84d163917d912f5afafb3058e3d2f1545b5e", 
@@ -42,33 +36,28 @@ "https://bcr.bazel.build/modules/bazel_skylib/1.7.0/MODULE.bazel": "0db596f4563de7938de764cc8deeabec291f55e8ec15299718b93c4423e9796d", "https://bcr.bazel.build/modules/bazel_skylib/1.7.1/MODULE.bazel": "3120d80c5861aa616222ec015332e5f8d3171e062e3e804a2a0253e1be26e59b", "https://bcr.bazel.build/modules/bazel_skylib/1.7.1/source.json": "f121b43eeefc7c29efbd51b83d08631e2347297c95aac9764a701f2a6a2bb953", - "https://bcr.bazel.build/modules/buildifier_prebuilt/8.2.0.2/MODULE.bazel": "a9b689711d5b69f9db741649b218c119b9fdf82924ba390415037e09798edd03", - "https://bcr.bazel.build/modules/buildifier_prebuilt/8.2.0.2/source.json": "51eb0a4b38aaaeab7fa64361576d616c4d8bfd0f17a0a10184aeab7084d79f8e", + "https://bcr.bazel.build/modules/buildifier_prebuilt/6.4.0/MODULE.bazel": "37389c6b5a40c59410b4226d3bb54b08637f393d66e2fa57925c6fcf68e64bf4", + "https://bcr.bazel.build/modules/buildifier_prebuilt/6.4.0/source.json": "83eb01b197ed0b392f797860c9da5ed1bf95f4d0ded994d694a3d44731275916", "https://bcr.bazel.build/modules/buildozer/7.1.2/MODULE.bazel": "2e8dd40ede9c454042645fd8d8d0cd1527966aa5c919de86661e62953cd73d84", "https://bcr.bazel.build/modules/buildozer/7.1.2/source.json": "c9028a501d2db85793a6996205c8de120944f50a0d570438fcae0457a5f9d1f8", "https://bcr.bazel.build/modules/gazelle/0.32.0/MODULE.bazel": "b499f58a5d0d3537f3cf5b76d8ada18242f64ec474d8391247438bf04f58c7b8", "https://bcr.bazel.build/modules/gazelle/0.33.0/MODULE.bazel": "a13a0f279b462b784fb8dd52a4074526c4a2afe70e114c7d09066097a46b3350", "https://bcr.bazel.build/modules/gazelle/0.34.0/MODULE.bazel": "abdd8ce4d70978933209db92e436deb3a8b737859e9354fb5fd11fb5c2004c8a", "https://bcr.bazel.build/modules/gazelle/0.36.0/MODULE.bazel": "e375d5d6e9a6ca59b0cb38b0540bc9a05b6aa926d322f2de268ad267a2ee74c0", - "https://bcr.bazel.build/modules/gazelle/0.43.0/MODULE.bazel": "846e1fe396eefc0f9ddad2b33e9bd364dd993fc2f42a88e31590fe0b0eefa3f0", - "https://bcr.bazel.build/modules/gazelle/0.43.0/source.json": 
"021a77f6625906d9d176e2fa351175e842622a5d45989312f2ad4924aab72df6", + "https://bcr.bazel.build/modules/gazelle/0.39.1/MODULE.bazel": "1fa3fefad240e535066fd0e6950dfccd627d36dc699ee0034645e51dbde3980f", + "https://bcr.bazel.build/modules/gazelle/0.39.1/source.json": "f2facfa8c8c9a4d2ebf613754023054c2eb793b88675082216c6be0419eb20a1", "https://bcr.bazel.build/modules/google_benchmark/1.8.2/MODULE.bazel": "a70cf1bba851000ba93b58ae2f6d76490a9feb74192e57ab8e8ff13c34ec50cb", "https://bcr.bazel.build/modules/googletest/1.11.0/MODULE.bazel": "3a83f095183f66345ca86aa13c58b59f9f94a2f81999c093d4eeaa2d262d12f4", "https://bcr.bazel.build/modules/googletest/1.14.0.bcr.1/MODULE.bazel": "22c31a561553727960057361aa33bf20fb2e98584bc4fec007906e27053f80c6", "https://bcr.bazel.build/modules/googletest/1.14.0.bcr.1/source.json": "41e9e129f80d8c8bf103a7acc337b76e54fad1214ac0a7084bf24f4cd924b8b4", "https://bcr.bazel.build/modules/googletest/1.14.0/MODULE.bazel": "cfbcbf3e6eac06ef9d85900f64424708cc08687d1b527f0ef65aa7517af8118f", - "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.2.0/MODULE.bazel": "8e7faec81c1f0fb65fe277ecfc75ea3636ce7bf848f88037fedd58e6eeacc28f", - "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.2.0/source.json": "67c2b76edff27c3ec449a935fc9468996d1a730b52a9a6f97c40c8a06d381630", - "https://bcr.bazel.build/modules/jq.bzl/0.1.0/MODULE.bazel": "2ce69b1af49952cd4121a9c3055faa679e748ce774c7f1fda9657f936cae902f", - "https://bcr.bazel.build/modules/jq.bzl/0.1.0/source.json": "746bf13cac0860f091df5e4911d0c593971cd8796b5ad4e809b2f8e133eee3d5", + "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.1.1/MODULE.bazel": "164331a6e73093376a19eaa1eae45a94aad3245e9e79d8f31237f4a8eb6c1c41", + "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.1.1/source.json": "a2f67694b91ae575e2715fa2c5745c8c9879e7132852ef45c05b4e25a0d3b423", "https://bcr.bazel.build/modules/jsoncpp/1.9.5/MODULE.bazel": "31271aedc59e815656f5736f282bb7509a97c7ecb43e927ac1a37966e0578075", 
"https://bcr.bazel.build/modules/jsoncpp/1.9.5/source.json": "4108ee5085dd2885a341c7fab149429db457b3169b86eb081fa245eadf69169d", "https://bcr.bazel.build/modules/libpfm/4.11.0/MODULE.bazel": "45061ff025b301940f1e30d2c16bea596c25b176c8b6b3087e92615adbd52902", - "https://bcr.bazel.build/modules/package_metadata/0.0.2/MODULE.bazel": "fb8d25550742674d63d7b250063d4580ca530499f045d70748b1b142081ebb92", - "https://bcr.bazel.build/modules/package_metadata/0.0.2/source.json": "e53a759a72488d2c0576f57491ef2da0cf4aab05ac0997314012495935531b73", "https://bcr.bazel.build/modules/platforms/0.0.10/MODULE.bazel": "8cb8efaf200bdeb2150d93e162c40f388529a25852b332cec879373771e48ed5", - "https://bcr.bazel.build/modules/platforms/0.0.11/MODULE.bazel": "0daefc49732e227caa8bfa834d65dc52e8cc18a2faf80df25e8caea151a9413f", - "https://bcr.bazel.build/modules/platforms/0.0.11/source.json": "f7e188b79ebedebfe75e9e1d098b8845226c7992b307e28e1496f23112e8fc29", + "https://bcr.bazel.build/modules/platforms/0.0.10/source.json": "f22828ff4cf021a6b577f1bf6341cb9dcd7965092a439f64fc1bb3b7a5ae4bd5", "https://bcr.bazel.build/modules/platforms/0.0.4/MODULE.bazel": "9b328e31ee156f53f3c416a64f8491f7eb731742655a47c9eec4703a71644aee", "https://bcr.bazel.build/modules/platforms/0.0.5/MODULE.bazel": "5733b54ea419d5eaf7997054bb55f6a1d0b5ff8aedf0176fef9eea44f3acda37", "https://bcr.bazel.build/modules/platforms/0.0.6/MODULE.bazel": "ad6eeef431dc52aefd2d77ed20a4b353f8ebf0f4ecdd26a807d2da5aa8cd0615", 
@@ -79,9 +68,7 @@ "https://bcr.bazel.build/modules/protobuf/27.0/MODULE.bazel": "7873b60be88844a0a1d8f80b9d5d20cfbd8495a689b8763e76c6372998d3f64c", "https://bcr.bazel.build/modules/protobuf/27.1/MODULE.bazel": "703a7b614728bb06647f965264967a8ef1c39e09e8f167b3ca0bb1fd80449c0d", "https://bcr.bazel.build/modules/protobuf/29.0-rc2/MODULE.bazel": "6241d35983510143049943fc0d57937937122baf1b287862f9dc8590fc4c37df", - "https://bcr.bazel.build/modules/protobuf/29.0-rc3/MODULE.bazel": "33c2dfa286578573afc55a7acaea3cada4122b9631007c594bf0729f41c8de92", - "https://bcr.bazel.build/modules/protobuf/29.1/MODULE.bazel": "557c3457560ff49e122ed76c0bc3397a64af9574691cb8201b4e46d4ab2ecb95", - "https://bcr.bazel.build/modules/protobuf/29.1/source.json": "04cca85dce26b895ed037d98336d860367fe09919208f2ad383f0df1aff63199", + "https://bcr.bazel.build/modules/protobuf/29.0-rc2/source.json": "52101bfd37e38f0d159dee47b71ccbd1f22f7a32192cef5ef2533bb6212f410f", "https://bcr.bazel.build/modules/protobuf/3.19.0/MODULE.bazel": "6b5fbb433f760a99a22b18b6850ed5784ef0e9928a72668b66e4d7ccd47db9b0", "https://bcr.bazel.build/modules/protobuf/3.19.2/MODULE.bazel": "532ffe5f2186b69fdde039efe6df13ba726ff338c6bc82275ad433013fa10573", "https://bcr.bazel.build/modules/protobuf/3.19.6/MODULE.bazel": "9233edc5e1f2ee276a60de3eaa47ac4132302ef9643238f23128fea53ea12858", 
@@ -94,14 +81,14 @@ "https://bcr.bazel.build/modules/rules_cc/0.0.1/MODULE.bazel": "cb2aa0747f84c6c3a78dad4e2049c154f08ab9d166b1273835a8174940365647", "https://bcr.bazel.build/modules/rules_cc/0.0.10/MODULE.bazel": "ec1705118f7eaedd6e118508d3d26deba2a4e76476ada7e0e3965211be012002", "https://bcr.bazel.build/modules/rules_cc/0.0.13/MODULE.bazel": "0e8529ed7b323dad0775ff924d2ae5af7640b23553dfcd4d34344c7e7a867191", + "https://bcr.bazel.build/modules/rules_cc/0.0.14/MODULE.bazel": "5e343a3aac88b8d7af3b1b6d2093b55c347b8eefc2e7d1442f7a02dc8fea48ac", "https://bcr.bazel.build/modules/rules_cc/0.0.15/MODULE.bazel": "6704c35f7b4a72502ee81f61bf88706b54f06b3cbe5558ac17e2e14666cd5dcc", - "https://bcr.bazel.build/modules/rules_cc/0.0.16/MODULE.bazel": "7661303b8fc1b4d7f532e54e9d6565771fea666fbdf839e0a86affcd02defe87", "https://bcr.bazel.build/modules/rules_cc/0.0.2/MODULE.bazel": "6915987c90970493ab97393024c156ea8fb9f3bea953b2f3ec05c34f19b5695c", "https://bcr.bazel.build/modules/rules_cc/0.0.6/MODULE.bazel": "abf360251023dfe3efcef65ab9d56beefa8394d4176dd29529750e1c57eaa33f", "https://bcr.bazel.build/modules/rules_cc/0.0.8/MODULE.bazel": "964c85c82cfeb6f3855e6a07054fdb159aced38e99a5eecf7bce9d53990afa3e", "https://bcr.bazel.build/modules/rules_cc/0.0.9/MODULE.bazel": "836e76439f354b89afe6a911a7adf59a6b2518fafb174483ad78a2a2fde7b1c5", - "https://bcr.bazel.build/modules/rules_cc/0.1.2/MODULE.bazel": "557ddc3a96858ec0d465a87c0a931054d7dcfd6583af2c7ed3baf494407fd8d0", - "https://bcr.bazel.build/modules/rules_cc/0.1.2/source.json": "53fcb09b5816c83ca60d9d7493faf3bfaf410dfc2f15deb52d6ddd146b8d43f0", + "https://bcr.bazel.build/modules/rules_cc/0.1.0/MODULE.bazel": "2fef03775b9ba995ec543868840041cc69e8bc705eb0cb6604a36eee18c87d8b", + "https://bcr.bazel.build/modules/rules_cc/0.1.0/source.json": "8a4e832d75e073ab56c74dd77008cf7a81e107dec4544019eb1eefc1320d55be", "https://bcr.bazel.build/modules/rules_foreign_cc/0.9.0/MODULE.bazel": 
"c9e8c682bf75b0e7c704166d79b599f93b72cfca5ad7477df596947891feeef6", "https://bcr.bazel.build/modules/rules_fuzzing/0.5.2/MODULE.bazel": "40c97d1144356f52905566c55811f13b299453a14ac7769dfba2ac38192337a8", "https://bcr.bazel.build/modules/rules_fuzzing/0.5.2/source.json": "c8b1e2c717646f1702290959a3302a178fb639d987ab61d548105019f11e527e", 
@@ -109,68 +96,65 @@ "https://bcr.bazel.build/modules/rules_go/0.42.0/MODULE.bazel": "8cfa875b9aa8c6fce2b2e5925e73c1388173ea3c32a0db4d2b4804b453c14270", "https://bcr.bazel.build/modules/rules_go/0.46.0/MODULE.bazel": "3477df8bdcc49e698b9d25f734c4f3a9f5931ff34ee48a2c662be168f5f2d3fd", "https://bcr.bazel.build/modules/rules_go/0.50.1/MODULE.bazel": "b91a308dc5782bb0a8021ad4330c81fea5bda77f96b9e4c117b9b9c8f6665ee0", - "https://bcr.bazel.build/modules/rules_go/0.54.0/MODULE.bazel": "ebec39ed510d0d4122b60764623dda92ca7f175479b511bf7cd5de7f38e86747", - "https://bcr.bazel.build/modules/rules_go/0.54.0/source.json": "6eb9b4f4fc27ab5be79d84dcfcf971beea6caa91a1b02088a9ee314c88915cf3", + "https://bcr.bazel.build/modules/rules_go/0.50.1/source.json": "205765fd30216c70321f84c9a967267684bdc74350af3f3c46c857d9f80a4fa2", "https://bcr.bazel.build/modules/rules_java/4.0.0/MODULE.bazel": "5a78a7ae82cd1a33cef56dc578c7d2a46ed0dca12643ee45edbb8417899e6f74", "https://bcr.bazel.build/modules/rules_java/5.3.5/MODULE.bazel": "a4ec4f2db570171e3e5eb753276ee4b389bae16b96207e9d3230895c99644b86", + "https://bcr.bazel.build/modules/rules_java/6.0.0/MODULE.bazel": "8a43b7df601a7ec1af61d79345c17b31ea1fedc6711fd4abfd013ea612978e39", "https://bcr.bazel.build/modules/rules_java/6.3.0/MODULE.bazel": "a97c7678c19f236a956ad260d59c86e10a463badb7eb2eda787490f4c969b963", + "https://bcr.bazel.build/modules/rules_java/6.4.0/MODULE.bazel": "e986a9fe25aeaa84ac17ca093ef13a4637f6107375f64667a15999f77db6c8f6", "https://bcr.bazel.build/modules/rules_java/6.5.2/MODULE.bazel": "1d440d262d0e08453fa0c4d8f699ba81609ed0e9a9a0f02cd10b3e7942e61e31", "https://bcr.bazel.build/modules/rules_java/7.10.0/MODULE.bazel": "530c3beb3067e870561739f1144329a21c851ff771cd752a49e06e3dc9c2e71a", "https://bcr.bazel.build/modules/rules_java/7.12.2/MODULE.bazel": "579c505165ee757a4280ef83cda0150eea193eed3bef50b1004ba88b99da6de6", + "https://bcr.bazel.build/modules/rules_java/7.12.2/source.json": 
"b0890f9cda8ff1b8e691a3ac6037b5c14b7fd4134765a3946b89f31ea02e5884", "https://bcr.bazel.build/modules/rules_java/7.2.0/MODULE.bazel": "06c0334c9be61e6cef2c8c84a7800cef502063269a5af25ceb100b192453d4ab", + "https://bcr.bazel.build/modules/rules_java/7.3.2/MODULE.bazel": "50dece891cfdf1741ea230d001aa9c14398062f2b7c066470accace78e412bc2", "https://bcr.bazel.build/modules/rules_java/7.6.1/MODULE.bazel": "2f14b7e8a1aa2f67ae92bc69d1ec0fa8d9f827c4e17ff5e5f02e91caa3b2d0fe", "https://bcr.bazel.build/modules/rules_java/7.6.5/MODULE.bazel": "481164be5e02e4cab6e77a36927683263be56b7e36fef918b458d7a8a1ebadb1", - "https://bcr.bazel.build/modules/rules_java/8.3.2/MODULE.bazel": "7336d5511ad5af0b8615fdc7477535a2e4e723a357b6713af439fe8cf0195017", - "https://bcr.bazel.build/modules/rules_java/8.5.1/MODULE.bazel": "d8a9e38cc5228881f7055a6079f6f7821a073df3744d441978e7a43e20226939", - "https://bcr.bazel.build/modules/rules_java/8.5.1/source.json": "db1a77d81b059e0f84985db67a22f3f579a529a86b7997605be3d214a0abe38e", "https://bcr.bazel.build/modules/rules_jvm_external/4.4.2/MODULE.bazel": "a56b85e418c83eb1839819f0b515c431010160383306d13ec21959ac412d2fe7", "https://bcr.bazel.build/modules/rules_jvm_external/5.1/MODULE.bazel": "33f6f999e03183f7d088c9be518a63467dfd0be94a11d0055fe2d210f89aa909", "https://bcr.bazel.build/modules/rules_jvm_external/5.2/MODULE.bazel": "d9351ba35217ad0de03816ef3ed63f89d411349353077348a45348b096615036", + "https://bcr.bazel.build/modules/rules_jvm_external/5.3/MODULE.bazel": "bf93870767689637164657731849fb887ad086739bd5d360d90007a581d5527d", + "https://bcr.bazel.build/modules/rules_jvm_external/6.1/MODULE.bazel": "75b5fec090dbd46cf9b7d8ea08cf84a0472d92ba3585b476f44c326eda8059c4", "https://bcr.bazel.build/modules/rules_jvm_external/6.3/MODULE.bazel": "c998e060b85f71e00de5ec552019347c8bca255062c990ac02d051bb80a38df0", "https://bcr.bazel.build/modules/rules_jvm_external/6.3/source.json": "6f5f5a5a4419ae4e37c35a5bb0a6ae657ed40b7abc5a5189111b47fcebe43197", + 
"https://bcr.bazel.build/modules/rules_kotlin/1.9.0/MODULE.bazel": "ef85697305025e5a61f395d4eaede272a5393cee479ace6686dba707de804d59", "https://bcr.bazel.build/modules/rules_kotlin/1.9.6/MODULE.bazel": "d269a01a18ee74d0335450b10f62c9ed81f2321d7958a2934e44272fe82dcef3", "https://bcr.bazel.build/modules/rules_kotlin/1.9.6/source.json": "2faa4794364282db7c06600b7e5e34867a564ae91bda7cae7c29c64e9466b7d5", "https://bcr.bazel.build/modules/rules_license/0.0.3/MODULE.bazel": "627e9ab0247f7d1e05736b59dbb1b6871373de5ad31c3011880b4133cafd4bd0", + "https://bcr.bazel.build/modules/rules_license/0.0.4/MODULE.bazel": "6a88dd22800cf1f9f79ba32cacad0d3a423ed28efa2c2ed5582eaa78dd3ac1e5", "https://bcr.bazel.build/modules/rules_license/0.0.7/MODULE.bazel": "088fbeb0b6a419005b89cf93fe62d9517c0a2b8bb56af3244af65ecfe37e7d5d", "https://bcr.bazel.build/modules/rules_license/1.0.0/MODULE.bazel": "a7fda60eefdf3d8c827262ba499957e4df06f659330bbe6cdbdb975b768bb65c", "https://bcr.bazel.build/modules/rules_license/1.0.0/source.json": "a52c89e54cc311196e478f8382df91c15f7a2bfdf4c6cd0e2675cc2ff0b56efb", + "https://bcr.bazel.build/modules/rules_pkg/0.10.1/MODULE.bazel": "d6e593e048db5f1028f1f05ceb64b123aa6f1c2d43cba049c036443ab2cc2044", "https://bcr.bazel.build/modules/rules_pkg/0.7.0/MODULE.bazel": "df99f03fc7934a4737122518bb87e667e62d780b610910f0447665a7e2be62dc", "https://bcr.bazel.build/modules/rules_pkg/1.0.1/MODULE.bazel": "5b1df97dbc29623bccdf2b0dcd0f5cb08e2f2c9050aab1092fd39a41e82686ff", - "https://bcr.bazel.build/modules/rules_pkg/1.1.0/MODULE.bazel": "9db8031e71b6ef32d1846106e10dd0ee2deac042bd9a2de22b4761b0c3036453", - "https://bcr.bazel.build/modules/rules_pkg/1.1.0/source.json": "fef768df13a92ce6067e1cd0cdc47560dace01354f1d921cfb1d632511f7d608", + "https://bcr.bazel.build/modules/rules_pkg/1.0.1/source.json": "bd82e5d7b9ce2d31e380dd9f50c111d678c3bdaca190cb76b0e1c71b05e1ba8a", "https://bcr.bazel.build/modules/rules_proto/4.0.0/MODULE.bazel": 
"a7a7b6ce9bee418c1a760b3d84f83a299ad6952f9903c67f19e4edd964894e06", "https://bcr.bazel.build/modules/rules_proto/5.3.0-21.7/MODULE.bazel": "e8dff86b0971688790ae75528fe1813f71809b5afd57facb44dad9e8eca631b7", "https://bcr.bazel.build/modules/rules_proto/6.0.0/MODULE.bazel": "b531d7f09f58dce456cd61b4579ce8c86b38544da75184eadaf0a7cb7966453f", "https://bcr.bazel.build/modules/rules_proto/6.0.2/MODULE.bazel": "ce916b775a62b90b61888052a416ccdda405212b6aaeb39522f7dc53431a5e73", "https://bcr.bazel.build/modules/rules_proto/7.0.2/MODULE.bazel": "bf81793bd6d2ad89a37a40693e56c61b0ee30f7a7fdbaf3eabbf5f39de47dea2", - "https://bcr.bazel.build/modules/rules_proto/7.1.0/MODULE.bazel": "002d62d9108f75bb807cd56245d45648f38275cb3a99dcd45dfb864c5d74cb96", - "https://bcr.bazel.build/modules/rules_proto/7.1.0/source.json": "39f89066c12c24097854e8f57ab8558929f9c8d474d34b2c00ac04630ad8940e", + "https://bcr.bazel.build/modules/rules_proto/7.0.2/source.json": "1e5e7260ae32ef4f2b52fd1d0de8d03b606a44c91b694d2f1afb1d3b28a48ce1", "https://bcr.bazel.build/modules/rules_python/0.10.2/MODULE.bazel": "cc82bc96f2997baa545ab3ce73f196d040ffb8756fd2d66125a530031cd90e5f", "https://bcr.bazel.build/modules/rules_python/0.22.1/MODULE.bazel": "26114f0c0b5e93018c0c066d6673f1a2c3737c7e90af95eff30cfee38d0bbac7", "https://bcr.bazel.build/modules/rules_python/0.23.1/MODULE.bazel": "49ffccf0511cb8414de28321f5fcf2a31312b47c40cc21577144b7447f2bf300", + "https://bcr.bazel.build/modules/rules_python/0.24.0/MODULE.bazel": "4bff7f583653d0762cda21303da0643cc4c545ddfd9593337f18dad8d1787801", "https://bcr.bazel.build/modules/rules_python/0.25.0/MODULE.bazel": "72f1506841c920a1afec76975b35312410eea3aa7b63267436bfb1dd91d2d382", "https://bcr.bazel.build/modules/rules_python/0.28.0/MODULE.bazel": "cba2573d870babc976664a912539b320cbaa7114cd3e8f053c720171cde331ed", "https://bcr.bazel.build/modules/rules_python/0.31.0/MODULE.bazel": "93a43dc47ee570e6ec9f5779b2e64c1476a6ce921c48cc9a1678a91dd5f8fd58", 
"https://bcr.bazel.build/modules/rules_python/0.4.0/MODULE.bazel": "9208ee05fd48bf09ac60ed269791cf17fb343db56c8226a720fbb1cdf467166c", - "https://bcr.bazel.build/modules/rules_python/1.0.0/MODULE.bazel": "898a3d999c22caa585eb062b600f88654bf92efb204fa346fb55f6f8edffca43", - "https://bcr.bazel.build/modules/rules_python/1.4.1/MODULE.bazel": "8991ad45bdc25018301d6b7e1d3626afc3c8af8aaf4bc04f23d0b99c938b73a6", - "https://bcr.bazel.build/modules/rules_python/1.4.1/source.json": "8ec8c90c70ccacc4de8ca1b97f599e756fb59173e898ee08b733006650057c07", + "https://bcr.bazel.build/modules/rules_python/0.40.0/MODULE.bazel": "9d1a3cd88ed7d8e39583d9ffe56ae8a244f67783ae89b60caafc9f5cf318ada7", + "https://bcr.bazel.build/modules/rules_python/0.40.0/source.json": "939d4bd2e3110f27bfb360292986bb79fd8dcefb874358ccd6cdaa7bda029320", "https://bcr.bazel.build/modules/rules_shell/0.2.0/MODULE.bazel": "fda8a652ab3c7d8fee214de05e7a9916d8b28082234e8d2c0094505c5268ed3c", - "https://bcr.bazel.build/modules/rules_shell/0.3.0/MODULE.bazel": "de4402cd12f4cc8fda2354fce179fdb068c0b9ca1ec2d2b17b3e21b24c1a937b", - "https://bcr.bazel.build/modules/rules_shell/0.4.1/MODULE.bazel": "00e501db01bbf4e3e1dd1595959092c2fadf2087b2852d3f553b5370f5633592", - "https://bcr.bazel.build/modules/rules_shell/0.5.0/MODULE.bazel": "8c8447370594d45539f66858b602b0bb2cb2d3401a4ebb9ad25830c59c0f366d", - "https://bcr.bazel.build/modules/rules_shell/0.5.0/source.json": "3038276f07cbbdd1c432d1f80a2767e34143ffbb03cfa043f017e66adbba324c", + "https://bcr.bazel.build/modules/rules_shell/0.2.0/source.json": "7f27af3c28037d9701487c4744b5448d26537cc66cdef0d8df7ae85411f8de95", "https://bcr.bazel.build/modules/stardoc/0.5.1/MODULE.bazel": "1a05d92974d0c122f5ccf09291442580317cdd859f07a8655f1db9a60374f9f8", "https://bcr.bazel.build/modules/stardoc/0.5.3/MODULE.bazel": "c7f6948dae6999bf0db32c1858ae345f112cacf98f174c7a8bb707e41b974f1c", + "https://bcr.bazel.build/modules/stardoc/0.5.6/MODULE.bazel": 
"c43dabc564990eeab55e25ed61c07a1aadafe9ece96a4efabb3f8bf9063b71ef", "https://bcr.bazel.build/modules/stardoc/0.6.2/MODULE.bazel": "7060193196395f5dd668eda046ccbeacebfd98efc77fed418dbe2b82ffaa39fd", "https://bcr.bazel.build/modules/stardoc/0.7.0/MODULE.bazel": "05e3d6d30c099b6770e97da986c53bd31844d7f13d41412480ea265ac9e8079c", - "https://bcr.bazel.build/modules/stardoc/0.7.2/MODULE.bazel": "fc152419aa2ea0f51c29583fab1e8c99ddefd5b3778421845606ee628629e0e5", - "https://bcr.bazel.build/modules/stardoc/0.7.2/source.json": "58b029e5e901d6802967754adf0a9056747e8176f017cfe3607c0851f4d42216", - "https://bcr.bazel.build/modules/tar.bzl/0.2.1/MODULE.bazel": "52d1c00a80a8cc67acbd01649e83d8dd6a9dc426a6c0b754a04fe8c219c76468", - "https://bcr.bazel.build/modules/tar.bzl/0.2.1/source.json": "600ac6ff61744667a439e7b814ae59c1f29632c3984fccf8000c64c9db8d7bb6", + "https://bcr.bazel.build/modules/stardoc/0.7.1/MODULE.bazel": "3548faea4ee5dda5580f9af150e79d0f6aea934fc60c1cc50f4efdd9420759e7", + "https://bcr.bazel.build/modules/stardoc/0.7.1/source.json": "b6500ffcd7b48cd72c29bb67bcac781e12701cc0d6d55d266a652583cfcdab01", "https://bcr.bazel.build/modules/upb/0.0.0-20220923-a547704/MODULE.bazel": "7298990c00040a0e2f121f6c32544bab27d4452f80d9ce51349b1a28f3005c43", - "https://bcr.bazel.build/modules/yq.bzl/0.1.1/MODULE.bazel": "9039681f9bcb8958ee2c87ffc74bdafba9f4369096a2b5634b88abc0eaefa072", - "https://bcr.bazel.build/modules/yq.bzl/0.1.1/source.json": "2d2bad780a9f2b9195a4a370314d2c17ae95eaa745cefc2e12fbc49759b15aa3", "https://bcr.bazel.build/modules/zlib/1.2.11/MODULE.bazel": "07b389abc85fdbca459b69e2ec656ae5622873af3f845e1c9d80fe179f3effa0", "https://bcr.bazel.build/modules/zlib/1.2.12/MODULE.bazel": "3b1a8834ada2a883674be8cbd36ede1b6ec481477ada359cd2d3ddc562340b27", "https://bcr.bazel.build/modules/zlib/1.3.1.bcr.3/MODULE.bazel": "af322bc08976524477c79d1e45e241b6efbeb918c497e8840b8ab116802dda79", 
@@ -182,20 +166,20 @@ "@@apple_support~//crosstool:setup.bzl%apple_cc_configure_extension": { "general": { "bzlTransitiveDigest": "PjIds3feoYE8SGbbIq2SFTZy3zmxeO2tQevJZNDo7iY=", - "usagesDigest": "+hz7IHWN6A1oVJJWNDB6yZRG+RYhF76wAYItpAeIUIg=", + "usagesDigest": "aLmqbvowmHkkBPve05yyDNGN7oh7QE9kBADr3QIZTZs=", "recordedFileInputs": {}, "recordedDirentsInputs": {}, "envVariables": {}, "generatedRepoSpecs": { - "local_config_apple_cc_toolchains": { - "bzlFile": "@@apple_support~//crosstool:setup.bzl", - "ruleClassName": "_apple_cc_autoconf_toolchains", - "attributes": {} - }, "local_config_apple_cc": { "bzlFile": "@@apple_support~//crosstool:setup.bzl", "ruleClassName": "_apple_cc_autoconf", "attributes": {} + }, + "local_config_apple_cc_toolchains": { + "bzlFile": "@@apple_support~//crosstool:setup.bzl", + "ruleClassName": "_apple_cc_autoconf_toolchains", + "attributes": {} } }, "recordedRepoMappingEntries": [ 
@@ -207,10 +191,693 @@ ] } }, + "@@aspect_bazel_lib~//lib:extensions.bzl%toolchains": { + "general": { + "bzlTransitiveDigest": "NQSsfq2SQcHqmSrdUz3fctBGq66C56eokoZzu0MOhBU=", + "usagesDigest": "E1/WNi/RvQIo2JMDoqkXAe3ImUnQhegOYDC/dY2DVAk=", + "recordedFileInputs": {}, + "recordedDirentsInputs": {}, + "envVariables": {}, + "generatedRepoSpecs": { + "expand_template_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_platform_repo", + "attributes": { + "platform": "windows_amd64" + } + }, + "copy_to_directory_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "windows_amd64" + } + }, + "jq_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_platform_repo", + "attributes": { + "platform": "darwin_amd64", + "version": "1.7" + } + }, + "copy_to_directory_freebsd_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "freebsd_amd64" + } + }, + "expand_template_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_platform_repo", + "attributes": { + "platform": "linux_amd64" + } + }, + "jq_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_platform_repo", + "attributes": { + "platform": "linux_arm64", + "version": "1.7" + } + }, + "coreutils_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_platform_repo", + "attributes": { + "platform": "darwin_arm64", + "version": "0.0.27" + } + }, + "copy_to_directory_linux_arm64": { + "bzlFile": 
"@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "linux_arm64" + } + }, + "bsd_tar_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "bsdtar_binary_repo", + "attributes": { + "platform": "linux_arm64" + } + }, + "copy_directory_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + "platform": "darwin_amd64" + } + }, + "coreutils_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_platform_repo", + "attributes": { + "platform": "darwin_amd64", + "version": "0.0.27" + } + }, + "coreutils_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_platform_repo", + "attributes": { + "platform": "linux_arm64", + "version": "0.0.27" + } + }, + "zstd_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:zstd_toolchain.bzl", + "ruleClassName": "zstd_binary_repo", + "attributes": { + "platform": "linux_arm64" + } + }, + "yq_linux_s390x": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "linux_s390x", + "version": "4.25.2" + } + }, + "yq": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_host_alias_repo", + "attributes": {} + }, + "expand_template_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_platform_repo", + "attributes": { + "platform": "darwin_amd64" + } + }, + "copy_directory_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + "platform": 
"linux_amd64" + } + }, + "jq_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_platform_repo", + "attributes": { + "platform": "darwin_arm64", + "version": "1.7" + } + }, + "yq_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "darwin_amd64", + "version": "4.25.2" + } + }, + "copy_directory_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + "platform": "linux_arm64" + } + }, + "expand_template_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_toolchains_repo", + "attributes": { + "user_repository_name": "expand_template" + } + }, + "bats_assert": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_archive", + "attributes": { + "sha256": "98ca3b685f8b8993e48ec057565e6e2abcc541034ed5b0e81f191505682037fd", + "urls": [ + "https://github.com/bats-core/bats-assert/archive/v2.1.0.tar.gz" + ], + "strip_prefix": "bats-assert-2.1.0", + "build_file_content": "load(\"@aspect_bazel_lib//lib:copy_to_directory.bzl\", \"copy_to_directory\")\n\ncopy_to_directory(\n name = \"assert\",\n hardlink = \"on\",\n srcs = glob([\n \"src/**\",\n \"load.bash\",\n ]),\n out = \"bats-assert\",\n visibility = [\"//visibility:public\"]\n)\n" + } + }, + "copy_to_directory_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "darwin_amd64" + } + }, + "zstd_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:zstd_toolchain.bzl", + "ruleClassName": "zstd_binary_repo", + "attributes": { + "platform": "darwin_arm64" + } + }, + "bsd_tar_linux_amd64": { + "bzlFile": 
"@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "bsdtar_binary_repo", + "attributes": { + "platform": "linux_amd64" + } + }, + "yq_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_toolchains_repo", + "attributes": { + "user_repository_name": "yq" + } + }, + "zstd_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:zstd_toolchain.bzl", + "ruleClassName": "zstd_binary_repo", + "attributes": { + "platform": "linux_amd64" + } + }, + "bats_support": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_archive", + "attributes": { + "sha256": "7815237aafeb42ddcc1b8c698fc5808026d33317d8701d5ec2396e9634e2918f", + "urls": [ + "https://github.com/bats-core/bats-support/archive/v0.3.0.tar.gz" + ], + "strip_prefix": "bats-support-0.3.0", + "build_file_content": "load(\"@aspect_bazel_lib//lib:copy_to_directory.bzl\", \"copy_to_directory\")\n\ncopy_to_directory(\n name = \"support\",\n hardlink = \"on\",\n srcs = glob([\n \"src/**\",\n \"load.bash\",\n ]),\n out = \"bats-support\",\n visibility = [\"//visibility:public\"]\n)\n" + } + }, + "bsd_tar_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "bsdtar_binary_repo", + "attributes": { + "platform": "windows_amd64" + } + }, + "jq": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_host_alias_repo", + "attributes": {} + }, + "expand_template_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_platform_repo", + "attributes": { + "platform": "darwin_arm64" + } + }, + "bsd_tar_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "bsdtar_binary_repo", + "attributes": { + "platform": "darwin_arm64" + } + }, + "copy_to_directory_linux_amd64": { + "bzlFile": 
"@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "linux_amd64" + } + }, + "coreutils_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_platform_repo", + "attributes": { + "platform": "linux_amd64", + "version": "0.0.27" + } + }, + "copy_directory_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_toolchains_repo", + "attributes": { + "user_repository_name": "copy_directory" + } + }, + "yq_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "linux_amd64", + "version": "4.25.2" + } + }, + "copy_to_directory_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_platform_repo", + "attributes": { + "platform": "darwin_arm64" + } + }, + "coreutils_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_toolchains_repo", + "attributes": { + "user_repository_name": "coreutils" + } + }, + "copy_directory_freebsd_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + "platform": "freebsd_amd64" + } + }, + "zstd_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:zstd_toolchain.bzl", + "ruleClassName": "zstd_binary_repo", + "attributes": { + "platform": "darwin_amd64" + } + }, + "zstd_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:zstd_toolchain.bzl", + "ruleClassName": "zstd_toolchains_repo", + "attributes": { + "user_repository_name": "zstd" + } + }, + "bats_file": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": 
"http_archive", + "attributes": { + "sha256": "9b69043241f3af1c2d251f89b4fcafa5df3f05e97b89db18d7c9bdf5731bb27a", + "urls": [ + "https://github.com/bats-core/bats-file/archive/v0.4.0.tar.gz" + ], + "strip_prefix": "bats-file-0.4.0", + "build_file_content": "load(\"@aspect_bazel_lib//lib:copy_to_directory.bzl\", \"copy_to_directory\")\n\ncopy_to_directory(\n name = \"file\",\n hardlink = \"on\",\n srcs = glob([\n \"src/**\",\n \"load.bash\",\n ]),\n out = \"bats-file\",\n visibility = [\"//visibility:public\"]\n)\n" + } + }, + "expand_template_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_platform_repo", + "attributes": { + "platform": "linux_arm64" + } + }, + "jq_linux_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_platform_repo", + "attributes": { + "platform": "linux_amd64", + "version": "1.7" + } + }, + "bsd_tar_darwin_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "bsdtar_binary_repo", + "attributes": { + "platform": "darwin_amd64" + } + }, + "bsd_tar_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:tar_toolchain.bzl", + "ruleClassName": "tar_toolchains_repo", + "attributes": { + "user_repository_name": "bsd_tar" + } + }, + "bats_toolchains": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_archive", + "attributes": { + "sha256": "a1a9f7875aa4b6a9480ca384d5865f1ccf1b0b1faead6b47aa47d79709a5c5fd", + "urls": [ + "https://github.com/bats-core/bats-core/archive/v1.10.0.tar.gz" + ], + "strip_prefix": "bats-core-1.10.0", + "build_file_content": "load(\"@local_config_platform//:constraints.bzl\", \"HOST_CONSTRAINTS\")\nload(\"@aspect_bazel_lib//lib/private:bats_toolchain.bzl\", \"bats_toolchain\")\nload(\"@aspect_bazel_lib//lib:copy_to_directory.bzl\", \"copy_to_directory\")\n\ncopy_to_directory(\n name = \"core\",\n hardlink = 
\"on\",\n srcs = glob([\n \"lib/**\",\n \"libexec/**\"\n ]) + [\"bin/bats\"],\n out = \"bats-core\",\n)\n\nbats_toolchain(\n name = \"toolchain\",\n core = \":core\",\n libraries = [\"@bats_support//:support\", \"@bats_assert//:assert\", \"@bats_file//:file\"]\n)\n\ntoolchain(\n name = \"bats_toolchain\",\n exec_compatible_with = HOST_CONSTRAINTS,\n toolchain = \":toolchain\",\n toolchain_type = \"@aspect_bazel_lib//lib:bats_toolchain_type\",\n)\n" + } + }, + "yq_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "windows_amd64", + "version": "4.25.2" + } + }, + "jq_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_platform_repo", + "attributes": { + "platform": "windows_amd64", + "version": "1.7" + } + }, + "expand_template_freebsd_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:expand_template_toolchain.bzl", + "ruleClassName": "expand_template_platform_repo", + "attributes": { + "platform": "freebsd_amd64" + } + }, + "yq_linux_ppc64le": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "linux_ppc64le", + "version": "4.25.2" + } + }, + "copy_to_directory_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_to_directory_toolchain.bzl", + "ruleClassName": "copy_to_directory_toolchains_repo", + "attributes": { + "user_repository_name": "copy_to_directory" + } + }, + "jq_toolchains": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:jq_toolchain.bzl", + "ruleClassName": "jq_toolchains_repo", + "attributes": { + "user_repository_name": "jq" + } + }, + "copy_directory_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + "platform": "darwin_arm64" + } + }, + "copy_directory_windows_amd64": { 
+ "bzlFile": "@@aspect_bazel_lib~//lib/private:copy_directory_toolchain.bzl", + "ruleClassName": "copy_directory_platform_repo", + "attributes": { + "platform": "windows_amd64" + } + }, + "yq_darwin_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "darwin_arm64", + "version": "4.25.2" + } + }, + "coreutils_windows_amd64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:coreutils_toolchain.bzl", + "ruleClassName": "coreutils_platform_repo", + "attributes": { + "platform": "windows_amd64", + "version": "0.0.27" + } + }, + "yq_linux_arm64": { + "bzlFile": "@@aspect_bazel_lib~//lib/private:yq_toolchain.bzl", + "ruleClassName": "yq_platform_repo", + "attributes": { + "platform": "linux_arm64", + "version": "4.25.2" + } + } + }, + "recordedRepoMappingEntries": [ + [ + "aspect_bazel_lib~", + "aspect_bazel_lib", + "aspect_bazel_lib~" + ], + [ + "aspect_bazel_lib~", + "bazel_skylib", + "bazel_skylib~" + ], + [ + "aspect_bazel_lib~", + "bazel_tools", + "bazel_tools" + ] + ] + } + }, + "@@buildifier_prebuilt~//:defs.bzl%buildifier_prebuilt_deps_extension": { + "general": { + "bzlTransitiveDigest": "eXBP0KrRexbBjR0KdxpnbWtfahy0r48xfQb4hBQ4Mcc=", + "usagesDigest": "nThSTPRdiQbhDFl8FRM2nsKJftWMtPBQHrp/mdk716w=", + "recordedFileInputs": {}, + "recordedDirentsInputs": {}, + "envVariables": {}, + "generatedRepoSpecs": { + "buildozer_darwin_amd64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildozer-darwin-amd64" + ], + "downloaded_file_path": "buildozer", + "executable": true, + "sha256": "d29e347ecd6b5673d72cb1a8de05bf1b06178dd229ff5eb67fad5100c840cc8e" + } + }, + "buildifier_linux_amd64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + 
"https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildifier-linux-amd64" + ], + "downloaded_file_path": "buildifier", + "executable": true, + "sha256": "be63db12899f48600bad94051123b1fd7b5251e7661b9168582ce52396132e92" + } + }, + "buildozer_darwin_arm64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildozer-darwin-arm64" + ], + "downloaded_file_path": "buildozer", + "executable": true, + "sha256": "9b9e71bdbec5e7223871e913b65d12f6d8fa026684daf991f00e52ed36a6978d" + } + }, + "buildozer_linux_amd64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildozer-linux-amd64" + ], + "downloaded_file_path": "buildozer", + "executable": true, + "sha256": "8dfd6345da4e9042daa738d7fdf34f699c5dfce4632f7207956fceedd8494119" + } + }, + "buildozer_windows_amd64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildozer-windows-amd64.exe" + ], + "downloaded_file_path": "buildozer.exe", + "executable": true, + "sha256": "e7f05bf847f7c3689dd28926460ce6e1097ae97380ac8e6ae7147b7b706ba19b" + } + }, + "buildozer_linux_arm64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildozer-linux-arm64" + ], + "downloaded_file_path": "buildozer", + "executable": true, + "sha256": "6559558fded658c8fa7432a9d011f7c4dcbac6b738feae73d2d5c352e5f605fa" + } + }, + "buildifier_windows_amd64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { 
+ "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildifier-windows-amd64.exe" + ], + "downloaded_file_path": "buildifier.exe", + "executable": true, + "sha256": "da8372f35e34b65fb6d997844d041013bb841e55f58b54d596d35e49680fe13c" + } + }, + "buildifier_prebuilt_toolchains": { + "bzlFile": "@@buildifier_prebuilt~//:defs.bzl", + "ruleClassName": "_buildifier_toolchain_setup", + "attributes": { + "assets_json": "[{\"arch\":\"amd64\",\"name\":\"buildifier\",\"platform\":\"darwin\",\"sha256\":\"eeb47b2de27f60efe549348b183fac24eae80f1479e8b06cac0799c486df5bed\",\"version\":\"v6.4.0\"},{\"arch\":\"arm64\",\"name\":\"buildifier\",\"platform\":\"darwin\",\"sha256\":\"fa07ba0d20165917ca4cc7609f9b19a8a4392898148b7babdf6bb2a7dd963f05\",\"version\":\"v6.4.0\"},{\"arch\":\"amd64\",\"name\":\"buildifier\",\"platform\":\"linux\",\"sha256\":\"be63db12899f48600bad94051123b1fd7b5251e7661b9168582ce52396132e92\",\"version\":\"v6.4.0\"},{\"arch\":\"arm64\",\"name\":\"buildifier\",\"platform\":\"linux\",\"sha256\":\"18540fc10f86190f87485eb86963e603e41fa022f88a2d1b0cf52ff252b5e1dd\",\"version\":\"v6.4.0\"},{\"arch\":\"amd64\",\"name\":\"buildifier\",\"platform\":\"windows\",\"sha256\":\"da8372f35e34b65fb6d997844d041013bb841e55f58b54d596d35e49680fe13c\",\"version\":\"v6.4.0\"},{\"arch\":\"amd64\",\"name\":\"buildozer\",\"platform\":\"darwin\",\"sha256\":\"d29e347ecd6b5673d72cb1a8de05bf1b06178dd229ff5eb67fad5100c840cc8e\",\"version\":\"v6.4.0\"},{\"arch\":\"arm64\",\"name\":\"buildozer\",\"platform\":\"darwin\",\"sha256\":\"9b9e71bdbec5e7223871e913b65d12f6d8fa026684daf991f00e52ed36a6978d\",\"version\":\"v6.4.0\"},{\"arch\":\"amd64\",\"name\":\"buildozer\",\"platform\":\"linux\",\"sha256\":\"8dfd6345da4e9042daa738d7fdf34f699c5dfce4632f7207956fceedd8494119\",\"version\":\"v6.4.0\"},{\"arch\":\"arm64\",\"name\":\"buildozer\",\"platform\":\"linux\",\"sha256\":\"6559558fded658c8fa7432a9d011f7c4dcbac6b738feae73d2d5c352e5f605fa\",\"version\":\"v6.4.0\"},{\"arch\":\"am
d64\",\"name\":\"buildozer\",\"platform\":\"windows\",\"sha256\":\"e7f05bf847f7c3689dd28926460ce6e1097ae97380ac8e6ae7147b7b706ba19b\",\"version\":\"v6.4.0\"}]" + } + }, + "buildifier_darwin_amd64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildifier-darwin-amd64" + ], + "downloaded_file_path": "buildifier", + "executable": true, + "sha256": "eeb47b2de27f60efe549348b183fac24eae80f1479e8b06cac0799c486df5bed" + } + }, + "buildifier_darwin_arm64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildifier-darwin-arm64" + ], + "downloaded_file_path": "buildifier", + "executable": true, + "sha256": "fa07ba0d20165917ca4cc7609f9b19a8a4392898148b7babdf6bb2a7dd963f05" + } + }, + "buildifier_linux_arm64": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_file", + "attributes": { + "urls": [ + "https://github.com/bazelbuild/buildtools/releases/download/v6.4.0/buildifier-linux-arm64" + ], + "downloaded_file_path": "buildifier", + "executable": true, + "sha256": "18540fc10f86190f87485eb86963e603e41fa022f88a2d1b0cf52ff252b5e1dd" + } + } + }, + "recordedRepoMappingEntries": [ + [ + "buildifier_prebuilt~", + "bazel_skylib", + "bazel_skylib~" + ], + [ + "buildifier_prebuilt~", + "bazel_tools", + "bazel_tools" + ] + ] + } + }, + "@@hermetic_cc_toolchain~//toolchain:ext.bzl%toolchains": { + "general": { + "bzlTransitiveDigest": "L0EDVXQ1bqh5CxjodeVieW+SjWsjwxFXYEKhUNgMY50=", + "usagesDigest": "dNvS5vmHnd33Wm8wEDdfCELM1fuXE9dmHYK9BLQTjPc=", + "recordedFileInputs": {}, + "recordedDirentsInputs": {}, + "envVariables": {}, + "generatedRepoSpecs": { + "zig_sdk": { + "bzlFile": "@@hermetic_cc_toolchain~//toolchain:defs.bzl", + "ruleClassName": 
"zig_repository", + "attributes": { + "version": "0.12.0", + "url_formats": [ + "https://mirror.bazel.build/ziglang.org/download/{version}/zig-{host_platform}-{version}.{_ext}", + "https://ziglang.org/download/{version}/zig-{host_platform}-{version}.{_ext}" + ], + "host_platform_sha256": { + "linux-aarch64": "754f1029484079b7e0ca3b913a0a2f2a6afd5a28990cb224fe8845e72f09de63", + "linux-x86_64": "c7ae866b8a76a568e2d5cfd31fe89cdb629bdd161fdd5018b29a4a0a17045cad", + "macos-aarch64": "294e224c14fd0822cfb15a35cf39aa14bd9967867999bf8bdfe3db7ddec2a27f", + "macos-x86_64": "4d411bf413e7667821324da248e8589278180dbc197f4f282b7dbb599a689311", + "windows-aarch64": "04c6b92689241ca7a8a59b5f12d2ca2820c09d5043c3c4808b7e93e41c7bf97b", + "windows-x86_64": "2199eb4c2000ddb1fba85ba78f1fcf9c1fb8b3e57658f6a627a8e513131893f5" + }, + "host_platform_ext": { + "linux-aarch64": "tar.xz", + "linux-x86_64": "tar.xz", + "macos-aarch64": "tar.xz", + "macos-x86_64": "tar.xz", + "windows-x86_64": "zip" + } + } + } + }, + "recordedRepoMappingEntries": [ + [ + "hermetic_cc_toolchain~", + "bazel_tools", + "bazel_tools" + ], + [ + "hermetic_cc_toolchain~", + "hermetic_cc_toolchain", + "hermetic_cc_toolchain~" + ] + ] + } + }, + "@@platforms//host:extension.bzl%host_platform": { + "general": { + "bzlTransitiveDigest": "xelQcPZH8+tmuOHVjL9vDxMnnQNMlwj0SlvgoqBkm4U=", + "usagesDigest": "oS5QVdWCSAWner9adrekJ2fs1FPUng+yVuoJb9mq6e4=", + "recordedFileInputs": {}, + "recordedDirentsInputs": {}, + "envVariables": {}, + "generatedRepoSpecs": { + "host_platform": { + "bzlFile": "@@platforms//host:extension.bzl", + "ruleClassName": "host_platform_repo", + "attributes": {} + } + }, + "recordedRepoMappingEntries": [] + } + }, "@@pybind11_bazel~//:python_configure.bzl%extension": { "general": { - "bzlTransitiveDigest": "whINYge95GgPtysKDbNHQ0ZlWYdtKybHs5y2tLF+x7Q=", - "usagesDigest": "gNvOHVcAlwgDsNXD0amkv2CC96mnaCThPQoE44y8K+w=", + "bzlTransitiveDigest": "3LPSHhLo7VQLO+x5c48KQmJdPDwEMqMdeng5XVAZm4Y=", + 
"usagesDigest": "e/EIZlWEpIWcNL1dkob+QepsV4rx7UmnvodvXa76ycY=", "recordedFileInputs": { "@@pybind11_bazel~//MODULE.bazel": "88af1c246226d87e65be78ed49ecd1e6f5e98648558c14ce99176da041dc378e" }, @@ -245,21 +912,29 @@ }, "@@rules_fuzzing~//fuzzing/private:extensions.bzl%non_module_dependencies": { "general": { - "bzlTransitiveDigest": "hVgJRQ3Er45/UUAgNn1Yp2Khcp/Y8WyafA2kXIYmQ5M=", - "usagesDigest": "YnIrdgwnf3iCLfChsltBdZ7yOJh706lpa2vww/i2pDI=", + "bzlTransitiveDigest": "aN6cDs7sOfBWTyYmCu+aV9nr3VKpDIZprzN+yGEsNO0=", + "usagesDigest": "X26dvBYyk1211bNrYvtOxec7AmnYf6DQEYUw1L0Oo74=", "recordedFileInputs": {}, "recordedDirentsInputs": {}, "envVariables": {}, "generatedRepoSpecs": { - "platforms": { + "bazel_skylib": { "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", "ruleClassName": "http_archive", "attributes": { + "sha256": "cd55a062e763b9349921f0f5db8c3933288dc8ba4f76dd9416aac68acee3cb94", "urls": [ - "https://mirror.bazel.build/github.com/bazelbuild/platforms/releases/download/0.0.8/platforms-0.0.8.tar.gz", - "https://github.com/bazelbuild/platforms/releases/download/0.0.8/platforms-0.0.8.tar.gz" - ], - "sha256": "8150406605389ececb6da07cbcb509d5637a3ab9a24bc69b1101531367d89d74" + "https://mirror.bazel.build/github.com/bazelbuild/bazel-skylib/releases/download/1.5.0/bazel-skylib-1.5.0.tar.gz", + "https://github.com/bazelbuild/bazel-skylib/releases/download/1.5.0/bazel-skylib-1.5.0.tar.gz" + ] + } + }, + "rules_fuzzing_jazzer": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_jar", + "attributes": { + "sha256": "ee6feb569d88962d59cb59e8a31eb9d007c82683f3ebc64955fd5b96f277eec2", + "url": "https://repo1.maven.org/maven2/com/code-intelligence/jazzer/0.20.1/jazzer-0.20.1.jar" } }, "rules_python": { 
@@ -271,16 +946,10 @@ "url": "https://github.com/bazelbuild/rules_python/releases/download/0.28.0/rules_python-0.28.0.tar.gz" } }, - "bazel_skylib": { - "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", - "ruleClassName": "http_archive", - "attributes": { - "sha256": "cd55a062e763b9349921f0f5db8c3933288dc8ba4f76dd9416aac68acee3cb94", - "urls": [ - "https://mirror.bazel.build/github.com/bazelbuild/bazel-skylib/releases/download/1.5.0/bazel-skylib-1.5.0.tar.gz", - "https://github.com/bazelbuild/bazel-skylib/releases/download/1.5.0/bazel-skylib-1.5.0.tar.gz" - ] - } + "rules_fuzzing_oss_fuzz": { + "bzlFile": "@@rules_fuzzing~//fuzzing/private/oss_fuzz:repository.bzl", + "ruleClassName": "oss_fuzz_repository", + "attributes": {} }, "com_google_absl": { "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", @@ -293,11 +962,6 @@ "integrity": "sha256-7capMWOvWyoYbUaHF/b+I2U6XLMaHmky8KugWvfXYuk=" } }, - "rules_fuzzing_oss_fuzz": { - "bzlFile": "@@rules_fuzzing~//fuzzing/private/oss_fuzz:repository.bzl", - "ruleClassName": "oss_fuzz_repository", - "attributes": {} - }, "honggfuzz": { "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", "ruleClassName": "http_archive", @@ -308,12 +972,15 @@ "strip_prefix": "honggfuzz-2.5" } }, - "rules_fuzzing_jazzer": { + "platforms": { "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", - "ruleClassName": "http_jar", + "ruleClassName": "http_archive", "attributes": { - "sha256": "ee6feb569d88962d59cb59e8a31eb9d007c82683f3ebc64955fd5b96f277eec2", - "url": "https://repo1.maven.org/maven2/com/code-intelligence/jazzer/0.20.1/jazzer-0.20.1.jar" + "urls": [ + "https://mirror.bazel.build/github.com/bazelbuild/platforms/releases/download/0.0.8/platforms-0.0.8.tar.gz", + "https://github.com/bazelbuild/platforms/releases/download/0.0.8/platforms-0.0.8.tar.gz" + ], + "sha256": "8150406605389ececb6da07cbcb509d5637a3ab9a24bc69b1101531367d89d74" } }, "rules_fuzzing_jazzer_api": { 
@@ -334,64 +1001,23 @@ ] } }, - "@@rules_java~//java:rules_java_deps.bzl%compatibility_proxy": { - "general": { - "bzlTransitiveDigest": "KIX40nDfygEWbU+rq3nYpt3tVgTK/iO8PKh5VMBlN7M=", - "usagesDigest": "pwHZ+26iLgQdwvdZeA5wnAjKnNI3y6XO2VbhOTeo5h8=", - "recordedFileInputs": {}, - "recordedDirentsInputs": {}, - "envVariables": {}, - "generatedRepoSpecs": { - "compatibility_proxy": { - "bzlFile": "@@rules_java~//java:rules_java_deps.bzl", - "ruleClassName": "_compatibility_proxy_repo_rule", - "attributes": {} - } - }, - "recordedRepoMappingEntries": [ - [ - "rules_java~", - "bazel_tools", - "bazel_tools" - ] - ] - } - }, "@@rules_kotlin~//src/main/starlark/core/repositories:bzlmod_setup.bzl%rules_kotlin_extensions": { "general": { - "bzlTransitiveDigest": "fus14IFJ/1LGWWGKPH/U18VnJCoMjfDt1ckahqCnM0A=", - "usagesDigest": "aJF6fLy82rR95Ff5CZPAqxNoFgOMLMN5ImfBS0nhnkg=", + "bzlTransitiveDigest": "l//eFZVgEUHSUfuQ1zQw9uxmcJku8ikraA2fv/2Pyh0=", + "usagesDigest": "NXmdQOmIAdsAdtLv3dhkX8UQ+0st9iQ0EkR28lUNdHc=", "recordedFileInputs": {}, "recordedDirentsInputs": {}, "envVariables": {}, "generatedRepoSpecs": { - "com_github_jetbrains_kotlin_git": { - "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:compiler.bzl", - "ruleClassName": "kotlin_compiler_git_repository", + "rules_android": { + "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", + "ruleClassName": "http_archive", "attributes": { + "sha256": "cd06d15dd8bb59926e4d65f9003bfc20f9da4b2519985c27e190cddc8b7a7806", + "strip_prefix": "rules_android-0.1.1", "urls": [ - "https://github.com/JetBrains/kotlin/releases/download/v1.9.23/kotlin-compiler-1.9.23.zip" - ], - "sha256": "93137d3aab9afa9b27cb06a824c2324195c6b6f6179d8a8653f440f5bd58be88" - } - }, - "com_github_jetbrains_kotlin": { - "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:compiler.bzl", - "ruleClassName": "kotlin_capabilities_repository", - "attributes": { - "git_repository_name": "com_github_jetbrains_kotlin_git", - 
"compiler_version": "1.9.23" - } - }, - "com_github_google_ksp": { - "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:ksp.bzl", - "ruleClassName": "ksp_compiler_plugin_repository", - "attributes": { - "urls": [ - "https://github.com/google/ksp/releases/download/1.9.23-1.0.20/artifacts.zip" - ], - "sha256": "ee0618755913ef7fd6511288a232e8fad24838b9af6ea73972a76e81053c8c2d", - "strip_version": "1.9.23-1.0.20" + "https://github.com/bazelbuild/rules_android/archive/v0.1.1.zip" + ] } }, "com_github_pinterest_ktlint": { @@ -405,15 +1031,33 @@ "executable": true } }, - "rules_android": { - "bzlFile": "@@bazel_tools//tools/build_defs/repo:http.bzl", - "ruleClassName": "http_archive", + "com_github_jetbrains_kotlin": { + "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:compiler.bzl", + "ruleClassName": "kotlin_capabilities_repository", + "attributes": { + "git_repository_name": "com_github_jetbrains_kotlin_git", + "compiler_version": "1.9.23" + } + }, + "com_github_jetbrains_kotlin_git": { + "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:compiler.bzl", + "ruleClassName": "kotlin_compiler_git_repository", "attributes": { - "sha256": "cd06d15dd8bb59926e4d65f9003bfc20f9da4b2519985c27e190cddc8b7a7806", - "strip_prefix": "rules_android-0.1.1", "urls": [ - "https://github.com/bazelbuild/rules_android/archive/v0.1.1.zip" - ] + "https://github.com/JetBrains/kotlin/releases/download/v1.9.23/kotlin-compiler-1.9.23.zip" + ], + "sha256": "93137d3aab9afa9b27cb06a824c2324195c6b6f6179d8a8653f440f5bd58be88" + } + }, + "com_github_google_ksp": { + "bzlFile": "@@rules_kotlin~//src/main/starlark/core/repositories:ksp.bzl", + "ruleClassName": "ksp_compiler_plugin_repository", + "attributes": { + "urls": [ + "https://github.com/google/ksp/releases/download/1.9.23-1.0.20/artifacts.zip" + ], + "sha256": "ee0618755913ef7fd6511288a232e8fad24838b9af6ea73972a76e81053c8c2d", + "strip_version": "1.9.23-1.0.20" } } }, 
@@ -426,39 +1070,2590 @@ ] } }, - "@@rules_python~//python/uv:uv.bzl%uv": { + "@@rules_python~//python/private/pypi:pip.bzl%pip_internal": { "general": { - "bzlTransitiveDigest": "Xpqjnjzy6zZ90Es9Wa888ZLHhn7IsNGbph/e6qoxzw8=", - "usagesDigest": "Tx9xMlyNlKU8Dq4pnYUJ8g2T1PHLiGoAs42AGwUIqh8=", - "recordedFileInputs": {}, + "bzlTransitiveDigest": "NuFWsw0F1ZHsRw6pAHHojBht90U7WPJQr64a2sg5Ib0=", + "usagesDigest": "/5Os1MEbCgZJ42ZFY1UZAhnLguIdryegbkM9Wq+We6Y=", + "recordedFileInputs": { + "@@rules_python~//tools/publish/requirements_linux.txt": "8175b4c8df50ae2f22d1706961884beeb54e7da27bd2447018314a175981997d", + "@@rules_python~//tools/publish/requirements_windows.txt": "7673adc71dc1a81d3661b90924d7a7c0fc998cd508b3cb4174337cef3f2de556", + "@@rules_python~//tools/publish/requirements_darwin.txt": "2994136eab7e57b083c3de76faf46f70fad130bc8e7360a7fed2b288b69e79dc" + }, "recordedDirentsInputs": {}, - "envVariables": {}, + "envVariables": { + "RULES_PYTHON_REPO_DEBUG": null, + "RULES_PYTHON_REPO_DEBUG_VERBOSITY": null + }, "generatedRepoSpecs": { - "uv": { - "bzlFile": "@@rules_python~//python/uv/private:uv_toolchains_repo.bzl", - "ruleClassName": "uv_toolchains_repo", + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_x86_64_c57516e5": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", "attributes": { - "toolchain_type": "'@@rules_python~//python/uv:uv_toolchain_type'", - "toolchain_names": [ - "none" + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" ], - "toolchain_implementations": { - "none": "'@@rules_python~//python:none'" + "filename": "charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_x86_64.whl", + "python_interpreter_target": 
"@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "c57516e58fd17d03ebe67e181a4e4e2ccab1168f8c2976c6a334d4f819fe5944", + "urls": [ + "https://files.pythonhosted.org/packages/77/d5/8c982d58144de49f59571f940e329ad6e8615e1e82ef84584c5eeb5e1d72/charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_sdist_1c39c601": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "cffi-1.17.1.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824", + "urls": [ + "https://files.pythonhosted.org/packages/fc/97/c783634659c2920c3fc70419e3af40972dbaf758daa229a7d6ea6135c90d/cffi-1.17.1.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_11_0_arm64_6dba5d19": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-macosx_11_0_arm64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": 
"rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "6dba5d19c4dfab08e58d5b36304b3f92f3bd5d42c1a3fa37b5ba5cdf6dfcbcee", + "urls": [ + "https://files.pythonhosted.org/packages/bf/19/411a64f01ee971bed3231111b69eb56f9331a769072de479eae7de52296d/charset_normalizer-3.4.0-cp311-cp311-macosx_11_0_arm64.whl" + ] + } + }, + "rules_python_publish_deps_311_urllib3_py3_none_any_ca899ca0": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "urllib3-2.2.3-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "urllib3==2.2.3", + "sha256": "ca899ca043dcb1bafa3e262d73aa25c465bfb49e0bd9dd5d59f1d0acba2f8fac", + "urls": [ + "https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_x86_64_3710a975": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": 
"rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "3710a9751938947e6327ea9f3ea6332a09bf0ba0c09cae9cb1f250bd1f1549bc", + "urls": [ + "https://files.pythonhosted.org/packages/eb/5b/6f10bad0f6461fa272bfbbdf5d0023b5fb9bc6217c92bf068fa5a99820f5/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_17_x86_64_0f996e72": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "0f996e7268af62598f2fc1204afa98a3b5712313a55c4c9d434aef49cadc91d4", + "urls": [ + "https://files.pythonhosted.org/packages/2a/2c/488776a3dc843f95f86d2f957ca0fc3407d0242b50bede7fad1e339be03f/cryptography-43.0.3-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_urllib3_sdist_e7d814a8": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "urllib3-2.2.3.tar.gz", + "python_interpreter_target": 
"@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "urllib3==2.2.3", + "sha256": "e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9", + "urls": [ + "https://files.pythonhosted.org/packages/ed/63/22ba4ebfe7430b76388e7cd448d5478814d3032121827c12a2cc287e2260/urllib3-2.2.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_musllinux_1_2_aarch64_e1be4655": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-musllinux_1_2_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "e1be4655c7ef6e1bbe6b5d0403526601323420bcf414598955968c9ef3eb7d16", + "urls": [ + "https://files.pythonhosted.org/packages/21/ce/b9c9ff56c7164d8e2edfb6c9305045fbc0df4508ccfdb13ee66eb8c95b0e/cryptography-43.0.3-cp39-abi3-musllinux_1_2_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_armv7l_0411beb0": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": 
"rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "0411beb0589eacb6734f28d5497ca2ed379eafab8ad8c84b31bb5c34072b7164", + "urls": [ + "https://files.pythonhosted.org/packages/05/2b/85977d9e11713b5747595ee61f381bc820749daf83f07b90b6c9964cf932/nh3-0.2.18-cp37-abi3-manylinux_2_17_armv7l.manylinux2014_armv7l.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_sdist_223217c3": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "charset_normalizer-3.4.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "223217c3d4f82c3ac5e29032b3f1c2eb0fb591b72161f86d93f5719079dae93e", + "urls": [ + "https://files.pythonhosted.org/packages/f2/4f/e1808dc01273379acc506d18f1504eb2d299bd4131743b9fc54d7be4df1e/charset_normalizer-3.4.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_aarch64_47334db7": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_aarch64.whl", + "python_interpreter_target": 
"@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "47334db71978b23ebcf3c0f9f5ee98b8d65992b65c9c4f2d34c2eaf5bcaf0594", + "urls": [ + "https://files.pythonhosted.org/packages/d7/a1/493919799446464ed0299c8eef3c3fad0daf1c3cd48bff9263c731b0d9e2/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_ppc64le_46bf4316": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1", + "urls": [ + "https://files.pythonhosted.org/packages/1c/a0/a4fa9f4f781bda074c3ddd57a572b060fa0df7655d2a4247bbe277200146/cffi-1.17.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_aarch64_bf4475b8": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", 
+ "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "bf4475b82be41b07cc5e5ff94810e6a01f276e37c2d55571e3fe175e467a1a1c", + "urls": [ + "https://files.pythonhosted.org/packages/4c/92/97509850f0d00e9f14a46bc751daabd0ad7765cff29cdfb66c68b6dad57f/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_cryptography_sdist_315b9001": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "cryptography-43.0.3.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "315b9001266a492a6ff443b61238f956b214dbec9910a081ba5b6646a055a805", + "urls": [ + "https://files.pythonhosted.org/packages/0d/05/07b55d1fa21ac18c3a8c79f764e2514e6f6a9698f1be44994f5adf0d29db/cryptography-43.0.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64_5f36b271": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", + 
"python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "5f36b271dae35c465ef5e9090e1fdaba4a60a56f0bb0ba03e0932a66f28b9189", + "urls": [ + "https://files.pythonhosted.org/packages/72/f2/5c894d5265ab80a97c68ca36f25c8f6f0308abac649aaf152b74e7e854a8/nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64.manylinux2014_ppc64.whl" + ] + } + }, + "rules_python_publish_deps_311_secretstorage_sdist_2403533e": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "SecretStorage-3.3.3.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "secretstorage==3.3.3", + "sha256": "2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77", + "urls": [ + "https://files.pythonhosted.org/packages/53/a4/f48c9d79cb507ed1373477dbceaba7401fd8a23af63b837fa61f1dcd3691/SecretStorage-3.3.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_jaraco_functools_sdist_70f7e0e2": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "jaraco_functools-4.1.0.tar.gz", + 
"python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-functools==4.1.0", + "sha256": "70f7e0e2ae076498e212562325e805204fc092d7b4c17e0e86c959e249701a9d", + "urls": [ + "https://files.pythonhosted.org/packages/ab/23/9894b3df5d0a6eb44611c36aec777823fc2e07740dabbd0b810e19594013/jaraco_functools-4.1.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_pycparser_py3_none_any_c3702b6d": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "pycparser-2.22-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pycparser==2.22", + "sha256": "c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc", + "urls": [ + "https://files.pythonhosted.org/packages/13/a3/a812df4e2dd5696d1f351d58b8fe16a405b234ad2886a0dab9183fb78109/pycparser-2.22-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_aarch64_a9b15d49": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-musllinux_1_1_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": 
"a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6", + "urls": [ + "https://files.pythonhosted.org/packages/1a/52/d9a0e523a572fbccf2955f5abe883cfa8bcc570d7faeee06336fbd50c9fc/cffi-1.17.1-cp311-cp311-musllinux_1_1_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_idna_sdist_12f65c9b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "idna-3.10.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "idna==3.10", + "sha256": "12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9", + "urls": [ + "https://files.pythonhosted.org/packages/f1/70/7703c29685631f5a7590aa73f1f1d3fa9a380e654b86af429e0934a32f7d/idna-3.10.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_s390x_19aaba96": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_s390x.manylinux2014_s390x.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": 
"19aaba96e0f795bd0a6c56291495ff59364f4300d4a39b29a0abc9cb3774a84b", + "urls": [ + "https://files.pythonhosted.org/packages/c2/a8/3bb02d0c60a03ad3a112b76c46971e9480efa98a8946677b5a59f60130ca/nh3-0.2.18-cp37-abi3-manylinux_2_17_s390x.manylinux2014_s390x.whl" + ] + } + }, + "rules_python_publish_deps_311_pywin32_ctypes_sdist_d162dc04": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "pywin32-ctypes-0.2.3.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pywin32-ctypes==0.2.3", + "sha256": "d162dc04946d704503b2edc4d55f3dba5c1d539ead017afa00142c38b9885755", + "urls": [ + "https://files.pythonhosted.org/packages/85/9f/01a1a99704853cb63f253eea009390c88e7131c67e66a0a02099a8c917cb/pywin32-ctypes-0.2.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_readme_renderer_py3_none_any_2fbca89b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "readme_renderer-44.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "readme-renderer==44.0", + "sha256": "2fbca89b81a08526aadf1357a8c2ae889ec05fb03f5da67f9769c9a592166151", + "urls": [ + 
"https://files.pythonhosted.org/packages/e1/67/921ec3024056483db83953ae8e48079ad62b92db7880013ca77632921dd0/readme_renderer-44.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_pygments_sdist_786ff802": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "pygments-2.18.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pygments==2.18.0", + "sha256": "786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199", + "urls": [ + "https://files.pythonhosted.org/packages/8e/62/8336eff65bcbc8e4cb5d05b55faf041285951b6e80f33e2bff2024788f31/pygments-2.18.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_ppc64le_f1a2f519": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_ppc64le.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "f1a2f519ae173b5b6a2c9d5fa3116ce16e48b3462c8b96dfdded11055e3d6365", + "urls": 
[ + "https://files.pythonhosted.org/packages/75/d2/0ab54463d3410709c09266dfb416d032a08f97fd7d60e94b8c6ef54ae14b/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_ppc64le.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_14c5a72e": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "14c5a72e9fe82aea5fe3072116ad4661af5cf8e8ff8fc5ad3450f123e4925e86", + "urls": [ + "https://files.pythonhosted.org/packages/b3/89/1daff5d9ba5a95a157c092c7c5f39b8dd2b1ddb4559966f808d31cfb67e0/nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl" + ] + } + }, + "rules_python_publish_deps_311_zipp_py3_none_any_a817ac80": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "zipp-3.20.2-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "zipp==3.20.2", + "sha256": 
"a817ac80d6cf4b23bf7f2828b7cabf326f15a001bea8b1f9b49631780ba28350", + "urls": [ + "https://files.pythonhosted.org/packages/62/8b/5ba542fa83c90e09eac972fc9baca7a88e7e7ca4b221a89251954019308b/zipp-3.20.2-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_backports_tarfile_sdist_d75e02c2": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "backports_tarfile-1.2.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "backports-tarfile==1.2.0", + "sha256": "d75e02c268746e1b8144c278978b6e98e85de6ad16f8e4b0844a154557eca991", + "urls": [ + "https://files.pythonhosted.org/packages/86/72/cd9b395f25e290e633655a100af28cb253e4393396264a98bd5f5951d50f/backports_tarfile-1.2.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_jeepney_py3_none_any_c0a454ad": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "jeepney-0.8.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jeepney==0.8.0", + "sha256": "c0a454ad016ca575060802ee4d590dd912e35c122fa04e70306de3d076cce755", + "urls": [ + 
"https://files.pythonhosted.org/packages/ae/72/2a1e2290f1ab1e06f71f3d0f1646c9e4634e70e1d37491535e19266e8dc9/jeepney-0.8.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_secretstorage_py3_none_any_f356e662": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "SecretStorage-3.3.3-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "secretstorage==3.3.3", + "sha256": "f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99", + "urls": [ + "https://files.pythonhosted.org/packages/54/24/b4293291fa1dd830f353d2cb163295742fa87f179fcc8a20a306a81978b7/SecretStorage-3.3.3-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_jaraco_classes_sdist_47a024b5": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "jaraco.classes-3.4.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-classes==3.4.0", + "sha256": "47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd", + "urls": [ + 
"https://files.pythonhosted.org/packages/06/c0/ed4a27bc5571b99e3cff68f8a9fa5b56ff7df1c2251cc715a652ddd26402/jaraco.classes-3.4.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_win_amd64_cee4373f": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-win_amd64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "cee4373f4d3ad28f1ab6290684d8e2ebdb9e7a1b74fdc39e4c211995f77bec27", + "urls": [ + "https://files.pythonhosted.org/packages/0b/6e/b13bd47fa9023b3699e94abf565b5a2f0b0be6e9ddac9812182596ee62e4/charset_normalizer-3.4.0-cp311-cp311-win_amd64.whl" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_musllinux_1_2_x86_64_df6b6c6d": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-musllinux_1_2_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "df6b6c6d742395dd77a23ea3728ab62f98379eff8fb61be2744d4679ab678f73", + "urls": [ + 
"https://files.pythonhosted.org/packages/2a/33/b3682992ab2e9476b9c81fff22f02c8b0a1e6e1d49ee1750a67d85fd7ed2/cryptography-43.0.3-cp39-abi3-musllinux_1_2_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_7b7c2a3c": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "7b7c2a3c9eb1a827d42539aa64091640bd275b81e097cd1d8d82ef91ffa2e811", + "urls": [ + "https://files.pythonhosted.org/packages/2c/b6/42fc3c69cabf86b6b81e4c051a9b6e249c5ba9f8155590222c2622961f58/nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_requests_toolbelt_sdist_7681a0a3": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "requests-toolbelt-1.0.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "requests-toolbelt==1.0.0", + "sha256": 
"7681a0a3d047012b5bdc0ee37d7f8f07ebe76ab08caeccfc3921ce23c88d5bc6", + "urls": [ + "https://files.pythonhosted.org/packages/f3/61/d7545dafb7ac2230c70d38d31cbfe4cc64f7144dc41f6e4e4b78ecd9f5bb/requests-toolbelt-1.0.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_rich_py3_none_any_9836f509": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "rich-13.9.3-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "rich==13.9.3", + "sha256": "9836f5096eb2172c9e77df411c1b009bace4193d6a481d534fea75ebba758283", + "urls": [ + "https://files.pythonhosted.org/packages/9a/e2/10e9819cf4a20bd8ea2f5dabafc2e6bf4a78d6a0965daeb60a4b34d1c11f/rich-13.9.3-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_importlib_metadata_py3_none_any_45e54197": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "importlib_metadata-8.5.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "importlib-metadata==8.5.0", + "sha256": "45e54197d28b7a7f1559e60b95e7c567032b602131fbd588f1497f47880aa68b", + "urls": [ + 
"https://files.pythonhosted.org/packages/a0/d9/a1e041c5e7caa9a05c925f4bdbdfb7f006d1f74996af53467bc394c97be7/importlib_metadata-8.5.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_twine_py3_none_any_215dbe7b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "twine-5.1.1-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "twine==5.1.1", + "sha256": "215dbe7b4b94c2c50a7315c0275d2258399280fbb7d04182c7e55e24b5f93997", + "urls": [ + "https://files.pythonhosted.org/packages/5d/ec/00f9d5fd040ae29867355e559a94e9a8429225a0284a3f5f091a3878bfc0/twine-5.1.1-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_docutils_sdist_3a6b1873": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "docutils-0.21.2.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "docutils==0.21.2", + "sha256": "3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f", + "urls": [ + 
"https://files.pythonhosted.org/packages/ae/ed/aefcc8cd0ba62a0560c3c18c33925362d46c6075480bfa4df87b28e169a9/docutils-0.21.2.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_keyring_sdist_b07ebc55": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "keyring-25.4.1.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "keyring==25.4.1", + "sha256": "b07ebc55f3e8ed86ac81dd31ef14e81ace9dd9c3d4b5d77a6e9a2016d0d71a1b", + "urls": [ + "https://files.pythonhosted.org/packages/a5/1c/2bdbcfd5d59dc6274ffb175bc29aa07ecbfab196830e0cfbde7bd861a2ea/keyring-25.4.1.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_markdown_it_py_py3_none_any_35521684": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "markdown_it_py-3.0.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "markdown-it-py==3.0.0", + "sha256": "355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1", + "urls": [ + 
"https://files.pythonhosted.org/packages/42/d7/1ec15b46af6af88f19b8e5ffea08fa375d433c998b8a7639e76935c14f1f/markdown_it_py-3.0.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_certifi_py3_none_any_922820b5": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "certifi-2024.8.30-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "certifi==2024.8.30", + "sha256": "922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8", + "urls": [ + "https://files.pythonhosted.org/packages/12/90/3c9ff0512038035f59d279fddeb79f5f1eccd8859f06d6163c58798b9487/certifi-2024.8.30-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_more_itertools_sdist_5482bfef": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "more-itertools-10.5.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "more-itertools==10.5.0", + "sha256": "5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6", + "urls": [ + 
"https://files.pythonhosted.org/packages/51/78/65922308c4248e0eb08ebcbe67c95d48615cc6f27854b6f2e57143e9178f/more-itertools-10.5.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_win_amd64_8ce0f819": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-win_amd64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "8ce0f819d2f1933953fca255db2471ad58184a60508f03e6285e5114b6254844", + "urls": [ + "https://files.pythonhosted.org/packages/26/8d/53c5b19c4999bdc6ba95f246f4ef35ca83d7d7423e5e38be43ad66544e5d/nh3-0.2.18-cp37-abi3-win_amd64.whl" + ] + } + }, + "rules_python_publish_deps_311_certifi_sdist_bec941d2": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "certifi-2024.8.30.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "certifi==2024.8.30", + "sha256": "bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9", + "urls": [ + 
"https://files.pythonhosted.org/packages/b0/ee/9b19140fe824b367c04c5e1b369942dd754c4c5462d5674002f75c4dedc1/certifi-2024.8.30.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_py3_none_any_fe9f97fe": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "fe9f97feb71aa9896b81973a7bbada8c49501dc73e58a10fcef6663af95e5079", + "urls": [ + "https://files.pythonhosted.org/packages/bf/9b/08c0432272d77b04803958a4598a51e2a4b51c06640af8b8f0f908c18bf2/charset_normalizer-3.4.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_mdurl_py3_none_any_84008a41": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "mdurl-0.1.2-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "mdurl==0.1.2", + "sha256": "84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8", + "urls": [ + 
"https://files.pythonhosted.org/packages/b3/38/89ba8ad64ae25be8de66a6d463314cf1eb366222074cfda9ee839c56a4b4/mdurl-0.1.2-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_x86_64_bcb4f8ea": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "bcb4f8ea87d03bc51ad04add8ceaf9b0f085ac045ab4d74e73bbc2dc033f0236", + "urls": [ + "https://files.pythonhosted.org/packages/ee/44/4f62042ca8cdc0cabf87c0fc00ae27cd8b53ab68be3605ba6d071f742ad3/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_s390x_a24ed04c": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6", + "urls": [ + 
"https://files.pythonhosted.org/packages/62/12/ce8710b5b8affbcdd5c6e367217c242524ad17a02fe5beec3ee339f69f85/cffi-1.17.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl" + ] + } + }, + "rules_python_publish_deps_311_mdurl_sdist_bb413d29": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "mdurl-0.1.2.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "mdurl==0.1.2", + "sha256": "bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba", + "urls": [ + "https://files.pythonhosted.org/packages/d6/54/cfe61301667036ec958cb99bd3efefba235e65cdeb9c84d24a8293ba1d90/mdurl-0.1.2.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_keyring_py3_none_any_5426f817": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "keyring-25.4.1-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "keyring==25.4.1", + "sha256": "5426f817cf7f6f007ba5ec722b1bcad95a75b27d780343772ad76b17cb47b0bf", + "urls": [ + 
"https://files.pythonhosted.org/packages/83/25/e6d59e5f0a0508d0dca8bb98c7f7fd3772fc943ac3f53d5ab18a218d32c0/keyring-25.4.1-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_aarch64_42c64511": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "42c64511469005058cd17cc1537578eac40ae9f7200bedcfd1fc1a05f4f8c200", + "urls": [ + "https://files.pythonhosted.org/packages/45/b9/833f385403abaf0023c6547389ec7a7acf141ddd9d1f21573723a6eab39a/nh3-0.2.18-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_rfc3986_sdist_97aacf9d": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "rfc3986-2.0.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "rfc3986==2.0.0", + "sha256": 
"97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c", + "urls": [ + "https://files.pythonhosted.org/packages/85/40/1520d68bfa07ab5a6f065a186815fb6610c86fe957bc065754e47f7b0840/rfc3986-2.0.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_twine_sdist_9aa08251": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "twine-5.1.1.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "twine==5.1.1", + "sha256": "9aa0825139c02b3434d913545c7b847a21c835e11597f5255842d457da2322db", + "urls": [ + "https://files.pythonhosted.org/packages/77/68/bd982e5e949ef8334e6f7dcf76ae40922a8750aa2e347291ae1477a4782b/twine-5.1.1.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_pkginfo_sdist_5df73835": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "pkginfo-1.10.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pkginfo==1.10.0", + "sha256": 
"5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297", + "urls": [ + "https://files.pythonhosted.org/packages/2f/72/347ec5be4adc85c182ed2823d8d1c7b51e13b9a6b0c1aae59582eca652df/pkginfo-1.10.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_backports_tarfile_py3_none_any_77e284d7": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "backports.tarfile-1.2.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "backports-tarfile==1.2.0", + "sha256": "77e284d754527b01fb1e6fa8a1afe577858ebe4e9dad8919e34c862cb399bc34", + "urls": [ + "https://files.pythonhosted.org/packages/b9/fa/123043af240e49752f1c4bd24da5053b6bd00cad78c2be53c0d1e8b975bc/backports.tarfile-1.2.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_markdown_it_py_sdist_e3f60a94": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "markdown-it-py-3.0.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "markdown-it-py==3.0.0", + "sha256": 
"e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb", + "urls": [ + "https://files.pythonhosted.org/packages/38/71/3b932df36c1a044d397a1f92d1cf91ee0a503d91e470cbd670aa66b07ed0/markdown-it-py-3.0.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_ppc64le_ce031db0": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "ce031db0408e487fd2775d745ce30a7cd2923667cf3b69d48d219f1d8f5ddeb6", + "urls": [ + "https://files.pythonhosted.org/packages/e2/29/d227805bff72ed6d6cb1ce08eec707f7cfbd9868044893617eb331f16295/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_aarch64_f0eca9ca": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-musllinux_1_2_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": 
"rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "f0eca9ca8628dbb4e916ae2491d72957fdd35f7a5d326b7032a345f111ac07fe", + "urls": [ + "https://files.pythonhosted.org/packages/a3/da/0c4e282bc3cff4a0adf37005fa1fb42257673fbc1bbf7d1ff639ec3d255a/nh3-0.2.18-cp37-abi3-musllinux_1_2_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_pkginfo_py3_none_any_889a6da2": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "pkginfo-1.10.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pkginfo==1.10.0", + "sha256": "889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097", + "urls": [ + "https://files.pythonhosted.org/packages/56/09/054aea9b7534a15ad38a363a2bd974c20646ab1582a387a95b8df1bfea1c/pkginfo-1.10.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_idna_py3_none_any_946d195a": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "idna-3.10-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "idna==3.10", + "sha256": 
"946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3", + "urls": [ + "https://files.pythonhosted.org/packages/76/c6/c88e154df9c4e1a2a66ccf0005a88dfb2650c1dffb6f5ce603dfbd452ce3/idna-3.10-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_sdist_94a16692": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "nh3-0.2.18.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "94a166927e53972a9698af9542ace4e38b9de50c34352b962f4d9a7d4c927af4", + "urls": [ + "https://files.pythonhosted.org/packages/62/73/10df50b42ddb547a907deeb2f3c9823022580a7a47281e8eae8e003a9639/nh3-0.2.18.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_requests_sdist_55365417": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "requests-2.32.3.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "requests==2.32.3", + "sha256": 
"55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760", + "urls": [ + "https://files.pythonhosted.org/packages/63/70/2bf7780ad2d390a8d301ad0b550f1581eadbd9a20f896afe06353c2a2913/requests-2.32.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_17_aarch64_846da004": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "846da004a5804145a5f441b8530b4bf35afbf7da70f82409f151695b127213d5", + "urls": [ + "https://files.pythonhosted.org/packages/2f/78/55356eb9075d0be6e81b59f45c7b48df87f76a20e73893872170471f3ee8/cryptography-43.0.3-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_pycparser_sdist_491c8be9": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "pycparser-2.22.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pycparser==2.22", + "sha256": "491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6", + "urls": [ + 
"https://files.pythonhosted.org/packages/1d/b2/31537cf4b1ca988837256c910a668b553fceb8f069bedc4b1c826024b52c/pycparser-2.22.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_x86_64_de3ceed6": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "de3ceed6e661954871d6cd78b410213bdcb136f79aafe22aa7182e028b8c7307", + "urls": [ + "https://files.pythonhosted.org/packages/1b/63/6ab90d0e5225ab9780f6c9fb52254fa36b52bb7c188df9201d05b647e5e1/nh3-0.2.18-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_pygments_py3_none_any_b8e6aca0": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "pygments-2.18.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pygments==2.18.0", + "sha256": "b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a", + "urls": [ + 
"https://files.pythonhosted.org/packages/f7/3f/01c8b82017c199075f8f788d0d906b9ffbbc5a47dc9918a945e13d5a2bda/pygments-2.18.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_importlib_metadata_sdist_71522656": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "importlib_metadata-8.5.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "importlib-metadata==8.5.0", + "sha256": "71522656f0abace1d072b9e5481a48f07c138e00f079c38c8f883823f9c26bd7", + "urls": [ + "https://files.pythonhosted.org/packages/cd/12/33e59336dca5be0c398a7482335911a33aa0e20776128f038019f1a95f1b/importlib_metadata-8.5.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_armv7l_3a157ab1": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-musllinux_1_2_armv7l.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "3a157ab149e591bb638a55c8c6bcb8cdb559c8b12c13a8affaba6cedfe51713a", + "urls": [ + 
"https://files.pythonhosted.org/packages/de/81/c291231463d21da5f8bba82c8167a6d6893cc5419b0639801ee5d3aeb8a9/nh3-0.2.18-cp37-abi3-musllinux_1_2_armv7l.whl" + ] + } + }, + "rules_python_publish_deps_311_jaraco_context_py3_none_any_f797fc48": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "jaraco.context-6.0.1-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-context==6.0.1", + "sha256": "f797fc481b490edb305122c9181830a3a5b76d84ef6d1aef2fb9b47ab956f9e4", + "urls": [ + "https://files.pythonhosted.org/packages/ff/db/0c52c4cf5e4bd9f5d7135ec7669a3a767af21b3a308e1ed3674881e52b62/jaraco.context-6.0.1-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_more_itertools_py3_none_any_037b0d32": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "more_itertools-10.5.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "more-itertools==10.5.0", + "sha256": "037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef", + "urls": [ + 
"https://files.pythonhosted.org/packages/48/7e/3a64597054a70f7c86eb0a7d4fc315b8c1ab932f64883a297bdffeb5f967/more_itertools-10.5.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_s390x_63bc5c4a": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_s390x.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "63bc5c4ae26e4bc6be6469943b8253c0fd4e4186c43ad46e713ea61a0ba49129", + "urls": [ + "https://files.pythonhosted.org/packages/8d/c9/27e41d481557be53d51e60750b85aa40eaf52b841946b3cdeff363105737/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_s390x.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64le_34c03fa7": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": 
"34c03fa78e328c691f982b7c03d4423bdfd7da69cd707fe572f544cf74ac23ad", + "urls": [ + "https://files.pythonhosted.org/packages/ab/a7/375afcc710dbe2d64cfbd69e31f82f3e423d43737258af01f6a56d844085/nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl" + ] + } + }, + "rules_python_publish_deps_311_rich_sdist_bc1e01b8": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "rich-13.9.3.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "rich==13.9.3", + "sha256": "bc1e01b899537598cf02579d2b9f4a415104d3fc439313a7a2c165d76557a08e", + "urls": [ + "https://files.pythonhosted.org/packages/d9/e9/cf9ef5245d835065e6673781dbd4b8911d352fb770d56cf0879cf11b7ee1/rich-13.9.3.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_requests_toolbelt_py2_none_any_cccfdd66": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "requests_toolbelt-1.0.0-py2.py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "requests-toolbelt==1.0.0", + "sha256": 
"cccfdd665f0a24fcf4726e690f65639d272bb0637b9b92dfd91a5568ccf6bd06", + "urls": [ + "https://files.pythonhosted.org/packages/3f/51/d4db610ef29373b879047326cbf6fa98b6c1969d6f6dc423279de2b1be2c/requests_toolbelt-1.0.0-py2.py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_x86_64_610faea7": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d", + "urls": [ + "https://files.pythonhosted.org/packages/ff/6b/d45873c5e0242196f042d555526f92aa9e0c32355a1be1ff8c27f077fd37/cffi-1.17.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_x86_64_fc48c783": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-musllinux_1_1_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b", + "urls": [ + 
"https://files.pythonhosted.org/packages/f8/4a/34599cac7dfcd888ff54e801afe06a19c17787dfd94495ab0c8d35fe99fb/cffi-1.17.1-cp311-cp311-musllinux_1_1_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_28_aarch64_f7b178f1": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-manylinux_2_28_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "f7b178f11ed3664fd0e995a47ed2b5ff0a12d893e41dd0494f406d1cf555cab7", + "urls": [ + "https://files.pythonhosted.org/packages/7c/04/2345ca92f7a22f601a9c62961741ef7dd0127c39f7310dffa0041c80f16f/cryptography-43.0.3-cp39-abi3-manylinux_2_28_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_docutils_py3_none_any_dafca5b9": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "docutils-0.21.2-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "docutils==0.21.2", + "sha256": "dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2", + "urls": [ + 
"https://files.pythonhosted.org/packages/8f/d7/9322c609343d929e75e7e5e6255e614fcc67572cfd083959cdef3b7aad79/docutils-0.21.2-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_pywin32_ctypes_py3_none_any_8a151337": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_windows_x86_64" + ], + "filename": "pywin32_ctypes-0.2.3-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "pywin32-ctypes==0.2.3", + "sha256": "8a1513379d709975552d202d942d9837758905c8d01eb82b8bcc30918929e7b8", + "urls": [ + "https://files.pythonhosted.org/packages/de/3d/8161f7711c017e01ac9f008dfddd9410dff3674334c233bde66e7ba65bbf/pywin32_ctypes-0.2.3-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_x86_64_36c95d4b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "nh3-0.2.18-cp37-abi3-musllinux_1_2_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "nh3==0.2.18", + "sha256": "36c95d4b70530b320b365659bb5034341316e6a9b30f0b25fa9c9eff4c27a204", + "urls": [ + "https://files.pythonhosted.org/packages/eb/61/73a007c74c37895fdf66e0edcd881f5eaa17a348ff02f4bb4bc906d61085/nh3-0.2.18-cp37-abi3-musllinux_1_2_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_jeepney_sdist_5efe48d2": { + 
"bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "jeepney-0.8.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jeepney==0.8.0", + "sha256": "5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806", + "urls": [ + "https://files.pythonhosted.org/packages/d6/f4/154cf374c2daf2020e05c3c6a03c91348d59b23c5366e968feb198306fdf/jeepney-0.8.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_28_x86_64_c2e6fc39": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cryptography-43.0.3-cp39-abi3-manylinux_2_28_x86_64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cryptography==43.0.3", + "sha256": "c2e6fc39c4ab499049df3bdf567f768a723a5e8464816e8f009f121a5a9f4405", + "urls": [ + "https://files.pythonhosted.org/packages/ac/25/e715fa0bc24ac2114ed69da33adf451a38abb6f3f24ec207908112e9ba53/cryptography-43.0.3-cp39-abi3-manylinux_2_28_x86_64.whl" + ] + } + }, + "rules_python_publish_deps_311_rfc3986_py2_none_any_50b1502b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": 
"@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "rfc3986-2.0.0-py2.py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "rfc3986==2.0.0", + "sha256": "50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd", + "urls": [ + "https://files.pythonhosted.org/packages/ff/9a/9afaade874b2fa6c752c36f1548f718b5b83af81ed9b76628329dab81c1b/rfc3986-2.0.0-py2.py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_zipp_sdist_bc9eb26f": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "zipp-3.20.2.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "zipp==3.20.2", + "sha256": "bc9eb26f4506fda01b81bcde0ca78103b6e62f991b381fec825435c836edbc29", + "urls": [ + "https://files.pythonhosted.org/packages/54/bf/5c0000c44ebc80123ecbdddba1f5dcd94a5ada602a9c225d84b5aaa55e86/zipp-3.20.2.tar.gz" + ] + } + }, + "rules_python_publish_deps": { + "bzlFile": "@@rules_python~//python/private/pypi:hub_repository.bzl", + "ruleClassName": "hub_repository", + "attributes": { + "repo_name": "rules_python_publish_deps", + "extra_hub_aliases": {}, + "whl_map": { + "backports_tarfile": 
"[{\"filename\":\"backports.tarfile-1.2.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_backports_tarfile_py3_none_any_77e284d7\",\"version\":\"3.11\"},{\"filename\":\"backports_tarfile-1.2.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_backports_tarfile_sdist_d75e02c2\",\"version\":\"3.11\"}]", + "certifi": "[{\"filename\":\"certifi-2024.8.30-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_certifi_py3_none_any_922820b5\",\"version\":\"3.11\"},{\"filename\":\"certifi-2024.8.30.tar.gz\",\"repo\":\"rules_python_publish_deps_311_certifi_sdist_bec941d2\",\"version\":\"3.11\"}]", + "cffi": "[{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_aarch64_a1ed2dd2\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_ppc64le_46bf4316\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_s390x_a24ed04c\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_x86_64_610faea7\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1-cp311-cp311-musllinux_1_1_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_aarch64_a9b15d49\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1-cp311-cp311-musllinux_1_1_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_x86_64_fc48c783\",\"version\":\"3.11\"},{\"filename\":\"cffi-1.17.1.tar.gz\",\"repo\":\"rules_python_publish_deps_311_cffi_sdist_1c39c601\",\"version\":\"3.11\"}]", + "charset_normalizer": 
"[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_universal2.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_universal2_0d99dd8f\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_x86_64_c57516e5\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_11_0_arm64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_11_0_arm64_6dba5d19\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_aarch64_bf4475b8\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_ppc64le_ce031db0\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_s390x_8ff4e7cd\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_x86_64_3710a975\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_aarch64_47334db7\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_ppc64le.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_ppc64le_f1a2f519\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp31
1-musllinux_1_2_s390x.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_s390x_63bc5c4a\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_x86_64_bcb4f8ea\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-win_amd64.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_win_amd64_cee4373f\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_py3_none_any_fe9f97fe\",\"version\":\"3.11\"},{\"filename\":\"charset_normalizer-3.4.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_charset_normalizer_sdist_223217c3\",\"version\":\"3.11\"}]", + "cryptography": "[{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_17_aarch64_846da004\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_17_x86_64_0f996e72\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_28_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_28_aarch64_f7b178f1\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_28_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_28_x86_64_c2e6fc39\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3-cp39-abi3-musllinux_1_2_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_cryptography_cp39_abi3_musllinux_1_2_aarch64_e1be4655\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3-cp39-abi3-musllinux_1_2_x86_64.whl\",\"repo\":\"rules_python_publish_de
ps_311_cryptography_cp39_abi3_musllinux_1_2_x86_64_df6b6c6d\",\"version\":\"3.11\"},{\"filename\":\"cryptography-43.0.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_cryptography_sdist_315b9001\",\"version\":\"3.11\"}]", + "docutils": "[{\"filename\":\"docutils-0.21.2-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_docutils_py3_none_any_dafca5b9\",\"version\":\"3.11\"},{\"filename\":\"docutils-0.21.2.tar.gz\",\"repo\":\"rules_python_publish_deps_311_docutils_sdist_3a6b1873\",\"version\":\"3.11\"}]", + "idna": "[{\"filename\":\"idna-3.10-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_idna_py3_none_any_946d195a\",\"version\":\"3.11\"},{\"filename\":\"idna-3.10.tar.gz\",\"repo\":\"rules_python_publish_deps_311_idna_sdist_12f65c9b\",\"version\":\"3.11\"}]", + "importlib_metadata": "[{\"filename\":\"importlib_metadata-8.5.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_importlib_metadata_py3_none_any_45e54197\",\"version\":\"3.11\"},{\"filename\":\"importlib_metadata-8.5.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_importlib_metadata_sdist_71522656\",\"version\":\"3.11\"}]", + "jaraco_classes": "[{\"filename\":\"jaraco.classes-3.4.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_jaraco_classes_py3_none_any_f662826b\",\"version\":\"3.11\"},{\"filename\":\"jaraco.classes-3.4.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_jaraco_classes_sdist_47a024b5\",\"version\":\"3.11\"}]", + "jaraco_context": "[{\"filename\":\"jaraco.context-6.0.1-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_jaraco_context_py3_none_any_f797fc48\",\"version\":\"3.11\"},{\"filename\":\"jaraco_context-6.0.1.tar.gz\",\"repo\":\"rules_python_publish_deps_311_jaraco_context_sdist_9bae4ea5\",\"version\":\"3.11\"}]", + "jaraco_functools": 
"[{\"filename\":\"jaraco.functools-4.1.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_jaraco_functools_py3_none_any_ad159f13\",\"version\":\"3.11\"},{\"filename\":\"jaraco_functools-4.1.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_jaraco_functools_sdist_70f7e0e2\",\"version\":\"3.11\"}]", + "jeepney": "[{\"filename\":\"jeepney-0.8.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_jeepney_py3_none_any_c0a454ad\",\"version\":\"3.11\"},{\"filename\":\"jeepney-0.8.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_jeepney_sdist_5efe48d2\",\"version\":\"3.11\"}]", + "keyring": "[{\"filename\":\"keyring-25.4.1-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_keyring_py3_none_any_5426f817\",\"version\":\"3.11\"},{\"filename\":\"keyring-25.4.1.tar.gz\",\"repo\":\"rules_python_publish_deps_311_keyring_sdist_b07ebc55\",\"version\":\"3.11\"}]", + "markdown_it_py": "[{\"filename\":\"markdown-it-py-3.0.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_markdown_it_py_sdist_e3f60a94\",\"version\":\"3.11\"},{\"filename\":\"markdown_it_py-3.0.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_markdown_it_py_py3_none_any_35521684\",\"version\":\"3.11\"}]", + "mdurl": "[{\"filename\":\"mdurl-0.1.2-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_mdurl_py3_none_any_84008a41\",\"version\":\"3.11\"},{\"filename\":\"mdurl-0.1.2.tar.gz\",\"repo\":\"rules_python_publish_deps_311_mdurl_sdist_bb413d29\",\"version\":\"3.11\"}]", + "more_itertools": "[{\"filename\":\"more-itertools-10.5.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_more_itertools_sdist_5482bfef\",\"version\":\"3.11\"},{\"filename\":\"more_itertools-10.5.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_more_itertools_py3_none_any_037b0d32\",\"version\":\"3.11\"}]", + "nh3": 
"[{\"filename\":\"nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_14c5a72e\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_7b7c2a3c\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_aarch64_42c64511\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_armv7l.manylinux2014_armv7l.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_armv7l_0411beb0\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64.manylinux2014_ppc64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64_5f36b271\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64le_34c03fa7\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_s390x_19aaba96\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_x86_64_de3ceed6\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_aarch64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_aarch64_f0eca9ca\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_armv7l.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_armv7l_3a157ab1\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_x86_64.whl\",\"repo\":\"rules_python_pu
blish_deps_311_nh3_cp37_abi3_musllinux_1_2_x86_64_36c95d4b\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18-cp37-abi3-win_amd64.whl\",\"repo\":\"rules_python_publish_deps_311_nh3_cp37_abi3_win_amd64_8ce0f819\",\"version\":\"3.11\"},{\"filename\":\"nh3-0.2.18.tar.gz\",\"repo\":\"rules_python_publish_deps_311_nh3_sdist_94a16692\",\"version\":\"3.11\"}]", + "pkginfo": "[{\"filename\":\"pkginfo-1.10.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_pkginfo_py3_none_any_889a6da2\",\"version\":\"3.11\"},{\"filename\":\"pkginfo-1.10.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_pkginfo_sdist_5df73835\",\"version\":\"3.11\"}]", + "pycparser": "[{\"filename\":\"pycparser-2.22-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_pycparser_py3_none_any_c3702b6d\",\"version\":\"3.11\"},{\"filename\":\"pycparser-2.22.tar.gz\",\"repo\":\"rules_python_publish_deps_311_pycparser_sdist_491c8be9\",\"version\":\"3.11\"}]", + "pygments": "[{\"filename\":\"pygments-2.18.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_pygments_py3_none_any_b8e6aca0\",\"version\":\"3.11\"},{\"filename\":\"pygments-2.18.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_pygments_sdist_786ff802\",\"version\":\"3.11\"}]", + "pywin32_ctypes": "[{\"filename\":\"pywin32-ctypes-0.2.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_pywin32_ctypes_sdist_d162dc04\",\"version\":\"3.11\"},{\"filename\":\"pywin32_ctypes-0.2.3-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_pywin32_ctypes_py3_none_any_8a151337\",\"version\":\"3.11\"}]", + "readme_renderer": "[{\"filename\":\"readme_renderer-44.0-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_readme_renderer_py3_none_any_2fbca89b\",\"version\":\"3.11\"},{\"filename\":\"readme_renderer-44.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_readme_renderer_sdist_8712034e\",\"version\":\"3.11\"}]", + "requests": 
"[{\"filename\":\"requests-2.32.3-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_requests_py3_none_any_70761cfe\",\"version\":\"3.11\"},{\"filename\":\"requests-2.32.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_requests_sdist_55365417\",\"version\":\"3.11\"}]", + "requests_toolbelt": "[{\"filename\":\"requests-toolbelt-1.0.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_requests_toolbelt_sdist_7681a0a3\",\"version\":\"3.11\"},{\"filename\":\"requests_toolbelt-1.0.0-py2.py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_requests_toolbelt_py2_none_any_cccfdd66\",\"version\":\"3.11\"}]", + "rfc3986": "[{\"filename\":\"rfc3986-2.0.0-py2.py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_rfc3986_py2_none_any_50b1502b\",\"version\":\"3.11\"},{\"filename\":\"rfc3986-2.0.0.tar.gz\",\"repo\":\"rules_python_publish_deps_311_rfc3986_sdist_97aacf9d\",\"version\":\"3.11\"}]", + "rich": "[{\"filename\":\"rich-13.9.3-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_rich_py3_none_any_9836f509\",\"version\":\"3.11\"},{\"filename\":\"rich-13.9.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_rich_sdist_bc1e01b8\",\"version\":\"3.11\"}]", + "secretstorage": "[{\"filename\":\"SecretStorage-3.3.3-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_secretstorage_py3_none_any_f356e662\",\"version\":\"3.11\"},{\"filename\":\"SecretStorage-3.3.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_secretstorage_sdist_2403533e\",\"version\":\"3.11\"}]", + "twine": "[{\"filename\":\"twine-5.1.1-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_twine_py3_none_any_215dbe7b\",\"version\":\"3.11\"},{\"filename\":\"twine-5.1.1.tar.gz\",\"repo\":\"rules_python_publish_deps_311_twine_sdist_9aa08251\",\"version\":\"3.11\"}]", + "urllib3": 
"[{\"filename\":\"urllib3-2.2.3-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_urllib3_py3_none_any_ca899ca0\",\"version\":\"3.11\"},{\"filename\":\"urllib3-2.2.3.tar.gz\",\"repo\":\"rules_python_publish_deps_311_urllib3_sdist_e7d814a8\",\"version\":\"3.11\"}]", + "zipp": "[{\"filename\":\"zipp-3.20.2-py3-none-any.whl\",\"repo\":\"rules_python_publish_deps_311_zipp_py3_none_any_a817ac80\",\"version\":\"3.11\"},{\"filename\":\"zipp-3.20.2.tar.gz\",\"repo\":\"rules_python_publish_deps_311_zipp_sdist_bc9eb26f\",\"version\":\"3.11\"}]" }, - "toolchain_compatible_with": { - "none": [ - "@platforms//:incompatible" - ] - }, - "toolchain_target_settings": {} + "packages": [ + "backports_tarfile", + "certifi", + "charset_normalizer", + "docutils", + "idna", + "importlib_metadata", + "jaraco_classes", + "jaraco_context", + "jaraco_functools", + "keyring", + "markdown_it_py", + "mdurl", + "more_itertools", + "nh3", + "pkginfo", + "pygments", + "readme_renderer", + "requests", + "requests_toolbelt", + "rfc3986", + "rich", + "twine", + "urllib3", + "zipp" + ], + "groups": {} + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_universal2_0d99dd8f": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_universal2.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "0d99dd8ff461990f12d6e42c7347fd9ab2532fb70e9621ba520f9e8637161d7c", + "urls": [ + 
"https://files.pythonhosted.org/packages/9c/61/73589dcc7a719582bf56aae309b6103d2762b526bffe189d635a7fcfd998/charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_universal2.whl" + ] + } + }, + "rules_python_publish_deps_311_jaraco_classes_py3_none_any_f662826b": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "jaraco.classes-3.4.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-classes==3.4.0", + "sha256": "f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790", + "urls": [ + "https://files.pythonhosted.org/packages/7f/66/b15ce62552d84bbfcec9a4873ab79d993a1dd4edb922cbfccae192bd5b5f/jaraco.classes-3.4.0-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_jaraco_context_sdist_9bae4ea5": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "jaraco_context-6.0.1.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-context==6.0.1", + "sha256": "9bae4ea555cf0b14938dc0aee7c9f32ed303aa20a3b73e7dc80111628792d1b3", + 
"urls": [ + "https://files.pythonhosted.org/packages/df/ad/f3777b81bf0b6e7bc7514a1656d3e637b2e8e15fab2ce3235730b3e7a4e6/jaraco_context-6.0.1.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_requests_py3_none_any_70761cfe": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "requests-2.32.3-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "requests==2.32.3", + "sha256": "70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6", + "urls": [ + "https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl" + ] + } + }, + "rules_python_publish_deps_311_readme_renderer_sdist_8712034e": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "extra_pip_args": [ + "--index-url", + "https://pypi.org/simple" + ], + "filename": "readme_renderer-44.0.tar.gz", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "readme-renderer==44.0", + "sha256": "8712034eabbfa6805cacf1402b4eeb2a73028f72d1166d6f5cb7f9c047c5d1e1", + "urls": [ + 
"https://files.pythonhosted.org/packages/5a/a9/104ec9234c8448c4379768221ea6df01260cd6c2ce13182d4eac531c8342/readme_renderer-44.0.tar.gz" + ] + } + }, + "rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_aarch64_a1ed2dd2": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64" + ], + "filename": "cffi-1.17.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "cffi==1.17.1", + "sha256": "a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41", + "urls": [ + "https://files.pythonhosted.org/packages/2e/ea/70ce63780f096e16ce8588efe039d3c4f91deb1dc01e9c73a287939c79a6/cffi-1.17.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + ] + } + }, + "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_s390x_8ff4e7cd": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "charset-normalizer==3.4.0", + "sha256": "8ff4e7cdfdb1ab5698e675ca622e72d58a6fa2a8aa58195de0c0061288e6e3ea", + "urls": [ + 
"https://files.pythonhosted.org/packages/13/bc/87c2c9f2c144bedfa62f894c3007cd4530ba4b5351acb10dc786428a50f0/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl" + ] + } + }, + "rules_python_publish_deps_311_jaraco_functools_py3_none_any_ad159f13": { + "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl", + "ruleClassName": "whl_library", + "attributes": { + "dep_template": "@rules_python_publish_deps//{name}:{target}", + "experimental_target_platforms": [ + "cp311_linux_aarch64", + "cp311_linux_arm", + "cp311_linux_ppc", + "cp311_linux_s390x", + "cp311_linux_x86_64", + "cp311_osx_aarch64", + "cp311_osx_x86_64", + "cp311_windows_x86_64" + ], + "filename": "jaraco.functools-4.1.0-py3-none-any.whl", + "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python", + "repo": "rules_python_publish_deps_311", + "requirement": "jaraco-functools==4.1.0", + "sha256": "ad159f13428bc4acbf5541ad6dec511f91573b90fba04df61dafa2a1231cf649", + "urls": [ + "https://files.pythonhosted.org/packages/9f/4f/24b319316142c44283d7540e76c7b5a6dbd5db623abd86bb7b3491c21018/jaraco.functools-4.1.0-py3-none-any.whl" + ] } } }, "recordedRepoMappingEntries": [ + [ + "bazel_features~", + "bazel_features_globals", + "bazel_features~~version_extension~bazel_features_globals" + ], + [ + "bazel_features~", + "bazel_features_version", + "bazel_features~~version_extension~bazel_features_version" + ], [ "rules_python~", - "platforms", - "platforms" + "bazel_features", + "bazel_features~" + ], + [ + "rules_python~", + "bazel_skylib", + "bazel_skylib~" + ], + [ + "rules_python~", + "bazel_tools", + "bazel_tools" + ], + [ + "rules_python~", + "pypi__build", + "rules_python~~internal_deps~pypi__build" + ], + [ + "rules_python~", + "pypi__click", + "rules_python~~internal_deps~pypi__click" + ], + [ + "rules_python~", + "pypi__colorama", + "rules_python~~internal_deps~pypi__colorama" + ], + [ + "rules_python~", + "pypi__importlib_metadata", + 
"rules_python~~internal_deps~pypi__importlib_metadata" + ], + [ + "rules_python~", + "pypi__installer", + "rules_python~~internal_deps~pypi__installer" + ], + [ + "rules_python~", + "pypi__more_itertools", + "rules_python~~internal_deps~pypi__more_itertools" + ], + [ + "rules_python~", + "pypi__packaging", + "rules_python~~internal_deps~pypi__packaging" + ], + [ + "rules_python~", + "pypi__pep517", + "rules_python~~internal_deps~pypi__pep517" + ], + [ + "rules_python~", + "pypi__pip", + "rules_python~~internal_deps~pypi__pip" + ], + [ + "rules_python~", + "pypi__pip_tools", + "rules_python~~internal_deps~pypi__pip_tools" + ], + [ + "rules_python~", + "pypi__pyproject_hooks", + "rules_python~~internal_deps~pypi__pyproject_hooks" + ], + [ + "rules_python~", + "pypi__setuptools", + "rules_python~~internal_deps~pypi__setuptools" + ], + [ + "rules_python~", + "pypi__tomli", + "rules_python~~internal_deps~pypi__tomli" + ], + [ + "rules_python~", + "pypi__wheel", + "rules_python~~internal_deps~pypi__wheel" + ], + [ + "rules_python~", + "pypi__zipp", + "rules_python~~internal_deps~pypi__zipp" + ], + [ + "rules_python~", + "pythons_hub", + "rules_python~~python~pythons_hub" + ], + [ + "rules_python~~python~pythons_hub", + "python_3_10_host", + "rules_python~~python~python_3_10_host" + ], + [ + "rules_python~~python~pythons_hub", + "python_3_11_host", + "rules_python~~python~python_3_11_host" + ], + [ + "rules_python~~python~pythons_hub", + "python_3_12_host", + "rules_python~~python~python_3_12_host" + ], + [ + "rules_python~~python~pythons_hub", + "python_3_8_host", + "rules_python~~python~python_3_8_host" + ], + [ + "rules_python~~python~pythons_hub", + "python_3_9_host", + "rules_python~~python~python_3_9_host" ] ] } diff --git a/README.md b/README.md index 4f2706fe5..170ad1dc6 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,7 @@ # Always Encrypted Kubernetes

+ Constellation License Govulncheck Go Report Discord
@@ -102,7 +103,7 @@ Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most imp
 ## License
-Constellation is licensed under the [Business Source License 1.1](LICENSE). You may use it free of charge for non-production use. You can find more information in the [license] section of the docs.
+The Constellation source code is licensed under the [GNU Affero General Public License v3.0](LICENSE). Edgeless Systems provides pre-built and signed binaries and images for Constellation. You may use these free of charge to create and run services for internal consumption, evaluation purposes, or non-commercial use. You can find more information in the [license] section of the docs.
 [architecture]: https://docs.edgeless.systems/constellation/architecture/overview
diff --git a/WORKSPACE.bzlmod b/WORKSPACE.bzlmod
index 273d85e75..5bf5f4fd9 100644
--- a/WORKSPACE.bzlmod
+++ b/WORKSPACE.bzlmod
@@ -234,10 +234,6 @@ load("//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:source.bzl"
 node_maintainance_operator_deps()
-load("//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:source.bzl", "aws_load_balancer_controller_deps")
-
-aws_load_balancer_controller_deps()
-
 # CI deps
 load("//bazel/toolchains:ci_deps.bzl", "ci_deps")
diff --git a/bazel/ci/BUILD.bazel b/bazel/ci/BUILD.bazel
index 3fdcdcc8b..455b136e5 100644
--- a/bazel/ci/BUILD.bazel
+++ b/bazel/ci/BUILD.bazel
@@ -1,7 +1,7 @@
 load("@buildifier_prebuilt//:rules.bzl", "buildifier", "buildifier_test")
 load("@com_github_ash2k_bazel_tools//multirun:def.bzl", "multirun")
 load("@gazelle//:def.bzl", "gazelle")
-load("//bazel/ci:go_bin_for_host.bzl", "go_bin_for_host")
+load("@io_bazel_rules_go//go/private/rules:go_bin_for_host.bzl", "go_bin_for_host")
 load("//bazel/ci:proto_targets.bzl", "proto_targets")
 load("//bazel/sh:def.bzl", "noop_warn", "repo_command", "sh_template")
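Review bot: The new `load("@io_bazel_rules_go//go/private/rules:go_bin_for_host.bzl", "go_bin_for_host")` reaches into rules_go's `go/private` package, which is not part of its public API and can be renamed or removed by a rules_go update with no deprecation path. The file it replaces, `bazel/ci/go_bin_for_host.bzl` (deleted further down in this diff), was an in-tree copy of exactly that rule, so the local copy was the stable option. If the private load is kept, a comment next to it such as `# Loads from rules_go's private package; re-check this path on every rules_go bump.` would at least make a future breakage easy to diagnose.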
@@ -558,7 +558,6 @@ multirun(
 commands = [
 ":terraform_gen",
 "//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:pull_files",
- "//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:pull_files",
 ":go_generate",
 ":proto_generate",
 ],
diff --git a/bazel/ci/go_bin_for_host.bzl b/bazel/ci/go_bin_for_host.bzl
deleted file mode 100644
index 29721b2e2..000000000
--- a/bazel/ci/go_bin_for_host.bzl
+++ /dev/null
@@ -1,29 +0,0 @@
-"""
-Go toolchain for the host platformS
-Inspired by https://github.com/bazel-contrib/rules_go/blob/6e4fdcfeb1a333b54ab39ae3413d4ded46d8958d/go/private/rules/go_bin_for_host.bzl
-"""
-
-load("@local_config_platform//:constraints.bzl", "HOST_CONSTRAINTS")
-
-GO_TOOLCHAIN = "@io_bazel_rules_go//go:toolchain"
-
-def _ensure_target_cfg(ctx):
- if "-exec" in ctx.bin_dir.path or "/host/" in ctx.bin_dir.path:
- fail("exec not found")
-
-def _go_bin_for_host_impl(ctx):
- _ensure_target_cfg(ctx)
- sdk = ctx.toolchains[GO_TOOLCHAIN].sdk
- sdk_files = ctx.runfiles([sdk.go] + sdk.headers.to_list() + sdk.libs.to_list() + sdk.srcs.to_list() + sdk.tools.to_list())
- return [
- DefaultInfo(
- files = depset([sdk.go]),
- runfiles = sdk_files,
- ),
- ]
-
-go_bin_for_host = rule(
- implementation = _go_bin_for_host_impl,
- toolchains = [GO_TOOLCHAIN],
- exec_compatible_with = HOST_CONSTRAINTS,
-)
diff --git a/bazel/ci/golicenses.sh.in b/bazel/ci/golicenses.sh.in
index 4f3eb78e9..2189b511d 100644
--- a/bazel/ci/golicenses.sh.in
+++ b/bazel/ci/golicenses.sh.in
@@ -57,7 +57,11 @@ license_report() {
 AGPL-3.0)
 case ${pkg} in
- github.com/edgelesssys/go-tdx-qpl) ;;
+ github.com/edgelesssys/constellation/v2) ;;
+
+ github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/api/v1alpha1) ;;
+
+ github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/api) ;;
 *)
 not_allowed
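Review bot: The AGPL-3.0 allowlist matches its three `github.com/edgelesssys/constellation/v2...` entries exactly, while the `Unknown` case in the next hunk (`@@ -67,7 +71,7 @@`) matches with a trailing glob (`github.com/edgelesssys/go-tdx-qpl/*`); if go-licenses reports package rather than module paths here, any further in-repo package falls through to `not_allowed`, and in any case the two cases should use the same matching style. Either a single `github.com/edgelesssys/constellation/v2*) ;;` covers the three entries, or keep the exact list and add a comment above it stating that these are this repository's own modules, which is why their AGPL license is accepted. The `Unknown` entry in the next hunk deserves a comment as well, since it lets a dependency pass the license check with no license detected at all, and a reader has no way to tell that this is intentional. `license_report()` starts before this hunk and continues past it.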
@@ -67,7 +71,7 @@ license_report() {
 Unknown)
 case ${pkg} in
- github.com/edgelesssys/constellation/v2/*) ;;
+ github.com/edgelesssys/go-tdx-qpl/*) ;;
 *)
 not_allowed
diff --git a/bazel/ci/govulncheck.sh.in b/bazel/ci/govulncheck.sh.in
index e73135093..d3cda88be 100644
--- a/bazel/ci/govulncheck.sh.in
+++ b/bazel/ci/govulncheck.sh.in
@@ -27,16 +27,11 @@ submodules=$(${go} list -f '{{.Dir}}' -m)
 PATH=$(dirname "${go}"):${PATH}
 check_module() {
- excluded_osvs=(
- "GO-2025-3521" # Kubernetes GitRepo Volume Inadvertent Local Repository Access
- "GO-2025-3547" # Kubernetes kube-apiserver Vulnerable to Race Condition
- )
-
 # shellcheck disable=SC2016 # The $ sign in the single quoted string is correct.
 CGO_ENABLED=0 ${govulncheck} -C "$1" -format json "./..." |
- "${jq}" --argjson excluded "$(printf '"%s"\n' "${excluded_osvs[@]}" | jq -s)" -sr '
+ "${jq}" -sr '
 (map(select(.osv) | {"key": .osv.id, "value": .osv.summary}) | from_entries) as $osvs |
- map(select( .finding and all($excluded[] != .finding.osv; .) ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
+ map(select( .finding and .finding.osv != "GO-2024-3166" ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
 group_by(.osv) |
 map( {"osv": .[0].osv, "summary": $osvs[.[0].osv], "traces": [.[] | [.trace[] | .module]]} ) |
 if length > 0 then halt_error(1) else .[] end'
diff --git a/bazel/ci/license_header.sh.in b/bazel/ci/license_header.sh.in
index 8278769cd..4e5ce470c 100644
--- a/bazel/ci/license_header.sh.in
+++ b/bazel/ci/license_header.sh.in
@@ -25,7 +25,7 @@ noHeader=$(
 --include='*.go' \
 --exclude-dir 3rdparty \
 --exclude-dir build \
- -e'SPDX-License-Identifier: BUSL-1.1' \
+ -e'SPDX-License-Identifier: AGPL-3.0-only' \
 -e'DO NOT EDIT' |
 { grep -v internal/cloud/openstack/clouds || true; }
 )
diff --git a/bazel/ci/terraform.sh.in b/bazel/ci/terraform.sh.in
index 777049106..456e312c4 100644
--- a/bazel/ci/terraform.sh.in
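Review bot: The vulnerability exclusion `.finding.osv != "GO-2024-3166"` in the govulncheck hunk is now a bare ID inside the single-quoted jq program, with nothing saying which finding it suppresses or under what condition the suppression can be dropped; the removed `excluded_osvs` array carried a one-line summary per ID. Add a comment above the pipeline, e.g. `# GO-2024-3166 is excluded: <reason> -- drop once the fixed dependency version is pulled in.`, so that a suppressed vulnerability cannot silently outlive the reason for suppressing it. Keeping the ID in a shell comment, not only in the filter text, also makes it greppable when the exclusion is revisited. `check_module()` opens in this hunk and continues past its end.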
+++ b/bazel/ci/terraform.sh.in
@@ -46,6 +46,7 @@ excludeDirs=(
 excludeLockDirs=(
 "build"
 "terraform-provider-constellation"
+ "terraform/legacy-module"
 )
 excludeCheckDirs=(
diff --git a/bazel/proto/rules.bzl b/bazel/proto/rules.bzl
index 3807796b2..da73d5f72 100644
--- a/bazel/proto/rules.bzl
+++ b/bazel/proto/rules.bzl
@@ -5,14 +5,17 @@ based on https://github.com/bazelbuild/rules_go/issues/2111#issuecomment-1355927
 """
 load("@aspect_bazel_lib//lib:write_source_files.bzl", "write_source_files")
-load("@io_bazel_rules_go//go:def.bzl", "GoInfo")
+load("@io_bazel_rules_go//go:def.bzl", "GoLibrary", "go_context")
 load("@io_bazel_rules_go//proto:compiler.bzl", "GoProtoCompiler")
 def _output_go_library_srcs_impl(ctx):
+ go = go_context(ctx)
+
 srcs_of_library = []
 importpath = ""
 for src in ctx.attr.deps:
- lib = src[GoInfo]
+ lib = src[GoLibrary]
+ go_src = go.library_to_source(go, ctx.attr, lib, False)
 if importpath and lib.importpath != importpath:
 fail(
 "importpath of all deps must match, got {} and {}",
@@ -20,7 +23,7 @@ def _output_go_library_srcs_impl(ctx):
 lib.importpath,
 )
 importpath = lib.importpath
- srcs_of_library.extend(lib.srcs)
+ srcs_of_library.extend(go_src.srcs)
 if len(srcs_of_library) != 1:
 fail("expected exactly one src for library, got {}", len(srcs_of_library))
@@ -51,7 +54,7 @@ output_go_library_srcs = rule(
 default = "@io_bazel_rules_go//proto:go_proto",
 ),
 "deps": attr.label_list(
- providers = [GoInfo],
+ providers = [GoLibrary],
 aspects = [],
 ),
 "out": attr.output(
diff --git a/bazel/release/artifacts/BUILD.bazel b/bazel/release/artifacts/BUILD.bazel
index 8861d6dfe..bba7fb0c8 100644
--- a/bazel/release/artifacts/BUILD.bazel
+++ b/bazel/release/artifacts/BUILD.bazel
@@ -70,5 +70,5 @@ go_test(
 env = platform_container_sums_paths | platform_clis_paths, # keep
 x_defs = {"runsUnder": "bazel"},
- deps = ["@io_bazel_rules_go//go/runfiles"],
+ deps = ["@io_bazel_rules_go//go/runfiles:go_default_library"],
 )
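Review bot: `go = go_context(ctx)` in the first `bazel/proto/rules.bzl` hunk only works if `output_go_library_srcs` declares rules_go's toolchain (`toolchains = ["@io_bazel_rules_go//go:toolchain"]`, or the `go_rule` wrapper); the rule definition is only partly visible in the third hunk, so please confirm it declares the toolchain, otherwise `go_context` fails at analysis time. The `go_src = go.library_to_source(go, ctx.attr, lib, False)` call is also made before the importpath-mismatch `fail`, so it does its work for a dep that is then rejected; moving it below the check, next to `srcs_of_library.extend(go_src.srcs)` in the second hunk, avoids that, and a short comment naming the trailing positional `False` (the coverage-instrumentation flag, if I read rules_go's signature correctly) would help readers who do not know the API. `_output_go_library_srcs_impl` continues past the end of this hunk.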
diff --git a/bazel/release/artifacts/artifacts_test.go b/bazel/release/artifacts/artifacts_test.go
index 0c23a3f41..3a093d21a 100644
--- a/bazel/release/artifacts/artifacts_test.go
+++ b/bazel/release/artifacts/artifacts_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package artifacts
diff --git a/bazel/sh/BUILD.bazel b/bazel/sh/BUILD.bazel
index 7a347a852..cac8fda5a 100644
--- a/bazel/sh/BUILD.bazel
+++ b/bazel/sh/BUILD.bazel
@@ -1,5 +1,3 @@
-load("@rules_shell//shell:sh_library.bzl", "sh_library")
-
 exports_files([
 "repo_command.sh.in",
 "noop_warn.sh.in",
diff --git a/bazel/sh/def.bzl b/bazel/sh/def.bzl
index 4ddad1fe0..5f2129017 100644
--- a/bazel/sh/def.bzl
+++ b/bazel/sh/def.bzl
@@ -1,8 +1,6 @@
 """Bazel rules for CI and dev tooling"""
 load("@bazel_skylib//lib:shell.bzl", "shell")
-load("@rules_shell//shell:sh_binary.bzl", "sh_binary")
-load("@rules_shell//shell:sh_test.bzl", "sh_test")
 def _sh_template_impl(ctx):
 out_file = ctx.actions.declare_file(ctx.label.name + ".bash")
@@ -68,7 +66,8 @@ def sh_template(name, **kwargs):
 template = template,
 toolchains = toolchains,
 )
- sh_binary(
+
+ native.sh_binary(
 name = name,
 srcs = [script_name],
 data = [script_name] + data,
@@ -96,7 +95,8 @@ def sh_test_template(name, **kwargs):
 substitutions = substitutions,
 template = template,
 )
- sh_test(
+
+ native.sh_test(
 name = name,
 srcs = [script_name],
 data = [script_name] + data,
diff --git a/bazel/toolchains/ci_deps.bzl b/bazel/toolchains/ci_deps.bzl
index f6354e6ca..2215f85a8 100644
--- a/bazel/toolchains/ci_deps.bzl
+++ b/bazel/toolchains/ci_deps.bzl
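Review bot: `native.sh_test(` here and `native.sh_binary(` in the preceding `@@ -68,7 +66,8 @@` hunk bind the `sh_test_template` and `sh_template` macros to Bazel's built-in shell rules once the first `bazel/sh/def.bzl` hunk drops the `@rules_shell` loads; as far as I know those built-ins are the ones being moved out of Bazel core into rules_shell, so this pins the macros to Bazel releases that still ship them. If staying on the built-ins is deliberate, record it at the call site, e.g. `# Built-in rule on purpose; switch back to @rules_shell when the Bazel version is bumped.`, so the next toolchain upgrade does not rediscover it the hard way. Both `sh_template` and `sh_test_template` start before their hunks and continue past them.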
@@ -97,83 +97,83 @@ def _actionlint_deps(): name = "com_github_rhysd_actionlint_linux_amd64", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757", - "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_amd64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/fc0a6886bbb9a23a39eeec4b176193cadb54ddbe77cdbb19b637933919545395", + "https://github.com/rhysd/actionlint/releases/download/v1.7.4/actionlint_1.7.4_linux_amd64.tar.gz", ], type = "tar.gz", - sha256 = "023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757", + sha256 = "fc0a6886bbb9a23a39eeec4b176193cadb54ddbe77cdbb19b637933919545395", ) http_archive( name = "com_github_rhysd_actionlint_linux_arm64", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0", - "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_arm64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/ede03682dc955381d057dde95bb85ce9ca418122209a8a313b617d4adec56416", + "https://github.com/rhysd/actionlint/releases/download/v1.7.4/actionlint_1.7.4_linux_arm64.tar.gz", ], type = "tar.gz", - sha256 = "401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0", + sha256 = "ede03682dc955381d057dde95bb85ce9ca418122209a8a313b617d4adec56416", ) http_archive( name = "com_github_rhysd_actionlint_darwin_amd64", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5", - 
"https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_amd64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/63a3ba90ee2325afad3ff2e64a4d80688c261e6c68be8e6ab91214637bf936b8", + "https://github.com/rhysd/actionlint/releases/download/v1.7.4/actionlint_1.7.4_darwin_amd64.tar.gz", ], type = "tar.gz", - sha256 = "28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5", + sha256 = "63a3ba90ee2325afad3ff2e64a4d80688c261e6c68be8e6ab91214637bf936b8", ) http_archive( name = "com_github_rhysd_actionlint_darwin_arm64", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db", - "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_arm64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/cbd193bb490f598d77e179261d7b76dfebd049dddede5803ba21cbf6a469aeee", + "https://github.com/rhysd/actionlint/releases/download/v1.7.4/actionlint_1.7.4_darwin_arm64.tar.gz", ], type = "tar.gz", - sha256 = "2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db", + sha256 = "cbd193bb490f598d77e179261d7b76dfebd049dddede5803ba21cbf6a469aeee", ) def _gofumpt_deps(): http_file( name = "com_github_mvdan_gofumpt_linux_amd64", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/11604bbaf7321abcc2fca2c6a37b7e9198bb1e76e5a86f297c07201e8ab1fda9", - "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_linux_amd64", + "https://cdn.confidential.cloud/constellation/cas/sha256/6ff459c1dcae3b0b00844c1a5a4a5b0f547237d8a4f3624aaea8d424aeef24c6", + "https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_linux_amd64", ], executable = True, downloaded_file_path = "gofumpt", - sha256 = "11604bbaf7321abcc2fca2c6a37b7e9198bb1e76e5a86f297c07201e8ab1fda9", + sha256 = 
"6ff459c1dcae3b0b00844c1a5a4a5b0f547237d8a4f3624aaea8d424aeef24c6", ) http_file( name = "com_github_mvdan_gofumpt_linux_arm64", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/787c1d3d4d20e6fe2b0bf06a5a913ac0f50343dbf9a71540724a2b8092a0e6ca", - "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_linux_arm64", + "https://cdn.confidential.cloud/constellation/cas/sha256/00c18c88ef50437629626ba20d677f4648684cb280952814cdd887677d42cbd3", + "https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_linux_arm64", ], executable = True, downloaded_file_path = "gofumpt", - sha256 = "787c1d3d4d20e6fe2b0bf06a5a913ac0f50343dbf9a71540724a2b8092a0e6ca", + sha256 = "00c18c88ef50437629626ba20d677f4648684cb280952814cdd887677d42cbd3", ) http_file( name = "com_github_mvdan_gofumpt_darwin_amd64", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/0dda6600cf263b703a5ad93e792b06180c36afdee9638617a91dd552f2c6fb3e", - "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_darwin_amd64", + "https://cdn.confidential.cloud/constellation/cas/sha256/b7d05e092da45c5ec96344ab635b1d6547c3e27c840ba39bc76989934efd7ce3", + "https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_darwin_amd64", ], executable = True, downloaded_file_path = "gofumpt", - sha256 = "0dda6600cf263b703a5ad93e792b06180c36afdee9638617a91dd552f2c6fb3e", + sha256 = "b7d05e092da45c5ec96344ab635b1d6547c3e27c840ba39bc76989934efd7ce3", ) http_file( name = "com_github_mvdan_gofumpt_darwin_arm64", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/7e66e92b7a67d1d12839ab030fb7ae38e5e2273474af3762e67bc7fe9471fcd9", - "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_darwin_arm64", + "https://cdn.confidential.cloud/constellation/cas/sha256/08f23114760a090b090706d92b8c52b9875b9eb352d76c77aa354d6aa20b045a", + 
"https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_darwin_arm64", ], executable = True, downloaded_file_path = "gofumpt", - sha256 = "7e66e92b7a67d1d12839ab030fb7ae38e5e2273474af3762e67bc7fe9471fcd9", + sha256 = "08f23114760a090b090706d92b8c52b9875b9eb352d76c77aa354d6aa20b045a", ) def _tfsec_deps(): 
@@ -181,41 +181,41 @@ def _tfsec_deps(): name = "com_github_aquasecurity_tfsec_linux_amd64", build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/329ae7f67f2f1813ebe08de498719ea7003c75d3ca24bb0b038369062508008e", - "https://github.com/aquasecurity/tfsec/releases/download/v1.28.14/tfsec_1.28.14_linux_amd64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c", + "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_amd64.tar.gz", ], type = "tar.gz", - sha256 = "329ae7f67f2f1813ebe08de498719ea7003c75d3ca24bb0b038369062508008e", + sha256 = "9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c", ) http_archive( name = "com_github_aquasecurity_tfsec_linux_arm64", build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/13dcbd3602027be49ce6cab7e1c24b0a8e833f0143fe327b0a13b87686541ce0", - "https://github.com/aquasecurity/tfsec/releases/download/v1.28.14/tfsec_1.28.14_linux_arm64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52", + "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_arm64.tar.gz", ], type = "tar.gz", - sha256 = "13dcbd3602027be49ce6cab7e1c24b0a8e833f0143fe327b0a13b87686541ce0", + sha256 = "68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52", ) http_archive( name = "com_github_aquasecurity_tfsec_darwin_amd64", build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/0aeef31f83d6f44ba9ba5b6cbb954304c772dee73ac704e38896940f94af887a", - 
"https://github.com/aquasecurity/tfsec/releases/download/v1.28.14/tfsec_1.28.14_darwin_amd64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001", + "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_amd64.tar.gz", ], type = "tar.gz", - sha256 = "0aeef31f83d6f44ba9ba5b6cbb954304c772dee73ac704e38896940f94af887a", + sha256 = "d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001", ) http_archive( name = "com_github_aquasecurity_tfsec_darwin_arm64", build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""", urls = [ - "https://cdn.confidential.cloud/constellation/cas/sha256/f39d59a3f9be4eeb3d965657653ad62243103a3d921ce52ca8f907cff45896f5", - "https://github.com/aquasecurity/tfsec/releases/download/v1.28.14/tfsec_1.28.14_darwin_arm64.tar.gz", + "https://cdn.confidential.cloud/constellation/cas/sha256/14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7", + "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_arm64.tar.gz", ], type = "tar.gz", - sha256 = "f39d59a3f9be4eeb3d965657653ad62243103a3d921ce52ca8f907cff45896f5", + sha256 = "14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7", ) def _golangci_lint_deps(): 
@@ -223,45 +223,45 @@ def _golangci_lint_deps():
 name = "com_github_golangci_golangci_lint_linux_amd64",
 build_file = "//bazel/toolchains:BUILD.golangci.bazel",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/e55e0eb515936c0fbd178bce504798a9bd2f0b191e5e357768b18fd5415ee541",
- "https://github.com/golangci/golangci-lint/releases/download/v2.1.6/golangci-lint-2.1.6-linux-amd64.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/5101292b7925a6a14b49c5c3d845c5021399698ffd2f41bcfab8a111b5669939",
+ "https://github.com/golangci/golangci-lint/releases/download/v1.62.2/golangci-lint-1.62.2-linux-amd64.tar.gz",
 ],
- strip_prefix = "golangci-lint-2.1.6-linux-amd64",
+ strip_prefix = "golangci-lint-1.62.2-linux-amd64",
 type = "tar.gz",
- sha256 = "e55e0eb515936c0fbd178bce504798a9bd2f0b191e5e357768b18fd5415ee541",
+ sha256 = "5101292b7925a6a14b49c5c3d845c5021399698ffd2f41bcfab8a111b5669939",
 )
 http_archive(
 name = "com_github_golangci_golangci_lint_linux_arm64",
 build_file = "//bazel/toolchains:BUILD.golangci.bazel",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/582eb73880f4408d7fb89f12b502d577bd7b0b63d8c681da92bb6b9d934d4363",
- "https://github.com/golangci/golangci-lint/releases/download/v2.1.6/golangci-lint-2.1.6-linux-arm64.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/10b6f5bd8483bd9e85a82f6119ed08f95609f42b86dc344b5dc15703c74d5b85",
+ "https://github.com/golangci/golangci-lint/releases/download/v1.62.2/golangci-lint-1.62.2-linux-arm64.tar.gz",
 ],
- strip_prefix = "golangci-lint-2.1.6-linux-arm64",
+ strip_prefix = "golangci-lint-1.62.2-linux-arm64",
 type = "tar.gz",
- sha256 = "582eb73880f4408d7fb89f12b502d577bd7b0b63d8c681da92bb6b9d934d4363",
+ sha256 = "10b6f5bd8483bd9e85a82f6119ed08f95609f42b86dc344b5dc15703c74d5b85",
 )
 http_archive(
 name = "com_github_golangci_golangci_lint_darwin_amd64",
 build_file = "//bazel/toolchains:BUILD.golangci.bazel",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/e091107c4ca7e283902343ba3a09d14fb56b86e071effd461ce9d67193ef580e",
- "https://github.com/golangci/golangci-lint/releases/download/v2.1.6/golangci-lint-2.1.6-darwin-amd64.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/6c9ffd05896f0638d5c37152ac4ae337c2d301ba6c9dadf49c04e6d639f10f91",
+ "https://github.com/golangci/golangci-lint/releases/download/v1.62.2/golangci-lint-1.62.2-darwin-amd64.tar.gz",
 ],
- strip_prefix = "golangci-lint-2.1.6-darwin-amd64",
+ strip_prefix = "golangci-lint-1.62.2-darwin-amd64",
 type = "tar.gz",
- sha256 = "e091107c4ca7e283902343ba3a09d14fb56b86e071effd461ce9d67193ef580e",
+ sha256 = "6c9ffd05896f0638d5c37152ac4ae337c2d301ba6c9dadf49c04e6d639f10f91",
 )
 http_archive(
 name = "com_github_golangci_golangci_lint_darwin_arm64",
 build_file = "//bazel/toolchains:BUILD.golangci.bazel",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/90783fa092a0f64a4f7b7d419f3da1f53207e300261773babe962957240e9ea6",
- "https://github.com/golangci/golangci-lint/releases/download/v2.1.6/golangci-lint-2.1.6-darwin-arm64.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/6c76f54467ba471f7bdcd5df0f27c3fa3dbe530b771a10d384c3d8c7178f5e89",
+ "https://github.com/golangci/golangci-lint/releases/download/v1.62.2/golangci-lint-1.62.2-darwin-arm64.tar.gz",
 ],
- strip_prefix = "golangci-lint-2.1.6-darwin-arm64",
+ strip_prefix = "golangci-lint-1.62.2-darwin-arm64",
 type = "tar.gz",
- sha256 = "90783fa092a0f64a4f7b7d419f3da1f53207e300261773babe962957240e9ea6",
+ sha256 = "6c76f54467ba471f7bdcd5df0f27c3fa3dbe530b771a10d384c3d8c7178f5e89",
 )
 
 def _buf_deps():
@@ -270,44 +270,44 @@ def _buf_deps():
 strip_prefix = "buf/bin",
 build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/fa10faf16973f3861992cc2687b651350d70eafd467aea72cf0994556c2a0927",
- "https://github.com/bufbuild/buf/releases/download/v1.54.0/buf-Linux-x86_64.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4",
+ "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-x86_64.tar.gz",
 ],
 type = "tar.gz",
- sha256 = "fa10faf16973f3861992cc2687b651350d70eafd467aea72cf0994556c2a0927",
+ sha256 = "deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4",
 )
 http_archive(
 name = "com_github_bufbuild_buf_linux_arm64",
 strip_prefix = "buf/bin",
 build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/f41ef4431858556ece6a77662d6b9317fa4406585998cb3dffb7403b3e86713e",
- "https://github.com/bufbuild/buf/releases/download/v1.54.0/buf-Linux-aarch64.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d",
+ "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-aarch64.tar.gz",
 ],
 type = "tar.gz",
- sha256 = "f41ef4431858556ece6a77662d6b9317fa4406585998cb3dffb7403b3e86713e",
+ sha256 = "2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d",
 )
 http_archive(
 name = "com_github_bufbuild_buf_darwin_amd64",
 strip_prefix = "buf/bin",
 build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/22c9836a836b867e49e9d0ef223fd934cbf2690e7400facddb9be07b8809f889",
- "https://github.com/bufbuild/buf/releases/download/v1.54.0/buf-Darwin-x86_64.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4",
+ "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-x86_64.tar.gz",
 ],
 type = "tar.gz",
- sha256 = "22c9836a836b867e49e9d0ef223fd934cbf2690e7400facddb9be07b8809f889",
+ sha256 = "7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4",
 )
 http_archive(
 name = "com_github_bufbuild_buf_darwin_arm64",
 strip_prefix = "buf/bin",
 build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/f01f32a690efab3ef22a1c821aebc0c4bec7ca63faddbf64408d7d614e9d7f92",
- "https://github.com/bufbuild/buf/releases/download/v1.54.0/buf-Darwin-arm64.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b",
+ "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-arm64.tar.gz",
 ],
 type = "tar.gz",
- sha256 = "f01f32a690efab3ef22a1c821aebc0c4bec7ca63faddbf64408d7d614e9d7f92",
+ sha256 = "e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b",
 )
 
 def _talos_docgen_deps():
diff --git a/bazel/toolchains/container_images.bzl b/bazel/toolchains/container_images.bzl
index 1c405484f..cd82c6fae 100644
--- a/bazel/toolchains/container_images.bzl
+++ b/bazel/toolchains/container_images.bzl
@@ -7,7 +7,7 @@ load("@rules_oci//oci:pull.bzl", "oci_pull")
 def containter_image_deps():
 oci_pull(
 name = "distroless_static",
- digest = "sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9",
+ digest = "sha256:f4a57e8ffd7ba407bdd0eb315bb54ef1f21a2100a7f032e9102e4da34fe7c196",
 image = "gcr.io/distroless/static",
 platforms = [
 "linux/amd64",
@@ -16,6 +16,6 @@ def containter_image_deps():
 )
 oci_pull(
 name = "libvirtd_base",
- digest = "sha256:f23e0f587860c841adde25b1b4f0d99aa4fbce1c92b01b5b46ab5fa35980a135",
+ digest = "sha256:99dbf3cf69b3f97cb0158bde152c9bc7c2a96458cf462527ee80b75754f572a7",
 image = "ghcr.io/edgelesssys/constellation/libvirtd-base",
 )
diff --git a/bazel/toolchains/linux_kernel.bzl b/bazel/toolchains/linux_kernel.bzl
index d34d15324..b4aab0fa5 100644
--- a/bazel/toolchains/linux_kernel.bzl
+++ b/bazel/toolchains/linux_kernel.bzl
@@ -9,38 +9,38 @@ def kernel_rpms():
 http_file(
 name = "kernel_lts",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/7834bc4bc7e088c98505956382884bdc670ab9a9283288b7fef04a43df31356e",
- "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-6.6.87-100.constellation.fc40.x86_64.rpm",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/c87995e19c04e2f033e6db5e92bfcb845ac015722e776c09a7af4c82c86cd273",
+ "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-6.6.30-100.constellation.fc40.x86_64.rpm",
 ],
 downloaded_file_path = "kernel-lts.rpm",
- sha256 = "7834bc4bc7e088c98505956382884bdc670ab9a9283288b7fef04a43df31356e",
+ sha256 = "c87995e19c04e2f033e6db5e92bfcb845ac015722e776c09a7af4c82c86cd273",
 )
 http_file(
 name = "kernel_core_lts",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/2763c699d1e2f9810421ac7af2e9c94c6f98533e83f2938c26f1d824e3559b97",
- "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-core-6.6.87-100.constellation.fc40.x86_64.rpm",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/5692d862b0cc0c442c581e5f3dc9f3c36cabda0c29d3f62e9b6313a6ec88b140",
+ "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-core-6.6.30-100.constellation.fc40.x86_64.rpm",
 ],
 downloaded_file_path = "kernel-core-lts.rpm",
- sha256 = "2763c699d1e2f9810421ac7af2e9c94c6f98533e83f2938c26f1d824e3559b97",
+ sha256 = "5692d862b0cc0c442c581e5f3dc9f3c36cabda0c29d3f62e9b6313a6ec88b140",
 )
 http_file(
 name = "kernel_modules_lts",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/a7604eec263f190db573d809d20336bbf75e46c51f5977f5db95bb88bfec56d3",
- "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-modules-6.6.87-100.constellation.fc40.x86_64.rpm",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/e1b697343b4f8ed8e992cd92860208dc1c28eb8b25a88f42f426326a0bbc307f",
+ "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-modules-6.6.30-100.constellation.fc40.x86_64.rpm",
 ],
 downloaded_file_path = "kernel-modules-lts.rpm",
- sha256 = "a7604eec263f190db573d809d20336bbf75e46c51f5977f5db95bb88bfec56d3",
+ sha256 = "e1b697343b4f8ed8e992cd92860208dc1c28eb8b25a88f42f426326a0bbc307f",
 )
 http_file(
 name = "kernel_modules_core_lts",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/648fd503d7d54608fbd62ace87c4da098f72abbaac1ab7e343327fc24ccef7f8",
- "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-modules-core-6.6.87-100.constellation.fc40.x86_64.rpm",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/448c6b10d9ed02aed078ff77223f5e495b2041be12d92eb0e5ca5726a08e0626",
+ "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-modules-core-6.6.30-100.constellation.fc40.x86_64.rpm",
 ],
 downloaded_file_path = "kernel-modules-core-lts.rpm",
- sha256 = "648fd503d7d54608fbd62ace87c4da098f72abbaac1ab7e343327fc24ccef7f8",
+ sha256 = "448c6b10d9ed02aed078ff77223f5e495b2041be12d92eb0e5ca5726a08e0626",
 )
 
 # mainline kernel
diff --git a/bazel/toolchains/nixpkgs_deps.bzl b/bazel/toolchains/nixpkgs_deps.bzl
index bdf5f0f1c..c28c10cef 100644
--- a/bazel/toolchains/nixpkgs_deps.bzl
+++ b/bazel/toolchains/nixpkgs_deps.bzl
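Review bot: The LTS kernel pin on the new side is 6.6.30-100.constellation for all four RPMs while the old side was 6.6.87-100.constellation, so this is a rollback across 57 stable point releases rather than an update, and nothing in the hunk records why. Stable point releases are where kernel security fixes land, and a silent rollback of the guest kernel in a confidential-computing image is easy to miss in review; if this is a deliberate revert or a branch sync, say so in the commit message or in a comment above `name = "kernel_lts"`, e.g. `# NOTE: 6.6.30 is intentionally pinned below <reference branch>; see <ticket>`. Mechanically the hunk is consistent: for each RPM the CAS path digest, the versioned URL and `sha256` agree.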
@@ -5,11 +5,11 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 def nixpkgs_deps():
 http_archive(
 name = "io_tweag_rules_nixpkgs",
- sha256 = "30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
- strip_prefix = "rules_nixpkgs-0.13.0",
+ sha256 = "1ce13c13a2f354fd37016d9fb333efeddcb308e89db9b3a8f45eafce57746f49",
+ strip_prefix = "rules_nixpkgs-668609f0b3627751651cb325166d0e95062be3f7",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
- "https://github.com/tweag/rules_nixpkgs/releases/download/v0.13.0/rules_nixpkgs-0.13.0.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/1ce13c13a2f354fd37016d9fb333efeddcb308e89db9b3a8f45eafce57746f49",
+ "https://github.com/tweag/rules_nixpkgs/archive/668609f0b3627751651cb325166d0e95062be3f7.tar.gz",
 ],
 type = "tar.gz",
 )
diff --git a/bazel/toolchains/oci_deps.bzl b/bazel/toolchains/oci_deps.bzl
index f425e9066..8cfbecf3b 100644
--- a/bazel/toolchains/oci_deps.bzl
+++ b/bazel/toolchains/oci_deps.bzl
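Review bot: The new GitHub `urls` entry is an auto-generated commit archive (`archive/668609f0….tar.gz`) instead of a tagged release asset, and GitHub does not guarantee those tarballs stay byte-stable, so the `sha256` pin — correct as fail-closed verification — can start failing on the GitHub fallback without any change in this repository. The CAS mirror listed first mitigates that as long as it keeps serving `1ce13c13…`, so keep the ordering as it is. A bare commit hash also leaves no trace of which upstream release or fix it stands in for; a comment above `name = "io_tweag_rules_nixpkgs"` such as `# unreleased commit; replaces <release tag> because <reason>, re-pin to a tag when available` would make the pin reviewable later.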
@@ -7,13 +7,14 @@ def oci_deps():
 # Remove this override once https://github.com/bazel-contrib/rules_oci/issues/420 is fixed.
 http_archive(
 name = "rules_oci",
- strip_prefix = "rules_oci-2.2.5",
+ strip_prefix = "rules_oci-2.0.1",
 type = "tar.gz",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
- "https://github.com/bazel-contrib/rules_oci/releases/download/v2.2.5/rules_oci-v2.2.5.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/acbf8f40e062f707f8754e914dcb0013803c6e5e3679d3e05b571a9f5c7e0b43",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/f70f07f9d0d6c275d7ec7d3c7f236d9b552ba3205e8f37df9c1125031cf967cc",
+ "https://github.com/bazel-contrib/rules_oci/releases/download/v2.0.1/rules_oci-v2.0.1.tar.gz",
 ],
- sha256 = "361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
+ sha256 = "acbf8f40e062f707f8754e914dcb0013803c6e5e3679d3e05b571a9f5c7e0b43",
 patches = ["//bazel/toolchains:0001-disable-Windows-support.patch"],
 patch_args = ["-p1"],
 )
diff --git a/bootstrapper/cmd/bootstrapper/main.go b/bootstrapper/cmd/bootstrapper/main.go
index f1a533245..ebd5a82c5 100644
--- a/bootstrapper/cmd/bootstrapper/main.go
+++ b/bootstrapper/cmd/bootstrapper/main.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package main
diff --git a/bootstrapper/cmd/bootstrapper/run.go b/bootstrapper/cmd/bootstrapper/run.go
index fdb5891a6..815d879ce 100644
--- a/bootstrapper/cmd/bootstrapper/run.go
+++ b/bootstrapper/cmd/bootstrapper/run.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package main
diff --git a/bootstrapper/cmd/bootstrapper/test.go b/bootstrapper/cmd/bootstrapper/test.go
index 0f6707bcd..d0132ead8 100644
--- a/bootstrapper/cmd/bootstrapper/test.go
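Review bot: The new `urls` list carries two CAS entries whose path digests differ (`acbf8f40…` and `f70f07f9…`), but `sha256` pins only `acbf8f40…`, so a download from the second mirror can never verify; depending on how Bazel treats a checksum mismatch on a fallback URL it is either dead weight or a hard failure, never a working mirror. Keep the mirror set consistent with the declared hash: drop the `f70f07f9…` line, or replace it with the CAS entry that actually holds the artifact pinned by `sha256`. The `patches` context line still applies `0001-disable-Windows-support.patch` while the archive moves from 2.2.5 to 2.0.1, so it is worth confirming that patch still applies cleanly against the new tree.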
+++ b/bootstrapper/cmd/bootstrapper/test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/bootstrapper/initproto/init.pb.go b/bootstrapper/initproto/init.pb.go index 5ce2213ae..2d3b04e93 100644 --- a/bootstrapper/initproto/init.pb.go +++ b/bootstrapper/initproto/init.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 -// protoc v5.29.1 +// protoc-gen-go v1.35.2 +// protoc v5.29.0--rc2 // source: bootstrapper/initproto/init.proto package initproto @@ -16,7 +16,6 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" - unsafe "unsafe" ) const ( @@ -27,7 +26,10 @@ const ( ) type InitRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + KmsUri string `protobuf:"bytes,1,opt,name=kms_uri,json=kmsUri,proto3" json:"kms_uri,omitempty"` StorageUri string `protobuf:"bytes,2,opt,name=storage_uri,json=storageUri,proto3" json:"storage_uri,omitempty"` MeasurementSalt []byte `protobuf:"bytes,3,opt,name=measurement_salt,json=measurementSalt,proto3" json:"measurement_salt,omitempty"` @@ -38,8 +40,6 @@ type InitRequest struct { ClusterName string `protobuf:"bytes,9,opt,name=cluster_name,json=clusterName,proto3" json:"cluster_name,omitempty"` ApiserverCertSans []string `protobuf:"bytes,10,rep,name=apiserver_cert_sans,json=apiserverCertSans,proto3" json:"apiserver_cert_sans,omitempty"` ServiceCidr string `protobuf:"bytes,11,opt,name=service_cidr,json=serviceCidr,proto3" json:"service_cidr,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache } func (x *InitRequest) Reset() { 
@@ -143,15 +143,16 @@ func (x *InitRequest) GetServiceCidr() string { } type InitResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - // Types that are valid to be assigned to Kind: + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Kind: // // *InitResponse_InitSuccess // *InitResponse_InitFailure // *InitResponse_Log - Kind isInitResponse_Kind `protobuf_oneof:"kind"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + Kind isInitResponse_Kind `protobuf_oneof:"kind"` } func (x *InitResponse) Reset() { @@ -184,36 +185,30 @@ func (*InitResponse) Descriptor() ([]byte, []int) { return file_bootstrapper_initproto_init_proto_rawDescGZIP(), []int{1} } -func (x *InitResponse) GetKind() isInitResponse_Kind { - if x != nil { - return x.Kind +func (m *InitResponse) GetKind() isInitResponse_Kind { + if m != nil { + return m.Kind } return nil } func (x *InitResponse) GetInitSuccess() *InitSuccessResponse { - if x != nil { - if x, ok := x.Kind.(*InitResponse_InitSuccess); ok { - return x.InitSuccess - } + if x, ok := x.GetKind().(*InitResponse_InitSuccess); ok { + return x.InitSuccess } return nil } func (x *InitResponse) GetInitFailure() *InitFailureResponse { - if x != nil { - if x, ok := x.Kind.(*InitResponse_InitFailure); ok { - return x.InitFailure - } + if x, ok := x.GetKind().(*InitResponse_InitFailure); ok { + return x.InitFailure } return nil } func (x *InitResponse) GetLog() *LogResponseType { - if x != nil { - if x, ok := x.Kind.(*InitResponse_Log); ok { - return x.Log - } + if x, ok := x.GetKind().(*InitResponse_Log); ok { + return x.Log } return nil } 
@@ -241,12 +236,13 @@ func (*InitResponse_InitFailure) isInitResponse_Kind() {} func (*InitResponse_Log) isInitResponse_Kind() {} type InitSuccessResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Kubeconfig []byte `protobuf:"bytes,1,opt,name=kubeconfig,proto3" json:"kubeconfig,omitempty"` - OwnerId []byte `protobuf:"bytes,2,opt,name=owner_id,json=ownerId,proto3" json:"owner_id,omitempty"` - ClusterId []byte `protobuf:"bytes,3,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Kubeconfig []byte `protobuf:"bytes,1,opt,name=kubeconfig,proto3" json:"kubeconfig,omitempty"` + OwnerId []byte `protobuf:"bytes,2,opt,name=owner_id,json=ownerId,proto3" json:"owner_id,omitempty"` + ClusterId []byte `protobuf:"bytes,3,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"` } func (x *InitSuccessResponse) Reset() { @@ -301,10 +297,11 @@ func (x *InitSuccessResponse) GetClusterId() []byte { } type InitFailureResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"` } func (x *InitFailureResponse) Reset() { 
@@ -345,10 +342,11 @@ func (x *InitFailureResponse) GetError() string { } type LogResponseType struct { - state protoimpl.MessageState `protogen:"open.v1"` - Log []byte `protobuf:"bytes,1,opt,name=log,proto3" json:"log,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Log []byte `protobuf:"bytes,1,opt,name=log,proto3" json:"log,omitempty"` } func (x *LogResponseType) Reset() { @@ -389,13 +387,14 @@ func (x *LogResponseType) GetLog() []byte { } type KubernetesComponent struct { - state protoimpl.MessageState `protogen:"open.v1"` - Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"` - Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"` - InstallPath string `protobuf:"bytes,3,opt,name=install_path,json=installPath,proto3" json:"install_path,omitempty"` - Extract bool `protobuf:"varint,4,opt,name=extract,proto3" json:"extract,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"` + Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"` + InstallPath string `protobuf:"bytes,3,opt,name=install_path,json=installPath,proto3" json:"install_path,omitempty"` + Extract bool `protobuf:"varint,4,opt,name=extract,proto3" json:"extract,omitempty"` } func (x *KubernetesComponent) Reset() { 
@@ -458,55 +457,92 @@ func (x *KubernetesComponent) GetExtract() bool { var File_bootstrapper_initproto_init_proto protoreflect.FileDescriptor -const file_bootstrapper_initproto_init_proto_rawDesc = "" + - "\n" + - "!bootstrapper/initproto/init.proto\x12\x04init\x1a-internal/versions/components/components.proto\"\xd0\x03\n" + - "\vInitRequest\x12\x17\n" + - "\akms_uri\x18\x01 \x01(\tR\x06kmsUri\x12\x1f\n" + - "\vstorage_uri\x18\x02 \x01(\tR\n" + - "storageUri\x12)\n" + - "\x10measurement_salt\x18\x03 \x01(\fR\x0fmeasurementSalt\x12-\n" + - "\x12kubernetes_version\x18\x05 \x01(\tR\x11kubernetesVersion\x12)\n" + - "\x10conformance_mode\x18\x06 \x01(\bR\x0fconformanceMode\x12J\n" + - "\x15kubernetes_components\x18\a \x03(\v2\x15.components.ComponentR\x14kubernetesComponents\x12\x1f\n" + - "\vinit_secret\x18\b \x01(\fR\n" + - "initSecret\x12!\n" + - "\fcluster_name\x18\t \x01(\tR\vclusterName\x12.\n" + - "\x13apiserver_cert_sans\x18\n" + - " \x03(\tR\x11apiserverCertSans\x12!\n" + - "\fservice_cidr\x18\v \x01(\tR\vserviceCidrJ\x04\b\x04\x10\x05R\x19cloud_service_account_uri\"\xc1\x01\n" + - "\fInitResponse\x12>\n" + - "\finit_success\x18\x01 \x01(\v2\x19.init.InitSuccessResponseH\x00R\vinitSuccess\x12>\n" + - "\finit_failure\x18\x02 \x01(\v2\x19.init.InitFailureResponseH\x00R\vinitFailure\x12)\n" + - "\x03log\x18\x03 \x01(\v2\x15.init.LogResponseTypeH\x00R\x03logB\x06\n" + - "\x04kind\"o\n" + - "\x13InitSuccessResponse\x12\x1e\n" + - "\n" + - "kubeconfig\x18\x01 \x01(\fR\n" + - "kubeconfig\x12\x19\n" + - "\bowner_id\x18\x02 \x01(\fR\aownerId\x12\x1d\n" + - "\n" + - "cluster_id\x18\x03 \x01(\fR\tclusterId\"+\n" + - "\x13InitFailureResponse\x12\x14\n" + - "\x05error\x18\x01 \x01(\tR\x05error\"#\n" + - "\x0fLogResponseType\x12\x10\n" + - "\x03log\x18\x01 \x01(\fR\x03log\"x\n" + - "\x13KubernetesComponent\x12\x10\n" + - "\x03url\x18\x01 \x01(\tR\x03url\x12\x12\n" + - "\x04hash\x18\x02 \x01(\tR\x04hash\x12!\n" + - "\finstall_path\x18\x03 \x01(\tR\vinstallPath\x12\x18\n" + - 
"\aextract\x18\x04 \x01(\bR\aextract26\n" + - "\x03API\x12/\n" + - "\x04Init\x12\x11.init.InitRequest\x1a\x12.init.InitResponse0\x01B@Z>github.com/edgelesssys/constellation/v2/bootstrapper/initprotob\x06proto3" +var file_bootstrapper_initproto_init_proto_rawDesc = []byte{ + 0x0a, 0x21, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x69, + 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x69, 0x6e, 0x69, 0x74, 0x1a, 0x2d, 0x69, 0x6e, 0x74, 0x65, 0x72, + 0x6e, 0x61, 0x6c, 0x2f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x63, 0x6f, 0x6d, + 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, + 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd0, 0x03, 0x0a, 0x0b, 0x49, 0x6e, 0x69, + 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x6d, 0x73, 0x5f, + 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x6d, 0x73, 0x55, 0x72, + 0x69, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x5f, 0x75, 0x72, 0x69, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x55, + 0x72, 0x69, 0x12, 0x29, 0x0a, 0x10, 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x5f, 0x73, 0x61, 0x6c, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x6d, 0x65, + 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x61, 0x6c, 0x74, 0x12, 0x2d, 0x0a, + 0x12, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x76, 0x65, 0x72, 0x73, + 0x69, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x75, 0x62, 0x65, 0x72, + 0x6e, 0x65, 0x74, 0x65, 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x29, 0x0a, 0x10, + 0x63, 0x6f, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x6d, 0x6f, 0x64, 0x65, + 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x63, 
0x6f, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, + 0x6e, 0x63, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x4a, 0x0a, 0x15, 0x6b, 0x75, 0x62, 0x65, 0x72, + 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, + 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, + 0x6e, 0x74, 0x73, 0x2e, 0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x52, 0x14, 0x6b, + 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, + 0x6e, 0x74, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x69, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x72, + 0x65, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x69, 0x6e, 0x69, 0x74, 0x53, 0x65, + 0x63, 0x72, 0x65, 0x74, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, + 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, + 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2e, 0x0a, 0x13, 0x61, 0x70, 0x69, 0x73, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x73, 0x61, 0x6e, 0x73, 0x18, 0x0a, + 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, 0x61, 0x70, 0x69, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, + 0x65, 0x72, 0x74, 0x53, 0x61, 0x6e, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x5f, 0x63, 0x69, 0x64, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, + 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x43, 0x69, 0x64, 0x72, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, + 0x52, 0x19, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, + 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x75, 0x72, 0x69, 0x22, 0xc1, 0x01, 0x0a, 0x0c, + 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3e, 0x0a, 0x0c, + 0x69, 0x6e, 0x69, 0x74, 0x5f, 0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x53, 
0x75, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x48, 0x00, 0x52, + 0x0b, 0x69, 0x6e, 0x69, 0x74, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x3e, 0x0a, 0x0c, + 0x69, 0x6e, 0x69, 0x74, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x46, 0x61, + 0x69, 0x6c, 0x75, 0x72, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x48, 0x00, 0x52, + 0x0b, 0x69, 0x6e, 0x69, 0x74, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x12, 0x29, 0x0a, 0x03, + 0x6c, 0x6f, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x69, 0x6e, 0x69, 0x74, + 0x2e, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, + 0x48, 0x00, 0x52, 0x03, 0x6c, 0x6f, 0x67, 0x42, 0x06, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x22, + 0x6f, 0x0a, 0x13, 0x49, 0x6e, 0x69, 0x74, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, + 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, + 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x5f, + 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x49, + 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, + 0x22, 0x2b, 0x0a, 0x13, 0x49, 0x6e, 0x69, 0x74, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x23, 0x0a, + 0x0f, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, + 0x12, 0x10, 0x0a, 0x03, 0x6c, 
0x6f, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x6c, + 0x6f, 0x67, 0x22, 0x78, 0x0a, 0x13, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, + 0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x12, 0x0a, 0x04, 0x68, + 0x61, 0x73, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x61, 0x73, 0x68, 0x12, + 0x21, 0x0a, 0x0c, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c, 0x50, 0x61, + 0x74, 0x68, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x32, 0x36, 0x0a, 0x03, + 0x41, 0x50, 0x49, 0x12, 0x2f, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69, 0x6e, + 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, + 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x30, 0x01, 0x42, 0x40, 0x5a, 0x3e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, + 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f, + 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, + 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} var ( file_bootstrapper_initproto_init_proto_rawDescOnce sync.Once - file_bootstrapper_initproto_init_proto_rawDescData []byte + file_bootstrapper_initproto_init_proto_rawDescData = file_bootstrapper_initproto_init_proto_rawDesc ) func file_bootstrapper_initproto_init_proto_rawDescGZIP() []byte { file_bootstrapper_initproto_init_proto_rawDescOnce.Do(func() { - 
file_bootstrapper_initproto_init_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_bootstrapper_initproto_init_proto_rawDesc), len(file_bootstrapper_initproto_init_proto_rawDesc))) + file_bootstrapper_initproto_init_proto_rawDescData = protoimpl.X.CompressGZIP(file_bootstrapper_initproto_init_proto_rawDescData) }) return file_bootstrapper_initproto_init_proto_rawDescData } @@ -549,7 +585,7 @@ func file_bootstrapper_initproto_init_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_bootstrapper_initproto_init_proto_rawDesc), len(file_bootstrapper_initproto_init_proto_rawDesc)), + RawDescriptor: file_bootstrapper_initproto_init_proto_rawDesc, NumEnums: 0, NumMessages: 6, NumExtensions: 0, @@ -560,6 +596,7 @@ func file_bootstrapper_initproto_init_proto_init() { MessageInfos: file_bootstrapper_initproto_init_proto_msgTypes, }.Build() File_bootstrapper_initproto_init_proto = out.File + file_bootstrapper_initproto_init_proto_rawDesc = nil file_bootstrapper_initproto_init_proto_goTypes = nil file_bootstrapper_initproto_init_proto_depIdxs = nil } diff --git a/bootstrapper/internal/addresses/BUILD.bazel b/bootstrapper/internal/addresses/BUILD.bazel deleted file mode 100644 index 9311c4a61..000000000 --- a/bootstrapper/internal/addresses/BUILD.bazel +++ /dev/null 
@@ -1,26 +0,0 @@ -load("@io_bazel_rules_go//go:def.bzl", "go_library") -load("//bazel/go:go_test.bzl", "go_test") - -go_library( - name = "interfaces", - srcs = ["interfaces.go"], - importpath = "github.com/edgelesssys/constellation/v2/bootstrapper/internal/interfaces", - visibility = ["//bootstrapper:__subpackages__"], -) - -go_library( - name = "addresses", - srcs = ["addresses.go"], - importpath = "github.com/edgelesssys/constellation/v2/bootstrapper/internal/addresses", - visibility = ["//bootstrapper:__subpackages__"], -) - -go_test( - name = "addresses_test", - srcs = ["addresses_test.go"], - deps = [ - ":addresses", - "@com_github_stretchr_testify//assert", - "@com_github_stretchr_testify//require", - ], -) diff --git a/bootstrapper/internal/addresses/addresses.go b/bootstrapper/internal/addresses/addresses.go deleted file mode 100644 index d17563b4f..000000000 --- a/bootstrapper/internal/addresses/addresses.go +++ /dev/null @@ -1,45 +0,0 @@ -/* -Copyright (c) Edgeless Systems GmbH - -SPDX-License-Identifier: BUSL-1.1 -*/ - -package addresses - -import ( - "net" -) - -// GetMachineNetworkAddresses retrieves all network interface addresses. -func GetMachineNetworkAddresses(interfaces []NetInterface) ([]string, error) { - var addresses []string - - for _, i := range interfaces { - addrs, err := i.Addrs() - if err != nil { - return nil, err - } - for _, addr := range addrs { - var ip net.IP - switch v := addr.(type) { - case *net.IPNet: - ip = v.IP - case *net.IPAddr: - ip = v.IP - default: - continue - } - if ip.IsLoopback() { - continue - } - addresses = append(addresses, ip.String()) - } - } - - return addresses, nil -} - -// NetInterface represents a network interface used to get network addresses. -type NetInterface interface { - Addrs() ([]net.Addr, error) -} diff --git a/bootstrapper/internal/addresses/addresses_test.go b/bootstrapper/internal/addresses/addresses_test.go deleted file mode 100644 index ceb881ddf..000000000 
--- a/bootstrapper/internal/addresses/addresses_test.go +++ /dev/null @@ -1,67 +0,0 @@ -/* -Copyright (c) Edgeless Systems GmbH - -SPDX-License-Identifier: BUSL-1.1 -*/ - -package addresses_test - -import ( - "errors" - "net" - "testing" - - "github.com/edgelesssys/constellation/v2/bootstrapper/internal/addresses" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -func TestGetMachineNetworkAddresses(t *testing.T) { - _, someAddr, err := net.ParseCIDR("10.9.0.1/24") - require.NoError(t, err) - - testCases := map[string]struct { - interfaces []addresses.NetInterface - wantErr bool - }{ - "successful": { - interfaces: []addresses.NetInterface{ - &mockNetInterface{ - addrs: []net.Addr{ - someAddr, - }, - }, - }, - }, - "unsuccessful": { - interfaces: []addresses.NetInterface{ - &mockNetInterface{addrs: nil, err: errors.New("someError")}, - }, - wantErr: true, - }, - } - - for name, tc := range testCases { - t.Run(name, func(t *testing.T) { - assert := assert.New(t) - - addrs, err := addresses.GetMachineNetworkAddresses(tc.interfaces) - - if tc.wantErr { - assert.Error(err) - } else { - assert.Equal([]string{"10.9.0.0"}, addrs) - assert.NoError(err) - } - }) - } -} - -type mockNetInterface struct { - addrs []net.Addr - err error -} - -func (m *mockNetInterface) Addrs() ([]net.Addr, error) { - return m.addrs, m.err -} diff --git a/bootstrapper/internal/certificate/certificate.go b/bootstrapper/internal/certificate/certificate.go index f99ebae02..e27836bcd 100644 --- a/bootstrapper/internal/certificate/certificate.go +++ b/bootstrapper/internal/certificate/certificate.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package certificate provides functions to create a certificate request and matching private key. diff --git a/bootstrapper/internal/clean/clean.go b/bootstrapper/internal/clean/clean.go index 28d9e795d..71d46b4ec 100644 
--- a/bootstrapper/internal/clean/clean.go +++ b/bootstrapper/internal/clean/clean.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package clean provides functionality to stop a list of services gracefully and synchronously. diff --git a/bootstrapper/internal/clean/clean_test.go b/bootstrapper/internal/clean/clean_test.go index 5083265e0..f4dd2558c 100644 --- a/bootstrapper/internal/clean/clean_test.go +++ b/bootstrapper/internal/clean/clean_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package clean diff --git a/bootstrapper/internal/diskencryption/diskencryption.go b/bootstrapper/internal/diskencryption/diskencryption.go index 5cd3f543b..e8fbcb4a2 100644 --- a/bootstrapper/internal/diskencryption/diskencryption.go +++ b/bootstrapper/internal/diskencryption/diskencryption.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package diskencryption handles interaction with a node's state disk. diff --git a/bootstrapper/internal/diskencryption/diskencryption_test.go b/bootstrapper/internal/diskencryption/diskencryption_test.go index 7cb5c6483..3de14842a 100644 --- a/bootstrapper/internal/diskencryption/diskencryption_test.go +++ b/bootstrapper/internal/diskencryption/diskencryption_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package diskencryption diff --git a/bootstrapper/internal/etcdio/etcdio.go b/bootstrapper/internal/etcdio/etcdio.go index 0befb22ee..f9caf7dbb 100644 --- a/bootstrapper/internal/etcdio/etcdio.go +++ b/bootstrapper/internal/etcdio/etcdio.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // The etcdio package provides utilities to manage etcd I/O. diff --git a/bootstrapper/internal/etcdio/setioprio_cross.go b/bootstrapper/internal/etcdio/setioprio_cross.go index 68e5f8e1e..6422f0c60 100644 --- a/bootstrapper/internal/etcdio/setioprio_cross.go +++ b/bootstrapper/internal/etcdio/setioprio_cross.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package etcdio diff --git a/bootstrapper/internal/etcdio/setioprio_linux.go b/bootstrapper/internal/etcdio/setioprio_linux.go index ecd1df82d..61d82248f 100644 --- a/bootstrapper/internal/etcdio/setioprio_linux.go +++ b/bootstrapper/internal/etcdio/setioprio_linux.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package etcdio diff --git a/bootstrapper/internal/initserver/BUILD.bazel b/bootstrapper/internal/initserver/BUILD.bazel index c25ec5c4a..3ad04343c 100644 --- a/bootstrapper/internal/initserver/BUILD.bazel +++ b/bootstrapper/internal/initserver/BUILD.bazel @@ -8,11 +8,9 @@ go_library( visibility = ["//bootstrapper:__subpackages__"], deps = [ "//bootstrapper/initproto", - "//bootstrapper/internal/addresses", "//bootstrapper/internal/journald", "//internal/atls", "//internal/attestation", - "//internal/constants", "//internal/crypto", "//internal/file", "//internal/grpc/atlscredentials", @@ -28,7 +26,6 @@ go_library( "@org_golang_google_grpc//keepalive", "@org_golang_google_grpc//status", "@org_golang_x_crypto//bcrypt", - "@org_golang_x_crypto//ssh", ], ) @@ -44,7 +41,6 @@ go_test( "//bootstrapper/initproto", "//internal/atls", "//internal/attestation/variant", - "//internal/constants", "//internal/crypto/testvector", "//internal/file", "//internal/kms/setup", 
@@ -56,7 +52,6 @@ go_test( "@com_github_stretchr_testify//require", "@org_golang_google_grpc//:grpc", "@org_golang_x_crypto//bcrypt", - "@org_golang_x_crypto//ssh", "@org_uber_go_goleak//:goleak", ], ) diff --git a/bootstrapper/internal/initserver/initserver.go b/bootstrapper/internal/initserver/initserver.go index 4b75c6e3e..a65a5f8b7 100644 --- a/bootstrapper/internal/initserver/initserver.go +++ b/bootstrapper/internal/initserver/initserver.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* @@ -20,23 +20,19 @@ package initserver import ( "bufio" "context" - "crypto/ed25519" "errors" "fmt" "io" "log/slog" "net" - "os" "strings" "sync" "time" "github.com/edgelesssys/constellation/v2/bootstrapper/initproto" - "github.com/edgelesssys/constellation/v2/bootstrapper/internal/addresses" "github.com/edgelesssys/constellation/v2/bootstrapper/internal/journald" "github.com/edgelesssys/constellation/v2/internal/atls" "github.com/edgelesssys/constellation/v2/internal/attestation" - "github.com/edgelesssys/constellation/v2/internal/constants" "github.com/edgelesssys/constellation/v2/internal/crypto" "github.com/edgelesssys/constellation/v2/internal/file" "github.com/edgelesssys/constellation/v2/internal/grpc/atlscredentials" @@ -48,7 +44,6 @@ import ( "github.com/edgelesssys/constellation/v2/internal/role" "github.com/edgelesssys/constellation/v2/internal/versions/components" "golang.org/x/crypto/bcrypt" - "golang.org/x/crypto/ssh" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/keepalive" 
@@ -155,23 +150,35 @@ func (s *Server) Init(req *initproto.InitRequest, stream initproto.API_InitServe
 s.kmsURI = req.KmsUri
 if err := bcrypt.CompareHashAndPassword(s.initSecretHash, req.InitSecret); err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "invalid init secret %s", err)))
+ if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "invalid init secret %s", err)); e != nil {
+ err = errors.Join(err, e)
+ }
+ return err
 }
 
 cloudKms, err := kmssetup.KMS(stream.Context(), req.StorageUri, req.KmsUri)
 if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "creating kms client: %s", err)))
+ if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "creating kms client: %s", err)); e != nil {
+ err = errors.Join(err, e)
+ }
+ return err
 }
 
 // generate values for cluster attestation
 clusterID, err := deriveMeasurementValues(stream.Context(), req.MeasurementSalt, cloudKms)
 if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "deriving measurement values: %s", err)))
+ if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "deriving measurement values: %s", err)); e != nil {
+ err = errors.Join(err, e)
+ }
+ return err
 }
 
 nodeLockAcquired, err := s.nodeLock.TryLockOnce(clusterID)
 if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "locking node: %s", err)))
+ if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "locking node: %s", err)); e != nil {
+ err = errors.Join(err, e)
+ }
+ return err
 }
 
 if !nodeLockAcquired {
 // The join client seems to already have a connection to an
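Review bot: The four-line `if e := s.sendLogsWithMessage(...); e != nil { err = errors.Join(err, e) }; return err` block is now repeated at every early return in Init — four times in this hunk and again in the two hunks that follow (setting up disk, persisting node state, initializing cluster) — which invites the copies drifting apart. Since errors.Join already discards nil operands, the explicit nil check only changes whether a successful send leaves err unwrapped; a small closure at the top of Init captures that intent once and turns each site back into a single return. Init's signature and the start of its body are outside this hunk, so the closure would go just above the first use.
```go
	// fail forwards msg to the caller's log stream and returns err, joined with the
	// send error only when forwarding itself failed (a successful send leaves err unwrapped).
	fail := func(err error, format string, args ...any) error {
		if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, format, args...)); e != nil {
			err = errors.Join(err, e)
		}
		return err
	}
	// … unchanged: s.kmsURI assignment …
	if err := bcrypt.CompareHashAndPassword(s.initSecretHash, req.InitSecret); err != nil {
		return fail(err, "invalid init secret %s", err)
	}
	// … unchanged: the remaining early returns take the same one-line shape …
```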
@@ -198,7 +205,10 @@ func (s *Server) Init(req *initproto.InitRequest, stream initproto.API_InitServe
 }()
 
 if err := s.setupDisk(stream.Context(), cloudKms); err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "setting up disk: %s", err)))
+ if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "setting up disk: %s", err)); e != nil {
+ err = errors.Join(err, e)
+ }
+ return err
 }
 
 state := nodestate.NodeState{
@@ -206,67 +216,10 @@ func (s *Server) Init(req *initproto.InitRequest, stream initproto.API_InitServe
 MeasurementSalt: req.MeasurementSalt,
 }
 if err := state.ToFile(s.fileHandler); err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "persisting node state: %s", err)))
- }
-
- // Derive the emergency ssh CA key
- key, err := cloudKms.GetDEK(stream.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize)
- if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "retrieving DEK for key derivation: %s", err)))
- }
- ca, err := crypto.GenerateEmergencySSHCAKey(key)
- if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "generating emergency SSH CA key: %s", err)))
- }
- if err := s.fileHandler.Write(constants.SSHCAKeyPath, ssh.MarshalAuthorizedKey(ca.PublicKey()), file.OptMkdirAll); err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "writing ssh CA pubkey: %s", err)))
- }
-
- interfaces, err := net.Interfaces()
- if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "getting network interfaces: %s", err)))
- }
- // Needed since go doesn't implicitly convert slices of structs to slices of interfaces
- interfacesForFunc := make([]addresses.NetInterface, len(interfaces))
- for i := range interfaces {
- interfacesForFunc[i] = &interfaces[i]
- }
-
- principalList, err := addresses.GetMachineNetworkAddresses(interfacesForFunc)
- if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "failed to get network addresses: %s", err)))
- }
- hostname, err := os.Hostname()
- if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "failed to get hostname: %s", err)))
- }
-
- principalList = append(principalList, hostname)
- principalList = append(principalList, req.ApiserverCertSans...)
-
- hostKeyContent, err := s.fileHandler.Read(constants.SSHHostKeyPath)
- if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "failed to read host SSH key: %s", err)))
- }
-
- hostPrivateKey, err := ssh.ParsePrivateKey(hostKeyContent)
- if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "failed to parse host SSH key: %s", err)))
- }
-
- hostKeyPubSSH := hostPrivateKey.PublicKey()
-
- hostCertificate, err := crypto.GenerateSSHHostCertificate(principalList, hostKeyPubSSH, ca)
- if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "generating SSH host certificate: %s", err)))
- }
-
- if err := s.fileHandler.Write(constants.SSHAdditionalPrincipalsPath, []byte(strings.Join(req.ApiserverCertSans, ",")), file.OptMkdirAll); err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "writing list of public ssh principals: %s", err)))
- }
-
- if err := s.fileHandler.Write(constants.SSHHostCertificatePath, ssh.MarshalAuthorizedKey(hostCertificate), file.OptMkdirAll); err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "writing ssh host certificate: %s", err)))
+ if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "persisting node state: %s", err)); e != nil {
+ err = errors.Join(err, e)
+ }
+ return err
 }
 
 clusterName := req.ClusterName
@@ -283,7 +236,10 @@ func (s *Server) Init(req *initproto.InitRequest, stream initproto.API_InitServe
 req.ServiceCidr,
 )
 if err != nil {
- return errors.Join(err, s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "initializing cluster: %s", err)))
+ if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "initializing cluster: %s", err)); e != nil {
+ err = errors.Join(err, e)
+ }
+ return err
 }
 
 log.Info("Init succeeded")
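Review bot: After this hunk nothing in Init writes `constants.SSHCAKeyPath`, `constants.SSHHostCertificatePath` or `constants.SSHAdditionalPrincipalsPath` any more, and the matching writes in joinclient's startNodeAndJoin are removed further down in this diff; any sshd configuration on the node image that still points at those paths would either fail to start or fall back to an uncertified host key, so the image-side references should be dropped in the same change (the removed joinclient test mentioned keys being generated by a systemd service, which suggests such a unit exists). On the new side `req.ApiserverCertSans` also appears to have no remaining consumer in this hunk, so its purpose in the request should be documented or the field retired with the feature. Init's body starts and ends outside this hunk.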
diff --git a/bootstrapper/internal/initserver/initserver_test.go b/bootstrapper/internal/initserver/initserver_test.go index cfecdd018..0d9f25db4 100644 --- a/bootstrapper/internal/initserver/initserver_test.go +++ b/bootstrapper/internal/initserver/initserver_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package initserver @@ -9,12 +9,9 @@ package initserver import ( "bytes" "context" - "crypto/ed25519" - "encoding/pem" "errors" "io" "net" - "os" "strings" "sync" "testing" @@ -23,7 +20,6 @@ import ( "github.com/edgelesssys/constellation/v2/bootstrapper/initproto" "github.com/edgelesssys/constellation/v2/internal/atls" "github.com/edgelesssys/constellation/v2/internal/attestation/variant" - "github.com/edgelesssys/constellation/v2/internal/constants" "github.com/edgelesssys/constellation/v2/internal/crypto/testvector" "github.com/edgelesssys/constellation/v2/internal/file" kmssetup "github.com/edgelesssys/constellation/v2/internal/kms/setup" @@ -35,7 +31,6 @@ import ( "github.com/stretchr/testify/require" "go.uber.org/goleak" "golang.org/x/crypto/bcrypt" - "golang.org/x/crypto/ssh" "google.golang.org/grpc" ) @@ -72,7 +67,7 @@ func TestNew(t *testing.T) { assert := assert.New(t) server, err := New( - t.Context(), newFakeLock(), &stubClusterInitializer{}, atls.NewFakeIssuer(variant.Dummy{}), + context.TODO(), newFakeLock(), &stubClusterInitializer{}, atls.NewFakeIssuer(variant.Dummy{}), &stubDisk{}, fh, &tc.metadata, logger.NewTest(t), ) if tc.wantErr { 
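Review bot: `context.TODO()` replaces `t.Context()` in TestNew here, while the same replacement in TestSetupDisk (the `@@ -391,9 +352,9 @@` hunk of this file) uses `context.Background()`; the two read differently (TODO signals a context still to be plumbed through) and tests conventionally use Background. Use `context.Background(), newFakeLock(), &stubClusterInitializer{}, atls.NewFakeIssuer(variant.Dummy{}),` here so both sites agree. The enclosing test function starts and ends outside the hunk.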
@@ -105,31 +100,17 @@ func TestInit(t *testing.T) { masterSecret := uri.MasterSecret{Key: []byte("secret"), Salt: []byte("salt")} - _, privkey, err := ed25519.GenerateKey(nil) - require.NoError(t, err) - pemHostKey, err := ssh.MarshalPrivateKey(privkey, "") - require.NoError(t, err) - - fsWithHostKey := afero.NewMemMapFs() - hostKeyFile, err := fsWithHostKey.Create(constants.SSHHostKeyPath) - require.NoError(t, err) - _, err = hostKeyFile.Write(pem.EncodeToMemory(pemHostKey)) - require.NoError(t, err) - require.NoError(t, hostKeyFile.Close()) - readOnlyFSWithHostKey := afero.NewReadOnlyFs(fsWithHostKey) - testCases := map[string]struct { - nodeLock *fakeLock - initializer ClusterInitializer - disk encryptedDisk - fileHandler file.Handler - req *initproto.InitRequest - stream stubStream - logCollector stubJournaldCollector - initSecretHash []byte - hostkeyDoesntExist bool - wantErr bool - wantShutdown bool + nodeLock *fakeLock + initializer ClusterInitializer + disk encryptedDisk + fileHandler file.Handler + req *initproto.InitRequest + stream stubStream + logCollector stubJournaldCollector + initSecretHash []byte + wantErr bool + wantShutdown bool }{ "successful init": { nodeLock: newFakeLock(), @@ -193,7 +174,7 @@ func TestInit(t *testing.T) { nodeLock: newFakeLock(), initializer: &stubClusterInitializer{}, disk: &stubDisk{}, - fileHandler: file.NewHandler(readOnlyFSWithHostKey), + fileHandler: file.NewHandler(afero.NewReadOnlyFs(afero.NewMemMapFs())), req: &initproto.InitRequest{InitSecret: initSecret, KmsUri: masterSecret.EncodeToURI(), StorageUri: uri.NoStoreURI}, stream: stubStream{}, logCollector: stubJournaldCollector{logPipe: &stubReadCloser{reader: bytes.NewReader([]byte{})}}, 
@@ -224,31 +205,11 @@ func TestInit(t *testing.T) { logCollector: stubJournaldCollector{logPipe: &stubReadCloser{reader: bytes.NewReader([]byte{})}}, wantErr: true, }, - "host key doesn't exist": { - nodeLock: newFakeLock(), - initializer: &stubClusterInitializer{}, - disk: &stubDisk{}, - fileHandler: file.NewHandler(afero.NewMemMapFs()), - initSecretHash: initSecretHash, - req: &initproto.InitRequest{InitSecret: initSecret, KmsUri: masterSecret.EncodeToURI(), StorageUri: uri.NoStoreURI}, - stream: stubStream{}, - logCollector: stubJournaldCollector{logPipe: &stubReadCloser{reader: bytes.NewReader([]byte{})}}, - hostkeyDoesntExist: true, - wantShutdown: true, - wantErr: true, - }, } for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) - require := require.New(t) - - if _, err := tc.fileHandler.Stat(constants.SSHHostKeyPath); errors.Is(err, os.ErrNotExist) { - if !tc.hostkeyDoesntExist { - require.NoError(tc.fileHandler.Write(constants.SSHHostKeyPath, pem.EncodeToMemory(pemHostKey), file.OptMkdirAll)) - } - } serveStopper := newStubServeStopper() server := &Server{ @@ -391,9 +352,9 @@ func TestSetupDisk(t *testing.T) { masterSecret := uri.MasterSecret{Key: tc.masterKey, Salt: tc.salt} - cloudKms, err := kmssetup.KMS(t.Context(), uri.NoStoreURI, masterSecret.EncodeToURI()) + cloudKms, err := kmssetup.KMS(context.Background(), uri.NoStoreURI, masterSecret.EncodeToURI()) require.NoError(err) - assert.NoError(server.setupDisk(t.Context(), cloudKms)) + assert.NoError(server.setupDisk(context.Background(), cloudKms)) }) } } diff --git a/bootstrapper/internal/joinclient/BUILD.bazel b/bootstrapper/internal/joinclient/BUILD.bazel index a5424ec2d..048df72ac 100644 --- a/bootstrapper/internal/joinclient/BUILD.bazel +++ b/bootstrapper/internal/joinclient/BUILD.bazel 
@@ -7,7 +7,6 @@ go_library( importpath = "github.com/edgelesssys/constellation/v2/bootstrapper/internal/joinclient", visibility = ["//bootstrapper:__subpackages__"], deps = [ - "//bootstrapper/internal/addresses", "//bootstrapper/internal/certificate", "//internal/attestation", "//internal/cloud/metadata", @@ -22,7 +21,6 @@ go_library( "@io_k8s_kubernetes//cmd/kubeadm/app/constants", "@io_k8s_utils//clock", "@org_golang_google_grpc//:grpc", - "@org_golang_x_crypto//ssh", ], ) @@ -37,7 +35,6 @@ go_test( deps = [ "//internal/cloud/metadata", "//internal/constants", - "//internal/crypto", "//internal/file", "//internal/grpc/atlscredentials", "//internal/grpc/dialer", @@ -52,7 +49,6 @@ go_test( "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/v1beta3", "@io_k8s_utils//clock/testing", "@org_golang_google_grpc//:grpc", - "@org_golang_x_crypto//ssh", "@org_uber_go_goleak//:goleak", ], ) diff --git a/bootstrapper/internal/joinclient/joinclient.go b/bootstrapper/internal/joinclient/joinclient.go index 706efe376..37c9e9b8f 100644 --- a/bootstrapper/internal/joinclient/joinclient.go +++ b/bootstrapper/internal/joinclient/joinclient.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* @@ -23,12 +23,10 @@ import ( "fmt" "log/slog" "net" - "os" "path/filepath" "strconv" "time" - "github.com/edgelesssys/constellation/v2/bootstrapper/internal/addresses" "github.com/edgelesssys/constellation/v2/bootstrapper/internal/certificate" "github.com/edgelesssys/constellation/v2/internal/attestation" "github.com/edgelesssys/constellation/v2/internal/cloud/metadata" 
@@ -39,7 +37,6 @@ import ( "github.com/edgelesssys/constellation/v2/internal/versions/components" "github.com/edgelesssys/constellation/v2/joinservice/joinproto" "github.com/spf13/afero" - "golang.org/x/crypto/ssh" "google.golang.org/grpc" kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3" kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" @@ -212,42 +209,6 @@ func (c *JoinClient) requestJoinTicket(serviceEndpoint string) (ticket *joinprot return nil, nil, err } - interfaces, err := net.Interfaces() - if err != nil { - c.log.With(slog.Any("error", err)).Error("Failed to get network interfaces") - return nil, nil, err - } - // Needed since go doesn't implicitly convert slices of structs to slices of interfaces - interfacesForFunc := make([]addresses.NetInterface, len(interfaces)) - for i := range interfaces { - interfacesForFunc[i] = &interfaces[i] - } - - principalList, err := addresses.GetMachineNetworkAddresses(interfacesForFunc) - if err != nil { - c.log.With(slog.Any("error", err)).Error("Failed to get network addresses") - return nil, nil, err - } - hostname, err := os.Hostname() - if err != nil { - c.log.With(slog.Any("error", err)).Error("Failed to get hostname") - return nil, nil, err - } - principalList = append(principalList, hostname) - - hostKeyData, err := c.fileHandler.Read(constants.SSHHostKeyPath) - if err != nil { - c.log.With(slog.Any("error", err)).Error("Failed to read SSH host key file") - return nil, nil, err - } - - hostKey, err := ssh.ParsePrivateKey(hostKeyData) - if err != nil { - c.log.With(slog.Any("error", err)).Error("Failed to parse SSH host key file") - return nil, nil, err - } - hostKeyPubSSH := hostKey.PublicKey() - conn, err := c.dialer.Dial(serviceEndpoint) if err != nil { c.log.With(slog.String("endpoint", serviceEndpoint), slog.Any("error", err)).Error("Join service unreachable") 
@@ -257,11 +218,9 @@ func (c *JoinClient) requestJoinTicket(serviceEndpoint string) (ticket *joinprot protoClient := joinproto.NewAPIClient(conn) req := &joinproto.IssueJoinTicketRequest{ - DiskUuid: c.diskUUID, - CertificateRequest: certificateRequest, - IsControlPlane: c.role == role.ControlPlane, - HostPublicKey: hostKeyPubSSH.Marshal(), - HostCertificatePrincipals: principalList, + DiskUuid: c.diskUUID, + CertificateRequest: certificateRequest, + IsControlPlane: c.role == role.ControlPlane, } ticket, err = protoClient.IssueJoinTicket(ctx, req) if err != nil { @@ -312,14 +271,6 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse, return fmt.Errorf("writing kubelet key: %w", err) } - if err := c.fileHandler.Write(constants.SSHCAKeyPath, ticket.AuthorizedCaPublicKey, file.OptMkdirAll); err != nil { - return fmt.Errorf("writing ssh ca key: %w", err) - } - - if err := c.fileHandler.Write(constants.SSHHostCertificatePath, ticket.HostCertificate, file.OptMkdirAll); err != nil { - return fmt.Errorf("writing ssh host certificate: %w", err) - } - state := nodestate.NodeState{ Role: c.role, MeasurementSalt: ticket.MeasurementSalt, diff --git a/bootstrapper/internal/joinclient/joinclient_test.go b/bootstrapper/internal/joinclient/joinclient_test.go index 0f96edaba..6a0b89f4b 100644 --- a/bootstrapper/internal/joinclient/joinclient_test.go +++ b/bootstrapper/internal/joinclient/joinclient_test.go @@ -1,18 +1,14 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package joinclient import ( "context" - "crypto/ed25519" - "encoding/pem" - "errors" "net" - "os" "strconv" "sync" "testing" 
@@ -20,7 +16,6 @@ import ( "github.com/edgelesssys/constellation/v2/internal/cloud/metadata" "github.com/edgelesssys/constellation/v2/internal/constants" - "github.com/edgelesssys/constellation/v2/internal/crypto" "github.com/edgelesssys/constellation/v2/internal/file" "github.com/edgelesssys/constellation/v2/internal/grpc/atlscredentials" "github.com/edgelesssys/constellation/v2/internal/grpc/dialer" @@ -33,7 +28,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "go.uber.org/goleak" - "golang.org/x/crypto/ssh" "google.golang.org/grpc" kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3" testclock "k8s.io/utils/clock/testing" 
@@ -56,73 +50,16 @@ func TestClient(t *testing.T) { {Role: role.ControlPlane, Name: "node-4", VPCIP: "192.0.2.2"}, {Role: role.ControlPlane, Name: "node-5", VPCIP: "192.0.2.3"}, } - caDerivationKey := make([]byte, 256) - respCaKey := &joinproto.IssueJoinTicketResponse{AuthorizedCaPublicKey: caDerivationKey} - - // TODO: fix test since keys are generated with systemd service - makeIssueJoinTicketAnswerWithValidCert := func(t *testing.T, originalAnswer issueJoinTicketAnswer, fh file.Handler) issueJoinTicketAnswer { - require := require.New(t) - - sshKeyBytes, err := fh.Read(constants.SSHHostKeyPath) - require.NoError(err) - sshKey, err := ssh.ParsePrivateKey(sshKeyBytes) - require.NoError(err) - _, randomCAKey, err := ed25519.GenerateKey(nil) - require.NoError(err) - randomCA, err := ssh.NewSignerFromSigner(randomCAKey) - require.NoError(err) - - cert, err := crypto.GenerateSSHHostCertificate([]string{"asdf"}, sshKey.PublicKey(), randomCA) - require.NoError(err) - - certBytes := ssh.MarshalAuthorizedKey(cert) - - if originalAnswer.resp == nil { - originalAnswer.resp = &joinproto.IssueJoinTicketResponse{HostCertificate: certBytes} - } else { - originalAnswer.resp.HostCertificate = certBytes - } - - return originalAnswer - } - - makeIssueJoinTicketAnswerWithInvalidCert := func(t *testing.T, originalAnswer issueJoinTicketAnswer) issueJoinTicketAnswer { - require := require.New(t) - _, randomCAKey, err := ed25519.GenerateKey(nil) - require.NoError(err) - randomCA, err := ssh.NewSignerFromSigner(randomCAKey) - require.NoError(err) - - randomKey, _, err := ed25519.GenerateKey(nil) - require.NoError(err) - randomSSHKey, err := ssh.NewPublicKey(randomKey) - require.NoError(err) - - cert, err := crypto.GenerateSSHHostCertificate([]string{"asdf"}, randomSSHKey, randomCA) - require.NoError(err) - - certBytes := ssh.MarshalAuthorizedKey(cert) - - if originalAnswer.resp == nil { - originalAnswer.resp = &joinproto.IssueJoinTicketResponse{HostCertificate: certBytes} - } else { - 
originalAnswer.resp.HostCertificate = certBytes - } - - return originalAnswer - } testCases := map[string]struct { - role role.Role - clusterJoiner *stubClusterJoiner - disk encryptedDisk - nodeLock *fakeLock - apiAnswers []any - wantLock bool - wantJoin bool - wantNumJoins int - wantNotMatchingCert bool - wantCertNotExisting bool + role role.Role + clusterJoiner *stubClusterJoiner + disk encryptedDisk + nodeLock *fakeLock + apiAnswers []any + wantLock bool + wantJoin bool + wantNumJoins int }{ "on worker: metadata self: errors occur": { role: role.Worker, @@ -132,7 +69,7 @@ func TestClient(t *testing.T) { selfAnswer{err: assert.AnError}, selfAnswer{instance: workerSelf}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), @@ -140,23 +77,6 @@ func TestClient(t *testing.T) { wantJoin: true, wantLock: true, }, - "on worker: SSH host cert not matching": { - role: role.Worker, - apiAnswers: []any{ - selfAnswer{err: assert.AnError}, - selfAnswer{err: assert.AnError}, - selfAnswer{err: assert.AnError}, - selfAnswer{instance: workerSelf}, - listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, - }, - clusterJoiner: &stubClusterJoiner{}, - nodeLock: newFakeLock(), - disk: &stubDisk{}, - wantJoin: true, - wantLock: true, - wantNotMatchingCert: true, - }, "on worker: metadata self: invalid answer": { role: role.Worker, apiAnswers: []any{ @@ -165,7 +85,7 @@ func TestClient(t *testing.T) { selfAnswer{instance: metadata.InstanceMetadata{Name: "node-1"}}, selfAnswer{instance: workerSelf}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), 
@@ -181,7 +101,7 @@ func TestClient(t *testing.T) { listAnswer{err: assert.AnError}, listAnswer{err: assert.AnError}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), @@ -197,7 +117,7 @@ func TestClient(t *testing.T) { listAnswer{}, listAnswer{}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), @@ -214,7 +134,7 @@ func TestClient(t *testing.T) { listAnswer{instances: peers}, issueJoinTicketAnswer{err: assert.AnError}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), @@ -231,7 +151,7 @@ func TestClient(t *testing.T) { listAnswer{instances: peers}, issueJoinTicketAnswer{err: assert.AnError}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{}, nodeLock: newFakeLock(), @@ -244,7 +164,7 @@ func TestClient(t *testing.T) { apiAnswers: []any{ selfAnswer{instance: controlSelf}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{numBadCalls: -1, joinClusterErr: assert.AnError}, nodeLock: newFakeLock(), @@ -257,7 +177,7 @@ func TestClient(t *testing.T) { apiAnswers: []any{ selfAnswer{instance: controlSelf}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, clusterJoiner: &stubClusterJoiner{numBadCalls: 1, joinClusterErr: assert.AnError}, nodeLock: newFakeLock(), 
@@ -271,45 +191,35 @@ func TestClient(t *testing.T) { apiAnswers: []any{ selfAnswer{instance: controlSelf}, listAnswer{instances: peers}, - issueJoinTicketAnswer{resp: respCaKey}, + issueJoinTicketAnswer{}, }, - clusterJoiner: &stubClusterJoiner{}, - nodeLock: lockedLock, - disk: &stubDisk{}, - wantLock: true, - wantCertNotExisting: true, + clusterJoiner: &stubClusterJoiner{}, + nodeLock: lockedLock, + disk: &stubDisk{}, + wantLock: true, }, "on control plane: disk open fails": { - role: role.ControlPlane, - clusterJoiner: &stubClusterJoiner{}, - nodeLock: newFakeLock(), - disk: &stubDisk{openErr: assert.AnError}, - wantCertNotExisting: true, + role: role.ControlPlane, + clusterJoiner: &stubClusterJoiner{}, + nodeLock: newFakeLock(), + disk: &stubDisk{openErr: assert.AnError}, }, "on control plane: disk uuid fails": { - role: role.ControlPlane, - clusterJoiner: &stubClusterJoiner{}, - nodeLock: newFakeLock(), - disk: &stubDisk{uuidErr: assert.AnError}, - wantCertNotExisting: true, + role: role.ControlPlane, + clusterJoiner: &stubClusterJoiner{}, + nodeLock: newFakeLock(), + disk: &stubDisk{uuidErr: assert.AnError}, }, } for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) - require := require.New(t) clock := testclock.NewFakeClock(time.Now()) metadataAPI := newStubMetadataAPI() fileHandler := file.NewHandler(afero.NewMemMapFs()) - _, hostKey, err := ed25519.GenerateKey(nil) - require.NoError(err) - hostKeyPEM, err := ssh.MarshalPrivateKey(hostKey, "hostkey") - require.NoError(err) - require.NoError(fileHandler.Write(constants.SSHHostKeyPath, pem.EncodeToMemory(hostKeyPEM), file.OptMkdirAll)) - netDialer := testdialer.NewBufconnDialer() dialer := dialer.New(nil, nil, netDialer) 
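Review bot: Dropping `require := require.New(t)` together with the host-key generation leaves `require`, `ed25519`, `pem`, `ssh` and `constants` without a reference in the part of TestClient visible here; the import block sits above this chunk, so confirm it was pruned in the same commit, because Go rejects both an unused import and an unused local. The empty `issueJoinTicketAnswer{}` now feeds a zero-value response into every join case, which still exercises the lock and join paths, but as far as this chunk shows no case covers a populated ticket response any more; if the join client reads any field of that response, one case with a non-empty answer would keep that path tested. TestClient continues past the end of this hunk.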
@@ -347,43 +257,13 @@ func TestClient(t *testing.T) { case listAnswer: metadataAPI.listAnswerC <- a case issueJoinTicketAnswer: - var answer issueJoinTicketAnswer - if tc.wantNotMatchingCert { - answer = makeIssueJoinTicketAnswerWithInvalidCert(t, a) - } else { - answer = makeIssueJoinTicketAnswerWithValidCert(t, a, fileHandler) - } - joinserviceAPI.issueJoinTicketAnswerC <- answer + joinserviceAPI.issueJoinTicketAnswerC <- a } clock.Step(time.Second) } client.Stop() - if !tc.wantCertNotExisting { - hostCertBytes, err := fileHandler.Read(constants.SSHHostCertificatePath) - require.NoError(err) - hostKeyBytes, err := fileHandler.Read(constants.SSHHostKeyPath) - require.NoError(err) - - hostCertKey, _, _, _, err := ssh.ParseAuthorizedKey(hostCertBytes) - require.NoError(err) - hostCert, ok := hostCertKey.(*ssh.Certificate) - require.True(ok) - - hostKey, err := ssh.ParsePrivateKey(hostKeyBytes) - require.NoError(err) - - if !tc.wantNotMatchingCert { - assert.Equal(hostKey.PublicKey().Marshal(), hostCert.Key.Marshal()) - } else { - assert.NotEqual(hostKey.PublicKey().Marshal(), hostCert.Key.Marshal()) - } - } else { - _, err := fileHandler.Stat(constants.SSHHostCertificatePath) - require.True(errors.Is(err, os.ErrNotExist)) - } - if tc.wantJoin { assert.Greater(tc.clusterJoiner.joinClusterCalled, 0) } else { diff --git a/bootstrapper/internal/journald/journald.go b/bootstrapper/internal/journald/journald.go index 5e06370b2..bf040a1a0 100644 --- a/bootstrapper/internal/journald/journald.go +++ b/bootstrapper/internal/journald/journald.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/bootstrapper/internal/journald/journald_test.go b/bootstrapper/internal/journald/journald_test.go index b617d10ac..8bf022aec 100644 --- a/bootstrapper/internal/journald/journald_test.go +++ b/bootstrapper/internal/journald/journald_test.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package journald diff --git a/bootstrapper/internal/kubernetes/cloud_provider.go b/bootstrapper/internal/kubernetes/cloud_provider.go index 8b92826c3..39023ea82 100644 --- a/bootstrapper/internal/kubernetes/cloud_provider.go +++ b/bootstrapper/internal/kubernetes/cloud_provider.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubernetes diff --git a/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel b/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel index 968a2b011..ef87085bd 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel +++ b/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel @@ -28,7 +28,6 @@ go_library( "@io_k8s_kubelet//config/v1beta1", "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/v1beta3", "@io_k8s_kubernetes//cmd/kubeadm/app/constants", - "@org_golang_x_mod//semver", ], ) diff --git a/bootstrapper/internal/kubernetes/k8sapi/k8sapi.go b/bootstrapper/internal/kubernetes/k8sapi/k8sapi.go index d5c1c1f35..72565b30a 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/k8sapi.go +++ b/bootstrapper/internal/kubernetes/k8sapi/k8sapi.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package k8sapi is used to interact with the Kubernetes API to create or update required resources. diff --git a/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go b/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go index 1cbf88a9b..d2ec6e78f 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go +++ b/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package k8sapi 
@@ -87,6 +87,7 @@ func (k *KubernetesUtil) InstallComponents(ctx context.Context, kubernetesCompon func (k *KubernetesUtil) InitCluster( ctx context.Context, initConfig []byte, nodeName, clusterName string, ips []net.IP, conformanceMode bool, log *slog.Logger, ) ([]byte, error) { + // TODO(3u13r): audit policy should be user input auditPolicy, err := resources.NewDefaultAuditPolicy().Marshal() if err != nil { return nil, fmt.Errorf("generating default audit policy: %w", err) @@ -185,6 +186,7 @@ func (k *KubernetesUtil) InitCluster( // JoinCluster joins existing Kubernetes cluster using kubeadm join. func (k *KubernetesUtil) JoinCluster(ctx context.Context, joinConfig []byte, log *slog.Logger) error { + // TODO(3u13r): audit policy should be user input auditPolicy, err := resources.NewDefaultAuditPolicy().Marshal() if err != nil { return fmt.Errorf("generating default audit policy: %w", err) diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go index ca431441e..430839a46 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go +++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package k8sapi @@ -12,7 +12,6 @@ import ( "github.com/edgelesssys/constellation/v2/bootstrapper/internal/certificate" "github.com/edgelesssys/constellation/v2/internal/constants" "github.com/edgelesssys/constellation/v2/internal/kubernetes" - "golang.org/x/mod/semver" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" kubeletconf "k8s.io/kubelet/config/v1beta1" 
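Review bot: The added `// TODO(3u13r): audit policy should be user input` in InitCluster, and the identical one in JoinCluster in the next hunk, name a gap without saying what is shipped meanwhile or where the work is tracked; since the audit policy decides which API-server requests are logged at all, an operator reading this should not have to guess. Suggest `// TODO(3u13r): audit policy should be user input; until then every node is bootstrapped with resources.NewDefaultAuditPolicy() (tracked in <issue>).` at both sites, and consider moving the duplicated marshal-and-wrap-error sequence into one small helper so the policy source is changed in a single place when the TODO is resolved. Both enclosing functions extend beyond their hunks.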
@@ -39,7 +38,7 @@ func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, cl cloudProvider = "external" } - initConfig := KubeadmInitYAML{ + return KubeadmInitYAML{ InitConfiguration: kubeadm.InitConfiguration{ TypeMeta: metav1.TypeMeta{ APIVersion: kubeadm.SchemeGroupVersion.String(), @@ -158,11 +157,6 @@ func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, cl TLSPrivateKeyFile: certificate.KeyFilename, }, } - - if semver.Compare(clusterVersion, "v1.31.0") >= 0 { - initConfig.ClusterConfiguration.FeatureGates = map[string]bool{"ControlPlaneKubeletLocalMode": true} - } - return initConfig } // JoinConfiguration returns a new kubeadm join configuration. diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go index bf9b68a64..6fef72a88 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go +++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package k8sapi diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy.go b/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy.go index 9968c982f..8d3679d0a 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package resources diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy_test.go b/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy_test.go index 3f9d08914..6889cec05 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy_test.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy_test.go 
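Review bot: With the `semver.Compare(clusterVersion, "v1.31.0")` branch removed, InitConfiguration returns the same ClusterConfiguration for every version and the `clusterVersion` parameter appears to have no remaining reader in the visible body (the signature is cut off in the hunk header, so verify). If Kubernetes v1.31 or newer is still in the supported version list, clusters on those versions silently lose the `ControlPlaneKubeletLocalMode` feature gate, which going by its name changes how control-plane kubelets reach the API server during bootstrap; that deserves either a version guard or a comment stating that this build targets only versions below v1.31. A `// clusterVersion is currently unused; the v1.31+ feature-gate handling was dropped on purpose` note on the signature would make the intent explicit. The function starts before this hunk.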
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package resources diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/resources.go b/bootstrapper/internal/kubernetes/k8sapi/resources/resources.go index b7d4bd86f..d7dc58c49 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/resources.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/resources.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package resources contains Kubernetes configs and policies for Constellation. diff --git a/bootstrapper/internal/kubernetes/k8sapi/systemd.go b/bootstrapper/internal/kubernetes/k8sapi/systemd.go index c12484737..7ac800f3a 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/systemd.go +++ b/bootstrapper/internal/kubernetes/k8sapi/systemd.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package k8sapi diff --git a/bootstrapper/internal/kubernetes/k8sutil.go b/bootstrapper/internal/kubernetes/k8sutil.go index 3752d8087..1faf6c3cf 100644 --- a/bootstrapper/internal/kubernetes/k8sutil.go +++ b/bootstrapper/internal/kubernetes/k8sutil.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubernetes diff --git a/bootstrapper/internal/kubernetes/kubernetes.go b/bootstrapper/internal/kubernetes/kubernetes.go index 4c09ed783..13c387d23 100644 --- a/bootstrapper/internal/kubernetes/kubernetes.go +++ b/bootstrapper/internal/kubernetes/kubernetes.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package kubernetes provides functionality to bootstrap a Kubernetes cluster, or join an exiting one. 
diff --git a/bootstrapper/internal/kubernetes/kubernetes_test.go b/bootstrapper/internal/kubernetes/kubernetes_test.go index 02051bd5d..bef50253d 100644 --- a/bootstrapper/internal/kubernetes/kubernetes_test.go +++ b/bootstrapper/internal/kubernetes/kubernetes_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubernetes @@ -201,7 +201,7 @@ func TestInitCluster(t *testing.T) { } _, err := kube.InitCluster( - t.Context(), string(tc.k8sVersion), "kubernetes", + context.Background(), string(tc.k8sVersion), "kubernetes", false, nil, nil, "", ) @@ -384,7 +384,7 @@ func TestJoinCluster(t *testing.T) { log: logger.NewTest(t), } - err := kube.JoinCluster(t.Context(), joinCommand, tc.role, tc.k8sComponents) + err := kube.JoinCluster(context.Background(), joinCommand, tc.role, tc.k8sComponents) if tc.wantErr { assert.Error(err) return diff --git a/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter.go b/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter.go index 956f8dd0d..64ef2abfc 100644 --- a/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter.go +++ b/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package kubewaiter is used to wait for the Kubernetes API to be available. diff --git a/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter_test.go b/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter_test.go index c284bf3aa..fe51e2dbb 100644 --- a/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter_test.go +++ b/bootstrapper/internal/kubernetes/kubewaiter/kubewaiter_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubewaiter 
@@ -39,7 +39,7 @@ func TestCloudKubeAPIWaiter(t *testing.T) { require := require.New(t) waiter := &CloudKubeAPIWaiter{} - ctx, cancel := context.WithTimeout(t.Context(), 0) + ctx, cancel := context.WithTimeout(context.Background(), 0) defer cancel() err := waiter.Wait(ctx, tc.kubeClient) if tc.wantErr { diff --git a/bootstrapper/internal/logging/logger.go b/bootstrapper/internal/logging/logger.go index a24a5a24f..b14f5668f 100644 --- a/bootstrapper/internal/logging/logger.go +++ b/bootstrapper/internal/logging/logger.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package logging provides an interface for logging information to a non-confidential destination diff --git a/bootstrapper/internal/nodelock/nodelock.go b/bootstrapper/internal/nodelock/nodelock.go index 973877493..2a3865c8d 100644 --- a/bootstrapper/internal/nodelock/nodelock.go +++ b/bootstrapper/internal/nodelock/nodelock.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package nodelock handles locking operations on the node. diff --git a/bootstrapper/internal/nodelock/nodelock_test.go b/bootstrapper/internal/nodelock/nodelock_test.go index 967432d6a..c5738fec1 100644 --- a/bootstrapper/internal/nodelock/nodelock_test.go +++ b/bootstrapper/internal/nodelock/nodelock_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package nodelock diff --git a/bootstrapper/internal/reboot/reboot_cross.go b/bootstrapper/internal/reboot/reboot_cross.go index 48c638c40..708749461 100644 --- a/bootstrapper/internal/reboot/reboot_cross.go +++ b/bootstrapper/internal/reboot/reboot_cross.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package reboot 
diff --git a/bootstrapper/internal/reboot/reboot_linux.go b/bootstrapper/internal/reboot/reboot_linux.go index 7b2b8847e..c39d1cce9 100644 --- a/bootstrapper/internal/reboot/reboot_linux.go +++ b/bootstrapper/internal/reboot/reboot_linux.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package reboot diff --git a/cli/cmd/root.go b/cli/cmd/root.go index 1826812fa..6baaf3f1f 100644 --- a/cli/cmd/root.go +++ b/cli/cmd/root.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* @@ -61,7 +61,6 @@ func NewRootCmd() *cobra.Command { rootCmd.AddCommand(cmd.NewIAMCmd()) rootCmd.AddCommand(cmd.NewVersionCmd()) rootCmd.AddCommand(cmd.NewInitCmd()) - rootCmd.AddCommand(cmd.NewSSHCmd()) rootCmd.AddCommand(cmd.NewMaaPatchCmd()) return rootCmd diff --git a/cli/internal/cloudcmd/apply.go b/cli/internal/cloudcmd/apply.go index c3b9210c1..59e07de51 100644 --- a/cli/internal/cloudcmd/apply.go +++ b/cli/internal/cloudcmd/apply.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd diff --git a/cli/internal/cloudcmd/apply_test.go b/cli/internal/cloudcmd/apply_test.go index f64b6afb9..47217362f 100644 --- a/cli/internal/cloudcmd/apply_test.go +++ b/cli/internal/cloudcmd/apply_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd 
@@ -185,14 +185,14 @@ func TestApplier(t *testing.T) { out: &bytes.Buffer{}, } - diff, err := applier.Plan(t.Context(), tc.config) + diff, err := applier.Plan(context.Background(), tc.config) if err != nil { assert.True(tc.wantErr, "unexpected error: %s", err) return } assert.False(diff) - idFile, err := applier.Apply(t.Context(), tc.provider, tc.config.GetAttestationConfig().GetVariant(), true) + idFile, err := applier.Apply(context.Background(), tc.provider, tc.config.GetAttestationConfig().GetVariant(), true) if tc.wantErr { assert.Error(err) @@ -303,7 +303,7 @@ func TestPlan(t *testing.T) { cfg := config.Default() cfg.RemoveProviderAndAttestationExcept(cloudprovider.Azure) - diff, err := u.Plan(t.Context(), cfg) + diff, err := u.Plan(context.Background(), cfg) if tc.wantErr { require.Error(err) } else { @@ -352,7 +352,7 @@ func TestApply(t *testing.T) { out: io.Discard, } - _, err := u.Apply(t.Context(), cloudprovider.QEMU, variant.QEMUVTPM{}, WithoutRollbackOnError) + _, err := u.Apply(context.Background(), cloudprovider.QEMU, variant.QEMUVTPM{}, WithoutRollbackOnError) if tc.wantErr { assert.Error(err) } else { diff --git a/cli/internal/cloudcmd/clients.go b/cli/internal/cloudcmd/clients.go index 897610f80..75858f19c 100644 --- a/cli/internal/cloudcmd/clients.go +++ b/cli/internal/cloudcmd/clients.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd diff --git a/cli/internal/cloudcmd/clients_test.go b/cli/internal/cloudcmd/clients_test.go index fa6985ab1..770907a39 100644 --- a/cli/internal/cloudcmd/clients_test.go +++ b/cli/internal/cloudcmd/clients_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd diff --git a/cli/internal/cloudcmd/cloudcmd.go b/cli/internal/cloudcmd/cloudcmd.go index 17ce6bc93..12c6e2879 100644 --- a/cli/internal/cloudcmd/cloudcmd.go 
+++ b/cli/internal/cloudcmd/cloudcmd.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/cli/internal/cloudcmd/iam.go b/cli/internal/cloudcmd/iam.go index c02116775..e73f2854d 100644 --- a/cli/internal/cloudcmd/iam.go +++ b/cli/internal/cloudcmd/iam.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd @@ -91,7 +91,6 @@ type GCPIAMConfig struct { Zone string ProjectID string ServiceAccountID string - NamePrefix string } // AzureIAMConfig holds the necessary values for Azure IAM configuration. @@ -142,7 +141,6 @@ func (c *IAMCreator) createGCP(ctx context.Context, cl tfIAMClient, opts *IAMCon vars := terraform.GCPIAMVariables{ ServiceAccountID: opts.GCP.ServiceAccountID, - NamePrefix: opts.GCP.NamePrefix, Project: opts.GCP.ProjectID, Region: opts.GCP.Region, Zone: opts.GCP.Zone, @@ -160,8 +158,7 @@ func (c *IAMCreator) createGCP(ctx context.Context, cl tfIAMClient, opts *IAMCon return IAMOutput{ CloudProvider: cloudprovider.GCP, GCPOutput: GCPIAMOutput{ - ServiceAccountKey: iamOutput.GCP.SaKey, - IAMServiceAccountVM: iamOutput.GCP.ServiceAccountVMMailAddress, + ServiceAccountKey: iamOutput.GCP.SaKey, }, }, nil } @@ -235,8 +232,7 @@ type IAMOutput struct { // GCPIAMOutput contains the output information of a GCP IAM configuration. type GCPIAMOutput struct { - ServiceAccountKey string `json:"serviceAccountID,omitempty"` - IAMServiceAccountVM string `json:"iamServiceAccountVM,omitempty"` + ServiceAccountKey string `json:"serviceAccountID,omitempty"` } // AzureIAMOutput contains the output information of a Microsoft Azure IAM configuration. diff --git a/cli/internal/cloudcmd/iam_test.go b/cli/internal/cloudcmd/iam_test.go index be865bbd2..ff198c51c 100644 --- a/cli/internal/cloudcmd/iam_test.go +++ b/cli/internal/cloudcmd/iam_test.go 
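Review bot: The realigned `ServiceAccountKey string `json:"serviceAccountID,omitempty"`` keeps a JSON key that reads as an identifier for a field that, going by its name and the `iamOutput.GCP.SaKey` source in createGCP, presumably carries service-account key material; renaming the tag would break existing IAM output files, so the mismatch should at least be documented where the next reader will trip over it. Suggest `// ServiceAccountKey holds the GCP service account key (presumably secret material; do not log); the JSON name "serviceAccountID" is historical and kept for compatibility.` above the field. GCPIAMOutput is fully inside the hunk.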
@@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd @@ -128,7 +128,7 @@ func TestIAMCreator(t *testing.T) { }, } - idFile, err := creator.Create(t.Context(), tc.provider, tc.config) + idFile, err := creator.Create(context.Background(), tc.provider, tc.config) if tc.wantErr { assert.Error(err) @@ -184,7 +184,7 @@ func TestDestroyIAMConfiguration(t *testing.T) { return tc.tfClient, nil }} - err := destroyer.DestroyIAMConfiguration(t.Context(), "", terraform.LogLevelNone) + err := destroyer.DestroyIAMConfiguration(context.Background(), "", terraform.LogLevelNone) if tc.wantErr { assert.Error(err) @@ -278,7 +278,7 @@ func TestGetTfstateServiceAccountKey(t *testing.T) { return tc.cl, nil }} - saKey, err := destroyer.GetTfStateServiceAccountKey(t.Context(), "") + saKey, err := destroyer.GetTfStateServiceAccountKey(context.Background(), "") if tc.wantErr { assert.Error(err) diff --git a/cli/internal/cloudcmd/iamupgrade.go b/cli/internal/cloudcmd/iamupgrade.go index 366b771ca..729af5d29 100644 --- a/cli/internal/cloudcmd/iamupgrade.go +++ b/cli/internal/cloudcmd/iamupgrade.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd diff --git a/cli/internal/cloudcmd/rollback.go b/cli/internal/cloudcmd/rollback.go index bdf14e42c..7d894cd2f 100644 --- a/cli/internal/cloudcmd/rollback.go +++ b/cli/internal/cloudcmd/rollback.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd diff --git a/cli/internal/cloudcmd/rollback_test.go b/cli/internal/cloudcmd/rollback_test.go index 85ad8d3f7..320dd1745 100644 --- a/cli/internal/cloudcmd/rollback_test.go +++ b/cli/internal/cloudcmd/rollback_test.go 
@@ -1,13 +1,14 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd import ( "bytes" + "context" "errors" "testing" @@ -45,7 +46,7 @@ func TestRollbackTerraform(t *testing.T) { } destroyClusterErrOutput := &bytes.Buffer{} - err := rollbacker.rollback(t.Context(), destroyClusterErrOutput, terraform.LogLevelNone) + err := rollbacker.rollback(context.Background(), destroyClusterErrOutput, terraform.LogLevelNone) if tc.wantCleanupErr { assert.Error(err) if tc.tfClient.cleanUpWorkspaceErr == nil { @@ -106,7 +107,7 @@ func TestRollbackQEMU(t *testing.T) { destroyClusterErrOutput := &bytes.Buffer{} - err := rollbacker.rollback(t.Context(), destroyClusterErrOutput, terraform.LogLevelNone) + err := rollbacker.rollback(context.Background(), destroyClusterErrOutput, terraform.LogLevelNone) if tc.wantErr { assert.Error(err) if tc.tfClient.cleanUpWorkspaceErr == nil { diff --git a/cli/internal/cloudcmd/serviceaccount.go b/cli/internal/cloudcmd/serviceaccount.go index 81a15dbe3..7c54a0b9f 100644 --- a/cli/internal/cloudcmd/serviceaccount.go +++ b/cli/internal/cloudcmd/serviceaccount.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd diff --git a/cli/internal/cloudcmd/terminate.go b/cli/internal/cloudcmd/terminate.go index 3cb9cccaa..4005afa9a 100644 --- a/cli/internal/cloudcmd/terminate.go +++ b/cli/internal/cloudcmd/terminate.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd diff --git a/cli/internal/cloudcmd/terminate_test.go b/cli/internal/cloudcmd/terminate_test.go index 1b72b3458..1d9f0232c 100644 --- a/cli/internal/cloudcmd/terminate_test.go +++ b/cli/internal/cloudcmd/terminate_test.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd @@ -63,7 +63,7 @@ func TestTerminator(t *testing.T) { }, } - err := terminator.Terminate(t.Context(), "", terraform.LogLevelNone) + err := terminator.Terminate(context.Background(), "", terraform.LogLevelNone) if tc.wantErr { assert.Error(err) diff --git a/cli/internal/cloudcmd/tfplan.go b/cli/internal/cloudcmd/tfplan.go index 7fed5de2a..ddcccc72d 100644 --- a/cli/internal/cloudcmd/tfplan.go +++ b/cli/internal/cloudcmd/tfplan.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd diff --git a/cli/internal/cloudcmd/tfplan_test.go b/cli/internal/cloudcmd/tfplan_test.go index f4a2b4f5d..3cad299c1 100644 --- a/cli/internal/cloudcmd/tfplan_test.go +++ b/cli/internal/cloudcmd/tfplan_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd @@ -101,7 +101,7 @@ func TestTFPlan(t *testing.T) { fs := tc.prepareFs(require.New(t)) hasDiff, planErr := plan( - t.Context(), tc.tf, fs, io.Discard, terraform.LogLevelDebug, + context.Background(), tc.tf, fs, io.Discard, terraform.LogLevelDebug, &terraform.QEMUVariables{}, templateDir, existingWorkspace, backupDir, ) diff --git a/cli/internal/cloudcmd/tfvars.go b/cli/internal/cloudcmd/tfvars.go index 0bcbb690e..aab752aca 100644 --- a/cli/internal/cloudcmd/tfvars.go +++ b/cli/internal/cloudcmd/tfvars.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd 
@@ -231,7 +231,6 @@ func gcpTerraformVars(conf *config.Config, imageRef string) *terraform.GCPCluste InternalLoadBalancer: conf.InternalLoadBalancer, CCTechnology: ccTech, AdditionalLabels: conf.Tags, - IAMServiceAccountVM: conf.Provider.GCP.IAMServiceAccountVM, } } @@ -241,7 +240,6 @@ func gcpTerraformIAMVars(conf *config.Config, oldVars terraform.GCPIAMVariables) Region: conf.Provider.GCP.Region, Zone: conf.Provider.GCP.Zone, ServiceAccountID: oldVars.ServiceAccountID, - NamePrefix: oldVars.NamePrefix, } } @@ -367,7 +365,7 @@ func qemuTerraformVars( ImagePath: imagePath, ImageFormat: conf.Provider.QEMU.ImageFormat, NodeGroups: nodeGroups, - Machine: "q35", + Machine: "q35", // TODO(elchead): make configurable AB#3225 MetadataAPIImage: conf.Provider.QEMU.MetadataAPIImage, MetadataLibvirtURI: metadataLibvirtURI, NVRAM: conf.Provider.QEMU.NVRAM, diff --git a/cli/internal/cloudcmd/tfvars_test.go b/cli/internal/cloudcmd/tfvars_test.go index dc249bee0..1a6b2a875 100644 --- a/cli/internal/cloudcmd/tfvars_test.go +++ b/cli/internal/cloudcmd/tfvars_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd diff --git a/cli/internal/cmd/BUILD.bazel b/cli/internal/cmd/BUILD.bazel index bc6a71a50..828a63d5b 100644 --- a/cli/internal/cmd/BUILD.bazel +++ b/cli/internal/cmd/BUILD.bazel @@ -37,7 +37,6 @@ go_library( "miniup_linux_amd64.go", "recover.go", "spinner.go", - "ssh.go", "status.go", "terminate.go", "upgrade.go", @@ -117,8 +116,6 @@ go_library( "//internal/attestation/azure/tdx", "@com_github_google_go_sev_guest//proto/sevsnp", "@com_github_google_go_tpm_tools//proto/attest", - "@org_golang_x_crypto//ssh", - "//internal/kms/setup", ] + select({ "@io_bazel_rules_go//go/platform:android_amd64": [ "@org_golang_x_sys//unix", 
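Review bot: The new trailing comment `Machine: "q35", // TODO(elchead): make configurable AB#3225` cites a tracker id that is not resolvable from the repository, so a reader cannot find the scope or status of the item; prefer a public issue URL, or at least say what the constraint is, e.g. `Machine: "q35", // TODO(elchead): make configurable; q35 is hard-coded for now (AB#3225)`. The surrounding qemuTerraformVars body starts before this hunk.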
@@ -145,7 +142,6 @@ go_test( "maapatch_test.go", "recover_test.go", "spinner_test.go", - "ssh_test.go", "status_test.go", "terminate_test.go", "upgradeapply_test.go", @@ -205,7 +201,6 @@ go_test( "@org_golang_google_grpc//:grpc", "@org_golang_google_grpc//codes", "@org_golang_google_grpc//status", - "@org_golang_x_crypto//ssh", "@org_golang_x_mod//semver", "@org_uber_go_goleak//:goleak", ], diff --git a/cli/internal/cmd/apply.go b/cli/internal/cmd/apply.go index d65337a0c..d4390db21 100644 --- a/cli/internal/cmd/apply.go +++ b/cli/internal/cmd/apply.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd @@ -14,6 +14,7 @@ import ( "io" "io/fs" "log/slog" + "net" "os" "path/filepath" "slices" @@ -228,7 +229,7 @@ func runApply(cmd *cobra.Command, _ []string) error { } newDialer := func(validator atls.Validator) *dialer.Dialer { - return dialer.New(nil, validator, nil) + return dialer.New(nil, validator, &net.Dialer{}) } upgradeID := generateUpgradeID(upgradeCmdKindApply) @@ -367,7 +368,7 @@ func (a *applyCmd) apply( // Check current Terraform state, if it exists and infrastructure upgrades are not skipped, // and apply migrations if necessary. if !a.flags.skipPhases.contains(skipInfrastructurePhase) { - if err := a.runTerraformApply(cmd, conf, stateFile, upgradeDir, a.flags.yes); err != nil { + if err := a.runTerraformApply(cmd, conf, stateFile, upgradeDir); err != nil { return fmt.Errorf("applying Terraform configuration: %w", err) } } diff --git a/cli/internal/cmd/apply_test.go b/cli/internal/cmd/apply_test.go index 9df359668..17c03f33f 100644 --- a/cli/internal/cmd/apply_test.go +++ b/cli/internal/cmd/apply_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd 
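Review bot: `dialer.New(nil, validator, &net.Dialer{})` passes a zero-value net.Dialer, so no Timeout or KeepAlive is set at the transport level; unless dialer.New or every call through it supplies a context with a deadline, a node that completes the TCP handshake and then stalls can block `apply` indefinitely. If dialer.New mapped the previous `nil` to an equivalent default this is a no-op, otherwise consider a bounded `Timeout` on the net.Dialer or a comment at this line stating that deadlines are expected to come from the caller's context. runApply continues beyond this hunk.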
@@ -199,7 +199,7 @@ func TestBackupHelmCharts(t *testing.T) { log: logger.NewTest(t), } - err := a.backupHelmCharts(t.Context(), tc.helmApplier, tc.includesUpgrades, "") + err := a.backupHelmCharts(context.Background(), tc.helmApplier, tc.includesUpgrades, "") if tc.wantErr { assert.Error(err) return @@ -256,7 +256,6 @@ func TestValidateInputs(t *testing.T) { ClientX509CertURL: "client_cert", })) cfg.Provider.GCP.ServiceAccountKeyPath = "saKey.json" - cfg.Provider.GCP.IAMServiceAccountVM = "example@example.com" } require.NoError(fh.WriteYAML(constants.ConfigFilename, cfg)) diff --git a/cli/internal/cmd/applyhelm.go b/cli/internal/cmd/applyhelm.go index 2626da306..9b6ba7d69 100644 --- a/cli/internal/cmd/applyhelm.go +++ b/cli/internal/cmd/applyhelm.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/applyinit.go b/cli/internal/cmd/applyinit.go index 2bdaa32f8..e3e99b0b4 100644 --- a/cli/internal/cmd/applyinit.go +++ b/cli/internal/cmd/applyinit.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/applyterraform.go b/cli/internal/cmd/applyterraform.go index 14cba64e4..668ad0eed 100644 --- a/cli/internal/cmd/applyterraform.go +++ b/cli/internal/cmd/applyterraform.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd 
@@ -22,7 +22,7 @@ import ( ) // runTerraformApply checks if changes to Terraform are required and applies them. -func (a *applyCmd) runTerraformApply(cmd *cobra.Command, conf *config.Config, stateFile *state.State, upgradeDir string, yesFlag bool) error { +func (a *applyCmd) runTerraformApply(cmd *cobra.Command, conf *config.Config, stateFile *state.State, upgradeDir string) error { a.log.Debug("Checking if Terraform migrations are required") terraformClient, removeClient, err := a.newInfraApplier(cmd.Context()) if err != nil { @@ -36,20 +36,6 @@ func (a *applyCmd) runTerraformApply(cmd *cobra.Command, conf *config.Config, st return fmt.Errorf("checking if Terraform workspace is empty: %w", err) } - if !isNewCluster && cloudcmd.UpgradeRequiresIAMMigration(conf.GetProvider()) { - cmd.Println("WARNING: This upgrade requires an IAM migration. Please make sure you have applied the IAM migration using `iam upgrade apply` before continuing.") - if !yesFlag { - yes, err := askToConfirm(cmd, "Did you upgrade the IAM resources?") - if err != nil { - return fmt.Errorf("asking for confirmation: %w", err) - } - if !yes { - cmd.Println("Skipping upgrade.") - return nil - } - } - } - if changesRequired, err := a.planTerraformChanges(cmd, conf, terraformClient); err != nil { return fmt.Errorf("planning Terraform migrations: %w", err) } else if !changesRequired { diff --git a/cli/internal/cmd/cloud.go b/cli/internal/cmd/cloud.go index e16e2331e..82a699a7f 100644 --- a/cli/internal/cmd/cloud.go +++ b/cli/internal/cmd/cloud.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/cloud_test.go b/cli/internal/cmd/cloud_test.go index 20ba89808..d4844d092 100644 --- a/cli/internal/cmd/cloud_test.go +++ b/cli/internal/cmd/cloud_test.go 
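Review bot: With the IAM-migration prompt gone, runTerraformApply goes straight from the workspace check to planning, so an upgrade whose Terraform plan depends on migrated IAM resources is no longer stopped before changes are applied; if `cloudcmd.UpgradeRequiresIAMMigration` still reports true for any provider, the apply will now fail midway or proceed with stale permissions and no warning to the operator. If the gate was removed because no provider needs the migration any more, say so at the spot, e.g. `// No IAM migration gate: no supported provider currently requires one before infrastructure changes.`, so a future provider-side IAM change is not applied silently. `isNewCluster`, assigned just above this hunk, should also be confirmed to still have a reader, since its only visible consumer was the removed block. The function continues past the hunk.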
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/cmd.go b/cli/internal/cmd/cmd.go index 69b542d89..a5997b941 100644 --- a/cli/internal/cmd/cmd.go +++ b/cli/internal/cmd/cmd.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/cli/internal/cmd/config.go b/cli/internal/cmd/config.go index 9386a8838..3392df473 100644 --- a/cli/internal/cmd/config.go +++ b/cli/internal/cmd/config.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/configfetchmeasurements.go b/cli/internal/cmd/configfetchmeasurements.go index a9b777973..83a8e55c2 100644 --- a/cli/internal/cmd/configfetchmeasurements.go +++ b/cli/internal/cmd/configfetchmeasurements.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/configfetchmeasurements_test.go b/cli/internal/cmd/configfetchmeasurements_test.go index 5eca25c1c..12fd761ae 100644 --- a/cli/internal/cmd/configfetchmeasurements_test.go +++ b/cli/internal/cmd/configfetchmeasurements_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/configgenerate.go b/cli/internal/cmd/configgenerate.go index f5cc297e4..fd9796e2c 100644 --- a/cli/internal/cmd/configgenerate.go +++ b/cli/internal/cmd/configgenerate.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd 
diff --git a/cli/internal/cmd/configgenerate_test.go b/cli/internal/cmd/configgenerate_test.go index cbb1349e9..952c43f8f 100644 --- a/cli/internal/cmd/configgenerate_test.go +++ b/cli/internal/cmd/configgenerate_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/configinstancetypes.go b/cli/internal/cmd/configinstancetypes.go index 0c4c4a73d..555ad5bb2 100644 --- a/cli/internal/cmd/configinstancetypes.go +++ b/cli/internal/cmd/configinstancetypes.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/configkubernetesversions.go b/cli/internal/cmd/configkubernetesversions.go index 4cc24da6a..54183039d 100644 --- a/cli/internal/cmd/configkubernetesversions.go +++ b/cli/internal/cmd/configkubernetesversions.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/configmigrate.go b/cli/internal/cmd/configmigrate.go index 2534ae3df..f8bf7190a 100644 --- a/cli/internal/cmd/configmigrate.go +++ b/cli/internal/cmd/configmigrate.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/create.go b/cli/internal/cmd/create.go index 824ea1a2a..994c7e840 100644 --- a/cli/internal/cmd/create.go +++ b/cli/internal/cmd/create.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/create_test.go b/cli/internal/cmd/create_test.go index 126ec80f8..f6290cce8 100644 --- a/cli/internal/cmd/create_test.go +++ b/cli/internal/cmd/create_test.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/iam.go b/cli/internal/cmd/iam.go index 1208ad84f..229a0b2ee 100644 --- a/cli/internal/cmd/iam.go +++ b/cli/internal/cmd/iam.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/iamcreate.go b/cli/internal/cmd/iamcreate.go index 85f18b91d..b2e44f4a2 100644 --- a/cli/internal/cmd/iamcreate.go +++ b/cli/internal/cmd/iamcreate.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd @@ -29,9 +29,6 @@ var ( regionRegex = regexp.MustCompile(`^\w+-\w+[0-9]$`) // Source: https://cloud.google.com/resource-manager/reference/rest/v1/projects. gcpIDRegex = regexp.MustCompile(`^[a-z][-a-z0-9]{4,28}[a-z0-9]$`) - - // We currently append 6 characters to the prefix, therefore we remove 6 characters from the gcpIDRegex. - gcpPrefixRegex = regexp.MustCompile(`^[a-z][-a-z0-9]{4,22}[a-z0-9]$`) ) // newIAMCreateCmd returns a new cobra.Command for the iam create parent command. It needs another verb, and does nothing on its own. diff --git a/cli/internal/cmd/iamcreate_test.go b/cli/internal/cmd/iamcreate_test.go index 427a0a262..3a9c83051 100644 --- a/cli/internal/cmd/iamcreate_test.go +++ b/cli/internal/cmd/iamcreate_test.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd @@ -456,7 +456,6 @@ func TestIAMCreateGCP(t *testing.T) { creator *stubIAMCreator zoneFlag string serviceAccountIDFlag string - namePrefixFlag string projectIDFlag string yesFlag bool updateConfigFlag bool 
@@ -467,14 +466,6 @@ func TestIAMCreateGCP(t *testing.T) { wantErr bool }{ "iam create gcp": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - yesFlag: true, - }, - "iam create gcp with deprecated serice account flag": { setupFs: defaultFs, creator: &stubIAMCreator{id: validIAMIDFile}, zoneFlag: "europe-west1-a", 
@@ -483,91 +474,91 @@ func TestIAMCreateGCP(t *testing.T) { yesFlag: true, }, "iam create gcp with existing config": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - yesFlag: true, - existingConfigFiles: []string{constants.ConfigFilename}, + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + yesFlag: true, + existingConfigFiles: []string{constants.ConfigFilename}, }, "iam create gcp --update-config": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - updateConfigFlag: true, - yesFlag: true, - existingConfigFiles: []string{constants.ConfigFilename}, + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + updateConfigFlag: true, + yesFlag: true, + existingConfigFiles: []string{constants.ConfigFilename}, }, "iam create gcp existing terraform dir": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", existingDirs: []string{constants.TerraformIAMWorkingDir}, yesFlag: true, wantErr: true, }, "iam create gcp invalid b64": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: invalidIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - yesFlag: true, - wantErr: true, + setupFs: defaultFs, + creator: &stubIAMCreator{id: invalidIAMIDFile}, + 
zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + yesFlag: true, + wantErr: true, }, "interactive": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - stdin: "yes\n", + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + stdin: "yes\n", }, "interactive update config": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - stdin: "yes\n", - updateConfigFlag: true, - existingConfigFiles: []string{constants.ConfigFilename}, + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + stdin: "yes\n", + updateConfigFlag: true, + existingConfigFiles: []string{constants.ConfigFilename}, }, "interactive abort": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - stdin: "no\n", - wantAbort: true, + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + stdin: "no\n", + wantAbort: true, }, "interactive abort update config": { - setupFs: defaultFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - stdin: "no\n", - wantAbort: true, - updateConfigFlag: true, - existingConfigFiles: []string{constants.ConfigFilename}, + setupFs: defaultFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + 
serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + stdin: "no\n", + wantAbort: true, + updateConfigFlag: true, + existingConfigFiles: []string{constants.ConfigFilename}, }, "unwritable fs": { - setupFs: readOnlyFs, - creator: &stubIAMCreator{id: validIAMIDFile}, - zoneFlag: "europe-west1-a", - namePrefixFlag: "constell-test", - projectIDFlag: "constell-1234", - yesFlag: true, - updateConfigFlag: true, - wantErr: true, + setupFs: readOnlyFs, + creator: &stubIAMCreator{id: validIAMIDFile}, + zoneFlag: "europe-west1-a", + serviceAccountIDFlag: "constell-test", + projectIDFlag: "constell-1234", + yesFlag: true, + updateConfigFlag: true, + wantErr: true, }, } @@ -599,7 +590,6 @@ func TestIAMCreateGCP(t *testing.T) { flags: gcpIAMCreateFlags{ zone: tc.zoneFlag, serviceAccountID: tc.serviceAccountIDFlag, - namePrefix: tc.serviceAccountIDFlag, projectID: tc.projectIDFlag, }, }, diff --git a/cli/internal/cmd/iamcreateaws.go b/cli/internal/cmd/iamcreateaws.go index 1a29076c5..b648b87fc 100644 --- a/cli/internal/cmd/iamcreateaws.go +++ b/cli/internal/cmd/iamcreateaws.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/iamcreateazure.go b/cli/internal/cmd/iamcreateazure.go index f2ee7982b..26e6ed82a 100644 --- a/cli/internal/cmd/iamcreateazure.go +++ b/cli/internal/cmd/iamcreateazure.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/iamcreategcp.go b/cli/internal/cmd/iamcreategcp.go index f2c6c6ead..b6c55e5d1 100644 --- a/cli/internal/cmd/iamcreategcp.go +++ b/cli/internal/cmd/iamcreategcp.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd 
@@ -31,19 +31,13 @@ func newIAMCreateGCPCmd() *cobra.Command { cmd.Flags().String("zone", "", "GCP zone the cluster will be deployed in (required)\n"+ "Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available") must(cobra.MarkFlagRequired(cmd.Flags(), "zone")) - - cmd.Flags().String("serviceAccountID", "", "[Deprecated use \"--prefix\"]ID for the service account that will be created (required)\n"+ - "Must be 6 to 30 lowercase letters, digits, or hyphens. This flag is mutually exclusive with --prefix.") - cmd.Flags().String("prefix", "", "Prefix for the service account ID and VM ID that will be created (required)\n"+ - "Must be letters, digits, or hyphens.") - + cmd.Flags().String("serviceAccountID", "", "ID for the service account that will be created (required)\n"+ + "Must be 6 to 30 lowercase letters, digits, or hyphens.") + must(cobra.MarkFlagRequired(cmd.Flags(), "serviceAccountID")) cmd.Flags().String("projectID", "", "ID of the GCP project the configuration will be created in (required)\n"+ "Find it on the welcome screen of your project: https://console.cloud.google.com/welcome") must(cobra.MarkFlagRequired(cmd.Flags(), "projectID")) - cmd.MarkFlagsMutuallyExclusive([]string{"prefix", "serviceAccountID"}...) - must(cmd.Flags().MarkDeprecated("serviceAccountID", "use --prefix instead")) - return cmd } @@ -59,7 +53,6 @@ func runIAMCreateGCP(cmd *cobra.Command, _ []string) error { type gcpIAMCreateFlags struct { rootFlags serviceAccountID string - namePrefix string zone string region string projectID string 
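Review bot: The `--serviceAccountID` help text says the ID must be 6 to 30 lowercase letters, digits, or hyphens, but `gcpIDRegex` (`^[a-z][-a-z0-9]{4,28}[a-z0-9]$`) also requires a leading lowercase letter and a last character that is not a hyphen, so a value that satisfies the documented rule can still be rejected by `parse`. Suggest extending the second help line to `"Must be 6 to 30 lowercase letters, digits, or hyphens, starting with a letter and not ending with a hyphen."` so the usage text and the validation agree. `newIAMCreateGCPCmd` starts before this hunk.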
@@ -98,18 +91,9 @@ func (f *gcpIAMCreateFlags) parse(flags *pflag.FlagSet) error { if err != nil { return fmt.Errorf("getting 'serviceAccountID' flag: %w", err) } - if f.serviceAccountID != "" && !gcpIDRegex.MatchString(f.serviceAccountID) { + if !gcpIDRegex.MatchString(f.serviceAccountID) { return fmt.Errorf("serviceAccountID %q doesn't match %s", f.serviceAccountID, gcpIDRegex) } - - f.namePrefix, err = flags.GetString("prefix") - if err != nil { - return fmt.Errorf("getting 'prefix' flag: %w", err) - } - if f.namePrefix != "" && !gcpPrefixRegex.MatchString(f.namePrefix) { - return fmt.Errorf("prefix %q doesn't match %s", f.namePrefix, gcpIDRegex) - } - return nil } @@ -125,19 +109,13 @@ func (c *gcpIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions { Region: c.flags.region, ProjectID: c.flags.projectID, ServiceAccountID: c.flags.serviceAccountID, - NamePrefix: c.flags.namePrefix, }, } } func (c *gcpIAMCreator) printConfirmValues(cmd *cobra.Command) { cmd.Printf("Project ID:\t\t%s\n", c.flags.projectID) - if c.flags.namePrefix != "" { - cmd.Printf("Name Prefix:\t\t%s\n", c.flags.namePrefix) - } - if c.flags.serviceAccountID != "" { - cmd.Printf("Service Account ID:\t%s\n", c.flags.serviceAccountID) - } + cmd.Printf("Service Account ID:\t%s\n", c.flags.serviceAccountID) cmd.Printf("Region:\t\t\t%s\n", c.flags.region) cmd.Printf("Zone:\t\t\t%s\n\n", c.flags.zone) } 
@@ -149,12 +127,11 @@ func (c *gcpIAMCreator) printOutputValues(cmd *cobra.Command, _ cloudcmd.IAMOutp cmd.Printf("serviceAccountKeyPath:\t%s\n\n", c.flags.pathPrefixer.PrefixPrintablePath(constants.GCPServiceAccountKeyFilename)) } -func (c *gcpIAMCreator) writeOutputValuesToConfig(conf *config.Config, out cloudcmd.IAMOutput) { +func (c *gcpIAMCreator) writeOutputValuesToConfig(conf *config.Config, _ cloudcmd.IAMOutput) { conf.Provider.GCP.Project = c.flags.projectID conf.Provider.GCP.ServiceAccountKeyPath = constants.GCPServiceAccountKeyFilename // File was created in workspace, so only the filename is needed. conf.Provider.GCP.Region = c.flags.region conf.Provider.GCP.Zone = c.flags.zone - conf.Provider.GCP.IAMServiceAccountVM = out.GCPOutput.IAMServiceAccountVM for groupName, group := range conf.NodeGroups { group.Zone = c.flags.zone conf.NodeGroups[groupName] = group diff --git a/cli/internal/cmd/iamdestroy.go b/cli/internal/cmd/iamdestroy.go index abcf9290f..f89c939a5 100644 --- a/cli/internal/cmd/iamdestroy.go +++ b/cli/internal/cmd/iamdestroy.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/iamdestroy_test.go b/cli/internal/cmd/iamdestroy_test.go index 675f8df5a..e6dd4feb2 100644 --- a/cli/internal/cmd/iamdestroy_test.go +++ b/cli/internal/cmd/iamdestroy_test.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/iamupgradeapply.go b/cli/internal/cmd/iamupgradeapply.go index bf8f7b275..0a3485d27 100644 --- a/cli/internal/cmd/iamupgradeapply.go +++ b/cli/internal/cmd/iamupgradeapply.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd 
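Review bot: `writeOutputValuesToConfig` now discards its `cloudcmd.IAMOutput` argument, and the method carries no comment saying why the GCP creator takes a value it does not use. If the parameter is kept to satisfy an interface shared with the other creators, a one-line comment above the method such as `// writeOutputValuesToConfig fills the GCP provider section from the flags; the IAMOutput is unused because the service account key file is written to the workspace.` would spare the next reader a search, and the inline comment on the `ServiceAccountKeyPath` line already supports that statement. The method body continues outside the hunk.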
diff --git a/cli/internal/cmd/iamupgradeapply_test.go b/cli/internal/cmd/iamupgradeapply_test.go index 32074f56c..786c24857 100644 --- a/cli/internal/cmd/iamupgradeapply_test.go +++ b/cli/internal/cmd/iamupgradeapply_test.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/init.go b/cli/internal/cmd/init.go index ce10f67e3..138f22392 100644 --- a/cli/internal/cmd/init.go +++ b/cli/internal/cmd/init.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/init_test.go b/cli/internal/cmd/init_test.go index 63ee594fe..568c31ff8 100644 --- a/cli/internal/cmd/init_test.go +++ b/cli/internal/cmd/init_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd @@ -217,7 +217,7 @@ func TestInitialize(t *testing.T) { require.NoError(fileHandler.WriteJSON(serviceAccPath, tc.serviceAccKey, file.OptNone)) } - ctx := t.Context() + ctx := context.Background() ctx, cancel := context.WithTimeout(ctx, 4*time.Second) defer cancel() cmd.SetContext(ctx) @@ -539,7 +539,6 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs conf.Provider.GCP.Project = "test-project" conf.Provider.GCP.Zone = "test-zone" conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path" - conf.Provider.GCP.IAMServiceAccountVM = "example@example.com" conf.Attestation.GCPSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength) conf.Attestation.GCPSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength) conf.Attestation.GCPSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength) 
diff --git a/cli/internal/cmd/license_enterprise.go b/cli/internal/cmd/license_enterprise.go index 399de4524..d4afe973e 100644 --- a/cli/internal/cmd/license_enterprise.go +++ b/cli/internal/cmd/license_enterprise.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/license_oss.go b/cli/internal/cmd/license_oss.go index 7d584a78c..fd14d35bc 100644 --- a/cli/internal/cmd/license_oss.go +++ b/cli/internal/cmd/license_oss.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/log.go b/cli/internal/cmd/log.go index d112fcc37..d86f1686f 100644 --- a/cli/internal/cmd/log.go +++ b/cli/internal/cmd/log.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/maapatch.go b/cli/internal/cmd/maapatch.go index 11e86051a..bb7ea381a 100644 --- a/cli/internal/cmd/maapatch.go +++ b/cli/internal/cmd/maapatch.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/maapatch_test.go b/cli/internal/cmd/maapatch_test.go index bca2d0ee7..bbd0e165f 100644 --- a/cli/internal/cmd/maapatch_test.go +++ b/cli/internal/cmd/maapatch_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/mini.go b/cli/internal/cmd/mini.go index 7d6fe087d..4b4774f67 100644 --- a/cli/internal/cmd/mini.go +++ b/cli/internal/cmd/mini.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd 
diff --git a/cli/internal/cmd/minidown.go b/cli/internal/cmd/minidown.go index 525b8539f..594312e28 100644 --- a/cli/internal/cmd/minidown.go +++ b/cli/internal/cmd/minidown.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/miniup.go b/cli/internal/cmd/miniup.go index 1b8c0984a..dfd297d93 100644 --- a/cli/internal/cmd/miniup.go +++ b/cli/internal/cmd/miniup.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/miniup_cross.go b/cli/internal/cmd/miniup_cross.go index 2abd7c3b3..4668cc8f3 100644 --- a/cli/internal/cmd/miniup_cross.go +++ b/cli/internal/cmd/miniup_cross.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/miniup_linux_amd64.go b/cli/internal/cmd/miniup_linux_amd64.go index c2c5a052e..c9885d801 100644 --- a/cli/internal/cmd/miniup_linux_amd64.go +++ b/cli/internal/cmd/miniup_linux_amd64.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/pathprefix/pathprefix.go b/cli/internal/cmd/pathprefix/pathprefix.go index 823406232..a70ccfee3 100644 --- a/cli/internal/cmd/pathprefix/pathprefix.go +++ b/cli/internal/cmd/pathprefix/pathprefix.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/cli/internal/cmd/recover.go b/cli/internal/cmd/recover.go index ab5d3ef14..17ffa4c32 100644 --- a/cli/internal/cmd/recover.go +++ b/cli/internal/cmd/recover.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd @@ -11,6 +11,7 @@ import ( "errors" "fmt" "io" + "net" "sync" "time" @@ -77,7 +78,7 @@ func runRecover(cmd *cobra.Command, _ []string) error { } fileHandler := file.NewHandler(afero.NewOsFs()) newDialer := func(validator atls.Validator) *dialer.Dialer { - return dialer.New(nil, validator, nil) + return dialer.New(nil, validator, &net.Dialer{}) } r := &recoverCmd{log: log, configFetcher: attestationconfigapi.NewFetcher()} if err := r.flags.parse(cmd.Flags()); err != nil { diff --git a/cli/internal/cmd/recover_test.go b/cli/internal/cmd/recover_test.go index af0817597..41ca89817 100644 --- a/cli/internal/cmd/recover_test.go +++ b/cli/internal/cmd/recover_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd @@ -138,7 +138,7 @@ func TestRecover(t *testing.T) { require := require.New(t) cmd := NewRecoverCmd() - cmd.SetContext(t.Context()) + cmd.SetContext(context.Background()) out := &bytes.Buffer{} cmd.SetOut(out) cmd.SetErr(out) @@ -225,7 +225,7 @@ func TestDoRecovery(t *testing.T) { log: r.log, } - err := recoverDoer.Do(t.Context()) + err := recoverDoer.Do(context.Background()) if tc.wantErr { assert.Error(err) } else { diff --git a/cli/internal/cmd/spinner.go b/cli/internal/cmd/spinner.go index f979459c3..4184291a8 100644 --- a/cli/internal/cmd/spinner.go +++ b/cli/internal/cmd/spinner.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/spinner_test.go b/cli/internal/cmd/spinner_test.go index 4cbf40d34..fab3ffa87 100644 --- a/cli/internal/cmd/spinner_test.go +++ b/cli/internal/cmd/spinner_test.go 
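Review bot: The `&net.Dialer{}` now passed to `dialer.New` in `runRecover` sets no `Timeout`, so each TCP connect to the recovery endpoint is bounded only by whatever deadline the command's context carries, which is not visible here; with an unbounded context a connect to an unreachable node can block until the OS gives up. Since `time` is already imported in this file, `&net.Dialer{Timeout: 30 * time.Second}` (value chosen as an example) would bound every dial attempt independently of the context. Whether `dialer.New` uses its third argument for the raw connect is not visible in this hunk and should be confirmed. `runRecover` continues outside the hunk.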
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/ssh.go b/cli/internal/cmd/ssh.go deleted file mode 100644 index 84f9ed67a..000000000 --- a/cli/internal/cmd/ssh.go +++ /dev/null 
@@ -1,118 +0,0 @@ -/* -Copyright (c) Edgeless Systems GmbH - -SPDX-License-Identifier: BUSL-1.1 -*/ - -package cmd - -import ( - "crypto/ed25519" - "crypto/rand" - "fmt" - "time" - - "github.com/edgelesssys/constellation/v2/internal/constants" - "github.com/edgelesssys/constellation/v2/internal/crypto" - "github.com/edgelesssys/constellation/v2/internal/file" - "github.com/edgelesssys/constellation/v2/internal/kms/setup" - "github.com/edgelesssys/constellation/v2/internal/kms/uri" - "github.com/spf13/afero" - "github.com/spf13/cobra" - - "golang.org/x/crypto/ssh" -) - -// NewSSHCmd returns a new cobra.Command for the ssh command. -func NewSSHCmd() *cobra.Command { - cmd := &cobra.Command{ - Use: "ssh", - Short: "Generate a certificate for emergency SSH access", - Long: "Generate a certificate for emergency SSH access to your SSH-enabled constellation cluster.", - Args: cobra.ExactArgs(0), - RunE: runSSH, - } - cmd.Flags().String("key", "", "the path to an existing SSH public key") - must(cmd.MarkFlagRequired("key")) - return cmd -} - -func runSSH(cmd *cobra.Command, _ []string) error { - fh := file.NewHandler(afero.NewOsFs()) - debugLogger, err := newDebugFileLogger(cmd, fh) - if err != nil { - return err - } - - keyPath, err := cmd.Flags().GetString("key") - if err != nil { - return fmt.Errorf("retrieving path to public key from flags: %s", err) - } - - return writeCertificateForKey(cmd, keyPath, fh, debugLogger) -} - -func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler, debugLogger debugLog) error { - // NOTE(miampf): Since other KMS aren't fully implemented yet, this commands assumes that the cKMS is used and derives the key accordingly. 
- var mastersecret uri.MasterSecret - if err := fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil { - return fmt.Errorf("reading master secret (does %q exist?): %w", constants.MasterSecretFilename, err) - } - - mastersecretURI := uri.MasterSecret{Key: mastersecret.Key, Salt: mastersecret.Salt} - kms, err := setup.KMS(cmd.Context(), uri.NoStoreURI, mastersecretURI.EncodeToURI()) - if err != nil { - return fmt.Errorf("setting up KMS: %s", err) - } - sshCAKeySeed, err := kms.GetDEK(cmd.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize) - if err != nil { - return fmt.Errorf("retrieving key from KMS: %s", err) - } - - ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed) - if err != nil { - return fmt.Errorf("generating SSH emergency CA key: %s", err) - } - - marshalledKey := string(ssh.MarshalAuthorizedKey(ca.PublicKey())) - debugLogger.Debug("SSH CA KEY generated", "public-key", marshalledKey) - knownHostsContent := fmt.Sprintf("@cert-authority * %s", marshalledKey) - if err := fh.Write("./known_hosts", []byte(knownHostsContent), file.OptMkdirAll); err != nil { - return fmt.Errorf("writing known hosts file: %w", err) - } - - keyBuffer, err := fh.Read(keyPath) - if err != nil { - return fmt.Errorf("reading public key %q: %s", keyPath, err) - } - - pub, _, _, _, err := ssh.ParseAuthorizedKey(keyBuffer) - if err != nil { - return fmt.Errorf("parsing public key %q: %s", keyPath, err) - } - - certificate := ssh.Certificate{ - Key: pub, - CertType: ssh.UserCert, - ValidAfter: uint64(time.Now().Unix()), - ValidBefore: uint64(time.Now().Add(24 * time.Hour).Unix()), - ValidPrincipals: []string{"root"}, - Permissions: ssh.Permissions{ - Extensions: map[string]string{ - "permit-port-forwarding": "", - "permit-pty": "", - }, - }, - } - if err := certificate.SignCert(rand.Reader, ca); err != nil { - return fmt.Errorf("signing certificate: %s", err) - } - - debugLogger.Debug("Signed certificate", "certificate", 
string(ssh.MarshalAuthorizedKey(&certificate))) - if err := fh.Write("constellation_cert.pub", ssh.MarshalAuthorizedKey(&certificate), file.OptOverwrite); err != nil { - return fmt.Errorf("writing certificate: %s", err) - } - cmd.Printf("You can now connect to a node using the \"constellation_cert.pub\" certificate.\nLook at the documentation for a how-to guide:\n\n\thttps://docs.edgeless.systems/constellation/workflows/troubleshooting#emergency-ssh-access\n") - - return nil -} diff --git a/cli/internal/cmd/ssh_test.go b/cli/internal/cmd/ssh_test.go deleted file mode 100644 index c5ba77c2c..000000000 --- a/cli/internal/cmd/ssh_test.go +++ /dev/null 
@@ -1,95 +0,0 @@ -/* -Copyright (c) Edgeless Systems GmbH - -SPDX-License-Identifier: BUSL-1.1 -*/ - -package cmd - -import ( - "bytes" - "testing" - - "github.com/edgelesssys/constellation/v2/internal/constants" - "github.com/edgelesssys/constellation/v2/internal/file" - "github.com/edgelesssys/constellation/v2/internal/logger" - "github.com/spf13/afero" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - "golang.org/x/crypto/ssh" -) - -func TestSSH(t *testing.T) { - someSSHPubKey := "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDA1yYg1PIJNjAGjyuv66r8AJtpfBDFLdp3u9lVwkgbVKv1AzcaeTF/NEw+nhNJOjuCZ61LTPj12LZ8Wy/oSm0A= motte@lolcatghost" - someSSHPubKeyPath := "some-key.pub" - someMasterSecret := ` - { - "key": "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAK", - "salt": "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAK" - } - ` - testCases := map[string]struct { - fh file.Handler - pubKey string - masterSecret string - wantErr bool - }{ - "everything exists": { - fh: file.NewHandler(afero.NewMemMapFs()), - pubKey: someSSHPubKey, - masterSecret: someMasterSecret, - }, - "no public key": { - fh: file.NewHandler(afero.NewMemMapFs()), - masterSecret: someMasterSecret, - wantErr: true, - }, - "no master secret": { - fh: file.NewHandler(afero.NewMemMapFs()), - pubKey: someSSHPubKey, - wantErr: true, - }, - "malformed public key": { - fh: file.NewHandler(afero.NewMemMapFs()), - pubKey: "asdf", - masterSecret: someMasterSecret, - wantErr: true, - }, - "malformed master secret": { - fh: file.NewHandler(afero.NewMemMapFs()), - masterSecret: "asdf", - pubKey: someSSHPubKey, - wantErr: true, - }, - } - - for name, tc := range testCases { - t.Run(name, func(t *testing.T) { - assert := assert.New(t) - require := require.New(t) - - if tc.pubKey != "" { - require.NoError(tc.fh.Write(someSSHPubKeyPath, []byte(tc.pubKey))) - } - if tc.masterSecret != "" { - require.NoError(tc.fh.Write(constants.MasterSecretFilename, 
[]byte(tc.masterSecret))) - } - - cmd := NewSSHCmd() - cmd.SetOut(&bytes.Buffer{}) - cmd.SetErr(&bytes.Buffer{}) - cmd.SetIn(&bytes.Buffer{}) - - err := writeCertificateForKey(cmd, someSSHPubKeyPath, tc.fh, logger.NewTest(t)) - if tc.wantErr { - assert.Error(err) - } else { - assert.NoError(err) - cert, err := tc.fh.Read("constellation_cert.pub") - require.NoError(err) - _, _, _, _, err = ssh.ParseAuthorizedKey(cert) - require.NoError(err) - } - }) - } -} diff --git a/cli/internal/cmd/status.go b/cli/internal/cmd/status.go index 5d9051c63..c2e83ef3a 100644 --- a/cli/internal/cmd/status.go +++ b/cli/internal/cmd/status.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/status_test.go b/cli/internal/cmd/status_test.go index e46bae917..813391bf0 100644 --- a/cli/internal/cmd/status_test.go +++ b/cli/internal/cmd/status_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/terminate.go b/cli/internal/cmd/terminate.go index a194358ea..c20c3fe2c 100644 --- a/cli/internal/cmd/terminate.go +++ b/cli/internal/cmd/terminate.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/terminate_test.go b/cli/internal/cmd/terminate_test.go index 24c9ee717..1999290e9 100644 --- a/cli/internal/cmd/terminate_test.go +++ b/cli/internal/cmd/terminate_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/upgrade.go b/cli/internal/cmd/upgrade.go index 6c7db4966..21addcb06 100644 --- a/cli/internal/cmd/upgrade.go +++ b/cli/internal/cmd/upgrade.go 
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/cli/internal/cmd/upgradeapply.go b/cli/internal/cmd/upgradeapply.go
index 8f2465cbd..a87e4b2c5 100644
--- a/cli/internal/cmd/upgradeapply.go
+++ b/cli/internal/cmd/upgradeapply.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/cli/internal/cmd/upgradeapply_test.go b/cli/internal/cmd/upgradeapply_test.go
index 0062d444d..db4012596 100644
--- a/cli/internal/cmd/upgradeapply_test.go
+++ b/cli/internal/cmd/upgradeapply_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/cli/internal/cmd/upgradecheck.go b/cli/internal/cmd/upgradecheck.go
index 570f5375f..a782ebef2 100644
--- a/cli/internal/cmd/upgradecheck.go
+++ b/cli/internal/cmd/upgradecheck.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/cli/internal/cmd/upgradecheck_test.go b/cli/internal/cmd/upgradecheck_test.go
index 19020fc0d..5e6f8329a 100644
--- a/cli/internal/cmd/upgradecheck_test.go
+++ b/cli/internal/cmd/upgradecheck_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
@@ -139,7 +139,7 @@ func TestGetCompatibleImageMeasurements(t *testing.T) { } }) - upgrades, err := getCompatibleImageMeasurements(t.Context(), &bytes.Buffer{}, client, &stubCosignVerifier{}, singleUUIDVerifier(), csp, attestationVariant, versionZero, logger.NewTest(t)) + upgrades, err := getCompatibleImageMeasurements(context.Background(), &bytes.Buffer{}, client, &stubCosignVerifier{}, singleUUIDVerifier(), csp, attestationVariant, versionZero, logger.NewTest(t)) assert.NoError(err) for _, measurement := range upgrades { @@ -344,7 +344,7 @@ func TestNewCLIVersions(t *testing.T) { t.Run(name, func(t *testing.T) { require := require.New(t) - _, err := tc.verCollector.newCLIVersions(t.Context()) + _, err := tc.verCollector.newCLIVersions(context.Background()) if tc.wantErr { require.Error(err) return @@ -385,7 +385,7 @@ func TestFilterCompatibleCLIVersions(t *testing.T) { t.Run(name, func(t *testing.T) { require := require.New(t) - _, err := tc.verCollector.filterCompatibleCLIVersions(t.Context(), tc.cliPatchVersions, consemver.NewFromInt(1, 24, 5, "")) + _, err := tc.verCollector.filterCompatibleCLIVersions(context.Background(), tc.cliPatchVersions, consemver.NewFromInt(1, 24, 5, "")) if tc.wantErr { require.Error(err) return diff --git a/cli/internal/cmd/userinteraction.go b/cli/internal/cmd/userinteraction.go index cef1921a4..4fef6256e 100644 --- a/cli/internal/cmd/userinteraction.go +++ b/cli/internal/cmd/userinteraction.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/userinteraction_test.go b/cli/internal/cmd/userinteraction_test.go index 91472c08b..3222be8d7 100644 --- a/cli/internal/cmd/userinteraction_test.go +++ b/cli/internal/cmd/userinteraction_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd 
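Review bot: The `context.Background()` now passed to `getCompatibleImageMeasurements` here, and to `newCLIVersions` and `filterCompatibleCLIVersions` in the two following hunks, is never cancelled, so anything the code under test starts against that context (goroutines, HTTP requests via `client`) can outlive the subtest and bleed into the next one; the `t.Context()` it replaces was cancelled with the test. If the switch is required by the toolchain, bind cancellation to the test lifecycle instead, e.g. at the top of each `t.Run` closure: `ctx, cancel := context.WithCancel(context.Background())` followed by `t.Cleanup(cancel)`, then pass `ctx`. The same applies to the analogous hunks in verify_test.go, terraform_test.go, cryptmapper_test.go, mount_integration_test.go, constellation_test.go, download_test.go, service_test.go and credentials_test.go later in this diff. The enclosing test functions start outside each hunk, and whether every `t.Run` closure is the right scope for the cancel is inferred from the visible context lines.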
diff --git a/cli/internal/cmd/validargs.go b/cli/internal/cmd/validargs.go
index 1c83ae3bf..6b6573612 100644
--- a/cli/internal/cmd/validargs.go
+++ b/cli/internal/cmd/validargs.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/cli/internal/cmd/validargs_test.go b/cli/internal/cmd/validargs_test.go
index f29d179e6..63d783e9e 100644
--- a/cli/internal/cmd/validargs_test.go
+++ b/cli/internal/cmd/validargs_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/cli/internal/cmd/verifier_test.go b/cli/internal/cmd/verifier_test.go
index fcb27ab2b..b55c0ab15 100644
--- a/cli/internal/cmd/verifier_test.go
+++ b/cli/internal/cmd/verifier_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/cli/internal/cmd/verify.go b/cli/internal/cmd/verify.go
index 2e9afba11..523920a20 100644
--- a/cli/internal/cmd/verify.go
+++ b/cli/internal/cmd/verify.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
@@ -108,7 +108,7 @@ func runVerify(cmd *cobra.Command, _ []string) error {
 fileHandler := file.NewHandler(afero.NewOsFs())
 verifyClient := &constellationVerifier{
- dialer: dialer.New(nil, nil, nil),
+ dialer: dialer.New(nil, nil, &net.Dialer{}),
 log: log,
 }
diff --git a/cli/internal/cmd/verify_test.go b/cli/internal/cmd/verify_test.go
index 4a140d8ed..3e161c8c8 100644
--- a/cli/internal/cmd/verify_test.go
+++ b/cli/internal/cmd/verify_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
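Review bot: The new `&net.Dialer{}` argument in `runVerify` (verify.go, hunk at line 108) is a zero-value dialer with no `Timeout`, so the connection to the cluster's verification endpoint is bounded only by whatever deadline the command's context carries; if that context is unbounded, an unreachable or stalled endpoint leaves `constellation verify` hanging rather than failing. Either give the dialer a bound (`&net.Dialer{Timeout: <chosen timeout>}`) or confirm that the context handed to `verifyClient` has a deadline; what `dialer.New` did with the previous `nil` argument is outside this hunk, so the earlier behaviour cannot be compared here. The hunk also references the `net` package but shows no import change for verify.go; if `net` is not already imported in the file the build fails. `runVerify` starts and ends outside the hunk.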
@@ -235,7 +235,7 @@ func TestFormatDefault(t *testing.T) { for name, tc := range testCases { t.Run(name, func(t *testing.T) { - _, err := formatDefault(t.Context(), tc.doc, tc.attCfg, logger.NewTest(t)) + _, err := formatDefault(context.Background(), tc.doc, tc.attCfg, logger.NewTest(t)) if tc.wantErr { assert.Error(t, err) } else { @@ -313,7 +313,7 @@ func TestVerifyClient(t *testing.T) { Nonce: tc.nonce, } - _, err = verifier.Verify(t.Context(), addr, request, atls.NewFakeValidator(variant.Dummy{})) + _, err = verifier.Verify(context.Background(), addr, request, atls.NewFakeValidator(variant.Dummy{})) if tc.wantErr { assert.Error(err) diff --git a/cli/internal/cmd/version.go b/cli/internal/cmd/version.go index 30ce98245..a61aee437 100644 --- a/cli/internal/cmd/version.go +++ b/cli/internal/cmd/version.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/cmd/version_test.go b/cli/internal/cmd/version_test.go index f68041c66..646244423 100644 --- a/cli/internal/cmd/version_test.go +++ b/cli/internal/cmd/version_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/cli/internal/libvirt/libvirt.go b/cli/internal/libvirt/libvirt.go index 5815ebfc5..9498b173c 100644 --- a/cli/internal/libvirt/libvirt.go +++ b/cli/internal/libvirt/libvirt.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/cli/internal/terraform/loader.go b/cli/internal/terraform/loader.go index a3ad04482..d6e448ce9 100644 --- a/cli/internal/terraform/loader.go +++ b/cli/internal/terraform/loader.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package terraform 
diff --git a/cli/internal/terraform/loader_test.go b/cli/internal/terraform/loader_test.go index 70a50240b..4734bba1d 100644 --- a/cli/internal/terraform/loader_test.go +++ b/cli/internal/terraform/loader_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package terraform diff --git a/cli/internal/terraform/logging.go b/cli/internal/terraform/logging.go index 18378d9f9..6a400fb03 100644 --- a/cli/internal/terraform/logging.go +++ b/cli/internal/terraform/logging.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package terraform diff --git a/cli/internal/terraform/terraform.go b/cli/internal/terraform/terraform.go index c9b536109..f48d36e02 100644 --- a/cli/internal/terraform/terraform.go +++ b/cli/internal/terraform/terraform.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* @@ -103,18 +103,9 @@ func (c *Client) ShowIAM(ctx context.Context, provider cloudprovider.Provider) ( if !ok { return IAMOutput{}, errors.New("invalid type in service_account_key output: not a string") } - IAMServiceAccountVMOutputRaw, ok := tfState.Values.Outputs["service_account_mail_vm"] - if !ok { - return IAMOutput{}, errors.New("no service_account_mail_vm output found") - } - IAMServiceAccountVMOutput, ok := IAMServiceAccountVMOutputRaw.Value.(string) - if !ok { - return IAMOutput{}, errors.New("invalid type in service_account_mail_vm output: not a string") - } return IAMOutput{ GCP: GCPIAMOutput{ - SaKey: saKeyOutput, - ServiceAccountVMMailAddress: IAMServiceAccountVMOutput, + SaKey: saKeyOutput, }, }, nil case cloudprovider.Azure: 
@@ -548,8 +539,7 @@ type IAMOutput struct { // GCPIAMOutput contains the output information of the Terraform IAM operation on GCP. type GCPIAMOutput struct { - SaKey string - ServiceAccountVMMailAddress string + SaKey string } // AzureIAMOutput contains the output information of the Terraform IAM operation on Microsoft Azure. diff --git a/cli/internal/terraform/terraform_test.go b/cli/internal/terraform/terraform_test.go index 07ea919e6..103f0e959 100644 --- a/cli/internal/terraform/terraform_test.go +++ b/cli/internal/terraform/terraform_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package terraform @@ -120,7 +120,6 @@ func TestPrepareIAM(t *testing.T) { Region: "europe-west1", Zone: "europe-west1-a", ServiceAccountID: "const-test-case", - NamePrefix: "test_iam", } azureVars := &AzureIAMVariables{ Location: "westus", @@ -483,7 +482,7 @@ func TestCreateCluster(t *testing.T) { path := path.Join(tc.pathBase, strings.ToLower(tc.provider.String())) require.NoError(c.PrepareWorkspace(path, tc.vars)) - infraState, err := c.ApplyCluster(t.Context(), tc.provider, LogLevelDebug) + infraState, err := c.ApplyCluster(context.Background(), tc.provider, LogLevelDebug) if tc.wantErr { assert.Error(err) @@ -510,9 +509,6 @@ func TestCreateIAM(t *testing.T) { "service_account_key": { Value: "12345678_abcdefg", }, - "service_account_mail_vm": { - Value: "test_iam_service_account_vm", - }, "subscription_id": { Value: "test_subscription_id", }, @@ -585,7 +581,7 @@ func TestCreateIAM(t *testing.T) { vars: gcpVars, tf: &stubTerraform{showState: newTestState()}, fs: afero.NewMemMapFs(), - want: IAMOutput{GCP: GCPIAMOutput{SaKey: "12345678_abcdefg", ServiceAccountVMMailAddress: "test_iam_service_account_vm"}}, + want: IAMOutput{GCP: GCPIAMOutput{SaKey: "12345678_abcdefg"}}, }, "gcp init fails": { pathBase: path.Join(constants.TerraformEmbeddedDir, "iam"), 
@@ -618,25 +614,7 @@ func TestCreateIAM(t *testing.T) { tf: &stubTerraform{ showState: &tfjson.State{ Values: &tfjson.StateValues{ - Outputs: map[string]*tfjson.StateOutput{ - "service_account_mail_vm": {Value: "test_iam_service_account_vm"}, - }, - }, - }, - }, - fs: afero.NewMemMapFs(), - wantErr: true, - }, - "gcp no service_account_mail_vm": { - pathBase: path.Join(constants.TerraformEmbeddedDir, "iam"), - provider: cloudprovider.GCP, - vars: gcpVars, - tf: &stubTerraform{ - showState: &tfjson.State{ - Values: &tfjson.StateValues{ - Outputs: map[string]*tfjson.StateOutput{ - "service_account_key": {Value: "12345678_abcdefg"}, - }, + Outputs: map[string]*tfjson.StateOutput{}, }, }, }, @@ -799,7 +777,7 @@ func TestCreateIAM(t *testing.T) { path := path.Join(tc.pathBase, strings.ToLower(tc.provider.String())) require.NoError(c.PrepareWorkspace(path, tc.vars)) - IAMoutput, err := c.ApplyIAM(t.Context(), tc.provider, LogLevelDebug) + IAMoutput, err := c.ApplyIAM(context.Background(), tc.provider, LogLevelDebug) if tc.wantErr { assert.Error(err) @@ -841,7 +819,7 @@ func TestDestroyInstances(t *testing.T) { tf: tc.tf, } - err := c.Destroy(t.Context(), LogLevelDebug) + err := c.Destroy(context.Background(), LogLevelDebug) if tc.wantErr { assert.Error(err) return @@ -1073,7 +1051,7 @@ func TestPlan(t *testing.T) { workingDir: tc.pathBase, } - _, err := c.Plan(t.Context(), LogLevelDebug) + _, err := c.Plan(context.Background(), LogLevelDebug) if tc.wantErr { require.Error(err) } else { @@ -1132,7 +1110,7 @@ func TestShowPlan(t *testing.T) { workingDir: tc.pathBase, } - err := c.ShowPlan(t.Context(), LogLevelDebug, bytes.NewBuffer(nil)) + err := c.ShowPlan(context.Background(), LogLevelDebug, bytes.NewBuffer(nil)) if tc.wantErr { require.Error(err) } else { 
@@ -1151,8 +1129,7 @@ func TestShowIAM(t *testing.T) { "GCP success": { tf: &stubTerraform{ showState: getTfjsonState(map[string]any{ - "service_account_key": "key", - "service_account_mail_vm": "example@example.com", + "service_account_key": "key", }), }, csp: cloudprovider.GCP, @@ -1160,8 +1137,7 @@ func TestShowIAM(t *testing.T) { "GCP wrong data type": { tf: &stubTerraform{ showState: getTfjsonState(map[string]any{ - "service_account_key": map[string]any{}, - "service_account_mail_vm": "example@example.com", + "service_account_key": map[string]any{}, }), }, csp: cloudprovider.GCP, @@ -1169,9 +1145,7 @@ func TestShowIAM(t *testing.T) { }, "GCP missing key": { tf: &stubTerraform{ - showState: getTfjsonState(map[string]any{ - "service_account_mail_vm": "example@example.com", - }), + showState: getTfjsonState(map[string]any{}), }, csp: cloudprovider.GCP, wantErr: true, @@ -1320,7 +1294,7 @@ func TestShowIAM(t *testing.T) { tf: tc.tf, } - _, err := c.ShowIAM(t.Context(), tc.csp) + _, err := c.ShowIAM(context.Background(), tc.csp) if tc.wantErr { assert.Error(err) return diff --git a/cli/internal/terraform/variables.go b/cli/internal/terraform/variables.go index d25b2e026..86af569e0 100644 --- a/cli/internal/terraform/variables.go +++ b/cli/internal/terraform/variables.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package terraform 
@@ -24,6 +24,11 @@ type Variables interface { // ClusterVariables should be used in places where a cluster is created. type ClusterVariables interface { Variables + // TODO(derpsteb): Rename this function once we have introduced an interface for config.Config. + // GetCreateMAA does not follow Go's naming convention because we need to keep the CreateMAA property public for now. + // There are functions creating Variables objects outside of this package. + // These functions can only be moved into this package once we have introduced an interface for config.Config, + // since we do not want to introduce a dependency on config.Config in this package. GetCreateMAA() bool } @@ -70,6 +75,7 @@ type AWSClusterVariables struct { } // GetCreateMAA gets the CreateMAA variable. +// TODO(derpsteb): Rename this function once we have introduced an interface for config.Config. func (a *AWSClusterVariables) GetCreateMAA() bool { return false } @@ -135,13 +141,12 @@ type GCPClusterVariables struct { InternalLoadBalancer bool `hcl:"internal_load_balancer" cty:"internal_load_balancer"` // CCTechnology is the confidential computing technology to use on the VMs. (`SEV` or `SEV_SNP`) CCTechnology string `hcl:"cc_technology" cty:"cc_technology"` - // IAMServiceAccountControlPlane is the IAM service account mail address to attach to VMs. - IAMServiceAccountVM string `hcl:"iam_service_account_vm" cty:"iam_service_account_vm"` // AdditionalLables are (optional) additional labels that should be applied to created resources. AdditionalLabels cloudprovider.Tags `hcl:"additional_labels" cty:"additional_labels"` } // GetCreateMAA gets the CreateMAA variable. +// TODO(derpsteb): Rename this function once we have introduced an interface for config.Config. func (g *GCPClusterVariables) GetCreateMAA() bool { return false } 
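Review bot: Removing `IAMServiceAccountVM` from `GCPClusterVariables` (hunk at line 135) drops the only visible way to pass the Terraform module a dedicated service account for the VMs — the deleted field's own comment describes it as "the IAM service account mail address to attach to VMs"; whether the module then falls back to the project's default compute service account, which typically holds far broader permissions than the nodes need, is not visible here and should be confirmed before this lands. A second, stylistic point: the identical `// TODO(derpsteb): Rename this function once we have introduced an interface for config.Config.` line is added above `GetCreateMAA` for the AWS and GCP implementations in this line's later hunks and again for the Azure, OpenStack and QEMU implementations in the following hunks, although the interface comment in the first hunk already states the reason in full. Keeping the TODO once on the interface method and pointing implementations at it, e.g. `// GetCreateMAA implements ClusterVariables; see the interface for the pending rename.`, avoids five copies drifting apart when the rename happens. The `ClusterVariables` interface and the struct definitions start outside their hunks.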
@@ -177,8 +182,6 @@ type GCPIAMVariables struct { Zone string `hcl:"zone" cty:"zone"` // ServiceAccountID is the ID of the service account to use. ServiceAccountID string `hcl:"service_account_id" cty:"service_account_id"` - // NamePrefix is a prefix applied to the service account ID and VM ID created by this configuration. - NamePrefix string `hcl:"name_prefix,optional" cty:"name_prefix"` } // String returns a string representation of the IAM-specific variables, formatted as Terraform variables. @@ -223,6 +226,7 @@ type AzureClusterVariables struct { } // GetCreateMAA gets the CreateMAA variable. +// TODO(derpsteb): Rename this function once we have introduced an interface for config.Config. func (a *AzureClusterVariables) GetCreateMAA() bool { if a.CreateMAA == nil { return false @@ -307,6 +311,7 @@ type OpenStackClusterVariables struct { } // GetCreateMAA gets the CreateMAA variable. +// TODO(derpsteb): Rename this function once we have introduced an interface for config.Config. func (o *OpenStackClusterVariables) GetCreateMAA() bool { return false } @@ -379,6 +384,7 @@ type QEMUVariables struct { } // GetCreateMAA gets the CreateMAA variable. +// TODO(derpsteb): Rename this function once we have introduced an interface for config.Config. func (q *QEMUVariables) GetCreateMAA() bool { return false } diff --git a/cli/internal/terraform/variables_test.go b/cli/internal/terraform/variables_test.go index dc8f79b2d..02567c314 100644 --- a/cli/internal/terraform/variables_test.go +++ b/cli/internal/terraform/variables_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package terraform 
@@ -122,9 +122,8 @@ func TestGCPClusterVariables(t *testing.T) { DiskType: "pd-ssd", }, }, - CustomEndpoint: "example.com", - CCTechnology: "SEV_SNP", - IAMServiceAccountVM: "example@example.com", + CustomEndpoint: "example.com", + CCTechnology: "SEV_SNP", } // test that the variables are correctly rendered @@ -152,11 +151,10 @@ node_groups = { zone = "eu-central-1b" } } -custom_endpoint = "example.com" -internal_load_balancer = false -cc_technology = "SEV_SNP" -iam_service_account_vm = "example@example.com" -additional_labels = null +custom_endpoint = "example.com" +internal_load_balancer = false +cc_technology = "SEV_SNP" +additional_labels = null ` got := vars.String() assert.Equal(t, strings.Fields(want), strings.Fields(got)) // to ignore whitespace differences @@ -175,27 +173,9 @@ func TestGCPIAMVariables(t *testing.T) { region = "eu-central-1" zone = "eu-central-1a" service_account_id = "my-service-account" -name_prefix = "" ` got := vars.String() assert.Equal(t, strings.Fields(want), strings.Fields(got)) // to ignore whitespace differences - - vars = GCPIAMVariables{ - Project: "my-project", - Region: "eu-central-1", - Zone: "eu-central-1a", - NamePrefix: "my-prefix", - } - - // test that the variables are correctly rendered - want = `project_id = "my-project" -region = "eu-central-1" -zone = "eu-central-1a" -service_account_id = "" -name_prefix = "my-prefix" -` - got = vars.String() - assert.Equal(t, strings.Fields(want), strings.Fields(got)) // to ignore whitespace differences } func TestAzureClusterVariables(t *testing.T) { diff --git a/cli/main.go b/cli/main.go index 0d479766d..7687463bd 100644 --- a/cli/main.go +++ b/cli/main.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/csi/cryptmapper/cryptmapper.go b/csi/cryptmapper/cryptmapper.go index 44757d703..90ece1df2 100644 --- a/csi/cryptmapper/cryptmapper.go +++ b/csi/cryptmapper/cryptmapper.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package cryptmapper provides a wrapper around libcryptsetup to manage dm-crypt volumes for CSI drivers. diff --git a/csi/cryptmapper/cryptmapper_cgo.go b/csi/cryptmapper/cryptmapper_cgo.go index 0ba881d6d..f03a48bbb 100644 --- a/csi/cryptmapper/cryptmapper_cgo.go +++ b/csi/cryptmapper/cryptmapper_cgo.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cryptmapper diff --git a/csi/cryptmapper/cryptmapper_cross.go b/csi/cryptmapper/cryptmapper_cross.go index 0e6f6ba34..ddc4f4adc 100644 --- a/csi/cryptmapper/cryptmapper_cross.go +++ b/csi/cryptmapper/cryptmapper_cross.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cryptmapper diff --git a/csi/cryptmapper/cryptmapper_test.go b/csi/cryptmapper/cryptmapper_test.go index 56c44e8ee..cef34cd18 100644 --- a/csi/cryptmapper/cryptmapper_test.go +++ b/csi/cryptmapper/cryptmapper_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cryptmapper @@ -202,7 +202,7 @@ func TestOpenCryptDevice(t *testing.T) { getDiskFormat: tc.diskInfo, } - out, err := mapper.OpenCryptDevice(t.Context(), tc.source, tc.volumeID, tc.integrity) + out, err := mapper.OpenCryptDevice(context.Background(), tc.source, tc.volumeID, tc.integrity) if tc.wantErr { assert.Error(err) } else { @@ -223,7 +223,7 @@ func TestOpenCryptDevice(t *testing.T) { kms: &fakeKMS{}, getDiskFormat: getDiskFormat, } - _, err := mapper.OpenCryptDevice(t.Context(), "/dev/some-device", "volume01", false) + _, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false) assert.NoError(t, err) } 
@@ -270,7 +270,7 @@ func TestResizeCryptDevice(t *testing.T) { mapper: testMapper(tc.device), } - res, err := mapper.ResizeCryptDevice(t.Context(), tc.volumeID) + res, err := mapper.ResizeCryptDevice(context.Background(), tc.volumeID) if tc.wantErr { assert.Error(err) } else { diff --git a/csi/kms/constellation.go b/csi/kms/constellation.go index 95e4f848e..9ae1733ae 100644 --- a/csi/kms/constellation.go +++ b/csi/kms/constellation.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kms diff --git a/csi/kms/constellation_test.go b/csi/kms/constellation_test.go index 134404491..3b82a8c1c 100644 --- a/csi/kms/constellation_test.go +++ b/csi/kms/constellation_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kms @@ -57,7 +57,7 @@ func TestConstellationKMS(t *testing.T) { endpoint: listener.Addr().String(), kms: tc.kms, } - res, err := kms.GetDEK(t.Context(), "data-key", 64) + res, err := kms.GetDEK(context.Background(), "data-key", 64) if tc.wantErr { assert.Error(err) diff --git a/csi/test/BUILD.bazel b/csi/test/BUILD.bazel index c2c5b1071..5a27fdf89 100644 --- a/csi/test/BUILD.bazel +++ b/csi/test/BUILD.bazel @@ -42,14 +42,14 @@ go_test( "//csi/cryptmapper", "@com_github_stretchr_testify//assert", "@com_github_stretchr_testify//require", - "@io_bazel_rules_go//go/runfiles", + "@io_bazel_rules_go//go/runfiles:go_default_library", "@org_uber_go_goleak//:goleak", ], "@io_bazel_rules_go//go/platform:linux": [ "//csi/cryptmapper", "@com_github_stretchr_testify//assert", "@com_github_stretchr_testify//require", - "@io_bazel_rules_go//go/runfiles", + "@io_bazel_rules_go//go/runfiles:go_default_library", "@org_uber_go_goleak//:goleak", ], "//conditions:default": [], diff --git a/csi/test/mount_integration_test.go b/csi/test/mount_integration_test.go index c22371c2e..36e9f7b15 100644 
--- a/csi/test/mount_integration_test.go +++ b/csi/test/mount_integration_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package integration @@ -105,7 +105,7 @@ func TestOpenAndClose(t *testing.T) { mapper := cryptmapper.New(&fakeKMS{}) - newPath, err := mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, false) + newPath, err := mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, false) require.NoError(err) defer func() { _ = mapper.CloseCryptDevice(deviceName) @@ -119,14 +119,14 @@ func TestOpenAndClose(t *testing.T) { assert.True(os.IsNotExist(err)) // Opening the same device should return the same path and not error - newPath2, err := mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, false) + newPath2, err := mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, false) require.NoError(err) assert.Equal(newPath, newPath2) // Resize the device resize(devicePath) - resizedPath, err := mapper.ResizeCryptDevice(t.Context(), deviceName) + resizedPath, err := mapper.ResizeCryptDevice(context.Background(), deviceName) require.NoError(err) assert.Equal("/dev/mapper/"+deviceName, resizedPath) @@ -137,7 +137,7 @@ func TestOpenAndClose(t *testing.T) { assert.True(os.IsNotExist(err)) // check if we can reopen the device - _, err = mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, true) + _, err = mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, true) assert.NoError(err) assert.NoError(mapper.CloseCryptDevice(deviceName)) } @@ -150,7 +150,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) { mapper := cryptmapper.New(&fakeKMS{}) - newPath, err := mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, true) + newPath, err := mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, true) require.NoError(err) assert.Equal("/dev/mapper/"+deviceName, newPath) 
@@ -162,13 +162,13 @@ func TestOpenAndCloseIntegrity(t *testing.T) { assert.NoError(err) // Opening the same device should return the same path and not error - newPath2, err := mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, true) + newPath2, err := mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, true) require.NoError(err) assert.Equal(newPath, newPath2) // integrity devices do not support resizing resize(devicePath) - _, err = mapper.ResizeCryptDevice(t.Context(), deviceName) + _, err = mapper.ResizeCryptDevice(context.Background(), deviceName) assert.Error(err) assert.NoError(mapper.CloseCryptDevice(deviceName)) @@ -181,7 +181,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) { assert.True(os.IsNotExist(err)) // check if we can reopen the device - _, err = mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, true) + _, err = mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, true) assert.NoError(err) assert.NoError(mapper.CloseCryptDevice(deviceName)) } @@ -194,13 +194,13 @@ func TestDeviceCloning(t *testing.T) { mapper := cryptmapper.New(&dynamicKMS{}) - _, err := mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, false) + _, err := mapper.OpenCryptDevice(context.Background(), devicePath, deviceName, false) assert.NoError(err) require.NoError(cp(devicePath, devicePath+"-copy")) defer teardown(devicePath + "-copy") - _, err = mapper.OpenCryptDevice(t.Context(), devicePath+"-copy", deviceName+"-copy", false) + _, err = mapper.OpenCryptDevice(context.Background(), devicePath+"-copy", deviceName+"-copy", false) assert.NoError(err) assert.NoError(mapper.CloseCryptDevice(deviceName)) 
@@ -220,7 +220,7 @@ func TestConcurrency(t *testing.T) { wg := sync.WaitGroup{} runTest := func(path, name string) { - newPath, err := mapper.OpenCryptDevice(t.Context(), path, name, false) + newPath, err := mapper.OpenCryptDevice(context.Background(), path, name, false) assert.NoError(err) defer func() { _ = mapper.CloseCryptDevice(name) diff --git a/debugd/cmd/cdbg/cdbg.go b/debugd/cmd/cdbg/cdbg.go index d7962a8c4..24d00f21f 100644 --- a/debugd/cmd/cdbg/cdbg.go +++ b/debugd/cmd/cdbg/cdbg.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/debugd/cmd/debugd/debugd.go b/debugd/cmd/debugd/debugd.go index 02ebfc96e..4140687f7 100644 --- a/debugd/cmd/debugd/debugd.go +++ b/debugd/cmd/debugd/debugd.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/debugd/filebeat/Dockerfile b/debugd/filebeat/Dockerfile index f5badcf9a..2aa6f6b4c 100644 --- a/debugd/filebeat/Dockerfile +++ b/debugd/filebeat/Dockerfile @@ -1,4 +1,4 @@ -FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release +FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS release RUN dnf install -y https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.6.2-x86_64.rpm diff --git a/debugd/filebeat/assets.go b/debugd/filebeat/assets.go index 204b1a3ec..744ef3799 100644 --- a/debugd/filebeat/assets.go +++ b/debugd/filebeat/assets.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package filebeat diff --git a/debugd/internal/cdbg/cmd/deploy.go b/debugd/internal/cdbg/cmd/deploy.go index ea7569d28..d66cf10b7 100644 --- a/debugd/internal/cdbg/cmd/deploy.go +++ b/debugd/internal/cdbg/cmd/deploy.go 
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/debugd/internal/cdbg/cmd/root.go b/debugd/internal/cdbg/cmd/root.go
index 436b524a8..b9b3fae67 100644
--- a/debugd/internal/cdbg/cmd/root.go
+++ b/debugd/internal/cdbg/cmd/root.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package cmd contains the cdbg CLI.
diff --git a/debugd/internal/debugd/constants.go b/debugd/internal/debugd/constants.go
index e831fc8cb..ae3aab8b3 100644
--- a/debugd/internal/debugd/constants.go
+++ b/debugd/internal/debugd/constants.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package debugd
diff --git a/debugd/internal/debugd/debugd.go b/debugd/internal/debugd/debugd.go
index 645447c0a..d5453dbf8 100644
--- a/debugd/internal/debugd/debugd.go
+++ b/debugd/internal/debugd/debugd.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package debugd contains internal packages for the debugd.
diff --git a/debugd/internal/debugd/deploy/deploy.go b/debugd/internal/debugd/deploy/deploy.go
index 7e43f70cd..d91e0243f 100644
--- a/debugd/internal/debugd/deploy/deploy.go
+++ b/debugd/internal/debugd/deploy/deploy.go
@@ -1,6 +1,6 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/debugd/internal/debugd/deploy/download.go b/debugd/internal/debugd/deploy/download.go
index 0409389f3..96ae8fd2f 100644
--- a/debugd/internal/debugd/deploy/download.go
+++ b/debugd/internal/debugd/deploy/download.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package deploy
diff --git a/debugd/internal/debugd/deploy/download_test.go b/debugd/internal/debugd/deploy/download_test.go index 0cd800124..8477377c5 100644 --- a/debugd/internal/debugd/deploy/download_test.go +++ b/debugd/internal/debugd/deploy/download_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package deploy @@ -123,7 +123,7 @@ func TestDownloadDeployment(t *testing.T) { serviceManager: serviceMgr, } - err := download.DownloadDeployment(t.Context(), ip) + err := download.DownloadDeployment(context.Background(), ip) if tc.wantErr { assert.Error(err) @@ -194,7 +194,7 @@ func TestDownloadInfo(t *testing.T) { info: &tc.infoSetter, } - err := download.DownloadInfo(t.Context(), ip) + err := download.DownloadInfo(context.Background(), ip) if tc.wantErr { assert.Error(err) diff --git a/debugd/internal/debugd/deploy/service.go b/debugd/internal/debugd/deploy/service.go index 618875989..114e5da58 100644 --- a/debugd/internal/debugd/deploy/service.go +++ b/debugd/internal/debugd/deploy/service.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package deploy diff --git a/debugd/internal/debugd/deploy/service_test.go b/debugd/internal/debugd/deploy/service_test.go index 06d9820cd..f0b398333 100644 --- a/debugd/internal/debugd/deploy/service_test.go +++ b/debugd/internal/debugd/deploy/service_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package deploy @@ -108,7 +108,7 @@ func TestSystemdAction(t *testing.T) { fs: fs, systemdUnitFilewriteLock: sync.Mutex{}, } - err := manager.SystemdAction(t.Context(), ServiceManagerRequest{ + err := manager.SystemdAction(context.Background(), ServiceManagerRequest{ Unit: unitName, Action: tc.action, }) 
@@ -188,7 +188,7 @@ func TestWriteSystemdUnitFile(t *testing.T) { fs: fs, systemdUnitFilewriteLock: sync.Mutex{}, } - err := manager.WriteSystemdUnitFile(t.Context(), tc.unit) + err := manager.WriteSystemdUnitFile(context.Background(), tc.unit) if tc.wantErr { assert.Error(err) @@ -302,7 +302,7 @@ func TestOverrideServiceUnitExecStart(t *testing.T) { fs: fs, systemdUnitFilewriteLock: sync.Mutex{}, } - err := manager.OverrideServiceUnitExecStart(t.Context(), tc.unitName, tc.execStart) + err := manager.OverrideServiceUnitExecStart(context.Background(), tc.unitName, tc.execStart) if tc.wantErr { assert.Error(err) diff --git a/debugd/internal/debugd/deploy/wrappers.go b/debugd/internal/debugd/deploy/wrappers.go index 57391d6a6..1c5acaee3 100644 --- a/debugd/internal/debugd/deploy/wrappers.go +++ b/debugd/internal/debugd/deploy/wrappers.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package deploy diff --git a/debugd/internal/debugd/info/info.go b/debugd/internal/debugd/info/info.go index a9a193734..06df4c71c 100644 --- a/debugd/internal/debugd/info/info.go +++ b/debugd/internal/debugd/info/info.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package info implements the info map that is diff --git a/debugd/internal/debugd/info/info_test.go b/debugd/internal/debugd/info/info_test.go index a2b38422d..9c129ff6a 100644 --- a/debugd/internal/debugd/info/info_test.go +++ b/debugd/internal/debugd/info/info_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package info diff --git a/debugd/internal/debugd/logcollector/credentials.go b/debugd/internal/debugd/logcollector/credentials.go index 03b94b174..3ada029e1 100644 --- a/debugd/internal/debugd/logcollector/credentials.go 
+++ b/debugd/internal/debugd/logcollector/credentials.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package logcollector diff --git a/debugd/internal/debugd/logcollector/credentials_test.go b/debugd/internal/debugd/logcollector/credentials_test.go index 4bef5d86f..19d113c99 100644 --- a/debugd/internal/debugd/logcollector/credentials_test.go +++ b/debugd/internal/debugd/logcollector/credentials_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package logcollector @@ -67,7 +67,7 @@ func TestGetOpensearchCredentialsGCP(t *testing.T) { g := &gcpCloudCredentialGetter{secretsAPI: tc.gcpAPI} - gotCreds, err := g.GetOpensearchCredentials(t.Context()) + gotCreds, err := g.GetOpensearchCredentials(context.Background()) if tc.wantErr { assert.Error(err) @@ -127,7 +127,7 @@ func TestGetOpensearchCredentialsAzure(t *testing.T) { a := &azureCloudCredentialGetter{secretsAPI: tc.azureAPI} - gotCreds, err := a.GetOpensearchCredentials(t.Context()) + gotCreds, err := a.GetOpensearchCredentials(context.Background()) if tc.wantErr { assert.Error(err) @@ -184,7 +184,7 @@ func TestGetOpensearchCredentialsAWS(t *testing.T) { a := &awsCloudCredentialGetter{secretmanager: tc.awsAPI} - gotCreds, err := a.GetOpensearchCredentials(t.Context()) + gotCreds, err := a.GetOpensearchCredentials(context.Background()) if tc.wantErr { assert.Error(err) diff --git a/debugd/internal/debugd/logcollector/fields.go b/debugd/internal/debugd/logcollector/fields.go index e35864c72..1de7de844 100644 --- a/debugd/internal/debugd/logcollector/fields.go +++ b/debugd/internal/debugd/logcollector/fields.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package logcollector 
diff --git a/debugd/internal/debugd/logcollector/logcollector.go b/debugd/internal/debugd/logcollector/logcollector.go index 809133ad0..152a79894 100644 --- a/debugd/internal/debugd/logcollector/logcollector.go +++ b/debugd/internal/debugd/logcollector/logcollector.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package logcollector uses podman to deploy logstash and filebeat containers diff --git a/debugd/internal/debugd/metadata/cloudprovider/cloudprovider.go b/debugd/internal/debugd/metadata/cloudprovider/cloudprovider.go index 52a7d09d3..64a19aa3d 100644 --- a/debugd/internal/debugd/metadata/cloudprovider/cloudprovider.go +++ b/debugd/internal/debugd/metadata/cloudprovider/cloudprovider.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package cloudprovider implements a metadata service for cloud providers. diff --git a/debugd/internal/debugd/metadata/cloudprovider/cloudprovider_test.go b/debugd/internal/debugd/metadata/cloudprovider/cloudprovider_test.go index 52c29e1b3..e7cbf23e5 100644 --- a/debugd/internal/debugd/metadata/cloudprovider/cloudprovider_test.go +++ b/debugd/internal/debugd/metadata/cloudprovider/cloudprovider_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudprovider @@ -56,7 +56,7 @@ func TestRole(t *testing.T) { fetcher := Fetcher{tc.meta} - role, err := fetcher.Role(t.Context()) + role, err := fetcher.Role(context.Background()) if tc.wantErr { assert.Error(err) @@ -110,7 +110,7 @@ func TestDiscoverDebugIPs(t *testing.T) { fetcher := Fetcher{ metaAPI: &tc.meta, } - ips, err := fetcher.DiscoverDebugdIPs(t.Context()) + ips, err := fetcher.DiscoverDebugdIPs(context.Background()) if tc.wantErr { assert.Error(err) 
@@ -149,7 +149,7 @@ func TestDiscoverLoadBalancerIP(t *testing.T) { metaAPI: tc.metaAPI, } - ip, err := fetcher.DiscoverLoadBalancerIP(t.Context()) + ip, err := fetcher.DiscoverLoadBalancerIP(context.Background()) if tc.wantErr { assert.Error(err) diff --git a/debugd/internal/debugd/metadata/fallback/fallback.go b/debugd/internal/debugd/metadata/fallback/fallback.go index 9b60a1a77..39308390f 100644 --- a/debugd/internal/debugd/metadata/fallback/fallback.go +++ b/debugd/internal/debugd/metadata/fallback/fallback.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package fallback implements a fake metadata backend. diff --git a/debugd/internal/debugd/metadata/fallback/fallback_test.go b/debugd/internal/debugd/metadata/fallback/fallback_test.go index c00fb5893..9ec2d4e0b 100644 --- a/debugd/internal/debugd/metadata/fallback/fallback_test.go +++ b/debugd/internal/debugd/metadata/fallback/fallback_test.go @@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package fallback import ( + "context" "testing" "github.com/edgelesssys/constellation/v2/internal/role" @@ -22,19 +23,19 @@ func TestDiscoverDebugdIPs(t *testing.T) { assert := assert.New(t) fetcher := NewFallbackFetcher() - ips, err := fetcher.DiscoverDebugdIPs(t.Context()) + ips, err := fetcher.DiscoverDebugdIPs(context.Background()) assert.NoError(err) assert.Empty(ips) - rol, err := fetcher.Role(t.Context()) + rol, err := fetcher.Role(context.Background()) assert.NoError(err) assert.Equal(rol, role.Unknown) - uid, err := fetcher.UID(t.Context()) + uid, err := fetcher.UID(context.Background()) assert.NoError(err) assert.Empty(uid) - self, err := fetcher.Self(t.Context()) + self, err := fetcher.Self(context.Background()) assert.NoError(err) assert.Empty(self) } 
diff --git a/debugd/internal/debugd/metadata/metadata.go b/debugd/internal/debugd/metadata/metadata.go index 814e3d7f4..cecbff67a 100644 --- a/debugd/internal/debugd/metadata/metadata.go +++ b/debugd/internal/debugd/metadata/metadata.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package metadata schedules the discovery of other debugd instances diff --git a/debugd/internal/debugd/metadata/scheduler.go b/debugd/internal/debugd/metadata/scheduler.go index e7352fb73..bf6705fec 100644 --- a/debugd/internal/debugd/metadata/scheduler.go +++ b/debugd/internal/debugd/metadata/scheduler.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package metadata diff --git a/debugd/internal/debugd/metadata/scheduler_test.go b/debugd/internal/debugd/metadata/scheduler_test.go index 165022837..13f9d4707 100644 --- a/debugd/internal/debugd/metadata/scheduler_test.go +++ b/debugd/internal/debugd/metadata/scheduler_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package metadata @@ -91,7 +91,7 @@ func TestSchedulerStart(t *testing.T) { } wg := &sync.WaitGroup{} - scheduler.Start(t.Context(), wg) + scheduler.Start(context.Background(), wg) wg.Wait() assert.Equal(tc.wantDeploymentDownloads, tc.downloader.downloadDeploymentIPs) diff --git a/debugd/internal/debugd/server/server.go b/debugd/internal/debugd/server/server.go index ef0763a10..64bbbc042 100644 --- a/debugd/internal/debugd/server/server.go +++ b/debugd/internal/debugd/server/server.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package server implements the gRPC endpoint of Constellation's debugd. 
diff --git a/debugd/internal/debugd/server/server_test.go b/debugd/internal/debugd/server/server_test.go index a340c425f..30d2a2c9e 100644 --- a/debugd/internal/debugd/server/server_test.go +++ b/debugd/internal/debugd/server/server_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package server @@ -79,7 +79,7 @@ func TestSetInfo(t *testing.T) { defer conn.Close() client := pb.NewDebugdClient(conn) - setInfoStatus, err := client.SetInfo(t.Context(), &pb.SetInfoRequest{Info: tc.setInfo}) + setInfoStatus, err := client.SetInfo(context.Background(), &pb.SetInfoRequest{Info: tc.setInfo}) grpcServ.GracefulStop() assert.NoError(err) @@ -137,7 +137,7 @@ func TestGetInfo(t *testing.T) { defer conn.Close() client := pb.NewDebugdClient(conn) - resp, err := client.GetInfo(t.Context(), &pb.GetInfoRequest{}) + resp, err := client.GetInfo(context.Background(), &pb.GetInfoRequest{}) grpcServ.GracefulStop() if tc.wantErr { @@ -201,7 +201,7 @@ func TestUploadFiles(t *testing.T) { require.NoError(err) defer conn.Close() client := pb.NewDebugdClient(conn) - stream, err := client.UploadFiles(t.Context()) + stream, err := client.UploadFiles(context.Background()) require.NoError(err) resp, err := stream.CloseAndRecv() @@ -245,7 +245,7 @@ func TestDownloadFiles(t *testing.T) { require.NoError(err) defer conn.Close() client := pb.NewDebugdClient(conn) - stream, err := client.DownloadFiles(t.Context(), tc.request) + stream, err := client.DownloadFiles(context.Background(), tc.request) require.NoError(err) _, recvErr := stream.Recv() if tc.wantRecvErr { @@ -324,7 +324,7 @@ func TestUploadSystemServiceUnits(t *testing.T) { require.NoError(err) defer conn.Close() client := pb.NewDebugdClient(conn) - resp, err := client.UploadSystemServiceUnits(t.Context(), tc.request) + resp, err := client.UploadSystemServiceUnits(context.Background(), tc.request) grpcServ.GracefulStop() 
diff --git a/debugd/internal/filetransfer/chunkstream.go b/debugd/internal/filetransfer/chunkstream.go index 5fea59a15..9c36b968f 100644 --- a/debugd/internal/filetransfer/chunkstream.go +++ b/debugd/internal/filetransfer/chunkstream.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package filetransfer diff --git a/debugd/internal/filetransfer/chunkstream_test.go b/debugd/internal/filetransfer/chunkstream_test.go index e09e144de..f01cbc136 100644 --- a/debugd/internal/filetransfer/chunkstream_test.go +++ b/debugd/internal/filetransfer/chunkstream_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package filetransfer diff --git a/debugd/internal/filetransfer/filetransfer.go b/debugd/internal/filetransfer/filetransfer.go index c15c5d0e4..04c784be1 100644 --- a/debugd/internal/filetransfer/filetransfer.go +++ b/debugd/internal/filetransfer/filetransfer.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package filetransfer implements the exchange of files between cdgb <-> debugd diff --git a/debugd/internal/filetransfer/filetransfer_test.go b/debugd/internal/filetransfer/filetransfer_test.go index 7628edc3e..fed9d9d05 100644 --- a/debugd/internal/filetransfer/filetransfer_test.go +++ b/debugd/internal/filetransfer/filetransfer_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package filetransfer diff --git a/debugd/internal/filetransfer/streamer/streamer.go b/debugd/internal/filetransfer/streamer/streamer.go index f48276ee9..3648bb4d5 100644 --- a/debugd/internal/filetransfer/streamer/streamer.go +++ b/debugd/internal/filetransfer/streamer/streamer.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package streamer implements streaming of files over gRPC. diff --git a/debugd/internal/filetransfer/streamer/streamer_test.go b/debugd/internal/filetransfer/streamer/streamer_test.go index 06e95324d..ec64b8ba9 100644 --- a/debugd/internal/filetransfer/streamer/streamer_test.go +++ b/debugd/internal/filetransfer/streamer/streamer_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package streamer diff --git a/debugd/logstash/Dockerfile b/debugd/logstash/Dockerfile index 8d538596a..e0db1695a 100644 --- a/debugd/logstash/Dockerfile +++ b/debugd/logstash/Dockerfile @@ -1,11 +1,11 @@ -FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS build +FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS build ARG LOGSTASH_VER=8.6.1 RUN curl -fsSLO https://artifacts.opensearch.org/logstash/logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz RUN tar -zxvf logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz -FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release +FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS release COPY --from=build logstash-* /usr/share/logstash diff --git a/debugd/logstash/assets.go b/debugd/logstash/assets.go index 4fda7bb88..e49e1f60d 100644 --- a/debugd/logstash/assets.go +++ b/debugd/logstash/assets.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package logstash diff --git a/debugd/metricbeat/Dockerfile b/debugd/metricbeat/Dockerfile index 11694af43..108882355 100644 --- a/debugd/metricbeat/Dockerfile +++ b/debugd/metricbeat/Dockerfile 
@@ -1,4 +1,4 @@ -FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release +FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS release RUN dnf install -y https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-8.9.2-x86_64.rpm diff --git a/debugd/metricbeat/assets.go b/debugd/metricbeat/assets.go index faa3dc8fa..8f3f954f1 100644 --- a/debugd/metricbeat/assets.go +++ b/debugd/metricbeat/assets.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package metricbeat diff --git a/debugd/service/debugd.pb.go b/debugd/service/debugd.pb.go index 8414c895f..ac419ec40 100644 --- a/debugd/service/debugd.pb.go +++ b/debugd/service/debugd.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 -// protoc v5.29.1 +// protoc-gen-go v1.35.2 +// protoc v5.29.0--rc2 // source: debugd/service/debugd.proto package service @@ -15,7 +15,6 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" - unsafe "unsafe" ) const ( @@ -173,10 +172,11 @@ func (UploadSystemdServiceUnitsStatus) EnumDescriptor() ([]byte, []int) { } type SetInfoRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - Info []*Info `protobuf:"bytes,1,rep,name=info,proto3" json:"info,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Info []*Info `protobuf:"bytes,1,rep,name=info,proto3" json:"info,omitempty"` } func (x *SetInfoRequest) Reset() { 
@@ -217,10 +217,11 @@ func (x *SetInfoRequest) GetInfo() []*Info { } type SetInfoResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Status SetInfoStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.SetInfoStatus" json:"status,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Status SetInfoStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.SetInfoStatus" json:"status,omitempty"` } func (x *SetInfoResponse) Reset() { @@ -261,9 +262,9 @@ func (x *SetInfoResponse) GetStatus() SetInfoStatus { } type GetInfoRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields } func (x *GetInfoRequest) Reset() { @@ -297,10 +298,11 @@ func (*GetInfoRequest) Descriptor() ([]byte, []int) { } type GetInfoResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Info []*Info `protobuf:"bytes,1,rep,name=info,proto3" json:"info,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Info []*Info `protobuf:"bytes,1,rep,name=info,proto3" json:"info,omitempty"` } func (x *GetInfoResponse) Reset() { 
@@ -341,11 +343,12 @@ func (x *GetInfoResponse) GetInfo() []*Info { } type Info struct { - state protoimpl.MessageState `protogen:"open.v1"` - Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` - Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` + Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"` } func (x *Info) Reset() { @@ -393,9 +396,9 @@ func (x *Info) GetValue() string { } type DownloadFilesRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields } func (x *DownloadFilesRequest) Reset() { @@ -429,14 +432,15 @@ func (*DownloadFilesRequest) Descriptor() ([]byte, []int) { } type FileTransferMessage struct { - state protoimpl.MessageState `protogen:"open.v1"` - // Types that are valid to be assigned to Kind: + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Kind: // // *FileTransferMessage_Header // *FileTransferMessage_Chunk - Kind isFileTransferMessage_Kind `protobuf_oneof:"kind"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + Kind isFileTransferMessage_Kind `protobuf_oneof:"kind"` } func (x *FileTransferMessage) Reset() { 
@@ -469,27 +473,23 @@ func (*FileTransferMessage) Descriptor() ([]byte, []int) { return file_debugd_service_debugd_proto_rawDescGZIP(), []int{6} } -func (x *FileTransferMessage) GetKind() isFileTransferMessage_Kind { - if x != nil { - return x.Kind +func (m *FileTransferMessage) GetKind() isFileTransferMessage_Kind { + if m != nil { + return m.Kind } return nil } func (x *FileTransferMessage) GetHeader() *FileTransferHeader { - if x != nil { - if x, ok := x.Kind.(*FileTransferMessage_Header); ok { - return x.Header - } + if x, ok := x.GetKind().(*FileTransferMessage_Header); ok { + return x.Header } return nil } func (x *FileTransferMessage) GetChunk() *Chunk { - if x != nil { - if x, ok := x.Kind.(*FileTransferMessage_Chunk); ok { - return x.Chunk - } + if x, ok := x.GetKind().(*FileTransferMessage_Chunk); ok { + return x.Chunk } return nil } @@ -511,12 +511,13 @@ func (*FileTransferMessage_Header) isFileTransferMessage_Kind() {} func (*FileTransferMessage_Chunk) isFileTransferMessage_Kind() {} type FileTransferHeader struct { - state protoimpl.MessageState `protogen:"open.v1"` - TargetPath string `protobuf:"bytes,1,opt,name=targetPath,proto3" json:"targetPath,omitempty"` - Mode uint32 `protobuf:"varint,3,opt,name=mode,proto3" json:"mode,omitempty"` - OverrideServiceUnit *string `protobuf:"bytes,4,opt,name=overrideServiceUnit,proto3,oneof" json:"overrideServiceUnit,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + TargetPath string `protobuf:"bytes,1,opt,name=targetPath,proto3" json:"targetPath,omitempty"` + Mode uint32 `protobuf:"varint,3,opt,name=mode,proto3" json:"mode,omitempty"` + OverrideServiceUnit *string `protobuf:"bytes,4,opt,name=overrideServiceUnit,proto3,oneof" json:"overrideServiceUnit,omitempty"` } func (x *FileTransferHeader) Reset() { 
@@ -571,11 +572,12 @@ func (x *FileTransferHeader) GetOverrideServiceUnit() string { } type Chunk struct { - state protoimpl.MessageState `protogen:"open.v1"` - Content []byte `protobuf:"bytes,1,opt,name=content,proto3" json:"content,omitempty"` - Last bool `protobuf:"varint,2,opt,name=last,proto3" json:"last,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Content []byte `protobuf:"bytes,1,opt,name=content,proto3" json:"content,omitempty"` + Last bool `protobuf:"varint,2,opt,name=last,proto3" json:"last,omitempty"` } func (x *Chunk) Reset() { @@ -623,11 +625,12 @@ func (x *Chunk) GetLast() bool { } type UploadFilesResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Status UploadFilesStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.UploadFilesStatus" json:"status,omitempty"` - Error string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Status UploadFilesStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.UploadFilesStatus" json:"status,omitempty"` + Error string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"` } func (x *UploadFilesResponse) Reset() { 
@@ -675,11 +678,12 @@ func (x *UploadFilesResponse) GetError() string { } type ServiceUnit struct { - state protoimpl.MessageState `protogen:"open.v1"` - Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` - Contents string `protobuf:"bytes,2,opt,name=contents,proto3" json:"contents,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + Contents string `protobuf:"bytes,2,opt,name=contents,proto3" json:"contents,omitempty"` } func (x *ServiceUnit) Reset() { @@ -727,10 +731,11 @@ func (x *ServiceUnit) GetContents() string { } type UploadSystemdServiceUnitsRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - Units []*ServiceUnit `protobuf:"bytes,1,rep,name=units,proto3" json:"units,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Units []*ServiceUnit `protobuf:"bytes,1,rep,name=units,proto3" json:"units,omitempty"` } func (x *UploadSystemdServiceUnitsRequest) Reset() { @@ -771,10 +776,11 @@ func (x *UploadSystemdServiceUnitsRequest) GetUnits() []*ServiceUnit { } type UploadSystemdServiceUnitsResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Status UploadSystemdServiceUnitsStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.UploadSystemdServiceUnitsStatus" json:"status,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Status UploadSystemdServiceUnitsStatus `protobuf:"varint,1,opt,name=status,proto3,enum=debugd.UploadSystemdServiceUnitsStatus" json:"status,omitempty"` } func (x *UploadSystemdServiceUnitsResponse) Reset() { 
@@ -816,71 +822,130 @@ func (x *UploadSystemdServiceUnitsResponse) GetStatus() UploadSystemdServiceUnit var File_debugd_service_debugd_proto protoreflect.FileDescriptor -const file_debugd_service_debugd_proto_rawDesc = "" + - "\n" + - "\x1bdebugd/service/debugd.proto\x12\x06debugd\"2\n" + - "\x0eSetInfoRequest\x12 \n" + - "\x04info\x18\x01 \x03(\v2\f.debugd.InfoR\x04info\"@\n" + - "\x0fSetInfoResponse\x12-\n" + - "\x06status\x18\x01 \x01(\x0e2\x15.debugd.SetInfoStatusR\x06status\"\x10\n" + - "\x0eGetInfoRequest\"3\n" + - "\x0fGetInfoResponse\x12 \n" + - "\x04info\x18\x01 \x03(\v2\f.debugd.InfoR\x04info\".\n" + - "\x04Info\x12\x10\n" + - "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value\"\x16\n" + - "\x14DownloadFilesRequest\"z\n" + - "\x13FileTransferMessage\x124\n" + - "\x06header\x18\x01 \x01(\v2\x1a.debugd.FileTransferHeaderH\x00R\x06header\x12%\n" + - "\x05chunk\x18\x02 \x01(\v2\r.debugd.ChunkH\x00R\x05chunkB\x06\n" + - "\x04kind\"\x97\x01\n" + - "\x12FileTransferHeader\x12\x1e\n" + - "\n" + - "targetPath\x18\x01 \x01(\tR\n" + - "targetPath\x12\x12\n" + - "\x04mode\x18\x03 \x01(\rR\x04mode\x125\n" + - "\x13overrideServiceUnit\x18\x04 \x01(\tH\x00R\x13overrideServiceUnit\x88\x01\x01B\x16\n" + - "\x14_overrideServiceUnit\"5\n" + - "\x05Chunk\x12\x18\n" + - "\acontent\x18\x01 \x01(\fR\acontent\x12\x12\n" + - "\x04last\x18\x02 \x01(\bR\x04last\"^\n" + - "\x13UploadFilesResponse\x121\n" + - "\x06status\x18\x01 \x01(\x0e2\x19.debugd.UploadFilesStatusR\x06status\x12\x14\n" + - "\x05error\x18\x02 \x01(\tR\x05error\"=\n" + - "\vServiceUnit\x12\x12\n" + - "\x04name\x18\x01 \x01(\tR\x04name\x12\x1a\n" + - "\bcontents\x18\x02 \x01(\tR\bcontents\"M\n" + - " UploadSystemdServiceUnitsRequest\x12)\n" + - "\x05units\x18\x01 \x03(\v2\x13.debugd.ServiceUnitR\x05units\"d\n" + - "!UploadSystemdServiceUnitsResponse\x12?\n" + - "\x06status\x18\x01 \x01(\x0e2'.debugd.UploadSystemdServiceUnitsStatusR\x06status*?\n" + - "\rSetInfoStatus\x12\x14\n" + - 
"\x10SET_INFO_SUCCESS\x10\x00\x12\x18\n" + - "\x14SET_INFO_ALREADY_SET\x10\x01*\xb1\x01\n" + - "\x11UploadFilesStatus\x12\x18\n" + - "\x14UPLOAD_FILES_SUCCESS\x10\x00\x12\x1e\n" + - "\x1aUPLOAD_FILES_UPLOAD_FAILED\x10\x01\x12 \n" + - "\x1cUPLOAD_FILES_ALREADY_STARTED\x10\x02\x12!\n" + - "\x1dUPLOAD_FILES_ALREADY_FINISHED\x10\x03\x12\x1d\n" + - "\x19UPLOAD_FILES_START_FAILED\x10\x04*u\n" + - "\x1fUploadSystemdServiceUnitsStatus\x12(\n" + - "$UPLOAD_SYSTEMD_SERVICE_UNITS_SUCCESS\x10\x00\x12(\n" + - "$UPLOAD_SYSTEMD_SERVICE_UNITS_FAILURE\x10\x012\x94\x03\n" + - "\x06Debugd\x12<\n" + - "\aSetInfo\x12\x16.debugd.SetInfoRequest\x1a\x17.debugd.SetInfoResponse\"\x00\x12<\n" + - "\aGetInfo\x12\x16.debugd.GetInfoRequest\x1a\x17.debugd.GetInfoResponse\"\x00\x12K\n" + - "\vUploadFiles\x12\x1b.debugd.FileTransferMessage\x1a\x1b.debugd.UploadFilesResponse\"\x00(\x01\x12N\n" + - "\rDownloadFiles\x12\x1c.debugd.DownloadFilesRequest\x1a\x1b.debugd.FileTransferMessage\"\x000\x01\x12q\n" + - "\x18UploadSystemServiceUnits\x12(.debugd.UploadSystemdServiceUnitsRequest\x1a).debugd.UploadSystemdServiceUnitsResponse\"\x00B8Z6github.com/edgelesssys/constellation/v2/debugd/serviceb\x06proto3" +var file_debugd_service_debugd_proto_rawDesc = []byte{ + 0x0a, 0x1b, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x2f, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06, 0x64, + 0x65, 0x62, 0x75, 0x67, 0x64, 0x22, 0x32, 0x0a, 0x0e, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x20, 0x0a, 0x04, 0x69, 0x6e, 0x66, 0x6f, 0x18, + 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0c, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x49, + 0x6e, 0x66, 0x6f, 0x52, 0x04, 0x69, 0x6e, 0x66, 0x6f, 0x22, 0x40, 0x0a, 0x0f, 0x53, 0x65, 0x74, + 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2d, 0x0a, 0x06, + 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 
0x0e, 0x32, 0x15, 0x2e, 0x64, + 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x10, 0x0a, 0x0e, 0x47, + 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x33, 0x0a, + 0x0f, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x20, 0x0a, 0x04, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0c, + 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x04, 0x69, 0x6e, + 0x66, 0x6f, 0x22, 0x2e, 0x0a, 0x04, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, + 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x22, 0x16, 0x0a, 0x14, 0x44, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, + 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x7a, 0x0a, 0x13, 0x46, 0x69, + 0x6c, 0x65, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, + 0x65, 0x12, 0x34, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1a, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x54, + 0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00, 0x52, + 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x25, 0x0a, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, + 0x43, 0x68, 0x75, 0x6e, 0x6b, 0x48, 0x00, 0x52, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x42, 0x06, + 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x22, 0x97, 0x01, 0x0a, 0x12, 0x46, 0x69, 0x6c, 0x65, 0x54, + 0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x1e, 0x0a, + 0x0a, 
0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x61, 0x74, 0x68, 0x12, 0x12, 0x0a, + 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x6d, 0x6f, 0x64, + 0x65, 0x12, 0x35, 0x0a, 0x13, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x53, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, + 0x52, 0x13, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x55, 0x6e, 0x69, 0x74, 0x88, 0x01, 0x01, 0x42, 0x16, 0x0a, 0x14, 0x5f, 0x6f, 0x76, 0x65, + 0x72, 0x72, 0x69, 0x64, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, + 0x22, 0x35, 0x0a, 0x05, 0x43, 0x68, 0x75, 0x6e, 0x6b, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, + 0x74, 0x65, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, + 0x65, 0x6e, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6c, 0x61, 0x73, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x08, 0x52, 0x04, 0x6c, 0x61, 0x73, 0x74, 0x22, 0x5e, 0x0a, 0x13, 0x55, 0x70, 0x6c, 0x6f, 0x61, + 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x31, + 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x19, + 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, + 0x6c, 0x65, 0x73, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, + 0x73, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x3d, 0x0a, 0x0b, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x63, 0x6f, + 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x73, 0x18, 
0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x63, 0x6f, + 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x4d, 0x0a, 0x20, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, + 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, + 0x69, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x29, 0x0a, 0x05, 0x75, 0x6e, + 0x69, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x64, 0x65, 0x62, 0x75, + 0x67, 0x64, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x52, 0x05, + 0x75, 0x6e, 0x69, 0x74, 0x73, 0x22, 0x64, 0x0a, 0x21, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, + 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, + 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x06, 0x73, 0x74, + 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x62, + 0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, + 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x2a, 0x3f, 0x0a, 0x0d, 0x53, + 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x14, 0x0a, 0x10, + 0x53, 0x45, 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x5f, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53, + 0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x45, 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x5f, 0x41, + 0x4c, 0x52, 0x45, 0x41, 0x44, 0x59, 0x5f, 0x53, 0x45, 0x54, 0x10, 0x01, 0x2a, 0xb1, 0x01, 0x0a, + 0x11, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x53, 0x74, 0x61, 0x74, + 0x75, 0x73, 0x12, 0x18, 0x0a, 0x14, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, + 0x45, 0x53, 0x5f, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53, 0x10, 0x00, 0x12, 0x1e, 0x0a, 0x1a, + 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x53, 0x5f, 
0x55, 0x50, 0x4c, + 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x01, 0x12, 0x20, 0x0a, 0x1c, + 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x53, 0x5f, 0x41, 0x4c, 0x52, + 0x45, 0x41, 0x44, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x52, 0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x21, + 0x0a, 0x1d, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x53, 0x5f, 0x41, + 0x4c, 0x52, 0x45, 0x41, 0x44, 0x59, 0x5f, 0x46, 0x49, 0x4e, 0x49, 0x53, 0x48, 0x45, 0x44, 0x10, + 0x03, 0x12, 0x1d, 0x0a, 0x19, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45, + 0x53, 0x5f, 0x53, 0x54, 0x41, 0x52, 0x54, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x04, + 0x2a, 0x75, 0x0a, 0x1f, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, + 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x12, 0x28, 0x0a, 0x24, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x53, 0x59, + 0x53, 0x54, 0x45, 0x4d, 0x44, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x5f, 0x55, 0x4e, + 0x49, 0x54, 0x53, 0x5f, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53, 0x10, 0x00, 0x12, 0x28, 0x0a, + 0x24, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x53, 0x59, 0x53, 0x54, 0x45, 0x4d, 0x44, 0x5f, + 0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x5f, 0x55, 0x4e, 0x49, 0x54, 0x53, 0x5f, 0x46, 0x41, + 0x49, 0x4c, 0x55, 0x52, 0x45, 0x10, 0x01, 0x32, 0x94, 0x03, 0x0a, 0x06, 0x44, 0x65, 0x62, 0x75, + 0x67, 0x64, 0x12, 0x3c, 0x0a, 0x07, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x16, 0x2e, + 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x53, + 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, + 0x12, 0x3c, 0x0a, 0x07, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x16, 0x2e, 0x64, 0x65, + 0x62, 0x75, 0x67, 
0x64, 0x2e, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x47, 0x65, 0x74, + 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x4b, + 0x0a, 0x0b, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x1b, 0x2e, + 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x54, 0x72, 0x61, 0x6e, 0x73, + 0x66, 0x65, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1b, 0x2e, 0x64, 0x65, 0x62, + 0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x12, 0x4e, 0x0a, 0x0d, 0x44, + 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x1c, 0x2e, 0x64, + 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x44, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, + 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1b, 0x2e, 0x64, 0x65, 0x62, + 0x75, 0x67, 0x64, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, + 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x71, 0x0a, 0x18, 0x55, + 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x12, 0x28, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, + 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x29, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, + 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, + 0x6e, 0x69, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x38, + 0x5a, 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 
0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, + 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, + 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, + 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} var ( file_debugd_service_debugd_proto_rawDescOnce sync.Once - file_debugd_service_debugd_proto_rawDescData []byte + file_debugd_service_debugd_proto_rawDescData = file_debugd_service_debugd_proto_rawDesc ) func file_debugd_service_debugd_proto_rawDescGZIP() []byte { file_debugd_service_debugd_proto_rawDescOnce.Do(func() { - file_debugd_service_debugd_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_debugd_service_debugd_proto_rawDesc), len(file_debugd_service_debugd_proto_rawDesc))) + file_debugd_service_debugd_proto_rawDescData = protoimpl.X.CompressGZIP(file_debugd_service_debugd_proto_rawDescData) }) return file_debugd_service_debugd_proto_rawDescData } @@ -945,7 +1010,7 @@ func file_debugd_service_debugd_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_debugd_service_debugd_proto_rawDesc), len(file_debugd_service_debugd_proto_rawDesc)), + RawDescriptor: file_debugd_service_debugd_proto_rawDesc, NumEnums: 3, NumMessages: 13, NumExtensions: 0, @@ -957,6 +1022,7 @@ func file_debugd_service_debugd_proto_init() { MessageInfos: file_debugd_service_debugd_proto_msgTypes, }.Build() File_debugd_service_debugd_proto = out.File + file_debugd_service_debugd_proto_rawDesc = nil file_debugd_service_debugd_proto_goTypes = nil file_debugd_service_debugd_proto_depIdxs = nil } diff --git a/dev-docs/howto/longhorn.md b/dev-docs/howto/longhorn.md index 61e791a74..6c13c9d6e 100644 --- a/dev-docs/howto/longhorn.md +++ b/dev-docs/howto/longhorn.md 
@@ -1,6 +1,6 @@ # Longhorn on Constellatioin -To build Longhorn compatible images, apply the following changes. Those stem from [their installation guide](https://longhorn.io/docs/1.7.2/deploy/install/#installation-requirements). +To build Longhorn compatible images, apply the following changes. Those stem from [their installation guide](https://longhorn.io/docs/1.5.3/deploy/install/#installation-requirements). ```diff diff --git a/image/mkosi.conf.d/azure.conf b/image/mkosi.conf.d/azure.conf diff --git a/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl b/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl index a4e090c0d..0e0fc1026 100644 --- a/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl +++ b/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl 
@@ -2,62 +2,62 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.29.0" - constraints = "4.29.0" + version = "4.12.0" + constraints = "4.12.0" hashes = [ - "h1:Bde/KCh2xGVCBx/JnixC3I2fmoRTwHXgsapfQ5QG8eg=", - "h1:IyINmgNiLfWx3Istkt5Mz+IJrDhSMhj3/qQeJlC4qS4=", - "h1:KEJAt0mJAACyIKUB5mCk/wqtxKMhivdeW8w6byz5Ll4=", - "h1:Y4gTSs+ZE5YSJVXG2qmsbXmv9Daq5aGM8Ip/GE6nev8=", - "h1:YtcHvTVfVBKbMCp9esoj527R1UK/hU0Zmo3pyQb8YhQ=", - "h1:atJdgnuqk+w3v4Zzhw2B1FZeYYA4su9JfanwNsx+c8o=", - "h1:c9tmtEdVTb9siGa3hVxPrMVl9ij5zijnD02JMHcHjrE=", - "h1:eN0KhMGVepEPpSA+YN5Kaz/v9PFKCafbkqqBzpLJf+g=", - "h1:hNVKlXTx2duXnR6SNKtyQMx7zSIlrxBu66Z0gbyfv3c=", - "h1:jC2GJo4VzTKnKociUDLVv8/+u9Mz+4scZrqbEasV+Y0=", - "h1:m3xYvc9X0pec0Zd1dpn82ALQ+6vwz56RnF/3CbkI2Eg=", - "zh:16590eea68c7c8aedb7af19f690eb34ab6636ef417b3fa9e06ca038fdb4c44b8", - "zh:1c907dfe44d00a54aa63d443004add90188f9a53ef3e919aff8aba92f715f42b", - "zh:258a0ff4198d80cae33c89091cd556d84c1b522c4416458484f23719a0cdf4cc", - "zh:587f5e9b2b33e51b18fb0f372025c961c3f57f2958b388459dd8432412650bda", - "zh:6318ca03bd9dbac272a75bb193688c7d4c4b45c7460289820528f31bcd6c3fe9", - "zh:63e4e8128e26e4c3e0c3b6582ef527245eb35eb5c80ad278dc675ebdf71edeaf", - "zh:845c898a27a84a15ba26e95ee66ac9563f81bc672b5ca216af82d87fe09bd5f8", - "zh:8fa6434fa212d5501185f0adc985d3a3c1e0f449c78f040a4ca640cb1e809cac", - "zh:9b49c0d72ab19aab43b2b48d23c5dddbbe29afae1569a987e6f20ed4c80ddf4c", - "zh:b14cc1ee5e3acf52490de7dd9791cce7953c0ee4bcccf0306aafd256568bd69f", - "zh:cd444836b2579fa42bfca2ae6145d394c41b6438b1ae01078c060bfaf803bb4d", + "h1:2tHjSJI1VW6sUL042kwkTfmOF3rAjZmYzpFucBq0EjQ=", + "h1:3TmHdOUKadLf5mJfYqm2OpsA/jiuqmEvCmR1EnaluF0=", + "h1:81V4UGJgVTzRQgIhYYvDJ1N+WCsQbmBgyCQ0HL/i/ks=", + "h1:9ZTFblaxLkCzg8jvRBk/J7QKV2hjxrwNhVlk96IUr6U=", + "h1:DjLdwL6J0qqUTx02BOMQxfOLHUqlYH+ewRcwFWTiHjY=", + "h1:EDeJjlZGOezaIQ+kiCN8GXRj049Lo42b93rEGlbOscM=", + "h1:U/tpa2Accjlzco7ohA1CEeL3fT/65yqiTf2ydCHhzjE=", + 
"h1:VJfcRLECBhANa1S5yHF3hJtOAzJuqe969XTK8LPbp6U=", + "h1:W6fcPNvsD7ce81J0H3Ib5FBlt5VLq5MlLXQIw+zooPc=", + "h1:tI7FQgfIFIER3wMbZN5mIX24B0mWVNb4r7hi7mUmAw8=", + "h1:wofqhlcgsUPYq6ZrN5hoUE34PDn7jmvK6YlQ0BobjyQ=", + "zh:127709945923a0034ec302c41494b82f0748707ecba15feba9db3af03e2b4709", + "zh:16ce5040984456f332598e1515cfde12b1bba78eae37b7a4b08ec332bbb55d6c", + "zh:1901cf598a048a1f135ed1c723de5e3c501aa7d1399490b7722c44cb61cb566e", + "zh:1b4a1fa65f32de535481ff38bd5869f44582b14b64bd00cc4902439cf2728a8a", + "zh:72ff727353151bd1a41ea1d6b2ecf24157918658ccd02d56acd62a7c4d330a7b", + "zh:78c0e4d7e1701fc5b3227d098807b1ed1c6d80c1ee443c0db89c64aeb317a39f", + "zh:a9964f7d9142cdd6f84673e1e936491f14bf1a44dd51fd55525c42fb05208c83", + "zh:ada1ffdebe10a44fcfa330618376fbd5d5daf7a9faad833496162686a98016d0", + "zh:d02d4d5a1fc4b0cb7975311bf37596456ace782ab195281a48338eb2a0f478c1", + "zh:e0fb626158b0cb7d8c5662a518cee8924b00a87312feff9db40b30e26539aa0f", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa5f683582bc5b12587aa7a78152774f2eaae9cfac0fb61b6de81284abbbea5b", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - 
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:4LlZaEeRPQNeQVS/qkH33e0fw92dZV8bS855mhDZ5GU=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:LFe/7Z6YZvnrBcYhSEQY50DfS3uoDKBakwdqVXcEQkc=", + "h1:N2IQabOiZC5eCEGrfgVS6ChVmRDh1ENtfHgGjnV4QQQ=", + "h1:aP69UhBhTPIVy1laxOTwOVRPB5Gv3WP9wKPyAnYd8DI=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:ph2J8mV6yYVsaN6FIsxhpWv//QuloQESo4tAZU732Uk=", + "h1:swbWBC5hf9ijj1BQcCpwLOI1m1tXH2KNGp8TEqnMiAY=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + 
"zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } diff --git a/dev-docs/howto/vpn/on-prem-terraform/main.tf b/dev-docs/howto/vpn/on-prem-terraform/main.tf index b22ed0fd8..b6a021c0e 100644 --- a/dev-docs/howto/vpn/on-prem-terraform/main.tf +++ b/dev-docs/howto/vpn/on-prem-terraform/main.tf @@ -2,11 +2,11 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "4.29.0" + version = "4.12.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } diff --git a/dev-docs/miniconstellation/azure-terraform/.terraform.lock.hcl b/dev-docs/miniconstellation/azure-terraform/.terraform.lock.hcl index 84170c34d..d22432c94 100644 --- a/dev-docs/miniconstellation/azure-terraform/.terraform.lock.hcl +++ b/dev-docs/miniconstellation/azure-terraform/.terraform.lock.hcl 
@@ -2,121 +2,121 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.29.0" - constraints = "4.29.0" + version = "4.12.0" + constraints = "4.12.0" hashes = [ - "h1:Bde/KCh2xGVCBx/JnixC3I2fmoRTwHXgsapfQ5QG8eg=", - "h1:IyINmgNiLfWx3Istkt5Mz+IJrDhSMhj3/qQeJlC4qS4=", - "h1:KEJAt0mJAACyIKUB5mCk/wqtxKMhivdeW8w6byz5Ll4=", - "h1:Y4gTSs+ZE5YSJVXG2qmsbXmv9Daq5aGM8Ip/GE6nev8=", - "h1:YtcHvTVfVBKbMCp9esoj527R1UK/hU0Zmo3pyQb8YhQ=", - "h1:atJdgnuqk+w3v4Zzhw2B1FZeYYA4su9JfanwNsx+c8o=", - "h1:c9tmtEdVTb9siGa3hVxPrMVl9ij5zijnD02JMHcHjrE=", - "h1:eN0KhMGVepEPpSA+YN5Kaz/v9PFKCafbkqqBzpLJf+g=", - "h1:hNVKlXTx2duXnR6SNKtyQMx7zSIlrxBu66Z0gbyfv3c=", - "h1:jC2GJo4VzTKnKociUDLVv8/+u9Mz+4scZrqbEasV+Y0=", - "h1:m3xYvc9X0pec0Zd1dpn82ALQ+6vwz56RnF/3CbkI2Eg=", - "zh:16590eea68c7c8aedb7af19f690eb34ab6636ef417b3fa9e06ca038fdb4c44b8", - "zh:1c907dfe44d00a54aa63d443004add90188f9a53ef3e919aff8aba92f715f42b", - "zh:258a0ff4198d80cae33c89091cd556d84c1b522c4416458484f23719a0cdf4cc", - "zh:587f5e9b2b33e51b18fb0f372025c961c3f57f2958b388459dd8432412650bda", - "zh:6318ca03bd9dbac272a75bb193688c7d4c4b45c7460289820528f31bcd6c3fe9", - "zh:63e4e8128e26e4c3e0c3b6582ef527245eb35eb5c80ad278dc675ebdf71edeaf", - "zh:845c898a27a84a15ba26e95ee66ac9563f81bc672b5ca216af82d87fe09bd5f8", - "zh:8fa6434fa212d5501185f0adc985d3a3c1e0f449c78f040a4ca640cb1e809cac", - "zh:9b49c0d72ab19aab43b2b48d23c5dddbbe29afae1569a987e6f20ed4c80ddf4c", - "zh:b14cc1ee5e3acf52490de7dd9791cce7953c0ee4bcccf0306aafd256568bd69f", - "zh:cd444836b2579fa42bfca2ae6145d394c41b6438b1ae01078c060bfaf803bb4d", + "h1:2tHjSJI1VW6sUL042kwkTfmOF3rAjZmYzpFucBq0EjQ=", + "h1:3TmHdOUKadLf5mJfYqm2OpsA/jiuqmEvCmR1EnaluF0=", + "h1:81V4UGJgVTzRQgIhYYvDJ1N+WCsQbmBgyCQ0HL/i/ks=", + "h1:9ZTFblaxLkCzg8jvRBk/J7QKV2hjxrwNhVlk96IUr6U=", + "h1:DjLdwL6J0qqUTx02BOMQxfOLHUqlYH+ewRcwFWTiHjY=", + "h1:EDeJjlZGOezaIQ+kiCN8GXRj049Lo42b93rEGlbOscM=", + "h1:U/tpa2Accjlzco7ohA1CEeL3fT/65yqiTf2ydCHhzjE=", + 
"h1:VJfcRLECBhANa1S5yHF3hJtOAzJuqe969XTK8LPbp6U=", + "h1:W6fcPNvsD7ce81J0H3Ib5FBlt5VLq5MlLXQIw+zooPc=", + "h1:tI7FQgfIFIER3wMbZN5mIX24B0mWVNb4r7hi7mUmAw8=", + "h1:wofqhlcgsUPYq6ZrN5hoUE34PDn7jmvK6YlQ0BobjyQ=", + "zh:127709945923a0034ec302c41494b82f0748707ecba15feba9db3af03e2b4709", + "zh:16ce5040984456f332598e1515cfde12b1bba78eae37b7a4b08ec332bbb55d6c", + "zh:1901cf598a048a1f135ed1c723de5e3c501aa7d1399490b7722c44cb61cb566e", + "zh:1b4a1fa65f32de535481ff38bd5869f44582b14b64bd00cc4902439cf2728a8a", + "zh:72ff727353151bd1a41ea1d6b2ecf24157918658ccd02d56acd62a7c4d330a7b", + "zh:78c0e4d7e1701fc5b3227d098807b1ed1c6d80c1ee443c0db89c64aeb317a39f", + "zh:a9964f7d9142cdd6f84673e1e936491f14bf1a44dd51fd55525c42fb05208c83", + "zh:ada1ffdebe10a44fcfa330618376fbd5d5daf7a9faad833496162686a98016d0", + "zh:d02d4d5a1fc4b0cb7975311bf37596456ace782ab195281a48338eb2a0f478c1", + "zh:e0fb626158b0cb7d8c5662a518cee8924b00a87312feff9db40b30e26539aa0f", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa5f683582bc5b12587aa7a78152774f2eaae9cfac0fb61b6de81284abbbea5b", ] } provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.7" - constraints = "2.3.7" + version = "2.3.5" + constraints = "2.3.5" hashes = [ - "h1:/hny5kXmhcnuJDD1V+5XCrZOYDIqja2U47VM4DPEnBA=", - "h1:A9COAUjeBJ+fgYAI/PKtDs4Wzs50srFSY+KkfpSVGLw=", - "h1:Lt8lqrdNgZRlkOTwSXZTyuJkiVXnpwTsWAqHQPL6sIY=", - "h1:M9TpQxKAE/hyOwytdX9MUNZw30HoD/OXqYIug5fkqH8=", - "h1:coZHiZww6hWZoOoWw0p+6oeYb/tMh1uTvX1Y2ZzzXqE=", - "h1:dgBaiMxxU61piW30emM6251LMFW66TbKR+p5ylPZvqc=", - "h1:h1Pr6uNwq+iDEGrnQJEHzOTz+yVTW0AJgZrGXuoO4Qs=", - "h1:ht83gEvyri0BD3sata7BDhx31N/KbCECIozG7UM/kC8=", - "h1:iZ27qylcH/2bs685LJTKOKcQ+g7cF3VwN3kHMrzm4Ow=", - "h1:ll35IR++uaXwfwqZFFRWrvS0idO1mX43Y/embsaOe4k=", - "h1:rafNPmTutVTO2Horq45DG9Pjqrs+vx42oc7b/3aVGEc=", - "zh:06f1c54e919425c3139f8aeb8fcf9bceca7e560d48c9f0c1e3bb0a8ad9d9da1e", - "zh:0e1e4cf6fd98b019e764c28586a386dc136129fef50af8c7165a067e7e4a31d5", - 
"zh:1871f4337c7c57287d4d67396f633d224b8938708b772abfc664d1f80bd67edd", - "zh:2b9269d91b742a71b2248439d5e9824f0447e6d261bfb86a8a88528609b136d1", - "zh:3d8ae039af21426072c66d6a59a467d51f2d9189b8198616888c1b7fc42addc7", - "zh:3ef4e2db5bcf3e2d915921adced43929214e0946a6fb11793085d9a48995ae01", - "zh:42ae54381147437c83cbb8790cc68935d71b6357728a154109d3220b1beb4dc9", - "zh:4496b362605ae4cbc9ef7995d102351e2fe311897586ffc7a4a262ccca0c782a", - "zh:652a2401257a12706d32842f66dac05a735693abcb3e6517d6b5e2573729ba13", - "zh:7406c30806f5979eaed5f50c548eced2ea18ea121e01801d2f0d4d87a04f6a14", - "zh:7848429fd5a5bcf35f6fee8487df0fb64b09ec071330f3ff240c0343fe2a5224", + "h1:C//ncldNugV8TpMQaj9ygoPXRVYOqltIxNB8LKrpzgU=", + "h1:HCoabXm6NQwCivl1q24+l9VUufc2mFqNeulsQBA9iFg=", + "h1:NCYXIt7zhG0pRLV9UAlBrKi4Rty/jRhRRHIZFEigUm8=", + "h1:Sf1Lt21oTADbzsnlU38ylpkl8YXP0Beznjcy5F/Yx64=", + "h1:TUljFfEUFn6szDfglwv150tNRUKPgqa5YiCTdF9Tc6c=", + "h1:W+6XNutLOfQxlm8XWg4wKAYvyDt/eoE1roSeFkn/KA4=", + "h1:cKe6NmJzRHiK0n73R5Dzkw8nK5i0nC4SedZhanMbQD0=", + "h1:jPzwR4Um4NU8EE6o5AIx2SoeGZG5bW9aAeFpcbodjHQ=", + "h1:sfaNIqomGVkYy6gGHbaFS2ehzh5CqoeBwR4QYae+cBY=", + "h1:wbw64JlCobcQCAdlzHpxksQ1GabewTW1yxnACBVZh4A=", + "h1:y0qqdBKvRt2MMcga7AVMkUb/vmJSKVBaimHaIHKLucs=", + "zh:17c20574de8eb925b0091c9b6a4d859e9d6e399cd890b44cfbc028f4f312ac7a", + "zh:348664d9a900f7baf7b091cf94d657e4c968b240d31d9e162086724e6afc19d5", + "zh:5a876a468ffabff0299f8348e719cb704daf81a4867f8c6892f3c3c4add2c755", + "zh:6ef97ee4c8c6a69a3d36746ba5c857cf4f4d78f32aa3d0e1ce68f2ece6a5dba5", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8283e5a785e3c518a440f6ac6e7cc4fc07fe266bf34974246f4e2ef05762feda", + "zh:a44eb5077950168b571b7eb65491246c00f45409110f0f172cc3a7605f19dba9", + "zh:aa0806cbff72b49c1b389c0b8e6904586e5259c08dabb7cb5040418568146530", + "zh:bec4613c3beaad9a7be7ca99cdb2852073f782355b272892e6ee97a22856aec1", + "zh:d7fe368577b6c8d1ae44c751ed42246754c10305c7f001cc0109833e95aa107d", + 
"zh:df2409fc6a364b1f0a0f8a9cd8a86e61e80307996979ce3790243c4ce88f2915", + "zh:ed3c263396ff1f4d29639cc43339b655235acf4d06296a7c120a80e4e0fd6409", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:4LlZaEeRPQNeQVS/qkH33e0fw92dZV8bS855mhDZ5GU=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:LFe/7Z6YZvnrBcYhSEQY50DfS3uoDKBakwdqVXcEQkc=", + "h1:N2IQabOiZC5eCEGrfgVS6ChVmRDh1ENtfHgGjnV4QQQ=", + "h1:aP69UhBhTPIVy1laxOTwOVRPB5Gv3WP9wKPyAnYd8DI=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:ph2J8mV6yYVsaN6FIsxhpWv//QuloQESo4tAZU732Uk=", + "h1:swbWBC5hf9ijj1BQcCpwLOI1m1tXH2KNGp8TEqnMiAY=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + 
"zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } provider "registry.terraform.io/hashicorp/tls" { - version = "4.1.0" - constraints = "4.1.0" + version = "4.0.6" + constraints = "4.0.6" hashes = [ - "h1:4gd/jiOS0zJxjTd5Q4o/gOp24RxcuwQ/TxwjTYQNPz4=", - "h1:C0J7AsrVHVqnDT9tICDNaKvA9iH6WTLS2EYzCEegpx0=", - "h1:Ka8mEwRFXBabR33iN/WTIEW6RP0z13vFsDlwn11Pf2I=", - "h1:ReNkTkCM64bktu54eGwQc29rhIejMLQsYA6kYNyBWno=", - "h1:UklaKJOCynnEJbpCVN0zJKIJ3SvO7RQJ00/6grBatnw=", - "h1:ZHcr1WIomuU6ZV+dzEwAG1+52JP0e0d/+l7bo3N5p88=", - "h1:eZa3vbx1pbiwnajuKvGWE7jWK+nHQ8lcLc/mO6Rhf4o=", - "h1:iSgnCUoLGMkt31RlflnL09NyjpAH0DX6bb9QBw5IE9Y=", - "h1:uDtqTpFJOseNUlPDx4TT/lXf6ie3CarsimL7sYCiVH4=", - "h1:y9cHrgcuaZt592In6xQzz1lx7k/B9EeWrAb8K7QqOgU=", - "h1:zEv9tY1KR5vaLSyp2lkrucNJ+Vq3c+sTFK9GyQGLtFs=", - "zh:14c35d89307988c835a7f8e26f1b83ce771e5f9b41e407f86a644c0152089ac2", - 
"zh:2fb9fe7a8b5afdbd3e903acb6776ef1be3f2e587fb236a8c60f11a9fa165faa8", - "zh:35808142ef850c0c60dd93dc06b95c747720ed2c40c89031781165f0c2baa2fc", - "zh:35b5dc95bc75f0b3b9c5ce54d4d7600c1ebc96fbb8dfca174536e8bf103c8cdc", - "zh:38aa27c6a6c98f1712aa5cc30011884dc4b128b4073a4a27883374bfa3ec9fac", - "zh:51fb247e3a2e88f0047cb97bb9df7c228254a3b3021c5534e4563b4007e6f882", - "zh:62b981ce491e38d892ba6364d1d0cdaadcee37cc218590e07b310b1dfa34be2d", - "zh:bc8e47efc611924a79f947ce072a9ad698f311d4a60d0b4dfff6758c912b7298", - "zh:c149508bd131765d1bc085c75a870abb314ff5a6d7f5ac1035a8892d686b6297", - "zh:d38d40783503d278b63858978d40e07ac48123a2925e1a6b47e62179c046f87a", + "h1:/GYlCthGsP6ooHpCFuMkjnuFoBX0xnvCNohf3suVw2A=", + "h1:/sSdjHoiykrPdyBP1JE03V/KDgLXnHZhHcSOYIdDH/A=", + "h1:17Y+vdYNKgphpe1/SU5PBnGuYKEJkJZ7MZCnmAwsAGQ=", + "h1:3hTE3Ifpfh4ogQN60xa3Dw2Cbk2QyK8rJ5Zi2f5cYTo=", + "h1:N7VxdRDiNZoRS9dnXJ+QuKWKn514ahS+U6f9K3cF44s=", + "h1:QAuzEStYipyCgx5On0Rym6EiFfqXnBQOrgUjBY7MIbU=", + "h1:W1r1GqxtFMYVCcqFpN7U8WGjbpvpA/YPcqjZbx5THG8=", + "h1:dYSb3V94K5dDMtrBRLPzBpkMTPn+3cXZ/kIJdtFL+2M=", + "h1:dr3jNQWLXzZ2IJ1XH2XIHScQd4HGKo+7ZoyoEP9hRpY=", + "h1:irxVvxMIETCpSsiJKpu4A3htA0v2ohIkpPNXVt++pio=", + "h1:n3M50qfWfRSpQV9Pwcvuse03pEizqrmYEryxKky4so4=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + 
"zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fb07f708e3316615f6d218cec198504984c0ce7000b9f1eebff7516e384f4b54", ] } diff --git a/dev-docs/miniconstellation/azure-terraform/main.tf b/dev-docs/miniconstellation/azure-terraform/main.tf index 9aeeebe21..8e0c2ac1d 100644 --- a/dev-docs/miniconstellation/azure-terraform/main.tf +++ b/dev-docs/miniconstellation/azure-terraform/main.tf @@ -2,19 +2,19 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "4.29.0" + version = "4.12.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } tls = { source = "hashicorp/tls" - version = "4.1.0" + version = "4.0.6" } cloudinit = { source = "hashicorp/cloudinit" - version = "2.3.7" + version = "2.3.5" } } } diff --git a/dev-docs/miniconstellation/setup-miniconstellation.sh b/dev-docs/miniconstellation/setup-miniconstellation.sh index cbbd5d266..fcc15d429 100755 --- a/dev-docs/miniconstellation/setup-miniconstellation.sh +++ b/dev-docs/miniconstellation/setup-miniconstellation.sh @@ -5,6 +5,7 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-linux-amd64 /usr/local/bin/constellation # Start docker service and auto start on boot +# TODO(elchead) should be done in cloud-init but was not done in my test case sudo systemctl start docker.service && sudo systemctl enable docker.service echo "Waiting for docker service to be active..." # Wait at most 20min diff --git a/dev-docs/security-overview.md b/dev-docs/security-overview.md index 90393c182..a2b03ab0e 100644 --- a/dev-docs/security-overview.md +++ b/dev-docs/security-overview.md 
@@ -79,16 +79,12 @@ Abstractly, a remote-attestation statement `R` from a CVM looks as follows: R = Sig-CPU(, , ) ``` -The field `payload` is controlled by the software running inside the CVM. +The `payload` is controlled by the software running inside the CVM. In the case of a Constellation node, the `payload` is always the public key of the respective Bootstrapper running inside the CVM. Thus, `R` can be seen as a certificate for that public key issued by the CPU. Based on this, nodes establish attested TLS (aTLS) connections. aTLS is used during [cluster creation](#cluster-creation) and when [growing a cluster](#cluster-growth). -The field `auxiliary data` is populated automatically by the CVM platform and, among others, includes information like CPU firmware versions. - -Note that this description of `R` is highly abstract. - ### Measurements In the ideal case, the underlying CVM platform does not inject any of its own software into a CVM. 
@@ -101,26 +97,16 @@ In this case, the launch digest is the only measurement that's required to verif However, currently, all supported CVM platforms (AWS, Azure, and GCP) inject custom firmware into CVMs. Thus, in practice, Constellation relies on conventional [measured boot](https://docs.edgeless.systems/constellation/architecture/images#measured-boot) to reflect the identity and integrity of nodes. -In measured boot, in general, the software components involved in the boot process of a system are "measured" into the 16 platform configuration registers (PCRs) of a Trusted Platform Module (TPM). +In measured boot, in general, the software components involved in the boot process of a system are "measured" into the 16 registers of a Trusted Platform Module (TPM). The values of these registers are also called "runtime measurements". -All supported CVM platforms provide TPMs to CVMs. - -With measured boot, Constellation relies on TPM-based remote attestation for nodes. -TPM-based remote attestation is similar to confidential computing-based remote attestation. Instead of the value `R`, the value `R'` is used. - -``` -R' = Sig-TPM(, ) -``` - -The field `auxiliary data` is populated automatically by the TPM and most notably contains the 16 PCRs. -Constellation uses the field `payload` as usual and sets it to the public key of the respective CVM's Bootstrapper. -When verifying `R'`, Constellation compares the 16 PCRs to those given in the attestation config. - -#### Differences between CVM platforms - -Each supported CVM platform populates the 16 PCRs in different ways. Details can be found in the [Constellation documentation](https://docs.edgeless.systems/constellation/architecture/attestation#runtime-measurements). -Sig-TPM itself is also verified differently for each cloud. +All supported CVM platforms provide TPMs to CVMs. +Constellation nodes use these to measure their boot process. +They include the 16 runtime measurements as `auxiliary data` in `R`. 
+On each CVM platform, runtime measurements are taken differently. +Details on this are given in the [Constellation documentation](https://docs.edgeless.systems/constellation/architecture/attestation#runtime-measurements). +With measured boot, Constellation only checks the 16 runtime measurements during the verification of a node's remote-attestation statement. +The launch digest is not considered, because it only covers the firmware injected by the CVM platform and may change whenever the CVM platform is updated. Currently, on AWS and GCP the TPM implementation resides outside the CVM. On Azure, the TPM implementation is part of the injected firmware and resides inside the CVM. More information can be found in the [Constellation documentation](https://docs.edgeless.systems/constellation/overview/clouds). diff --git a/dev-docs/workflows/attestationconfigapi.md b/dev-docs/workflows/attestationconfigapi.md index 4881497ce..5da8eda35 100644 --- a/dev-docs/workflows/attestationconfigapi.md +++ b/dev-docs/workflows/attestationconfigapi.md 
@@ -8,10 +8,10 @@ This estimate might make manual intervention necessary when a global rollout did ### Manually delete a version ``` -COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY="$(cat $PATH_TO_KEY)" AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY bazel run //internal/api/attestationconfigapi/cli -- delete azure-sev-snp attestation-report 2025-01-18-09-15 +COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY="$(cat $PATH_TO_KEY)" AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY bazel run //internal/api/attestationconfigapi/cli delete -- --version 2023-09-02-12-52 ``` ### Manually upload a version ``` -COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY="$(cat $PATH_TO_KEY)" AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY bazel run //internal/api/attestationconfigapi/cli -- upload azure-sev-snp attestation-report 2025-01-18-09-15 --force +COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY="$(cat $PATH_TO_KEY)" AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY bazel run //internal/api/attestationconfigapi/cli -- --force --version 2023-09-02-12-52 --maa-claims-path "${path}" ``` diff --git a/dev-docs/workflows/bump-go-version.md b/dev-docs/workflows/bump-go-version.md index f2736179b..09b3fad81 100644 --- a/dev-docs/workflows/bump-go-version.md +++ b/dev-docs/workflows/bump-go-version.md @@ -17,7 +17,7 @@ go_sdk.download( ``` -Replace `go-version: "1.xx.x"` with the new version in all GitHub actions/workflows, our go.mod files and Containerfiles. +Replace `go-version: "1.xx.x"` with the new version in all GitHub actions and workflows. You can use the following command to find replace all instances of `go-version: "1.xx.x"` in the `.github` directory: ```bash 
@@ -25,9 +25,7 @@ OLD_VERSION="1.xx.x" NEW_VERSION="1.xx.y" find .github -type f -exec sed -i "s/go-version: \"${OLD_VERSION}\"/go-version: \"${NEW_VERSION}\"/g" {} \; sed -i "s/go ${OLD_VERSION}/go ${NEW_VERSION}/g" go.mod -sed -i "s/go ${OLD_VERSION}/go ${NEW_VERSION}/g" hack/tools/go.mod sed -i "s/${OLD_VERSION}/${NEW_VERSION}/g" go.work -sed -i "s/GO_VER=${OLD_VERSION}/GO_VER=${NEW_VERSION}/g" 3rdparty/gcp-guest-agent/Dockerfile ``` Or manually: diff --git a/dev-docs/workflows/marketplace-publishing.md b/dev-docs/workflows/marketplace-publishing.md deleted file mode 100644 index aa0513b2f..000000000 --- a/dev-docs/workflows/marketplace-publishing.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# Publishing Marketplace Images - -Constellation release images need to be manually published to AWS and Azure marketplaces due to the lack of automation features. -On GCP, marketplace image publishing is automated and takes place on release. - -This document explains how to perform the uploading on AWS and Azure. - -## AWS - -1. Log in to the [AWS marketplace management portal](https://aws.amazon.com/marketplace/management/) with your regular developer AWS account. -2. Select "Products -> Server -> Constellation" in the top menu. -3. Select "Versions" in the main menu and press "Add version". -4. Fill in the form. - 1. Enter the semantic version of the release (i.e. `vX.Y.Z`) as "Version title". - 2. Set the version tag in "Release notes" to the same version. - 3. For the "Amazon Machine Image (AMI) ID", enter the AMI ID of the release (SEV-SNP) image. This can be found in the regular - [AWS console](https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#Images:visibility=owned-by-me;search=:constellation-v;v=3;$case=tags:false%5C,client:false;$regex=tags:false%5C,client:false;sort=desc:creationDate). - 4. For "IAM access role ARN", enter `arn:aws:iam::795746500882:role/constellation-marketplace-ingest`. -5. Leave the other fields as they are and press "Add version". -6. Wait for the [request](https://aws.amazon.com/marketplace/management/requests) to be processed and available before publishing the release. - -## Azure - -1. Log in to the [Microsoft partner center](https://partner.microsoft.com/en-us/dashboard/home) with your regular developer Microsoft account. -2. Select "Marketplace offers -> Constellation -> Constellation Node" in the main menu. -3. Select "Technical configuration" in the sidebar on the left. -4. Select "Add VM Image". - 1. For the "Version number", enter the semantic version of the release without the `v` prefix. If the release version is `vX.Y.Z`, enter `X.Y.Z`. - 2. 
Press "Add a gallery image" and select the corresponding "Constellation_CVM" image version in the menu. - 3. Press "Save VM image". -5. **IMPORTANT**: Hit **Save draft**. Do **NOT** hit "Review and publish" directly. -6. **After** saving the draft, hit "Review and publish". -7. Go back to the [offer's home page](https://partner.microsoft.com/en-us/dashboard/commercial-marketplace/offers/a53ac90b-06f7-4a20-a845-8607ca352e61/overview) and wait for the process to complete before publishing the release. diff --git a/dev-docs/workflows/release.md b/dev-docs/workflows/release.md index 619d28744..be873d563 100644 --- a/dev-docs/workflows/release.md +++ b/dev-docs/workflows/release.md @@ -86,7 +86,15 @@ Releases should be performed using [the automated release pipeline](https://gith 1. Publish the [provider release](https://github.com/edgelesssys/terraform-provider-constellation/releases) 2. Merge the automated post release PR -3. Publish the [AWS and Azure marketplace images](./marketplace-publishing.md). +3. Write an email to STACKIT to inform them of the new release. For this, you require the name and UUID of the release image. You can find the email address in our internal [wiki](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/stackit.md): + + ```shell-session + export OS_CLOUD=stackit + openstack image list | grep constellation + # the output should look similar to this, where the first column is the UUID and the second column is the name + # | 25edf48d-161f-452b-b420-963c3a80abd8 | constellation-stable-v2.16.4-qemu-vtpm | active | + ``` + 4. Close fixed "known issues" 5. Move open issues and PRs from this release's closed milestone to next milestone 6. Reset `UpgradeRequiresIAMMigration` in [`iamupgrade.go`](https://github.com/edgelesssys/constellation/blob/a88a731576184e3c5ee8527741c4a0cdaa4e9b24/cli/internal/cloudcmd/iamupgrade.go#L23). diff --git a/disk-mapper/cmd/main.go b/disk-mapper/cmd/main.go index 8d4e8eee7..f20bf9cfa 100644 
--- a/disk-mapper/cmd/main.go
+++ b/disk-mapper/cmd/main.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package main
diff --git a/disk-mapper/internal/diskencryption/diskencryption.go b/disk-mapper/internal/diskencryption/diskencryption.go
index c642bb158..6bed71bfe 100644
--- a/disk-mapper/internal/diskencryption/diskencryption.go
+++ b/disk-mapper/internal/diskencryption/diskencryption.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/disk-mapper/internal/recoveryserver/recoveryserver.go b/disk-mapper/internal/recoveryserver/recoveryserver.go
index 5852b859b..f4a58724e 100644
--- a/disk-mapper/internal/recoveryserver/recoveryserver.go
+++ b/disk-mapper/internal/recoveryserver/recoveryserver.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/disk-mapper/internal/recoveryserver/recoveryserver_test.go b/disk-mapper/internal/recoveryserver/recoveryserver_test.go
index 5676de7f0..1a7722bb7 100644
--- a/disk-mapper/internal/recoveryserver/recoveryserver_test.go
+++ b/disk-mapper/internal/recoveryserver/recoveryserver_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package recoveryserver
@@ -40,7 +40,7 @@ func TestServe(t *testing.T) {
 server := New(atls.NewFakeIssuer(variant.Dummy{}), newStubKMS(nil, nil), log)
 dialer := testdialer.NewBufconnDialer()
 listener := dialer.GetListener("192.0.2.1:1234")
- ctx, cancel := context.WithCancel(t.Context())
+ ctx, cancel := context.WithCancel(context.Background())
 var wg sync.WaitGroup
 // Serve method returns when context is canceled
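Review bot: The added `ctx, cancel := context.WithCancel(context.Background())` in TestServe is no longer tied to the test's lifetime, whereas the replaced `t.Context()` was cancelled automatically when the test ended; if an assertion aborts the test before the explicit `cancel()` call that presumably follows, the Serve goroutine started below keeps running past the test. Registering the cancel with the test right after the added line, `t.Cleanup(cancel)`, restores that guarantee while staying compatible with the older toolchain this change appears to target (inferred from the Bazel and protoc downgrades elsewhere in the diff). Whether the later `cancel()` is already deferred cannot be confirmed from this view, since TestServe's body continues past the end of the hunk.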
@@ -62,7 +62,7 @@ func TestServe(t *testing.T) {
 wg.Add(1)
 go func() {
 defer wg.Done()
- _, _, err := server.Serve(t.Context(), listener, uuid)
+ _, _, err := server.Serve(context.Background(), listener, uuid)
 assert.NoError(err)
 }()
 time.Sleep(100 * time.Millisecond)
@@ -70,7 +70,7 @@ func TestServe(t *testing.T) {
 wg.Wait()
 // Serve method returns an error when serving is unsuccessful
- _, _, err := server.Serve(t.Context(), listener, uuid)
+ _, _, err := server.Serve(context.Background(), listener, uuid)
 assert.Error(err)
 }
@@ -104,7 +104,7 @@ func TestRecover(t *testing.T) {
 assert := assert.New(t)
 require := require.New(t)
- ctx := t.Context()
+ ctx := context.Background()
 serverUUID := "uuid"
 server := New(atls.NewFakeIssuer(variant.Dummy{}), tc.factory, logger.NewTest(t))
 netDialer := testdialer.NewBufconnDialer()
diff --git a/disk-mapper/internal/rejoinclient/rejoinclient.go b/disk-mapper/internal/rejoinclient/rejoinclient.go
index bbd511971..ac0e17871 100644
--- a/disk-mapper/internal/rejoinclient/rejoinclient.go
+++ b/disk-mapper/internal/rejoinclient/rejoinclient.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/disk-mapper/internal/rejoinclient/rejoinclient_test.go b/disk-mapper/internal/rejoinclient/rejoinclient_test.go
index 51e3a6bd1..18bf15df1 100644
--- a/disk-mapper/internal/rejoinclient/rejoinclient_test.go
+++ b/disk-mapper/internal/rejoinclient/rejoinclient_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package rejoinclient
@@ -71,7 +71,7 @@ func TestStartCancel(t *testing.T) {
 go rejoinServer.Serve(listener)
 defer rejoinServer.GracefulStop()
- ctx, cancel := context.WithCancel(t.Context())
+ ctx, cancel := context.WithCancel(context.Background())
 var wg sync.WaitGroup
 wg.Add(1)
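Review bot: The added `ctx, cancel := context.WithCancel(context.Background())` in TestStartCancel leaves `cancel` unbound to the test's lifetime, whereas the replaced `t.Context()` was cancelled automatically when the test finished. If the test fails before it reaches its own `cancel()` call, the client goroutine started after `wg.Add(1)` can outlive the test; adding `t.Cleanup(cancel)` directly after the added line restores that guarantee regardless of how the test exits. The function body continues outside the hunk, so whether `cancel` is already deferred there cannot be confirmed from this view.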
@@ -294,7 +294,7 @@ func TestStart(t *testing.T) {
 client := New(dialer, tc.nodeInfo, meta, logger.NewTest(t))
- passphrase, secret := client.Start(t.Context(), "uuid")
+ passphrase, secret := client.Start(context.Background(), "uuid")
 assert.Equal(diskKey, passphrase)
 assert.Equal(measurementSecret, secret)
 })
diff --git a/disk-mapper/internal/setup/interface.go b/disk-mapper/internal/setup/interface.go
index 6f4e02c86..50bd008a7 100644
--- a/disk-mapper/internal/setup/interface.go
+++ b/disk-mapper/internal/setup/interface.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package setup
diff --git a/disk-mapper/internal/setup/mount_cross.go b/disk-mapper/internal/setup/mount_cross.go
index 1c8015ee8..271a467d0 100644
--- a/disk-mapper/internal/setup/mount_cross.go
+++ b/disk-mapper/internal/setup/mount_cross.go
@@ -3,7 +3,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package setup
diff --git a/disk-mapper/internal/setup/mount_linux.go b/disk-mapper/internal/setup/mount_linux.go
index f0ba7dff0..d3ee2d229 100644
--- a/disk-mapper/internal/setup/mount_linux.go
+++ b/disk-mapper/internal/setup/mount_linux.go
@@ -3,7 +3,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package setup
diff --git a/disk-mapper/internal/setup/setup.go b/disk-mapper/internal/setup/setup.go
index 47b82a348..26dd5e9c8 100644
--- a/disk-mapper/internal/setup/setup.go
+++ b/disk-mapper/internal/setup/setup.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/disk-mapper/internal/setup/setup_test.go b/disk-mapper/internal/setup/setup_test.go
index a21416101..1678b6bbf 100644
--- a/disk-mapper/internal/setup/setup_test.go
+++ b/disk-mapper/internal/setup/setup_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package setup
diff --git a/disk-mapper/internal/systemd/systemd.go b/disk-mapper/internal/systemd/systemd.go
index 7520c39fe..843f26c7b 100644
--- a/disk-mapper/internal/systemd/systemd.go
+++ b/disk-mapper/internal/systemd/systemd.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package systemd configures systemd units for encrypted volumes.
diff --git a/disk-mapper/internal/systemd/systemd_test.go b/disk-mapper/internal/systemd/systemd_test.go
index 7accd2f58..a85e52eba 100644
--- a/disk-mapper/internal/systemd/systemd_test.go
+++ b/disk-mapper/internal/systemd/systemd_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package systemd
diff --git a/disk-mapper/internal/test/BUILD.bazel b/disk-mapper/internal/test/BUILD.bazel
index 38e3ac89c..8d39f1a03 100644
--- a/disk-mapper/internal/test/BUILD.bazel
+++ b/disk-mapper/internal/test/BUILD.bazel
@@ -29,7 +29,7 @@ go_test(
 "@com_github_martinjungblut_go_cryptsetup//:go-cryptsetup",
 "@com_github_stretchr_testify//assert",
 "@com_github_stretchr_testify//require",
- "@io_bazel_rules_go//go/runfiles",
+ "@io_bazel_rules_go//go/runfiles:go_default_library",
 "@org_uber_go_goleak//:goleak",
 ],
 "@io_bazel_rules_go//go/platform:linux": [
@@ -39,7 +39,7 @@ go_test(
 "@com_github_martinjungblut_go_cryptsetup//:go-cryptsetup",
 "@com_github_stretchr_testify//assert",
 "@com_github_stretchr_testify//require",
- "@io_bazel_rules_go//go/runfiles",
+ "@io_bazel_rules_go//go/runfiles:go_default_library",
 "@org_uber_go_goleak//:goleak",
 ],
 "//conditions:default": [],
diff --git a/disk-mapper/internal/test/benchmark_test.go b/disk-mapper/internal/test/benchmark_test.go
index 419b79608..8581fb8a3 100644
--- a/disk-mapper/internal/test/benchmark_test.go +++ b/disk-mapper/internal/test/benchmark_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package integration diff --git a/disk-mapper/internal/test/integration_test.go b/disk-mapper/internal/test/integration_test.go index 364c97088..5f0478839 100644 --- a/disk-mapper/internal/test/integration_test.go +++ b/disk-mapper/internal/test/integration_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package integration diff --git a/disk-mapper/recoverproto/recover.pb.go b/disk-mapper/recoverproto/recover.pb.go index cf62209b3..51fd53b2b 100644 --- a/disk-mapper/recoverproto/recover.pb.go +++ b/disk-mapper/recoverproto/recover.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 -// protoc v5.29.1 +// protoc-gen-go v1.35.2 +// protoc v5.29.0--rc2 // source: disk-mapper/recoverproto/recover.proto package recoverproto @@ -15,7 +15,6 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" - unsafe "unsafe" ) const ( @@ -26,11 +25,12 @@ const ( ) type RecoverMessage struct { - state protoimpl.MessageState `protogen:"open.v1"` - KmsUri string `protobuf:"bytes,3,opt,name=kms_uri,json=kmsUri,proto3" json:"kms_uri,omitempty"` - StorageUri string `protobuf:"bytes,4,opt,name=storage_uri,json=storageUri,proto3" json:"storage_uri,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + KmsUri string `protobuf:"bytes,3,opt,name=kms_uri,json=kmsUri,proto3" json:"kms_uri,omitempty"` + StorageUri string `protobuf:"bytes,4,opt,name=storage_uri,json=storageUri,proto3" json:"storage_uri,omitempty"` } func (x *RecoverMessage) Reset() { 
@@ -78,9 +78,9 @@ func (x *RecoverMessage) GetStorageUri() string { } type RecoverResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields } func (x *RecoverResponse) Reset() { 
@@ -115,25 +115,37 @@ func (*RecoverResponse) Descriptor() ([]byte, []int) { var File_disk_mapper_recoverproto_recover_proto protoreflect.FileDescriptor -const file_disk_mapper_recoverproto_recover_proto_rawDesc = "" + - "\n" + - "&disk-mapper/recoverproto/recover.proto\x12\frecoverproto\"J\n" + - "\x0eRecoverMessage\x12\x17\n" + - "\akms_uri\x18\x03 \x01(\tR\x06kmsUri\x12\x1f\n" + - "\vstorage_uri\x18\x04 \x01(\tR\n" + - "storageUri\"\x11\n" + - "\x0fRecoverResponse2O\n" + - "\x03API\x12H\n" + - "\aRecover\x12\x1c.recoverproto.RecoverMessage\x1a\x1d.recoverproto.RecoverResponse\"\x00BBZ@github.com/edgelesssys/constellation/v2/disk-mapper/recoverprotob\x06proto3" +var file_disk_mapper_recoverproto_recover_proto_rawDesc = []byte{ + 0x0a, 0x26, 0x64, 0x69, 0x73, 0x6b, 0x2d, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x72, 0x65, + 0x63, 0x6f, 0x76, 0x65, 0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x72, 0x65, 0x63, 0x6f, 0x76, + 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0c, 0x72, 0x65, 0x63, 0x6f, 0x76, 0x65, + 0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x4a, 0x0a, 0x0e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, + 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x6d, 0x73, 0x5f, + 0x75, 0x72, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x6d, 0x73, 0x55, 0x72, + 0x69, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x5f, 0x75, 0x72, 0x69, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x55, + 0x72, 0x69, 0x22, 0x11, 0x0a, 0x0f, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0x4f, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x48, 0x0a, 0x07, + 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x12, 0x1c, 0x2e, 0x72, 0x65, 0x63, 0x6f, 0x76, 0x65, + 0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x4d, 0x65, + 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1d, 0x2e, 0x72, 0x65, 0x63, 0x6f, 0x76, 
0x65, 0x72, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x42, 0x5a, 0x40, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, + 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, + 0x32, 0x2f, 0x64, 0x69, 0x73, 0x6b, 0x2d, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x72, 0x65, + 0x63, 0x6f, 0x76, 0x65, 0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, +} var ( file_disk_mapper_recoverproto_recover_proto_rawDescOnce sync.Once - file_disk_mapper_recoverproto_recover_proto_rawDescData []byte + file_disk_mapper_recoverproto_recover_proto_rawDescData = file_disk_mapper_recoverproto_recover_proto_rawDesc ) func file_disk_mapper_recoverproto_recover_proto_rawDescGZIP() []byte { file_disk_mapper_recoverproto_recover_proto_rawDescOnce.Do(func() { - file_disk_mapper_recoverproto_recover_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_disk_mapper_recoverproto_recover_proto_rawDesc), len(file_disk_mapper_recoverproto_recover_proto_rawDesc))) + file_disk_mapper_recoverproto_recover_proto_rawDescData = protoimpl.X.CompressGZIP(file_disk_mapper_recoverproto_recover_proto_rawDescData) }) return file_disk_mapper_recoverproto_recover_proto_rawDescData } @@ -162,7 +174,7 @@ func file_disk_mapper_recoverproto_recover_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_disk_mapper_recoverproto_recover_proto_rawDesc), len(file_disk_mapper_recoverproto_recover_proto_rawDesc)), + RawDescriptor: file_disk_mapper_recoverproto_recover_proto_rawDesc, NumEnums: 0, NumMessages: 2, NumExtensions: 0, 
@@ -173,6 +185,7 @@ func file_disk_mapper_recoverproto_recover_proto_init() { MessageInfos: file_disk_mapper_recoverproto_recover_proto_msgTypes, }.Build() File_disk_mapper_recoverproto_recover_proto = out.File + file_disk_mapper_recoverproto_recover_proto_rawDesc = nil file_disk_mapper_recoverproto_recover_proto_goTypes = nil file_disk_mapper_recoverproto_recover_proto_depIdxs = nil } diff --git a/docs/docs/architecture/versions.md b/docs/docs/architecture/versions.md index 931e4660f..9d5a064e0 100644 --- a/docs/docs/architecture/versions.md +++ b/docs/docs/architecture/versions.md @@ -16,6 +16,6 @@ Subsequent Constellation releases drop support for the oldest (and deprecated) K The following Kubernetes versions are currently supported: -* v1.29.15 -* v1.30.13 -* v1.31.9 +* v1.28.15 +* v1.29.11 +* v1.30.7 diff --git a/docs/docs/getting-started/first-steps.md b/docs/docs/getting-started/first-steps.md index fb8437a06..128ac2849 100644 --- a/docs/docs/getting-started/first-steps.md +++ b/docs/docs/getting-started/first-steps.md 
@@ -102,10 +102,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. @@ -117,12 +117,6 @@ If you encounter any problem with the following steps, make sure to use the [lat * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud)) - :::caution - - `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. - - ::: - diff --git a/docs/docs/getting-started/install.md b/docs/docs/getting-started/install.md index f072407d8..fa481d9b8 100644 --- a/docs/docs/getting-started/install.md +++ b/docs/docs/getting-started/install.md 
@@ -234,9 +234,6 @@ Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/co To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: -* `iam.roles.create` -* `iam.roles.delete` -* `iam.roles.get` * `iam.serviceAccountKeys.create` * `iam.serviceAccountKeys.delete` * `iam.serviceAccountKeys.get` @@ -263,11 +260,6 @@ To [create a Constellation cluster](../workflows/create.md), you need the follow * `compute.firewalls.delete` * `compute.firewalls.get` * `compute.firewalls.update` -* `compute.forwardingRules.create` -* `compute.forwardingRules.delete` -* `compute.forwardingRules.get` -* `compute.forwardingRules.setLabels` -* `compute.forwardingRules.list` * `compute.globalAddresses.create` * `compute.globalAddresses.delete` * `compute.globalAddresses.get` @@ -416,7 +408,7 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3 username: REPLACE_WITH_UAT_USERNAME password: REPLACE_WITH_UAT_PASSWORD - project_id: REPLACE_WITH_OPENSTACK_PROJECT_ID + project_id: REPLACE_WITH_STACKIT_PROJECT_ID project_name: REPLACE_WITH_STACKIT_PROJECT_NAME user_domain_name: portal_mvp project_domain_name: portal_mvp @@ -426,7 +418,7 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se :::caution -`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file. +`project_id` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `clouds.yaml` file. It's of the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. ::: 
diff --git a/docs/docs/overview/license.md b/docs/docs/overview/license.md index 98a9cbf94..34122c025 100644 --- a/docs/docs/overview/license.md +++ b/docs/docs/overview/license.md 
@@ -1,12 +1,30 @@ # License -Constellation is available under the [Business Source License 1.1](https://github.com/edgelesssys/constellation/blob/main/LICENSE). +## Source code -You may use it free of charge for non-production use ("Community License"). +Constellation's source code is available on [GitHub](https://github.com/edgelesssys/constellation) under the [GNU Affero General Public License v3.0](https://github.com/edgelesssys/constellation/blob/main/LICENSE). + +## Binaries + +Edgeless Systems provides ready-to-use and [signed](../architecture/attestation.md#chain-of-trust) binaries of Constellation. This includes the CLI and the [node images](../architecture/images.md). + +These binaries may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems. + +The Constellation CLI displays relevant license information when you initialize your cluster. You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability. + +## Terraform provider + +Edgeless Systems provides a [Terraform provider](https://github.com/edgelesssys/terraform-provider-constellation/releases), which may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems. + +You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability. + +## Community License + +You are free to use the Constellation binaries provided by Edgeless Systems to create services for internal consumption, evaluation purposes, or non-commercial use. You must not use the Constellation binaries to provide commercial hosted services to third parties. 
Edgeless Systems gives no warranties and offers no support. ## Enterprise License -Enterprise Licenses permit production use and come with support and additional features. Find out more at the [product website](https://www.edgeless.systems/products/constellation/). +Enterprise Licenses don't have the above limitations and come with support and additional features. Find out more at the [product website](https://www.edgeless.systems/products/constellation/). Once you have received your Enterprise License file, place it in your [Constellation workspace](../architecture/orchestration.md#workspaces) in a file named `constellation.license`. diff --git a/docs/docs/reference/cli.md b/docs/docs/reference/cli.md index 7cbc0be8d..99acef520 100644 --- a/docs/docs/reference/cli.md +++ b/docs/docs/reference/cli.md @@ -39,7 +39,6 @@ Commands: * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile * [version](#constellation-version): Display version of this CLI * [init](#constellation-init): Initialize the Constellation cluster -* [ssh](#constellation-ssh): Generate a certificate for emergency SSH access ## constellation config @@ -81,7 +80,7 @@ constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags] ``` -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used -h, --help help for generate - -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.30") + -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.29") -t, --tags strings additional tags for created resources given a list of key=value ``` 
@@ -685,13 +684,13 @@ constellation iam create gcp [flags] ### Options ``` - -h, --help help for gcp - --prefix string Prefix for the service account ID and VM ID that will be created (required) - Must be letters, digits, or hyphens. - --projectID string ID of the GCP project the configuration will be created in (required) - Find it on the welcome screen of your project: https://console.cloud.google.com/welcome - --zone string GCP zone the cluster will be deployed in (required) - Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available + -h, --help help for gcp + --projectID string ID of the GCP project the configuration will be created in (required) + Find it on the welcome screen of your project: https://console.cloud.google.com/welcome + --serviceAccountID string ID for the service account that will be created (required) + Must be 6 to 30 lowercase letters, digits, or hyphens. + --zone string GCP zone the cluster will be deployed in (required) + Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available ``` ### Options inherited from parent commands @@ -843,31 +842,3 @@ constellation init [flags] -C, --workspace string path to the Constellation workspace ``` -## constellation ssh - -Generate a certificate for emergency SSH access - -### Synopsis - -Generate a certificate for emergency SSH access to your SSH-enabled constellation cluster. - -``` -constellation ssh [flags] -``` - -### Options - -``` - -h, --help help for ssh - --key string the path to an existing SSH public key -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - diff --git a/docs/docs/reference/migration.md b/docs/docs/reference/migration.md index eb55d650b..0252c409f 100644 
--- a/docs/docs/reference/migration.md +++ b/docs/docs/reference/migration.md @@ -3,12 +3,6 @@ This document describes breaking changes and migrations between Constellation releases. Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format. -## Migrations to v2.23.0 - -### GCP - -GCP will require the additional permission `compute.forwardingRules.list`. Please update your IAM roles using `constellation iam upgrade apply`. - ## Migrations to v2.19.1 ### Azure @@ -42,13 +36,7 @@ done echo "All specified rules have been deleted." ``` -## Migrating from CLI versions before 2.21.1 - -### AWS - -* AWS clusters that use `LoadBalancer` resources require more IAM permissions. Please upgrade your IAM roles using `constellation iam upgrade apply`. This will show necessary changes and apply them, if desired. - -## Migrating from CLI versions before 2.19.0 +## Migrations to v2.19.0 ### Azure @@ -58,7 +46,7 @@ echo "All specified rules have been deleted." If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them afterward. -## Migrating from CLI versions before 2.18.0 +## Migrating from Azure's service principal authentication to managed identity authentication (during the upgrade to Constellation v2.8.0) * The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed. * To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`. diff --git a/docs/docs/workflows/config.md b/docs/docs/workflows/config.md index 7868ff1be..95f791acd 100644 --- a/docs/docs/workflows/config.md +++ b/docs/docs/workflows/config.md 
@@ -210,10 +210,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -308,11 +308,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/docs/workflows/troubleshooting.md b/docs/docs/workflows/troubleshooting.md index 7ed26ae7f..195bce1cc 100644 --- a/docs/docs/workflows/troubleshooting.md +++ b/docs/docs/workflows/troubleshooting.md 
@@ -149,54 +149,3 @@ Debugging via a shell on a node is [directly supported by Kubernetes](https://ku ```bash kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj ``` - -### Emergency SSH access - -Emergency SSH access to nodes can be useful to diagnose issues or download important data even if the Kubernetes API isn't reachable anymore. - -1. Enter the `constellation-terraform` directory in your Constellation workspace and enable emergency SSH access to the cluster: - - ```bash - cd constellation-terraform - echo "emergency_ssh = true" >> ./terraform.tfvars - terraform apply - ``` - -2. Sign an existing SSH key with your master secret: - - ```bash - cd ../ # go back to your Constellation workspace - constellation ssh --key your_public_key.pub - ``` - - A certificate is written to `constellation_cert.pub`. - - The certificate is valid for 24 hours and enables you to access your Constellation nodes using - [certificate based authentication](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication). - -3. Now you can connect to any Constellation node using your certificate and your private key. - - ```bash - ssh -o CertificateFile=constellation_cert.pub -o UserKnownHostsFile=./known_hosts -i root@ - ``` - - Normally, you don't have access to the Constellation nodes since they reside in a private network. - To access those nodes anyways, you can use your Constellation load balancer as a proxy jump host. - For this, use something along the following SSH client configuration: - - ```text - Host - ProxyJump none - - Host * - IdentityFile - PreferredAuthentications publickey - CertificateFile=constellation_cert.pub - UserKnownHostsFile=./known_hosts - User root - ProxyJump - ``` - - With this configuration you can connect to a Constellation node using `ssh -F `. - You can obtain the private node IP and the public IP of the load balancer using your CSP's web UI. 
Note that if - you use the load balancers domain name, ssh host certificate verification doesn't work, so using the public IP is recommended. diff --git a/docs/package-lock.json b/docs/package-lock.json index cb381bcac..41c393918 100644 --- a/docs/package-lock.json +++ b/docs/package-lock.json @@ -9,19 +9,19 @@ "version": "2.0.0", "dependencies": { "@cmfcmf/docusaurus-search-local": "1.2.0", - "@docusaurus/core": "3.8.0", - "@docusaurus/preset-classic": "3.8.0", - "@docusaurus/theme-mermaid": "3.8.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/preset-classic": "3.6.2", + "@docusaurus/theme-mermaid": "3.6.2", "@mdx-js/react": "3.1.0", - "asciinema-player": "3.10.0", + "asciinema-player": "3.8.1", "clsx": "2.1.1", - "prism-react-renderer": "2.4.1", + "prism-react-renderer": "2.4.0", "react": "18.3.1", "react-dom": "18.3.1" }, "devDependencies": { - "@docusaurus/module-type-aliases": "3.8.0", - "@docusaurus/types": "3.8.0" + "@docusaurus/module-type-aliases": "3.6.2", + "@docusaurus/types": "3.6.2" }, "engines": { "node": ">=16.14" 
@@ -120,48 +120,48 @@ } }, "node_modules/@algolia/client-abtesting": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-abtesting/-/client-abtesting-5.19.0.tgz", - "integrity": "sha512-dMHwy2+nBL0SnIsC1iHvkBao64h4z+roGelOz11cxrDBrAdASxLxmfVMop8gmodQ2yZSacX0Rzevtxa+9SqxCw==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-abtesting/-/client-abtesting-5.15.0.tgz", + "integrity": "sha512-FaEM40iuiv1mAipYyiptP4EyxkJ8qHfowCpEeusdHUC4C7spATJYArD2rX3AxkVeREkDIgYEOuXcwKUbDCr7Nw==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-abtesting/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-abtesting/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", + "version": "5.15.0", + "resolved": 
"https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + "integrity": "sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-abtesting/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" 
@@ -201,48 +201,48 @@ } }, "node_modules/@algolia/client-insights": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-insights/-/client-insights-5.19.0.tgz", - "integrity": "sha512-xPOiGjo6I9mfjdJO7Y+p035aWePcbsItizIp+qVyfkfZiGgD+TbNxM12g7QhFAHIkx/mlYaocxPY/TmwPzTe+A==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-insights/-/client-insights-5.15.0.tgz", + "integrity": "sha512-bDDEQGfFidDi0UQUCbxXOCdphbVAgbVmxvaV75cypBTQkJ+ABx/Npw7LkFGw1FsoVrttlrrQbwjvUB6mLVKs/w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-insights/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-insights/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", + "version": "5.15.0", + "resolved": 
"https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + "integrity": "sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-insights/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" 
@@ -260,48 +260,48 @@ } }, "node_modules/@algolia/client-query-suggestions": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-query-suggestions/-/client-query-suggestions-5.19.0.tgz", - "integrity": "sha512-6fcP8d4S8XRDtVogrDvmSM6g5g6DndLc0pEm1GCKe9/ZkAzCmM3ZmW1wFYYPxdjMeifWy1vVEDMJK7sbE4W7MA==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-query-suggestions/-/client-query-suggestions-5.15.0.tgz", + "integrity": "sha512-wu8GVluiZ5+il8WIRsGKu8VxMK9dAlr225h878GGtpTL6VBvwyJvAyLdZsfFIpY0iN++jiNb31q2C1PlPL+n/A==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-query-suggestions/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-query-suggestions/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", + "version": "5.15.0", + "resolved": 
"https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + "integrity": "sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/client-query-suggestions/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" 
@@ -325,48 +325,48 @@ "license": "MIT" }, "node_modules/@algolia/ingestion": { - "version": "1.19.0", - "resolved": "https://registry.npmjs.org/@algolia/ingestion/-/ingestion-1.19.0.tgz", - "integrity": "sha512-LO7w1MDV+ZLESwfPmXkp+KLeYeFrYEgtbCZG6buWjddhYraPQ9MuQWLhLLiaMlKxZ/sZvFTcZYuyI6Jx4WBhcg==", + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/@algolia/ingestion/-/ingestion-1.15.0.tgz", + "integrity": "sha512-MkqkAxBQxtQ5if/EX2IPqFA7LothghVyvPoRNA/meS2AW2qkHwcxjuiBxv4H6mnAVEPfJlhu9rkdVz9LgCBgJg==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/ingestion/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/ingestion/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + 
"integrity": "sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/ingestion/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" 
@@ -388,48 +388,48 @@ } }, "node_modules/@algolia/monitoring": { - "version": "1.19.0", - "resolved": "https://registry.npmjs.org/@algolia/monitoring/-/monitoring-1.19.0.tgz", - "integrity": "sha512-Mg4uoS0aIKeTpu6iv6O0Hj81s8UHagi5TLm9k2mLIib4vmMtX7WgIAHAcFIaqIZp5D6s5EVy1BaDOoZ7buuJHA==", + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/@algolia/monitoring/-/monitoring-1.15.0.tgz", + "integrity": "sha512-QPrFnnGLMMdRa8t/4bs7XilPYnoUXDY8PMQJ1sf9ZFwhUysYYhQNX34/enoO0LBjpoOY6rLpha39YQEFbzgKyQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/monitoring/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/monitoring/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + "integrity": 
"sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/monitoring/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" 
@@ -470,21 +470,21 @@ "license": "MIT" }, "node_modules/@algolia/requester-fetch": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-fetch/-/requester-fetch-5.19.0.tgz", - "integrity": "sha512-oyTt8ZJ4T4fYvW5avAnuEc6Laedcme9fAFryMD9ndUTIUe/P0kn3BuGcCLFjN3FDmdrETHSFkgPPf1hGy3sLCw==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-fetch/-/requester-fetch-5.15.0.tgz", + "integrity": "sha512-rOZ+c0P7ajmccAvpeeNrUmEKoliYFL8aOR5qGW5pFq3oj3Iept7Y5mEtEsOBYsRt6qLnaXn4zUKf+N8nvJpcIw==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.19.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@algolia/requester-fetch/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + "integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" 
@@ -3450,26 +3450,26 @@ } }, "node_modules/@docsearch/css": { - "version": "3.9.0", - "resolved": "https://registry.npmjs.org/@docsearch/css/-/css-3.9.0.tgz", - "integrity": "sha512-cQbnVbq0rrBwNAKegIac/t6a8nWoUAn8frnkLFW6YARaRmAQr5/Eoe6Ln2fqkUCZ40KpdrKbpSAmgrkviOxuWA==", + "version": "3.8.0", + "resolved": "https://registry.npmjs.org/@docsearch/css/-/css-3.8.0.tgz", + "integrity": "sha512-pieeipSOW4sQ0+bE5UFC51AOZp9NGxg89wAlZ1BAQFaiRAGK1IKUaPQ0UGZeNctJXyqZ1UvBtOQh2HH+U5GtmA==", "license": "MIT" }, "node_modules/@docsearch/react": { - "version": "3.9.0", - "resolved": "https://registry.npmjs.org/@docsearch/react/-/react-3.9.0.tgz", - "integrity": "sha512-mb5FOZYZIkRQ6s/NWnM98k879vu5pscWqTLubLFBO87igYYT4VzVazh4h5o/zCvTIZgEt3PvsCOMOswOUo9yHQ==", + "version": "3.8.0", + "resolved": "https://registry.npmjs.org/@docsearch/react/-/react-3.8.0.tgz", + "integrity": "sha512-WnFK720+iwTVt94CxY3u+FgX6exb3BfN5kE9xUY6uuAH/9W/UFboBZFLlrw/zxFRHoHZCOXRtOylsXF+6LHI+Q==", "license": "MIT", "dependencies": { - "@algolia/autocomplete-core": "1.17.9", - "@algolia/autocomplete-preset-algolia": "1.17.9", - "@docsearch/css": "3.9.0", - "algoliasearch": "^5.14.2" + "@algolia/autocomplete-core": "1.17.7", + "@algolia/autocomplete-preset-algolia": "1.17.7", + "@docsearch/css": "3.8.0", + "algoliasearch": "^5.12.0" }, "peerDependencies": { - "@types/react": ">= 16.8.0 < 20.0.0", - "react": ">= 16.8.0 < 20.0.0", - "react-dom": ">= 16.8.0 < 20.0.0", + "@types/react": ">= 16.8.0 < 19.0.0", + "react": ">= 16.8.0 < 19.0.0", + "react-dom": ">= 16.8.0 < 19.0.0", "search-insights": ">= 1 < 3" }, "peerDependenciesMeta": { 
@@ -3487,259 +3487,127 @@ } } }, - "node_modules/@docsearch/react/node_modules/@algolia/autocomplete-core": { - "version": "1.17.9", - "resolved": "https://registry.npmjs.org/@algolia/autocomplete-core/-/autocomplete-core-1.17.9.tgz", - "integrity": "sha512-O7BxrpLDPJWWHv/DLA9DRFWs+iY1uOJZkqUwjS5HSZAGcl0hIVCQ97LTLewiZmZ402JYUrun+8NqFP+hCknlbQ==", - "license": "MIT", - "dependencies": { - "@algolia/autocomplete-plugin-algolia-insights": "1.17.9", - "@algolia/autocomplete-shared": "1.17.9" - } - }, - "node_modules/@docsearch/react/node_modules/@algolia/autocomplete-plugin-algolia-insights": { - "version": "1.17.9", - "resolved": "https://registry.npmjs.org/@algolia/autocomplete-plugin-algolia-insights/-/autocomplete-plugin-algolia-insights-1.17.9.tgz", - "integrity": "sha512-u1fEHkCbWF92DBeB/KHeMacsjsoI0wFhjZtlCq2ddZbAehshbZST6Hs0Avkc0s+4UyBGbMDnSuXHLuvRWK5iDQ==", - "license": "MIT", - "dependencies": { - "@algolia/autocomplete-shared": "1.17.9" - }, - "peerDependencies": { - "search-insights": ">= 1 < 3" - } - }, - "node_modules/@docsearch/react/node_modules/@algolia/autocomplete-preset-algolia": { - "version": "1.17.9", - "resolved": "https://registry.npmjs.org/@algolia/autocomplete-preset-algolia/-/autocomplete-preset-algolia-1.17.9.tgz", - "integrity": "sha512-Na1OuceSJeg8j7ZWn5ssMu/Ax3amtOwk76u4h5J4eK2Nx2KB5qt0Z4cOapCsxot9VcEN11ADV5aUSlQF4RhGjQ==", - "license": "MIT", - "dependencies": { - "@algolia/autocomplete-shared": "1.17.9" - }, - "peerDependencies": { - "@algolia/client-search": ">= 4.9.1 < 6", - "algoliasearch": ">= 4.9.1 < 6" - } - }, - "node_modules/@docsearch/react/node_modules/@algolia/autocomplete-shared": { - "version": "1.17.9", - "resolved": "https://registry.npmjs.org/@algolia/autocomplete-shared/-/autocomplete-shared-1.17.9.tgz", - "integrity": "sha512-iDf05JDQ7I0b7JEA/9IektxN/80a2MZ1ToohfmNS3rfeuQnIKI3IJlIafD0xu4StbtQTghx9T3Maa97ytkXenQ==", - "license": "MIT", - "peerDependencies": { - "@algolia/client-search": ">= 4.9.1 < 6", - 
"algoliasearch": ">= 4.9.1 < 6" - } - }, - "node_modules/@docsearch/react/node_modules/@algolia/client-abtesting": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/@algolia/client-abtesting/-/client-abtesting-5.25.0.tgz", - "integrity": "sha512-1pfQulNUYNf1Tk/svbfjfkLBS36zsuph6m+B6gDkPEivFmso/XnRgwDvjAx80WNtiHnmeNjIXdF7Gos8+OLHqQ==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.25.0", - "@algolia/requester-browser-xhr": "5.25.0", - "@algolia/requester-fetch": "5.25.0", - "@algolia/requester-node-http": "5.25.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, "node_modules/@docsearch/react/node_modules/@algolia/client-analytics": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/@algolia/client-analytics/-/client-analytics-5.25.0.tgz", - "integrity": "sha512-AFbG6VDJX/o2vDd9hqncj1B6B4Tulk61mY0pzTtzKClyTDlNP0xaUiEKhl6E7KO9I/x0FJF5tDCm0Hn6v5x18A==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-analytics/-/client-analytics-5.15.0.tgz", + "integrity": "sha512-lho0gTFsQDIdCwyUKTtMuf9nCLwq9jOGlLGIeQGKDxXF7HbiAysFIu5QW/iQr1LzMgDyM9NH7K98KY+BiIFriQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.25.0", - "@algolia/requester-browser-xhr": "5.25.0", - "@algolia/requester-fetch": "5.25.0", - "@algolia/requester-node-http": "5.25.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/@algolia/client-common": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.25.0.tgz", - "integrity": "sha512-il1zS/+Rc6la6RaCdSZ2YbJnkQC6W1wiBO8+SH+DE6CPMWBU6iDVzH0sCKSAtMWl9WBxoN6MhNjGBnCv9Yy2bA==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.15.0.tgz", + 
"integrity": "sha512-IofrVh213VLsDkPoSKMeM9Dshrv28jhDlBDLRcVJQvlL8pzue7PEB1EZ4UoJFYS3NSn7JOcJ/V+olRQzXlJj1w==", "license": "MIT", "engines": { "node": ">= 14.0.0" } }, - "node_modules/@docsearch/react/node_modules/@algolia/client-insights": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/@algolia/client-insights/-/client-insights-5.25.0.tgz", - "integrity": "sha512-blbjrUH1siZNfyCGeq0iLQu00w3a4fBXm0WRIM0V8alcAPo7rWjLbMJMrfBtzL9X5ic6wgxVpDADXduGtdrnkw==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.25.0", - "@algolia/requester-browser-xhr": "5.25.0", - "@algolia/requester-fetch": "5.25.0", - "@algolia/requester-node-http": "5.25.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, "node_modules/@docsearch/react/node_modules/@algolia/client-personalization": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/@algolia/client-personalization/-/client-personalization-5.25.0.tgz", - "integrity": "sha512-aywoEuu1NxChBcHZ1pWaat0Plw7A8jDMwjgRJ00Mcl7wGlwuPt5dJ/LTNcg3McsEUbs2MBNmw0ignXBw9Tbgow==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-personalization/-/client-personalization-5.15.0.tgz", + "integrity": "sha512-LfaZqLUWxdYFq44QrasCDED5bSYOswpQjSiIL7Q5fYlefAAUO95PzBPKCfUhSwhb4rKxigHfDkd81AvEicIEoA==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.25.0", - "@algolia/requester-browser-xhr": "5.25.0", - "@algolia/requester-fetch": "5.25.0", - "@algolia/requester-node-http": "5.25.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docsearch/react/node_modules/@algolia/client-query-suggestions": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/@algolia/client-query-suggestions/-/client-query-suggestions-5.25.0.tgz", - "integrity": "sha512-a/W2z6XWKjKjIW1QQQV8PTTj1TXtaKx79uR3NGBdBdGvVdt24KzGAaN7sCr5oP8DW4D3cJt44wp2OY/fZcPAVA==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.25.0", - 
"@algolia/requester-browser-xhr": "5.25.0", - "@algolia/requester-fetch": "5.25.0", - "@algolia/requester-node-http": "5.25.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/@algolia/client-search": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-5.25.0.tgz", - "integrity": "sha512-9rUYcMIBOrCtYiLX49djyzxqdK9Dya/6Z/8sebPn94BekT+KLOpaZCuc6s0Fpfq7nx5J6YY5LIVFQrtioK9u0g==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-5.15.0.tgz", + "integrity": "sha512-Z32gEMrRRpEta5UqVQA612sLdoqY3AovvUPClDfMxYrbdDAebmGDVPtSogUba1FZ4pP5dx20D3OV3reogLKsRA==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.25.0", - "@algolia/requester-browser-xhr": "5.25.0", - "@algolia/requester-fetch": "5.25.0", - "@algolia/requester-node-http": "5.25.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docsearch/react/node_modules/@algolia/ingestion": { - "version": "1.25.0", - "resolved": "https://registry.npmjs.org/@algolia/ingestion/-/ingestion-1.25.0.tgz", - "integrity": "sha512-jJeH/Hk+k17Vkokf02lkfYE4A+EJX+UgnMhTLR/Mb+d1ya5WhE+po8p5a/Nxb6lo9OLCRl6w3Hmk1TX1e9gVbQ==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.25.0", - "@algolia/requester-browser-xhr": "5.25.0", - "@algolia/requester-fetch": "5.25.0", - "@algolia/requester-node-http": "5.25.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docsearch/react/node_modules/@algolia/monitoring": { - "version": "1.25.0", - "resolved": "https://registry.npmjs.org/@algolia/monitoring/-/monitoring-1.25.0.tgz", - "integrity": "sha512-Ls3i1AehJ0C6xaHe7kK9vPmzImOn5zBg7Kzj8tRYIcmCWVyuuFwCIsbuIIz/qzUf1FPSWmw0TZrGeTumk2fqXg==", - "license": "MIT", - 
"dependencies": { - "@algolia/client-common": "5.25.0", - "@algolia/requester-browser-xhr": "5.25.0", - "@algolia/requester-fetch": "5.25.0", - "@algolia/requester-node-http": "5.25.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/@algolia/recommend": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/@algolia/recommend/-/recommend-5.25.0.tgz", - "integrity": "sha512-79sMdHpiRLXVxSjgw7Pt4R1aNUHxFLHiaTDnN2MQjHwJ1+o3wSseb55T9VXU4kqy3m7TUme3pyRhLk5ip/S4Mw==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/recommend/-/recommend-5.15.0.tgz", + "integrity": "sha512-5eupMwSqMLDObgSMF0XG958zR6GJP3f7jHDQ3/WlzCM9/YIJiWIUoJFGsko9GYsA5xbLDHE/PhWtq4chcCdaGQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.25.0", - "@algolia/requester-browser-xhr": "5.25.0", - "@algolia/requester-fetch": "5.25.0", - "@algolia/requester-node-http": "5.25.0" + "@algolia/client-common": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/@algolia/requester-browser-xhr": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.25.0.tgz", - "integrity": "sha512-JLaF23p1SOPBmfEqozUAgKHQrGl3z/Z5RHbggBu6s07QqXXcazEsub5VLonCxGVqTv6a61AAPr8J1G5HgGGjEw==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.15.0.tgz", + "integrity": "sha512-Po/GNib6QKruC3XE+WKP1HwVSfCDaZcXu48kD+gwmtDlqHWKc7Bq9lrS0sNZ456rfCKhXksOmMfUs4wRM/Y96w==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.25.0" - }, - "engines": { - "node": ">= 
14.0.0" - } - }, - "node_modules/@docsearch/react/node_modules/@algolia/requester-fetch": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-fetch/-/requester-fetch-5.25.0.tgz", - "integrity": "sha512-rtzXwqzFi1edkOF6sXxq+HhmRKDy7tz84u0o5t1fXwz0cwx+cjpmxu/6OQKTdOJFS92JUYHsG51Iunie7xbqfQ==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.25.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/@algolia/requester-node-http": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.25.0.tgz", - "integrity": "sha512-ZO0UKvDyEFvyeJQX0gmZDQEvhLZ2X10K+ps6hViMo1HgE2V8em00SwNsQ+7E/52a+YiBkVWX61pJJJE44juDMQ==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.15.0.tgz", + "integrity": "sha512-b1jTpbFf9LnQHEJP5ddDJKE2sAlhYd7EVSOWgzo/27n/SfCoHfqD0VWntnWYD83PnOKvfe8auZ2+xCb0TXotrQ==", "license": "MIT", "dependencies": { - "@algolia/client-common": "5.25.0" + "@algolia/client-common": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docsearch/react/node_modules/algoliasearch": { - "version": "5.25.0", - "resolved": "https://registry.npmjs.org/algoliasearch/-/algoliasearch-5.25.0.tgz", - "integrity": "sha512-n73BVorL4HIwKlfJKb4SEzAYkR3Buwfwbh+MYxg2mloFph2fFGV58E90QTzdbfzWrLn4HE5Czx/WTjI8fcHaMg==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/algoliasearch/-/algoliasearch-5.15.0.tgz", + "integrity": "sha512-Yf3Swz1s63hjvBVZ/9f2P1Uu48GjmjCN+Esxb6MAONMGtZB1fRX8/S1AhUTtsuTlcGovbYLxpHgc7wEzstDZBw==", "license": "MIT", "dependencies": { - "@algolia/client-abtesting": "5.25.0", - "@algolia/client-analytics": "5.25.0", - "@algolia/client-common": "5.25.0", - "@algolia/client-insights": "5.25.0", - "@algolia/client-personalization": "5.25.0", - "@algolia/client-query-suggestions": "5.25.0", - 
"@algolia/client-search": "5.25.0", - "@algolia/ingestion": "1.25.0", - "@algolia/monitoring": "1.25.0", - "@algolia/recommend": "5.25.0", - "@algolia/requester-browser-xhr": "5.25.0", - "@algolia/requester-fetch": "5.25.0", - "@algolia/requester-node-http": "5.25.0" + "@algolia/client-abtesting": "5.15.0", + "@algolia/client-analytics": "5.15.0", + "@algolia/client-common": "5.15.0", + "@algolia/client-insights": "5.15.0", + "@algolia/client-personalization": "5.15.0", + "@algolia/client-query-suggestions": "5.15.0", + "@algolia/client-search": "5.15.0", + "@algolia/ingestion": "1.15.0", + "@algolia/monitoring": "1.15.0", + "@algolia/recommend": "5.15.0", + "@algolia/requester-browser-xhr": "5.15.0", + "@algolia/requester-fetch": "5.15.0", + "@algolia/requester-node-http": "5.15.0" }, "engines": { "node": ">= 14.0.0" } }, "node_modules/@docusaurus/babel": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/babel/-/babel-3.8.0.tgz", - "integrity": "sha512-9EJwSgS6TgB8IzGk1L8XddJLhZod8fXT4ULYMx6SKqyCBqCFpVCEjR/hNXXhnmtVM2irDuzYoVLGWv7srG/VOA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/babel/-/babel-3.6.2.tgz", + "integrity": "sha512-v8N8TWGXDsb5sxQC3Rcqb1CZr0LlU1OgqqVBUchN6cpIUr7EJuVJs5eHcIu5Ag8mwO/hWN3f7FE9uaHTMapAbg==", "license": "MIT", "dependencies": { "@babel/core": "^7.25.9", @@ -3752,8 +3620,8 @@ "@babel/runtime": "^7.25.9", "@babel/runtime-corejs3": "^7.25.9", "@babel/traverse": "^7.25.9", - "@docusaurus/logger": "3.8.0", - "@docusaurus/utils": "3.8.0", + "@docusaurus/logger": "3.6.2", + "@docusaurus/utils": "3.6.2", "babel-plugin-dynamic-import-node": "^2.3.3", "fs-extra": "^11.1.1", "tslib": "^2.6.0" 
@@ -3763,17 +3631,17 @@ } }, "node_modules/@docusaurus/bundler": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/bundler/-/bundler-3.8.0.tgz", - "integrity": "sha512-Rq4Z/MSeAHjVzBLirLeMcjLIAQy92pF1OI+2rmt18fSlMARfTGLWRE8Vb+ljQPTOSfJxwDYSzsK6i7XloD2rNA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/bundler/-/bundler-3.6.2.tgz", + "integrity": "sha512-YkEifEVs4lV931SrHBB4n6WqRowMw+aM/QPH3z8aU+5t1dWa+1p2OPqARS+tSbh3la9ns+L1zIfSbd8RHi2/PQ==", "license": "MIT", "dependencies": { "@babel/core": "^7.25.9", - "@docusaurus/babel": "3.8.0", - "@docusaurus/cssnano-preset": "3.8.0", - "@docusaurus/logger": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils": "3.8.0", + "@docusaurus/babel": "3.6.2", + "@docusaurus/cssnano-preset": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", "babel-loader": "^9.2.1", "clean-css": "^5.3.2", "copy-webpack-plugin": "^11.0.0", @@ -3787,6 +3655,7 @@ "postcss": "^8.4.26", "postcss-loader": "^7.3.3", "postcss-preset-env": "^10.1.0", + "react-dev-utils": "^12.0.1", "terser-webpack-plugin": "^5.3.9", "tslib": "^2.6.0", "url-loader": "^4.1.1", 
@@ -3806,18 +3675,18 @@ } }, "node_modules/@docusaurus/core": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/core/-/core-3.8.0.tgz", - "integrity": "sha512-c7u6zFELmSGPEP9WSubhVDjgnpiHgDqMh1qVdCB7rTflh4Jx0msTYmMiO91Ez0KtHj4sIsDsASnjwfJ2IZp3Vw==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/core/-/core-3.6.2.tgz", + "integrity": "sha512-irMts/mGLZv8dWcy0WUtbY/U6b5qIfHgQd1/kXMyAxUJo99fL0wFSqhMI+tcxjk0HYy427MXerLMqFJj+Arg1w==", "license": "MIT", "dependencies": { - "@docusaurus/babel": "3.8.0", - "@docusaurus/bundler": "3.8.0", - "@docusaurus/logger": "3.8.0", - "@docusaurus/mdx-loader": "3.8.0", - "@docusaurus/utils": "3.8.0", - "@docusaurus/utils-common": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", + "@docusaurus/babel": "3.6.2", + "@docusaurus/bundler": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/mdx-loader": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "boxen": "^6.2.1", "chalk": "^4.1.2", "chokidar": "^3.5.3", 
@@ -3825,28 +3694,29 @@ "combine-promises": "^1.1.0", "commander": "^5.1.0", "core-js": "^3.31.1", + "del": "^6.1.1", "detect-port": "^1.5.1", "escape-html": "^1.0.3", "eta": "^2.2.0", "eval": "^0.1.8", - "execa": "5.1.1", "fs-extra": "^11.1.1", "html-tags": "^3.3.1", "html-webpack-plugin": "^5.6.0", "leven": "^3.1.0", "lodash": "^4.17.21", - "open": "^8.4.0", "p-map": "^4.0.0", "prompts": "^2.4.2", - "react-helmet-async": "npm:@slorber/react-helmet-async@1.3.0", + "react-dev-utils": "^12.0.1", + "react-helmet-async": "^1.3.0", "react-loadable": "npm:@docusaurus/react-loadable@6.0.0", "react-loadable-ssr-addon-v5-slorber": "^1.0.1", "react-router": "^5.3.4", "react-router-config": "^5.1.1", "react-router-dom": "^5.3.4", + "rtl-detect": "^1.0.4", "semver": "^7.5.4", "serve-handler": "^6.1.6", - "tinypool": "^1.0.2", + "shelljs": "^0.8.5", "tslib": "^2.6.0", "update-notifier": "^6.0.2", "webpack": "^5.95.0", @@ -3862,14 +3732,14 @@ }, "peerDependencies": { "@mdx-js/react": "^3.0.0", - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/cssnano-preset": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/cssnano-preset/-/cssnano-preset-3.8.0.tgz", - "integrity": "sha512-UJ4hAS2T0R4WNy+phwVff2Q0L5+RXW9cwlH6AEphHR5qw3m/yacfWcSK7ort2pMMbDn8uGrD38BTm4oLkuuNoQ==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/cssnano-preset/-/cssnano-preset-3.6.2.tgz", + "integrity": "sha512-mBkVa4QMHRwCFCVLYdBlOZuAT1iVVsS7GGSgliSVAeTOagP/AbtlBsCVrBs+keEuDuRF1w/6QEcqDoZe9fa5pw==", "license": "MIT", "dependencies": { "cssnano-preset-advanced": "^6.1.2", 
@@ -3882,9 +3752,9 @@ } }, "node_modules/@docusaurus/logger": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/logger/-/logger-3.8.0.tgz", - "integrity": "sha512-7eEMaFIam5Q+v8XwGqF/n0ZoCld4hV4eCCgQkfcN9Mq5inoZa6PHHW9Wu6lmgzoK5Kx3keEeABcO2SxwraoPDQ==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/logger/-/logger-3.6.2.tgz", + "integrity": "sha512-1p4IQhhgLyIfsey4UAdAIW69aUE1Ei6O91Nsw30ryZeDWSG5dh4o3zaRGOLxfAX69Ac/yDm6YCwJOafUxL6Vxg==", "license": "MIT", "dependencies": { "chalk": "^4.1.2", @@ -3895,21 +3765,21 @@ } }, "node_modules/@docusaurus/mdx-loader": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/mdx-loader/-/mdx-loader-3.8.0.tgz", - "integrity": "sha512-mDPSzssRnpjSdCGuv7z2EIAnPS1MHuZGTaRLwPn4oQwszu4afjWZ/60sfKjTnjBjI8Vl4OgJl2vMmfmiNDX4Ng==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/mdx-loader/-/mdx-loader-3.6.2.tgz", + "integrity": "sha512-7fbRmNgF3CR96Ja82Ya0/Cdu1OL9UJ/22llNMY8lr5gAbw718Y5ryXMVRIYn0JNLTiSxzgtvW4DIsUWEB8NMpw==", "license": "MIT", "dependencies": { - "@docusaurus/logger": "3.8.0", - "@docusaurus/utils": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", + "@docusaurus/logger": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "@mdx-js/mdx": "^3.0.0", "@slorber/remark-comment": "^1.0.0", "escape-html": "^1.0.3", "estree-util-value-to-estree": "^3.0.1", "file-loader": "^6.2.0", "fs-extra": "^11.1.1", - "image-size": "^2.0.2", + "image-size": "^1.0.2", "mdast-util-mdx": "^3.0.0", "mdast-util-to-string": "^4.0.0", "rehype-raw": "^7.0.0", 
@@ -3929,22 +3799,22 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/module-type-aliases": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/module-type-aliases/-/module-type-aliases-3.8.0.tgz", - "integrity": "sha512-/uMb4Ipt5J/QnD13MpnoC/A4EYAe6DKNWqTWLlGrqsPJwJv73vSwkA25xnYunwfqWk0FlUQfGv/Swdh5eCCg7g==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/module-type-aliases/-/module-type-aliases-3.6.2.tgz", + "integrity": "sha512-NrJkL2rLTCjHtWOqUvWzwqvJrsKLj0gVJeV6q5yeKdKKgItietcTf2fTRkM9LHKSUN8CBDXxwHABeQvTahvmXQ==", "license": "MIT", "dependencies": { - "@docusaurus/types": "3.8.0", + "@docusaurus/types": "3.6.2", "@types/history": "^4.7.11", "@types/react": "*", "@types/react-router-config": "*", "@types/react-router-dom": "*", - "react-helmet-async": "npm:@slorber/react-helmet-async@1.3.0", + "react-helmet-async": "*", "react-loadable": "npm:@docusaurus/react-loadable@6.0.0" }, "peerDependencies": { 
@@ -3953,24 +3823,24 @@ } }, "node_modules/@docusaurus/plugin-content-blog": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-blog/-/plugin-content-blog-3.8.0.tgz", - "integrity": "sha512-0SlOTd9R55WEr1GgIXu+hhTT0hzARYx3zIScA5IzpdekZQesI/hKEa5LPHBd415fLkWMjdD59TaW/3qQKpJ0Lg==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-blog/-/plugin-content-blog-3.6.2.tgz", + "integrity": "sha512-6bJxr6Or4NslEVH3BJuPH30kUWiqUjDRdGPhvxpHmt9W/RY2/6u72WICG3bW3dLFxJ/2uDLBU92lHnatpvo7Ew==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/logger": "3.8.0", - "@docusaurus/mdx-loader": "3.8.0", - "@docusaurus/theme-common": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils": "3.8.0", - "@docusaurus/utils-common": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/mdx-loader": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "cheerio": "1.0.0-rc.12", "feed": "^4.2.2", "fs-extra": "^11.1.1", "lodash": "^4.17.21", - "schema-dts": "^1.1.2", + "reading-time": "^1.5.0", "srcset": "^4.0.0", "tslib": "^2.6.0", "unist-util-visit": "^5.0.0", 
@@ -3982,31 +3852,30 @@ }, "peerDependencies": { "@docusaurus/plugin-content-docs": "*", - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-content-docs": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-docs/-/plugin-content-docs-3.8.0.tgz", - "integrity": "sha512-fRDMFLbUN6eVRXcjP8s3Y7HpAt9pzPYh1F/7KKXOCxvJhjjCtbon4VJW0WndEPInVz4t8QUXn5QZkU2tGVCE2g==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-docs/-/plugin-content-docs-3.6.2.tgz", + "integrity": "sha512-e6WW1g10RIXXLN/rrtqTi/FyJ1Hj3X9Mmgz4V11/0pDCxIGGI8m4ocbAglUlLtgvbLD5viNLefl/NwbOW3JXiQ==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/logger": "3.8.0", - "@docusaurus/mdx-loader": "3.8.0", - "@docusaurus/module-type-aliases": "3.8.0", - "@docusaurus/theme-common": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils": "3.8.0", - "@docusaurus/utils-common": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/mdx-loader": "3.6.2", + "@docusaurus/module-type-aliases": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "@types/react-router-config": "^5.0.7", "combine-promises": "^1.1.0", "fs-extra": "^11.1.1", "js-yaml": "^4.1.0", "lodash": "^4.17.21", - "schema-dts": "^1.1.2", "tslib": "^2.6.0", "utility-types": "^3.10.0", "webpack": "^5.88.1" 
@@ -4015,21 +3884,21 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-content-pages": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-pages/-/plugin-content-pages-3.8.0.tgz", - "integrity": "sha512-39EDx2y1GA0Pxfion5tQZLNJxL4gq6susd1xzetVBjVIQtwpCdyloOfQBAgX0FylqQxfJrYqL0DIUuq7rd7uBw==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-pages/-/plugin-content-pages-3.6.2.tgz", + "integrity": "sha512-fo4NyGkw10lYHyHaTxE6TZLYnxNtCfRHeZkNK1N9pBYqe7TT2dBUNAEeVW2U3ed9m6YuB7JKSQsa++GGmcP+6g==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/mdx-loader": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/mdx-loader": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "fs-extra": "^11.1.1", "tslib": "^2.6.0", "webpack": "^5.88.1" 
@@ -4038,74 +3907,59 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" - } - }, - "node_modules/@docusaurus/plugin-css-cascade-layers": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-css-cascade-layers/-/plugin-css-cascade-layers-3.8.0.tgz", - "integrity": "sha512-/VBTNymPIxQB8oA3ZQ4GFFRYdH4ZxDRRBECxyjRyv486mfUPXfcdk+im4S5mKWa6EK2JzBz95IH/Wu0qQgJ5yQ==", - "license": "MIT", - "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", - "tslib": "^2.6.0" - }, - "engines": { - "node": ">=18.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-debug": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-debug/-/plugin-debug-3.8.0.tgz", - "integrity": "sha512-teonJvJsDB9o2OnG6ifbhblg/PXzZvpUKHFgD8dOL1UJ58u0lk8o0ZOkvaYEBa9nDgqzoWrRk9w+e3qaG2mOhQ==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-debug/-/plugin-debug-3.6.2.tgz", + "integrity": "sha512-T/eS3VvHElpeV5S8uwp7Si4ujEynmgFtJLvA2CSa5pzQuOF1EEghF9nekAIj0cWtDHsqNUDZNr8hK1brivFXSg==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils": "3.8.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", "fs-extra": "^11.1.1", - "react-json-view-lite": "^2.3.0", + "react-json-view-lite": "^1.2.0", "tslib": "^2.6.0" }, "engines": { "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-google-analytics": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-analytics/-/plugin-google-analytics-3.8.0.tgz", - "integrity": 
"sha512-aKKa7Q8+3xRSRESipNvlFgNp3FNPELKhuo48Cg/svQbGNwidSHbZT03JqbW4cBaQnyyVchO1ttk+kJ5VC9Gx0w==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-analytics/-/plugin-google-analytics-3.6.2.tgz", + "integrity": "sha512-B7ihrr3wz8e4XqW+dIAtq844u3Z83u5CeiL1xrCqzFH+vDCjUZHTamS3zKXNcgi6YVVe6hUQXPG15ltaqQaVPQ==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "tslib": "^2.6.0" }, "engines": { "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-google-gtag": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-gtag/-/plugin-google-gtag-3.8.0.tgz", - "integrity": "sha512-ugQYMGF4BjbAW/JIBtVcp+9eZEgT9HRdvdcDudl5rywNPBA0lct+lXMG3r17s02rrhInMpjMahN3Yc9Cb3H5/g==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-gtag/-/plugin-google-gtag-3.6.2.tgz", + "integrity": "sha512-V8ijI6qddAAkJ0vd8sjZ7S/apRTLJn9dAwvj/rSMd93witGdKINemL+9TyfLkhcXKTxyqRT8zKdu8ewjPXqKHg==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "@types/gtag.js": "^0.0.12", "tslib": "^2.6.0" }, 
@@ -4113,41 +3967,41 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-google-tag-manager": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-tag-manager/-/plugin-google-tag-manager-3.8.0.tgz", - "integrity": "sha512-9juRWxbwZD3SV02Jd9QB6yeN7eu+7T4zB0bvJLcVQwi+am51wAxn2CwbdL0YCCX+9OfiXbADE8D8Q65Hbopu/w==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-google-tag-manager/-/plugin-google-tag-manager-3.6.2.tgz", + "integrity": "sha512-fnWQ5FdN9f8c8VTgjaQ98208Y+d/JjHhD506rWIIL9rt1cJOf29XElxvOeKpMJadfkgY5KLZSAiHkGt+4qgN4g==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "tslib": "^2.6.0" }, "engines": { "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/plugin-sitemap": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-sitemap/-/plugin-sitemap-3.8.0.tgz", - "integrity": "sha512-fGpOIyJvNiuAb90nSJ2Gfy/hUOaDu6826e5w5UxPmbpCIc7KlBHNAZ5g4L4ZuHhc4hdfq4mzVBsQSnne+8Ze1g==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-sitemap/-/plugin-sitemap-3.6.2.tgz", + "integrity": "sha512-qcAQAP1Ot0dZpeRoJ0L/Zck5FVDkll2IleVZQLzxeRVDZIw1P9/TK7/Aw1w2pmH7dmw/Cwk/cLSVRvLAmp9k7A==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/logger": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils": "3.8.0", - "@docusaurus/utils-common": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", + "@docusaurus/core": "3.6.2", + 
"@docusaurus/logger": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "fs-extra": "^11.1.1", "sitemap": "^7.1.1", "tslib": "^2.6.0" 
@@ -4156,82 +4010,57 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" - } - }, - "node_modules/@docusaurus/plugin-svgr": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/plugin-svgr/-/plugin-svgr-3.8.0.tgz", - "integrity": "sha512-kEDyry+4OMz6BWLG/lEqrNsL/w818bywK70N1gytViw4m9iAmoxCUT7Ri9Dgs7xUdzCHJ3OujolEmD88Wy44OA==", - "license": "MIT", - "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", - "@svgr/core": "8.1.0", - "@svgr/webpack": "^8.1.0", - "tslib": "^2.6.0", - "webpack": "^5.88.1" - }, - "engines": { - "node": ">=18.0" - }, - "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/preset-classic": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/preset-classic/-/preset-classic-3.8.0.tgz", - "integrity": "sha512-qOu6tQDOWv+rpTlKu+eJATCJVGnABpRCPuqf7LbEaQ1mNY//N/P8cHQwkpAU+aweQfarcZ0XfwCqRHJfjeSV/g==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/preset-classic/-/preset-classic-3.6.2.tgz", + "integrity": "sha512-r2n5eHdhiNSrJGsrrYcw+WsyStmXxe0ZG3RdA9LVyK5+jBHM8blrUWJEDugnzCNbyhUzhdtcmgCC9fhdAvKuQw==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/plugin-content-blog": "3.8.0", - "@docusaurus/plugin-content-docs": "3.8.0", - "@docusaurus/plugin-content-pages": "3.8.0", - "@docusaurus/plugin-css-cascade-layers": "3.8.0", - "@docusaurus/plugin-debug": "3.8.0", - "@docusaurus/plugin-google-analytics": "3.8.0", - "@docusaurus/plugin-google-gtag": "3.8.0", - "@docusaurus/plugin-google-tag-manager": "3.8.0", - "@docusaurus/plugin-sitemap": "3.8.0", - "@docusaurus/plugin-svgr": "3.8.0", - "@docusaurus/theme-classic": "3.8.0", - "@docusaurus/theme-common": "3.8.0", - 
"@docusaurus/theme-search-algolia": "3.8.0", - "@docusaurus/types": "3.8.0" + "@docusaurus/core": "3.6.2", + "@docusaurus/plugin-content-blog": "3.6.2", + "@docusaurus/plugin-content-docs": "3.6.2", + "@docusaurus/plugin-content-pages": "3.6.2", + "@docusaurus/plugin-debug": "3.6.2", + "@docusaurus/plugin-google-analytics": "3.6.2", + "@docusaurus/plugin-google-gtag": "3.6.2", + "@docusaurus/plugin-google-tag-manager": "3.6.2", + "@docusaurus/plugin-sitemap": "3.6.2", + "@docusaurus/theme-classic": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/theme-search-algolia": "3.6.2", + "@docusaurus/types": "3.6.2" }, "engines": { "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/theme-classic": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-classic/-/theme-classic-3.8.0.tgz", - "integrity": "sha512-nQWFiD5ZjoT76OaELt2n33P3WVuuCz8Dt5KFRP2fCBo2r9JCLsp2GJjZpnaG24LZ5/arRjv4VqWKgpK0/YLt7g==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-classic/-/theme-classic-3.6.2.tgz", + "integrity": "sha512-bCdOPqPNezhLx+hgNVO2Cf+8/1AHa9uHDOqTx/CKAx2I0J/jV9G+6JiMtpSRKGNfBoLT1O+56/7+WtkOf54xTw==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/logger": "3.8.0", - "@docusaurus/mdx-loader": "3.8.0", - "@docusaurus/module-type-aliases": "3.8.0", - "@docusaurus/plugin-content-blog": "3.8.0", - "@docusaurus/plugin-content-docs": "3.8.0", - "@docusaurus/plugin-content-pages": "3.8.0", - "@docusaurus/theme-common": "3.8.0", - "@docusaurus/theme-translations": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils": "3.8.0", - "@docusaurus/utils-common": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/mdx-loader": "3.6.2", + 
"@docusaurus/module-type-aliases": "3.6.2", + "@docusaurus/plugin-content-blog": "3.6.2", + "@docusaurus/plugin-content-docs": "3.6.2", + "@docusaurus/plugin-content-pages": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/theme-translations": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", "@mdx-js/react": "^3.0.0", "clsx": "^2.0.0", "copy-text-to-clipboard": "^3.2.0", @@ -4250,20 +4079,20 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/theme-common": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-common/-/theme-common-3.8.0.tgz", - "integrity": "sha512-YqV2vAWpXGLA+A3PMLrOMtqgTHJLDcT+1Caa6RF7N4/IWgrevy5diY8oIHFkXR/eybjcrFFjUPrHif8gSGs3Tw==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-common/-/theme-common-3.6.2.tgz", + "integrity": "sha512-lfgsL064KEHpCkgGUc0OYoUPCpYfzggp6Hof8sz59UuKiLvb/Z7raewE9/NfocrJ2HZI17rLgMX3SQlRDh/5gg==", "license": "MIT", "dependencies": { - "@docusaurus/mdx-loader": "3.8.0", - "@docusaurus/module-type-aliases": "3.8.0", - "@docusaurus/utils": "3.8.0", - "@docusaurus/utils-common": "3.8.0", + "@docusaurus/mdx-loader": "3.6.2", + "@docusaurus/module-type-aliases": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", "@types/history": "^4.7.11", "@types/react": "*", "@types/react-router-config": "*", 
@@ -4278,48 +4107,48 @@ }, "peerDependencies": { "@docusaurus/plugin-content-docs": "*", - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/theme-mermaid": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-mermaid/-/theme-mermaid-3.8.0.tgz", - "integrity": "sha512-ou0NJM37p4xrVuFaZp8qFe5Z/qBq9LuyRTP4KKRa0u2J3zC4f3saBJDgc56FyvvN1OsmU0189KGEPUjTr6hFxg==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-mermaid/-/theme-mermaid-3.6.2.tgz", + "integrity": "sha512-Ui+rBtqMPKj3RCOxNlY04i1tEjNg+fZg4URTvkHmYR07hcKaJw+vkw+wlaYjd0HFZk+3Er9vUAcwsCWuea4cVQ==", "license": "MIT", "dependencies": { - "@docusaurus/core": "3.8.0", - "@docusaurus/module-type-aliases": "3.8.0", - "@docusaurus/theme-common": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", - "mermaid": ">=11.6.0", + "@docusaurus/core": "3.6.2", + "@docusaurus/module-type-aliases": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", + "mermaid": ">=10.4", "tslib": "^2.6.0" }, "engines": { "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/theme-search-algolia": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-search-algolia/-/theme-search-algolia-3.8.0.tgz", - "integrity": "sha512-GBZ5UOcPgiu6nUw153+0+PNWvFKweSnvKIL6Rp04H9olKb475jfKjAwCCtju5D2xs5qXHvCMvzWOg5o9f6DtuQ==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-search-algolia/-/theme-search-algolia-3.6.2.tgz", + "integrity": "sha512-SFLS+Rq8Cg2yepnHucA9sRpIR97yHvZWlCgMzBLunV3KHbB6hD2h5HPhFV39wYHYCjJUAOH1lX9poJ1qKYuSvg==", "license": "MIT", "dependencies": { - "@docsearch/react": "^3.9.0", - 
"@docusaurus/core": "3.8.0", - "@docusaurus/logger": "3.8.0", - "@docusaurus/plugin-content-docs": "3.8.0", - "@docusaurus/theme-common": "3.8.0", - "@docusaurus/theme-translations": "3.8.0", - "@docusaurus/utils": "3.8.0", - "@docusaurus/utils-validation": "3.8.0", - "algoliasearch": "^5.17.1", - "algoliasearch-helper": "^3.22.6", + "@docsearch/react": "^3.5.2", + "@docusaurus/core": "3.6.2", + "@docusaurus/logger": "3.6.2", + "@docusaurus/plugin-content-docs": "3.6.2", + "@docusaurus/theme-common": "3.6.2", + "@docusaurus/theme-translations": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-validation": "3.6.2", + "algoliasearch": "^4.18.0", + "algoliasearch-helper": "^3.13.3", "clsx": "^2.0.0", "eta": "^2.2.0", "fs-extra": "^11.1.1", 
@@ -4331,131 +4160,14 @@ "node": ">=18.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/client-analytics": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-analytics/-/client-analytics-5.19.0.tgz", - "integrity": "sha512-CDW4RwnCHzU10upPJqS6N6YwDpDHno7w6/qXT9KPbPbt8szIIzCHrva4O9KIfx1OhdsHzfGSI5hMAiOOYl4DEQ==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/client-common": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-common/-/client-common-5.19.0.tgz", - "integrity": "sha512-2ERRbICHXvtj5kfFpY5r8qu9pJII/NAHsdgUXnUitQFwPdPL7wXiupcvZJC7DSntOnE8AE0lM7oDsPhrJfj5nQ==", - "license": "MIT", - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/client-personalization": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-personalization/-/client-personalization-5.19.0.tgz", - "integrity": "sha512-B9eoce/fk8NLboGje+pMr72pw+PV7c5Z01On477heTZ7jkxoZ4X92dobeGuEQop61cJ93Gaevd1of4mBr4hu2A==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/client-search": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-5.19.0.tgz", - "integrity": 
"sha512-Ctg3xXD/1VtcwmkulR5+cKGOMj4r0wC49Y/KZdGQcqpydKn+e86F6l3tb3utLJQVq4lpEJud6kdRykFgcNsp8Q==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/recommend": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/recommend/-/recommend-5.19.0.tgz", - "integrity": "sha512-PbgrMTbUPlmwfJsxjFhal4XqZO2kpBNRjemLVTkUiti4w/+kzcYO4Hg5zaBgVqPwvFDNQ8JS4SS3TBBem88u+g==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/requester-browser-xhr": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-browser-xhr/-/requester-browser-xhr-5.19.0.tgz", - "integrity": "sha512-GfnhnQBT23mW/VMNs7m1qyEyZzhZz093aY2x8p0era96MMyNv8+FxGek5pjVX0b57tmSCZPf4EqNCpkGcGsmbw==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/@algolia/requester-node-http": { - "version": "5.19.0", - "resolved": "https://registry.npmjs.org/@algolia/requester-node-http/-/requester-node-http-5.19.0.tgz", - "integrity": "sha512-p6t8ue0XZNjcRiqNkb5QAM0qQRAKsCiebZ6n9JjWA+p8fWf8BvnhO55y2fO28g3GW0Imj7PrAuyBuxq8aDVQwQ==", - "license": "MIT", - "dependencies": { - "@algolia/client-common": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" - } - }, - "node_modules/@docusaurus/theme-search-algolia/node_modules/algoliasearch": { - "version": "5.19.0", - "resolved": 
"https://registry.npmjs.org/algoliasearch/-/algoliasearch-5.19.0.tgz", - "integrity": "sha512-zrLtGhC63z3sVLDDKGW+SlCRN9eJHFTgdEmoAOpsVh6wgGL1GgTTDou7tpCBjevzgIvi3AIyDAQO3Xjbg5eqZg==", - "license": "MIT", - "dependencies": { - "@algolia/client-abtesting": "5.19.0", - "@algolia/client-analytics": "5.19.0", - "@algolia/client-common": "5.19.0", - "@algolia/client-insights": "5.19.0", - "@algolia/client-personalization": "5.19.0", - "@algolia/client-query-suggestions": "5.19.0", - "@algolia/client-search": "5.19.0", - "@algolia/ingestion": "1.19.0", - "@algolia/monitoring": "1.19.0", - "@algolia/recommend": "5.19.0", - "@algolia/requester-browser-xhr": "5.19.0", - "@algolia/requester-fetch": "5.19.0", - "@algolia/requester-node-http": "5.19.0" - }, - "engines": { - "node": ">= 14.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/theme-translations": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/theme-translations/-/theme-translations-3.8.0.tgz", - "integrity": "sha512-1DTy/snHicgkCkryWq54fZvsAglTdjTx4qjOXgqnXJ+DIty1B+aPQrAVUu8LiM+6BiILfmNxYsxhKTj+BS3PZg==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/theme-translations/-/theme-translations-3.6.2.tgz", + "integrity": "sha512-LIWrYoDUsOTKmb0c7IQzawiPUTAaczBs5IOx6srxOWoTHVUMLzJCkl5Y6whfuRrnul8G05qv2vk238bN5Ko62g==", "license": "MIT", "dependencies": { "fs-extra": "^11.1.1", @@ -4466,9 +4178,9 @@ } }, "node_modules/@docusaurus/types": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/types/-/types-3.8.0.tgz", - "integrity": "sha512-RDEClpwNxZq02c+JlaKLWoS13qwWhjcNsi2wG1UpzmEnuti/z1Wx4SGpqbUqRPNSd8QWWePR8Cb7DvG0VN/TtA==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/types/-/types-3.6.2.tgz", + "integrity": "sha512-117Wsk6xXrWEAsCYCXS3TGJv5tkdIZDcd7T/V0UJvKYmY0gyVPPcEQChy8yTdjbIkbB2q4fa7Jpox72Qv86mqQ==", "license": "MIT", "dependencies": { "@mdx-js/mdx": "^3.0.0", 
@@ -4476,14 +4188,14 @@ "@types/react": "*", "commander": "^5.1.0", "joi": "^17.9.2", - "react-helmet-async": "npm:@slorber/react-helmet-async@1.3.0", + "react-helmet-async": "^1.3.0", "utility-types": "^3.10.0", "webpack": "^5.95.0", "webpack-merge": "^5.9.0" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0", - "react-dom": "^18.0.0 || ^19.0.0" + "react": "^18.0.0", + "react-dom": "^18.0.0" } }, "node_modules/@docusaurus/types/node_modules/webpack-merge": { @@ -4501,16 +4213,16 @@ } }, "node_modules/@docusaurus/utils": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/utils/-/utils-3.8.0.tgz", - "integrity": "sha512-2wvtG28ALCN/A1WCSLxPASFBFzXCnP0YKCAFIPcvEb6imNu1wg7ni/Svcp71b3Z2FaOFFIv4Hq+j4gD7gA0yfQ==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/utils/-/utils-3.6.2.tgz", + "integrity": "sha512-oxnpUcFZGE3uPCDoXr8GJriB3VWM9sFjPedFidX3Fsz87l1NZNc1wtbKPfQ7GYFDMYo2IGlAv5+47Me9RkM6lg==", "license": "MIT", "dependencies": { - "@docusaurus/logger": "3.8.0", - "@docusaurus/types": "3.8.0", - "@docusaurus/utils-common": "3.8.0", + "@docusaurus/logger": "3.6.2", + "@docusaurus/types": "3.6.2", + "@docusaurus/utils-common": "3.6.2", + "@svgr/webpack": "^8.1.0", "escape-string-regexp": "^4.0.0", - "execa": "5.1.1", "file-loader": "^6.2.0", "fs-extra": "^11.1.1", "github-slugger": "^1.5.0", @@ -4520,9 +4232,9 @@ "js-yaml": "^4.1.0", "lodash": "^4.17.21", "micromatch": "^4.0.5", - "p-queue": "^6.6.2", "prompts": "^2.4.2", "resolve-pathname": "^3.0.0", + "shelljs": "^0.8.5", "tslib": "^2.6.0", "url-loader": "^4.1.1", "utility-types": "^3.10.0", 
@@ -4533,12 +4245,12 @@ } }, "node_modules/@docusaurus/utils-common": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/utils-common/-/utils-common-3.8.0.tgz", - "integrity": "sha512-3TGF+wVTGgQ3pAc9+5jVchES4uXUAhAt9pwv7uws4mVOxL4alvU3ue/EZ+R4XuGk94pDy7CNXjRXpPjlfZXQfw==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/utils-common/-/utils-common-3.6.2.tgz", + "integrity": "sha512-dr5wK+OyU2QAWxG7S5siD2bPgS7+ZeqWHfgLNHZ5yalaZf8TbeNNLqydfngukAY56BGZN0NbMkX6jGIr7ZF0sA==", "license": "MIT", "dependencies": { - "@docusaurus/types": "3.8.0", + "@docusaurus/types": "3.6.2", "tslib": "^2.6.0" }, "engines": { @@ -4546,14 +4258,14 @@ } }, "node_modules/@docusaurus/utils-validation": { - "version": "3.8.0", - "resolved": "https://registry.npmjs.org/@docusaurus/utils-validation/-/utils-validation-3.8.0.tgz", - "integrity": "sha512-MrnEbkigr54HkdFeg8e4FKc4EF+E9dlVwsY3XQZsNkbv3MKZnbHQ5LsNJDIKDROFe8PBf5C4qCAg5TPBpsjrjg==", + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/@docusaurus/utils-validation/-/utils-validation-3.6.2.tgz", + "integrity": "sha512-Y3EwblDz72KOcobb5t2zlhHSmrfE8EaHusPJ96Kx2JYtNXL2omqCoOb6FpaXWhES75wvjUpkFLYfiNqAqEov8g==", "license": "MIT", "dependencies": { - "@docusaurus/logger": "3.8.0", - "@docusaurus/utils": "3.8.0", - "@docusaurus/utils-common": "3.8.0", + "@docusaurus/logger": "3.6.2", + "@docusaurus/utils": "3.6.2", + "@docusaurus/utils-common": "3.6.2", "fs-extra": "^11.2.0", "joi": "^17.9.2", "js-yaml": "^4.1.0", 
@@ -4747,12 +4459,12 @@ } }, "node_modules/@mermaid-js/parser": { - "version": "0.4.0", - "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-0.4.0.tgz", - "integrity": "sha512-wla8XOWvQAwuqy+gxiZqY+c7FokraOTHRWMsbB4AgRx9Sy7zKslNyejy7E+a77qHfey5GXw/ik3IXv/NHMJgaA==", + "version": "0.3.0", + "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-0.3.0.tgz", + "integrity": "sha512-HsvL6zgE5sUPGgkIDlmAWR1HTNHz2Iy11BAWPTa4Jjabkpguy4Ze2gzfLrg6pdRuBvFwgUYyxiaNqZwrEEXepA==", "license": "MIT", "dependencies": { - "langium": "3.3.1" + "langium": "3.0.0" } }, "node_modules/@nodelib/fs.scandir": { @@ -5474,6 +5186,15 @@ "@types/ms": "*" } }, + "node_modules/@types/dompurify": { + "version": "3.0.5", + "resolved": "https://registry.npmjs.org/@types/dompurify/-/dompurify-3.0.5.tgz", + "integrity": "sha512-1Wg0g3BtQF7sSb27fJQAKck1HECM6zV1EB66j8JH9i3LCjYabJa0FSdiSgsD5K/RbrsR0SiraKacLB+T8ZVYAg==", + "license": "MIT", + "dependencies": { + "@types/trusted-types": "*" + } + }, "node_modules/@types/eslint": { "version": "9.6.1", "resolved": "https://registry.npmjs.org/@types/eslint/-/eslint-9.6.1.tgz", @@ -5674,6 +5395,12 @@ "@types/node": "*" } }, + "node_modules/@types/parse-json": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/@types/parse-json/-/parse-json-4.0.2.tgz", + "integrity": "sha512-dISoDXWWQwUquiKsyZ4Ng+HX2KsPL7LyHKHQwgGFEA3IaKac4Obd+h2a/a6waisAoepJlBcx9paWqjA8/HVjCw==", + "license": "MIT" + }, "node_modules/@types/prismjs": { "version": "1.26.5", "resolved": "https://registry.npmjs.org/@types/prismjs/-/prismjs-1.26.5.tgz", @@ -5798,8 +5525,7 @@ "version": "2.0.7", "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz", "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==", - "license": "MIT", - "optional": true + "license": "MIT" }, "node_modules/@types/unist": { "version": "3.0.3", 
@@ -6162,9 +5888,9 @@ } }, "node_modules/algoliasearch-helper": { - "version": "3.23.0", - "resolved": "https://registry.npmjs.org/algoliasearch-helper/-/algoliasearch-helper-3.23.0.tgz", - "integrity": "sha512-8CK4Gb/ju4OesAYcS+mjBpNiVA7ILWpg7D2vhBZohh0YkG8QT1KZ9LG+8+EntQBUGoKtPy06OFhiwP4f5zzAQg==", + "version": "3.22.5", + "resolved": "https://registry.npmjs.org/algoliasearch-helper/-/algoliasearch-helper-3.22.5.tgz", + "integrity": "sha512-lWvhdnc+aKOKx8jyA3bsdEgHzm/sglC4cYdMG4xSQyRiPLJVJtH/IVYZG3Hp6PkTEhQqhyVYkeP9z2IlcHJsWw==", "license": "MIT", "dependencies": { "@algolia/events": "^4.0.1" @@ -6306,9 +6032,9 @@ } }, "node_modules/asciinema-player": { - "version": "3.10.0", - "resolved": "https://registry.npmjs.org/asciinema-player/-/asciinema-player-3.10.0.tgz", - "integrity": "sha512-shoOK6F606nDKZxDVM7JuGSCAyWLePoGRFNlV+FqiP5Sqvyn0BlE7wlbjZyd2X4P1iRhv/HKfVNtnQIxmgphRA==", + "version": "3.8.1", + "resolved": "https://registry.npmjs.org/asciinema-player/-/asciinema-player-3.8.1.tgz", + "integrity": "sha512-NkpbFg81Y6iJFpDRndakLCQ0G26XSpvuT3vJTFjMRgHb26lqHgRNY9gun54e5MehZ4fEDNYkMZv+z6MfZ8c2aA==", "license": "Apache-2.0", "dependencies": { "@babel/runtime": "^7.21.0", @@ -6324,6 +6050,15 @@ "astring": "bin/astring" } }, + "node_modules/at-least-node": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/at-least-node/-/at-least-node-1.0.0.tgz", + "integrity": "sha512-+q/t7Ekv1EDY2l6Gda6LLiX14rU9TV20Wa3ofeQmwPFZbOMo9DXrLbOjFaaclkXKWidIaopwAObQDqwWtGUjqg==", + "license": "ISC", + "engines": { + "node": ">= 4.0.0" + } + }, "node_modules/autoprefixer": { "version": "10.4.20", "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.20.tgz", 
@@ -8549,6 +8284,28 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/del": { + "version": "6.1.1", + "resolved": "https://registry.npmjs.org/del/-/del-6.1.1.tgz", + "integrity": "sha512-ua8BhapfP0JUJKC/zV9yHHDW/rDoDxP4Zhn3AkA6/xT6gY7jYXJiaeyBZznYVujhZZET+UgcbZiQ7sN3WqcImg==", + "license": "MIT", + "dependencies": { + "globby": "^11.0.1", + "graceful-fs": "^4.2.4", + "is-glob": "^4.0.1", + "is-path-cwd": "^2.2.0", + "is-path-inside": "^3.0.2", + "p-map": "^4.0.0", + "rimraf": "^3.0.2", + "slash": "^3.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, "node_modules/delaunator": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/delaunator/-/delaunator-5.0.1.tgz", 
@@ -8609,6 +8366,38 @@ "node": ">= 4.0.0" } }, + "node_modules/detect-port-alt": { + "version": "1.1.6", + "resolved": "https://registry.npmjs.org/detect-port-alt/-/detect-port-alt-1.1.6.tgz", + "integrity": "sha512-5tQykt+LqfJFBEYaDITx7S7cR7mJ/zQmLXZ2qt5w04ainYZw6tBf9dBunMjVeVOdYVRUzUOE4HkY5J7+uttb5Q==", + "license": "MIT", + "dependencies": { + "address": "^1.0.1", + "debug": "^2.6.0" + }, + "bin": { + "detect": "bin/detect-port", + "detect-port": "bin/detect-port" + }, + "engines": { + "node": ">= 4.2.1" + } + }, + "node_modules/detect-port-alt/node_modules/debug": { + "version": "2.6.9", + "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", + "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", + "license": "MIT", + "dependencies": { + "ms": "2.0.0" + } + }, + "node_modules/detect-port-alt/node_modules/ms": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", + "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==", + "license": "MIT" + }, "node_modules/devlop": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/devlop/-/devlop-1.1.0.tgz", @@ -8697,13 +8486,10 @@ } }, "node_modules/dompurify": { - "version": "3.2.6", - "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.6.tgz", - "integrity": "sha512-/2GogDQlohXPZe6D6NOgQvXLPSYBqIWMnZ8zzOhn09REE4eyAzb+Hed3jhoM9OkuaJ8P6ZGTTVWQKAi8ieIzfQ==", - "license": "(MPL-2.0 OR Apache-2.0)", - "optionalDependencies": { - "@types/trusted-types": "^2.0.7" - } + "version": "3.1.6", + "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.1.6.tgz", + "integrity": "sha512-cTOAhc36AalkjtBpfG6O8JimdTMWNXjiePT2xQH/ppBGi/4uIpmj8eKyIkMJErXWARyINV/sB38yf8JCLF5pbQ==", + "license": "(MPL-2.0 OR Apache-2.0)" }, "node_modules/domutils": { "version": "3.1.0", 
@@ -9463,6 +9249,15 @@ "url": "https://opencollective.com/webpack" } }, + "node_modules/filesize": { + "version": "8.0.7", + "resolved": "https://registry.npmjs.org/filesize/-/filesize-8.0.7.tgz", + "integrity": "sha512-pjmC+bkIF8XI7fWaH8KxHcZL3DPybs1roSKP4rKDvy20tAWwIObE4+JIseG2byfGKhud5ZnM4YSGKBz7Sh0ndQ==", + "license": "BSD-3-Clause", + "engines": { + "node": ">= 0.4.0" + } + }, "node_modules/fill-range": { "version": "7.1.1", "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", 
@@ -9569,6 +9364,134 @@ } } }, + "node_modules/fork-ts-checker-webpack-plugin": { + "version": "6.5.3", + "resolved": "https://registry.npmjs.org/fork-ts-checker-webpack-plugin/-/fork-ts-checker-webpack-plugin-6.5.3.tgz", + "integrity": "sha512-SbH/l9ikmMWycd5puHJKTkZJKddF4iRLyW3DeZ08HTI7NGyLS38MXd/KGgeWumQO7YNQbW2u/NtPT2YowbPaGQ==", + "license": "MIT", + "dependencies": { + "@babel/code-frame": "^7.8.3", + "@types/json-schema": "^7.0.5", + "chalk": "^4.1.0", + "chokidar": "^3.4.2", + "cosmiconfig": "^6.0.0", + "deepmerge": "^4.2.2", + "fs-extra": "^9.0.0", + "glob": "^7.1.6", + "memfs": "^3.1.2", + "minimatch": "^3.0.4", + "schema-utils": "2.7.0", + "semver": "^7.3.2", + "tapable": "^1.0.0" + }, + "engines": { + "node": ">=10", + "yarn": ">=1.0.0" + }, + "peerDependencies": { + "eslint": ">= 6", + "typescript": ">= 2.7", + "vue-template-compiler": "*", + "webpack": ">= 4" + }, + "peerDependenciesMeta": { + "eslint": { + "optional": true + }, + "vue-template-compiler": { + "optional": true + } + } + }, + "node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv": { + "version": "6.12.6", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", + "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", + "license": "MIT", + "dependencies": { + "fast-deep-equal": "^3.1.1", + "fast-json-stable-stringify": "^2.0.0", + "json-schema-traverse": "^0.4.1", + "uri-js": "^4.2.2" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/epoberezkin" + } + }, + "node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv-keywords": { + "version": "3.5.2", + "resolved": "https://registry.npmjs.org/ajv-keywords/-/ajv-keywords-3.5.2.tgz", + "integrity": "sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==", + "license": "MIT", + "peerDependencies": { + "ajv": "^6.9.1" + } + }, + "node_modules/fork-ts-checker-webpack-plugin/node_modules/cosmiconfig": { 
+ "version": "6.0.0", + "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-6.0.0.tgz", + "integrity": "sha512-xb3ZL6+L8b9JLLCx3ZdoZy4+2ECphCMo2PwqgP1tlfVq6M6YReyzBJtvWWtbDSpNr9hn96pkCiZqUcFEc+54Qg==", + "license": "MIT", + "dependencies": { + "@types/parse-json": "^4.0.0", + "import-fresh": "^3.1.0", + "parse-json": "^5.0.0", + "path-type": "^4.0.0", + "yaml": "^1.7.2" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/fork-ts-checker-webpack-plugin/node_modules/fs-extra": { + "version": "9.1.0", + "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-9.1.0.tgz", + "integrity": "sha512-hcg3ZmepS30/7BSFqRvoo3DOMQu7IjqxO5nCDt+zM9XWjb33Wg7ziNT+Qvqbuc3+gWpzO02JubVyk2G4Zvo1OQ==", + "license": "MIT", + "dependencies": { + "at-least-node": "^1.0.0", + "graceful-fs": "^4.2.0", + "jsonfile": "^6.0.1", + "universalify": "^2.0.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/fork-ts-checker-webpack-plugin/node_modules/json-schema-traverse": { + "version": "0.4.1", + "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", + "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", + "license": "MIT" + }, + "node_modules/fork-ts-checker-webpack-plugin/node_modules/schema-utils": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-2.7.0.tgz", + "integrity": "sha512-0ilKFI6QQF5nxDZLFn2dMjvc4hjg/Wkg7rHd3jK6/A4a1Hl9VFdQWvgB1UMGoU94pad1P/8N7fMcEnLnSiju8A==", + "license": "MIT", + "dependencies": { + "@types/json-schema": "^7.0.4", + "ajv": "^6.12.2", + "ajv-keywords": "^3.4.1" + }, + "engines": { + "node": ">= 8.9.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/webpack" + } + }, + "node_modules/fork-ts-checker-webpack-plugin/node_modules/tapable": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/tapable/-/tapable-1.1.3.tgz", + "integrity": 
"sha512-4WK/bYZmj8xLr+HUCODHGF1ZFzsYffasLUgEiMBY4fgtltdO6B4WJtlSbPaDTLpYTcGVwM2qLnFTICEcNxs3kA==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, "node_modules/form-data-encoder": { "version": "2.1.4", "resolved": "https://registry.npmjs.org/form-data-encoder/-/form-data-encoder-2.1.4.tgz", @@ -9781,6 +9704,44 @@ "node": ">=10" } }, + "node_modules/global-modules": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/global-modules/-/global-modules-2.0.0.tgz", + "integrity": "sha512-NGbfmJBp9x8IxyJSd1P+otYK8vonoJactOogrVfFRIAEY1ukil8RSKDz2Yo7wh1oihl51l/r6W4epkeKJHqL8A==", + "license": "MIT", + "dependencies": { + "global-prefix": "^3.0.0" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/global-prefix": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/global-prefix/-/global-prefix-3.0.0.tgz", + "integrity": "sha512-awConJSVCHVGND6x3tmMaKcQvwXLhjdkmomy2W+Goaui8YPgYgXJZewhg3fWC+DlfqqQuWg8AwqjGTD2nAPVWg==", + "license": "MIT", + "dependencies": { + "ini": "^1.3.5", + "kind-of": "^6.0.2", + "which": "^1.3.1" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/global-prefix/node_modules/which": { + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/which/-/which-1.3.1.tgz", + "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==", + "license": "ISC", + "dependencies": { + "isexe": "^2.0.0" + }, + "bin": { + "which": "bin/which" + } + }, "node_modules/globals": { "version": "11.12.0", "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz", 
@@ -10556,10 +10517,13 @@ } }, "node_modules/image-size": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/image-size/-/image-size-2.0.2.tgz", - "integrity": "sha512-IRqXKlaXwgSMAMtpNzZa1ZAe8m+Sa1770Dhk8VkSsP9LS+iHD62Zd8FQKs8fbPiagBE7BzoFX23cxFnwshpV6w==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/image-size/-/image-size-1.1.1.tgz", + "integrity": "sha512-541xKlUw6jr/6gGuk92F+mYM5zaFAc5ahphvkqvNe2bQ6gVBkd6bfrmVJ2t4KDAfikAYZyIqTnktX3i6/aQDrQ==", "license": "MIT", + "dependencies": { + "queue": "6.0.2" + }, "bin": { "image-size": "bin/image-size.js" }, @@ -10567,6 +10531,16 @@ "node": ">=16.x" } }, + "node_modules/immer": { + "version": "9.0.21", + "resolved": "https://registry.npmjs.org/immer/-/immer-9.0.21.tgz", + "integrity": "sha512-bc4NBHqOqSfRW7POMkHd51LvClaeMXpm8dx0e8oE2GORbq5aRK7Bxl4FyzVLdGtLmvLKL7BTDBG5ACQm4HWjTA==", + "license": "MIT", + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/immer" + } + }, "node_modules/import-fresh": { "version": "3.3.0", "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.0.tgz", @@ -10657,6 +10631,15 @@ "node": ">=12" } }, + "node_modules/interpret": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/interpret/-/interpret-1.4.0.tgz", + "integrity": "sha512-agE4QfB2Lkp9uICn7BAqoscw4SZP9kTE2hxiFI3jBPmXJfdqiahTbUuKGsMoN2GtqL9AxhYioAcVvgsb1HvRbA==", + "license": "MIT", + "engines": { + "node": ">= 0.10" + } + }, "node_modules/invariant": { "version": "2.2.4", "resolved": "https://registry.npmjs.org/invariant/-/invariant-2.2.4.tgz", 
@@ -10864,6 +10847,15 @@ "node": ">=0.10.0" } }, + "node_modules/is-path-cwd": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/is-path-cwd/-/is-path-cwd-2.2.0.tgz", + "integrity": "sha512-w942bTcih8fdJPJmQHFzkS76NEP8Kzzvmw92cXsazb8intwLqPibPPdXf4ANdKV3rYMuuQYGIWtvz9JilB3NFQ==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, "node_modules/is-path-inside": { "version": "3.0.3", "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.3.tgz", @@ -10906,6 +10898,15 @@ "node": ">=0.10.0" } }, + "node_modules/is-root": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/is-root/-/is-root-2.1.0.tgz", + "integrity": "sha512-AGOriNp96vNBd3HtU+RzFEc75FfR5ymiYv8E553I71SCeXBiMsVDUtdio1OEFvrPyLIQ9tVR5RxXIFe5PUFjMg==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, "node_modules/is-stream": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz", @@ -11171,9 +11172,9 @@ "license": "MIT" }, "node_modules/langium": { - "version": "3.3.1", - "resolved": "https://registry.npmjs.org/langium/-/langium-3.3.1.tgz", - "integrity": "sha512-QJv/h939gDpvT+9SiLVlY7tZC3xB2qK57v0J04Sh9wpMb6MP1q8gB21L3WIo8T5P1MSMg3Ep14L7KkDCFG3y4w==", + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/langium/-/langium-3.0.0.tgz", + "integrity": "sha512-+Ez9EoiByeoTu/2BXmEaZ06iPNXM6thWJp02KfBO/raSMyCJ4jw7AkWWa+zBCTm0+Tw1Fj9FOxdqSskyN5nAwg==", "license": "MIT", "dependencies": { "chevrotain": "~11.0.3", 
@@ -11415,9 +11416,9 @@ } }, "node_modules/marked": { - "version": "15.0.12", - "resolved": "https://registry.npmjs.org/marked/-/marked-15.0.12.tgz", - "integrity": "sha512-8dD6FusOQSrpv9Z1rdNMdlSgQOIP880DHqnohobOmYLElGEqAL/JvxvuxZO16r4HtjTlfPRDC1hbvxC9dPN2nA==", + "version": "13.0.3", + "resolved": "https://registry.npmjs.org/marked/-/marked-13.0.3.tgz", + "integrity": "sha512-rqRix3/TWzE9rIoFGIn8JmsVfhiuC8VIQ8IdX5TfzmeBucdY05/0UlzKaw0eVtpcN/OdVFpBk7CjKGo9iHJ/zA==", "license": "MIT", "bin": { "marked": "bin/marked.js" @@ -11879,31 +11880,32 @@ } }, "node_modules/mermaid": { - "version": "11.6.0", - "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.6.0.tgz", - "integrity": "sha512-PE8hGUy1LDlWIHWBP05SFdqUHGmRcCcK4IzpOKPE35eOw+G9zZgcnMpyunJVUEOgb//KBORPjysKndw8bFLuRg==", + "version": "11.4.0", + "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.4.0.tgz", + "integrity": "sha512-mxCfEYvADJqOiHfGpJXLs4/fAjHz448rH0pfY5fAoxiz70rQiDSzUUy4dNET2T08i46IVpjohPd6WWbzmRHiPA==", "license": "MIT", "dependencies": { - "@braintree/sanitize-url": "^7.0.4", - "@iconify/utils": "^2.1.33", - "@mermaid-js/parser": "^0.4.0", + "@braintree/sanitize-url": "^7.0.1", + "@iconify/utils": "^2.1.32", + "@mermaid-js/parser": "^0.3.0", "@types/d3": "^7.4.3", - "cytoscape": "^3.29.3", + "@types/dompurify": "^3.0.5", + "cytoscape": "^3.29.2", "cytoscape-cose-bilkent": "^4.1.0", "cytoscape-fcose": "^2.2.0", "d3": "^7.9.0", "d3-sankey": "^0.12.3", "dagre-d3-es": "7.0.11", - "dayjs": "^1.11.13", - "dompurify": "^3.2.4", + "dayjs": "^1.11.10", + "dompurify": "^3.0.11 <3.1.7", "katex": "^0.16.9", "khroma": "^2.1.0", "lodash-es": "^4.17.21", - "marked": "^15.0.7", + "marked": "^13.0.2", "roughjs": "^4.6.6", - "stylis": "^4.3.6", + "stylis": "^4.3.1", "ts-dedent": "^2.2.0", - "uuid": "^11.1.0" + "uuid": "^9.0.1" } }, "node_modules/methods": { 
@@ -14191,15 +14193,6 @@ "node": ">=12.20" } }, - "node_modules/p-finally": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/p-finally/-/p-finally-1.0.0.tgz", - "integrity": "sha512-LICb2p9CB7FS+0eR1oqWnHhp0FljGLZCWBE9aix0Uye9W8LTQPwMTYVGWQWIw9RdQiDg4+epXQODwIYJtSJaow==", - "license": "MIT", - "engines": { - "node": ">=4" - } - }, "node_modules/p-limit": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-4.0.0.tgz", @@ -14245,22 +14238,6 @@ "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/p-queue": { - "version": "6.6.2", - "resolved": "https://registry.npmjs.org/p-queue/-/p-queue-6.6.2.tgz", - "integrity": "sha512-RwFpb72c/BhQLEXIZ5K2e+AhgNVmIejGlTgiB9MzZ0e93GRvqZ7uSi0dvRF7/XIXDeNkra2fNHBxTyPDGySpjQ==", - "license": "MIT", - "dependencies": { - "eventemitter3": "^4.0.4", - "p-timeout": "^3.2.0" - }, - "engines": { - "node": ">=8" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, "node_modules/p-retry": { "version": "4.6.2", "resolved": "https://registry.npmjs.org/p-retry/-/p-retry-4.6.2.tgz", @@ -14274,16 +14251,13 @@ "node": ">=8" } }, - "node_modules/p-timeout": { - "version": "3.2.0", - "resolved": "https://registry.npmjs.org/p-timeout/-/p-timeout-3.2.0.tgz", - "integrity": "sha512-rhIwUycgwwKcP9yTOOFK/AKsAopjjCakVqLHePO3CC6Mir1Z99xT+R63jZxAT5lFZLa2inS5h+ZS2GvR99/FBg==", + "node_modules/p-try": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz", + "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==", "license": "MIT", - "dependencies": { - "p-finally": "^1.0.0" - }, "engines": { - "node": ">=8" + "node": ">=6" } }, "node_modules/package-json": { 
@@ -14539,6 +14513,79 @@ "pathe": "^1.1.2" } }, + "node_modules/pkg-up": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/pkg-up/-/pkg-up-3.1.0.tgz", + "integrity": "sha512-nDywThFk1i4BQK4twPQ6TA4RT8bDY96yeuCVBWL3ePARCiEKDRSrNGbFIgUJpLp+XeIR65v8ra7WuJOFUBtkMA==", + "license": "MIT", + "dependencies": { + "find-up": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/pkg-up/node_modules/find-up": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/find-up/-/find-up-3.0.0.tgz", + "integrity": "sha512-1yD6RmLI1XBfxugvORwlck6f75tYL+iR0jqwsOrOxMZyGYqUuDhJ0l4AXdO1iX/FTs9cBAMEk1gWSEx1kSbylg==", + "license": "MIT", + "dependencies": { + "locate-path": "^3.0.0" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/pkg-up/node_modules/locate-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-3.0.0.tgz", + "integrity": "sha512-7AO748wWnIhNqAuaty2ZWHkQHRSNfPVIsPIfwEOWO22AmaoVrWavlOcMR5nzTLNYvp36X220/maaRsrec1G65A==", + "license": "MIT", + "dependencies": { + "p-locate": "^3.0.0", + "path-exists": "^3.0.0" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/pkg-up/node_modules/p-limit": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz", + "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==", + "license": "MIT", + "dependencies": { + "p-try": "^2.0.0" + }, + "engines": { + "node": ">=6" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/pkg-up/node_modules/p-locate": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-3.0.0.tgz", + "integrity": "sha512-x+12w/To+4GFfgJhBEpiDcLozRJGegY+Ei7/z0tSLkMmxGZNybVMSfWj9aJn8Z5Fc7dBUNJOOVgPv2H7IwulSQ==", + "license": "MIT", + "dependencies": { + "p-limit": "^2.0.0" + }, + "engines": { + "node": ">=6" + } + }, + 
"node_modules/pkg-up/node_modules/path-exists": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-3.0.0.tgz", + "integrity": "sha512-bpC7GYwiDYQ4wYLe+FA8lhRjhQCMcQGuSgGGqDkg/QerRWw9CmGRT0iSOVRSZJ29NMLZgIzqaljJ63oaL4NIJQ==", + "license": "MIT", + "engines": { + "node": ">=4" + } + }, "node_modules/points-on-curve": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/points-on-curve/-/points-on-curve-0.2.0.tgz", @@ -16040,9 +16087,9 @@ } }, "node_modules/prism-react-renderer": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/prism-react-renderer/-/prism-react-renderer-2.4.1.tgz", - "integrity": "sha512-ey8Ls/+Di31eqzUxC46h8MksNuGx/n0AAC8uKpwFau4RPDYLuE3EXTp8N8G2vX2N7UC/+IXeNUnlWBGGcAG+Ig==", + "version": "2.4.0", + "resolved": "https://registry.npmjs.org/prism-react-renderer/-/prism-react-renderer-2.4.0.tgz", + "integrity": "sha512-327BsVCD/unU4CNLZTWVHyUHKnsqcvj2qbPlQ8MiBE2eq2rgctjigPA1Gp9HLF83kZ20zNN6jgizHJeEsyFYOw==", "license": "MIT", "dependencies": { "@types/prismjs": "^1.26.0", @@ -16168,6 +16215,15 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/queue": { + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/queue/-/queue-6.0.2.tgz", + "integrity": "sha512-iHZWu+q3IdFZFX36ro/lKBkSvfkztY5Y7HMiPlOUjhupPcG2JMfst2KKEpu5XndviX/3UhFbRngUPNKtgvtZiA==", + "license": "MIT", + "dependencies": { + "inherits": "~2.0.3" + } + }, "node_modules/queue-microtask": { "version": "1.2.3", "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz", 
@@ -16290,6 +16346,132 @@ "node": ">=0.10.0" } }, + "node_modules/react-dev-utils": { + "version": "12.0.1", + "resolved": "https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-12.0.1.tgz", + "integrity": "sha512-84Ivxmr17KjUupyqzFode6xKhjwuEJDROWKJy/BthkL7Wn6NJ8h4WE6k/exAv6ImS+0oZLRRW5j/aINMHyeGeQ==", + "license": "MIT", + "dependencies": { + "@babel/code-frame": "^7.16.0", + "address": "^1.1.2", + "browserslist": "^4.18.1", + "chalk": "^4.1.2", + "cross-spawn": "^7.0.3", + "detect-port-alt": "^1.1.6", + "escape-string-regexp": "^4.0.0", + "filesize": "^8.0.6", + "find-up": "^5.0.0", + "fork-ts-checker-webpack-plugin": "^6.5.0", + "global-modules": "^2.0.0", + "globby": "^11.0.4", + "gzip-size": "^6.0.0", + "immer": "^9.0.7", + "is-root": "^2.1.0", + "loader-utils": "^3.2.0", + "open": "^8.4.0", + "pkg-up": "^3.1.0", + "prompts": "^2.4.2", + "react-error-overlay": "^6.0.11", + "recursive-readdir": "^2.2.2", + "shell-quote": "^1.7.3", + "strip-ansi": "^6.0.1", + "text-table": "^0.2.0" + }, + "engines": { + "node": ">=14" + } + }, + "node_modules/react-dev-utils/node_modules/find-up": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/find-up/-/find-up-5.0.0.tgz", + "integrity": "sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==", + "license": "MIT", + "dependencies": { + "locate-path": "^6.0.0", + "path-exists": "^4.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/react-dev-utils/node_modules/loader-utils": { + "version": "3.3.1", + "resolved": "https://registry.npmjs.org/loader-utils/-/loader-utils-3.3.1.tgz", + "integrity": "sha512-FMJTLMXfCLMLfJxcX9PFqX5qD88Z5MRGaZCVzfuqeZSPsyiBzs+pahDQjbIWz2QIzPZz0NX9Zy4FX3lmK6YHIg==", + "license": "MIT", + "engines": { + "node": ">= 12.13.0" + } + }, + "node_modules/react-dev-utils/node_modules/locate-path": { + "version": "6.0.0", + "resolved": 
"https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz", + "integrity": "sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==", + "license": "MIT", + "dependencies": { + "p-locate": "^5.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/react-dev-utils/node_modules/p-limit": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz", + "integrity": "sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==", + "license": "MIT", + "dependencies": { + "yocto-queue": "^0.1.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/react-dev-utils/node_modules/p-locate": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-5.0.0.tgz", + "integrity": "sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==", + "license": "MIT", + "dependencies": { + "p-limit": "^3.0.2" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/react-dev-utils/node_modules/path-exists": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz", + "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/react-dev-utils/node_modules/yocto-queue": { + "version": "0.1.0", + "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz", + "integrity": "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==", + "license": "MIT", + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } 
+ }, "node_modules/react-dom": { "version": "18.3.1", "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.3.1.tgz", @@ -16303,6 +16485,12 @@ "react": "^18.3.1" } }, + "node_modules/react-error-overlay": { + "version": "6.0.11", + "resolved": "https://registry.npmjs.org/react-error-overlay/-/react-error-overlay-6.0.11.tgz", + "integrity": "sha512-/6UZ2qgEyH2aqzYZgQPxEnz33NJ2gNsnHA2o5+o4wW9bLM/JYQitNP9xPhsXwC08hMMovfGe/8retsdDsczPRg==", + "license": "MIT" + }, "node_modules/react-fast-compare": { "version": "3.2.2", "resolved": "https://registry.npmjs.org/react-fast-compare/-/react-fast-compare-3.2.2.tgz", @@ -16333,15 +16521,15 @@ "license": "MIT" }, "node_modules/react-json-view-lite": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/react-json-view-lite/-/react-json-view-lite-2.4.1.tgz", - "integrity": "sha512-fwFYknRIBxjbFm0kBDrzgBy1xa5tDg2LyXXBepC5f1b+MY3BUClMCsvanMPn089JbV1Eg3nZcrp0VCuH43aXnA==", + "version": "1.5.0", + "resolved": "https://registry.npmjs.org/react-json-view-lite/-/react-json-view-lite-1.5.0.tgz", + "integrity": "sha512-nWqA1E4jKPklL2jvHWs6s+7Na0qNgw9HCP6xehdQJeg6nPBTFZgGwyko9Q0oj+jQWKTTVRS30u0toM5wiuL3iw==", "license": "MIT", "engines": { - "node": ">=18" + "node": ">=14" }, "peerDependencies": { - "react": "^18.0.0 || ^19.0.0" + "react": "^16.13.1 || ^17.0.0 || ^18.0.0" } }, "node_modules/react-loadable": { 
@@ -16450,6 +16638,23 @@ "node": ">=8.10.0" } }, + "node_modules/reading-time": { + "version": "1.5.0", + "resolved": "https://registry.npmjs.org/reading-time/-/reading-time-1.5.0.tgz", + "integrity": "sha512-onYyVhBNr4CmAxFsKS7bz+uTLRakypIe4R+5A824vBSkQy/hB3fZepoVEf8OVAxzLvK+H/jm9TzpI3ETSm64Kg==", + "license": "MIT" + }, + "node_modules/rechoir": { + "version": "0.6.2", + "resolved": "https://registry.npmjs.org/rechoir/-/rechoir-0.6.2.tgz", + "integrity": "sha512-HFM8rkZ+i3zrV+4LQjwQ0W+ez98pApMGM3HUrN04j3CqzPOzl9nmP15Y8YXNm8QHGv/eacOVEjqhmWpkRV0NAw==", + "dependencies": { + "resolve": "^1.1.6" + }, + "engines": { + "node": ">= 0.10" + } + }, "node_modules/recma-build-jsx": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/recma-build-jsx/-/recma-build-jsx-1.0.0.tgz", @@ -16514,6 +16719,18 @@ "url": "https://opencollective.com/unified" } }, + "node_modules/recursive-readdir": { + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/recursive-readdir/-/recursive-readdir-2.2.3.tgz", + "integrity": "sha512-8HrF5ZsXk5FAH9dgsx3BlUer73nIhuj+9OrQwEbLTPOBzGkL1lsFCR01am+v+0m2Cmbs1nP12hLDl5FA7EszKA==", + "license": "MIT", + "dependencies": { + "minimatch": "^3.0.5" + }, + "engines": { + "node": ">=6.0.0" + } + }, "node_modules/regenerate": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/regenerate/-/regenerate-1.4.2.tgz", @@ -17014,6 +17231,12 @@ "points-on-path": "^0.2.1" } }, + "node_modules/rtl-detect": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/rtl-detect/-/rtl-detect-1.1.2.tgz", + "integrity": "sha512-PGMBq03+TTG/p/cRB7HCLKJ1MgDIi07+QU1faSjiYRfmY5UsAttV9Hs08jDAHVwcOwmVLcSJkpwyfXszVjWfIQ==", + "license": "BSD-3-Clause" + }, "node_modules/rtlcss": { "version": "4.3.0", "resolved": "https://registry.npmjs.org/rtlcss/-/rtlcss-4.3.0.tgz", 
@@ -17102,12 +17325,6 @@ "loose-envify": "^1.1.0" } }, - "node_modules/schema-dts": { - "version": "1.1.5", - "resolved": "https://registry.npmjs.org/schema-dts/-/schema-dts-1.1.5.tgz", - "integrity": "sha512-RJr9EaCmsLzBX2NDiO5Z3ux2BVosNZN5jo0gWgsyKvxKIUL5R3swNvoorulAeL9kLB0iTSX7V6aokhla2m7xbg==", - "license": "Apache-2.0" - }, "node_modules/schema-utils": { "version": "4.2.0", "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.2.0.tgz", @@ -17465,6 +17682,23 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/shelljs": { + "version": "0.8.5", + "resolved": "https://registry.npmjs.org/shelljs/-/shelljs-0.8.5.tgz", + "integrity": "sha512-TiwcRcrkhHvbrZbnRcFYMLl30Dfov3HKqzp5tO5b4pt6G/SezKcYhmDg15zXVBswHmctSAQKznqNW2LO5tTDow==", + "license": "BSD-3-Clause", + "dependencies": { + "glob": "^7.0.0", + "interpret": "^1.0.0", + "rechoir": "^0.6.2" + }, + "bin": { + "shjs": "bin/shjs" + }, + "engines": { + "node": ">=4" + } + }, "node_modules/side-channel": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.6.tgz", @@ -17864,9 +18098,9 @@ } }, "node_modules/stylis": { - "version": "4.3.6", - "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.3.6.tgz", - "integrity": "sha512-yQ3rwFWRfwNUY7H5vpU0wfdkNSnvnJinhF9830Swlaxl03zsOjCfmX0ugac+3LtK0lYSgwL/KXc8oYL3mG4YFQ==", + "version": "4.3.4", + "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.3.4.tgz", + "integrity": "sha512-osIBl6BGUmSfDkyH2mB7EFvCJntXDrLhKjHTRj/rK6xLH0yuPrHULDRQzKokSOD4VoorhtKpfcfW1GAntu8now==", "license": "MIT" }, "node_modules/supports-color": { 
@@ -18078,6 +18312,12 @@ "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==", "license": "MIT" }, + "node_modules/text-table": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/text-table/-/text-table-0.2.0.tgz", + "integrity": "sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==", + "license": "MIT" + }, "node_modules/thunky": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/thunky/-/thunky-1.1.0.tgz", @@ -18102,15 +18342,6 @@ "integrity": "sha512-WiCJLEECkO18gwqIp6+hJg0//p23HXp4S+gGtAKu3mI2F2/sXC4FvHvXvB0zJVVaTPhx1/tOwdbRsa1sOBIKqQ==", "license": "MIT" }, - "node_modules/tinypool": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/tinypool/-/tinypool-1.0.2.tgz", - "integrity": "sha512-al6n+QEANGFOMf/dmUMsuS5/r9B06uwlyNjZZql/zv8J7ybHCgoihBNORZCY2mzUuAnomQa2JdhyHKzZxPCrFA==", - "license": "MIT", - "engines": { - "node": "^18.0.0 || >=20.0.0" - } - }, "node_modules/to-regex-range": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", @@ -18236,7 +18467,6 @@ "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.6.3.tgz", "integrity": "sha512-hjcS1mhfuyi4WW8IWtjP7brDrG2cuDZukyrYrSauoXGNgx0S7zceP07adYkJycEr56BOUTNPzbInooiN3fn1qw==", "license": "Apache-2.0", - "optional": true, "peer": true, "bin": { "tsc": "bin/tsc", 
@@ -18681,16 +18911,16 @@ } }, "node_modules/uuid": { - "version": "11.1.0", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz", - "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==", + "version": "9.0.1", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz", + "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==", "funding": [ "https://github.com/sponsors/broofa", "https://github.com/sponsors/ctavan" ], "license": "MIT", "bin": { - "uuid": "dist/esm/bin/uuid" + "uuid": "dist/bin/uuid" } }, "node_modules/value-equal": { @@ -19394,6 +19624,15 @@ "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==", "license": "ISC" }, + "node_modules/yaml": { + "version": "1.10.2", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz", + "integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==", + "license": "ISC", + "engines": { + "node": ">= 6" + } + }, "node_modules/yocto-queue": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-1.1.1.tgz", diff --git a/docs/package.json b/docs/package.json index d44749548..5ee770b61 100644 --- a/docs/package.json +++ b/docs/package.json 
@@ -15,23 +15,23 @@
 },
 "dependencies": {
 "@cmfcmf/docusaurus-search-local": "1.2.0",
- "@docusaurus/core": "3.8.0",
- "@docusaurus/preset-classic": "3.8.0",
- "@docusaurus/theme-mermaid": "3.8.0",
+ "@docusaurus/core": "3.6.2",
+ "@docusaurus/preset-classic": "3.6.2",
+ "@docusaurus/theme-mermaid": "3.6.2",
 "@mdx-js/react": "3.1.0",
- "asciinema-player": "3.10.0",
+ "asciinema-player": "3.8.1",
 "clsx": "2.1.1",
- "prism-react-renderer": "2.4.1",
+ "prism-react-renderer": "2.4.0",
 "react": "18.3.1",
 "react-dom": "18.3.1"
 },
 "devDependencies": {
- "@docusaurus/module-type-aliases": "3.8.0",
- "@docusaurus/types": "3.8.0"
+ "@docusaurus/module-type-aliases": "3.6.2",
+ "@docusaurus/types": "3.6.2"
 },
 "overrides": {
 "@cmfcmf/docusaurus-search-local": {
- "@docusaurus/core": "3.8.0",
+ "@docusaurus/core": "3.6.2",
 "cheerio": "1.0.0-rc.12"
 }
 },
diff --git a/docs/screencasts/docker/Dockerfile b/docs/screencasts/docker/Dockerfile
index d0b0a5a91..0b965f876 100644
--- a/docs/screencasts/docker/Dockerfile
+++ b/docs/screencasts/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:24.04@sha256:b59d21599a2b151e23eea5f6602f4af4d7d31c4e236d22bf0b62b86d2e386b8f
+FROM ubuntu:22.04@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97
 # Install requirements
 RUN apt-get update && apt-get install -y software-properties-common &&\
diff --git a/docs/versioned_docs/version-2.0/getting-started/first-steps.md b/docs/versioned_docs/version-2.0/getting-started/first-steps.md
index caec42ded..08adfbd12 100644
--- a/docs/versioned_docs/version-2.0/getting-started/first-steps.md
+++ b/docs/versioned_docs/version-2.0/getting-started/first-steps.md
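Review bot: Every version in this hunk moves backwards (`@docusaurus/core`, `preset-classic`, `theme-mermaid` and the `overrides` pin 3.8.0 → 3.6.2, `asciinema-player` 3.10.0 → 3.8.1, `prism-react-renderer` 2.4.1 → 2.4.0), as does the Dockerfile hunk right after it (`FROM ubuntu:24.04` → `ubuntu:22.04`), and nothing visible in the diff records why. A downgrade is not a neutral bump: the regenerated lockfile above now resolves `mermaid` 11.4.0 with `"dompurify": "^3.0.11 <3.1.7"`, `marked` 13.0.3 in place of 15.0.12 and `uuid` 9.0.1 in place of 11.1.0, and newly pulls in `shelljs` 0.8.5 and `react-dev-utils` 12.0.1, so any advisory closed between the old and new pins is reintroduced and the dependency surface grows. If this is a deliberate revert of a broken upgrade, state the reason and the intended re-upgrade path in the commit message and run the project's dependency audit against the new lockfile before merging. For the base image, add a line above `FROM` such as `# Pinned to 22.04 on purpose: <reason / tracking issue>` and confirm the 22.04 digest is the current one so the revert does not also roll back OS-level patches.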
@@ -137,11 +137,11 @@ The following steps guide you through the process of creating a cluster and depl You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). - * **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. + * **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. + * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.1/getting-started/first-steps.md b/docs/versioned_docs/version-2.1/getting-started/first-steps.md index 10cf3d7b9..d729fd0cf 100644 --- a/docs/versioned_docs/version-2.1/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.1/getting-started/first-steps.md 
@@ -142,11 +142,11 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). - * **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. + * **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. + * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.10/getting-started/first-steps.md b/docs/versioned_docs/version-2.10/getting-started/first-steps.md index 4420eb708..9f6034e6b 100644 --- a/docs/versioned_docs/version-2.10/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.10/getting-started/first-steps.md 
@@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.10/workflows/config.md b/docs/versioned_docs/version-2.10/workflows/config.md index edc3c9091..4dab6bd50 100644 --- a/docs/versioned_docs/version-2.10/workflows/config.md +++ b/docs/versioned_docs/version-2.10/workflows/config.md 
@@ -160,10 +160,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -240,11 +240,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.11/getting-started/first-steps.md b/docs/versioned_docs/version-2.11/getting-started/first-steps.md index 9ebe21701..9811597e6 100644 --- a/docs/versioned_docs/version-2.11/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.11/getting-started/first-steps.md 
@@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.11/workflows/config.md b/docs/versioned_docs/version-2.11/workflows/config.md index edc3c9091..4dab6bd50 100644 --- a/docs/versioned_docs/version-2.11/workflows/config.md +++ b/docs/versioned_docs/version-2.11/workflows/config.md 
@@ -160,10 +160,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -240,11 +240,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.12/getting-started/first-steps.md b/docs/versioned_docs/version-2.12/getting-started/first-steps.md index 9ebe21701..9811597e6 100644 --- a/docs/versioned_docs/version-2.12/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.12/getting-started/first-steps.md 
@@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.12/workflows/config.md b/docs/versioned_docs/version-2.12/workflows/config.md index edc3c9091..4dab6bd50 100644 --- a/docs/versioned_docs/version-2.12/workflows/config.md +++ b/docs/versioned_docs/version-2.12/workflows/config.md 
@@ -160,10 +160,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -240,11 +240,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.13/getting-started/first-steps.md b/docs/versioned_docs/version-2.13/getting-started/first-steps.md index 3ec110064..287e0737a 100644 --- a/docs/versioned_docs/version-2.13/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.13/getting-started/first-steps.md 
@@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.13/workflows/config.md b/docs/versioned_docs/version-2.13/workflows/config.md index edc3c9091..4dab6bd50 100644 --- a/docs/versioned_docs/version-2.13/workflows/config.md +++ b/docs/versioned_docs/version-2.13/workflows/config.md 
@@ -160,10 +160,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -240,11 +240,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.13/workflows/terraform-module.md b/docs/versioned_docs/version-2.13/workflows/terraform-module.md index e38a4cc2c..07525cd27 100644 --- a/docs/versioned_docs/version-2.13/workflows/terraform-module.md +++ b/docs/versioned_docs/version-2.13/workflows/terraform-module.md @@ -100,11 +100,11 @@ The files are deleted on `terraform destroy`. name = "constell" project = "constell-proj" // replace with your project id service_account_id = "constid" - zone = "europe-west3-a" + zone = "europe-west2-a" node_groups = { control_plane_default = { role = "control-plane" - zone = "europe-west3-a" + zone = "europe-west2-a" instance_type = "n2d-standard-4" disk_size = 30 disk_type = "pd-ssd" @@ -112,7 +112,7 @@ The files are deleted on `terraform destroy`. }, worker_default = { role = "worker" - zone = "europe-west3-a" + zone = "europe-west2-a" instance_type = "n2d-standard-4" disk_size = 30 disk_type = "pd-ssd" 
diff --git a/docs/versioned_docs/version-2.14/getting-started/first-steps.md b/docs/versioned_docs/version-2.14/getting-started/first-steps.md index e4e6c8e48..a1f6cba25 100644 --- a/docs/versioned_docs/version-2.14/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.14/getting-started/first-steps.md @@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.14/workflows/config.md b/docs/versioned_docs/version-2.14/workflows/config.md index 5e938c29c..81d2b49fd 100644 --- a/docs/versioned_docs/version-2.14/workflows/config.md +++ b/docs/versioned_docs/version-2.14/workflows/config.md 
@@ -152,10 +152,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -232,11 +232,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.15/getting-started/first-steps.md b/docs/versioned_docs/version-2.15/getting-started/first-steps.md index 8618fb843..a6efd758f 100644 --- a/docs/versioned_docs/version-2.15/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.15/getting-started/first-steps.md 
@@ -73,10 +73,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.15/workflows/config.md b/docs/versioned_docs/version-2.15/workflows/config.md index be9cc6a98..92ff9d040 100644 --- a/docs/versioned_docs/version-2.15/workflows/config.md +++ b/docs/versioned_docs/version-2.15/workflows/config.md 
@@ -157,10 +157,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -244,11 +244,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.16/getting-started/first-steps.md b/docs/versioned_docs/version-2.16/getting-started/first-steps.md index 738868551..d82d93836 100644 --- a/docs/versioned_docs/version-2.16/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.16/getting-started/first-steps.md 
@@ -102,10 +102,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.16/workflows/config.md b/docs/versioned_docs/version-2.16/workflows/config.md index 11cf31cbd..120bf8ed7 100644 --- a/docs/versioned_docs/version-2.16/workflows/config.md +++ b/docs/versioned_docs/version-2.16/workflows/config.md 
@@ -210,10 +210,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -308,11 +308,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.17/getting-started/first-steps.md b/docs/versioned_docs/version-2.17/getting-started/first-steps.md index c31263ed3..9b37efa64 100644 --- a/docs/versioned_docs/version-2.17/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.17/getting-started/first-steps.md 
@@ -102,10 +102,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.17/workflows/config.md b/docs/versioned_docs/version-2.17/workflows/config.md index 11cf31cbd..120bf8ed7 100644 --- a/docs/versioned_docs/version-2.17/workflows/config.md +++ b/docs/versioned_docs/version-2.17/workflows/config.md 
@@ -210,10 +210,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -308,11 +308,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.18/getting-started/first-steps.md b/docs/versioned_docs/version-2.18/getting-started/first-steps.md index 18b723565..128ac2849 100644 --- a/docs/versioned_docs/version-2.18/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.18/getting-started/first-steps.md 
@@ -102,10 +102,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.18/workflows/config.md b/docs/versioned_docs/version-2.18/workflows/config.md index a8a52980e..95f791acd 100644 --- a/docs/versioned_docs/version-2.18/workflows/config.md +++ b/docs/versioned_docs/version-2.18/workflows/config.md 
@@ -210,10 +210,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -308,11 +308,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.19/getting-started/first-steps.md b/docs/versioned_docs/version-2.19/getting-started/first-steps.md index 2afe95635..128ac2849 100644 --- a/docs/versioned_docs/version-2.19/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.19/getting-started/first-steps.md 
@@ -102,10 +102,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. @@ -117,12 +117,6 @@ If you encounter any problem with the following steps, make sure to use the [lat * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud)) - :::caution - - `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. - - ::: - diff --git a/docs/versioned_docs/version-2.19/getting-started/install.md b/docs/versioned_docs/version-2.19/getting-started/install.md index 29be1e7f6..bc0a8c959 100644 --- a/docs/versioned_docs/version-2.19/getting-started/install.md 
+++ b/docs/versioned_docs/version-2.19/getting-started/install.md @@ -418,7 +418,7 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se :::caution -`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file. +`project_id` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `clouds.yaml` file. It's of the format "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX". ::: diff --git a/docs/versioned_docs/version-2.19/workflows/config.md b/docs/versioned_docs/version-2.19/workflows/config.md index a8a52980e..95f791acd 100644 --- a/docs/versioned_docs/version-2.19/workflows/config.md +++ b/docs/versioned_docs/version-2.19/workflows/config.md 
@@ -210,10 +210,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -308,11 +308,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.2/getting-started/first-steps.md b/docs/versioned_docs/version-2.2/getting-started/first-steps.md index ef4861cbe..3dcb4f6c5 100644 --- a/docs/versioned_docs/version-2.2/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.2/getting-started/first-steps.md 
@@ -149,11 +149,11 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
 You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
- * **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`.
+ * **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
 You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
- * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`.
+ * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
 You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
diff --git a/docs/versioned_docs/version-2.20/_media/SLSA-Badge-full-level3.svg b/docs/versioned_docs/version-2.20/_media/SLSA-Badge-full-level3.svg
deleted file mode 100644
index 7154d4a13..000000000
--- a/docs/versioned_docs/version-2.20/_media/SLSA-Badge-full-level3.svg
+++ /dev/null
@@ -1,47 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_bw.png b/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_bw.png
deleted file mode 100644
index a82ebe2d0..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_bw.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_iops.png b/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_iops.png
deleted file mode 100644
index 1723257a8..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_fio_azure_iops.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_bw.png b/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_bw.png
deleted file mode 100644
index 4f0ecc94b..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_bw.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_iops.png b/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_iops.png
deleted file mode 100644
index 571086da2..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_fio_gcp_iops.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_azure.png b/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_azure.png
deleted file mode 100644
index 9130349c7..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_azure.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_gcp.png b/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_gcp.png
deleted file mode 100644
index a41557e96..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2p_gcp.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_azure.png b/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_azure.png
deleted file mode 100644
index d83e17f5a..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_azure.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_gcp.png b/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_gcp.png
deleted file mode 100644
index 55916a1de..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_net_p2svc_gcp.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/max_latency.png b/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/max_latency.png
deleted file mode 100644
index 696250181..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/max_latency.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/mean_latency.png b/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/mean_latency.png
deleted file mode 100644
index 3b43298ac..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/mean_latency.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/min_latency.png b/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/min_latency.png
deleted file mode 100644
index 1046df67e..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/min_latency.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/p99_latency.png b/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/p99_latency.png
deleted file mode 100644
index 0190118b2..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/benchmark_vault/5replicas/p99_latency.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/concept-constellation.svg b/docs/versioned_docs/version-2.20/_media/concept-constellation.svg
deleted file mode 100644
index 30d32bf6d..000000000
--- a/docs/versioned_docs/version-2.20/_media/concept-constellation.svg
+++ /dev/null
@@ -1,460 +0,0 @@ - -
diff --git a/docs/versioned_docs/version-2.20/_media/concept-managed.svg b/docs/versioned_docs/version-2.20/_media/concept-managed.svg
deleted file mode 100644
index 5645a608f..000000000
--- a/docs/versioned_docs/version-2.20/_media/concept-managed.svg
+++ /dev/null
@@ -1,591 +0,0 @@ - -
diff --git a/docs/versioned_docs/version-2.20/_media/constellation_oneline.svg b/docs/versioned_docs/version-2.20/_media/constellation_oneline.svg
deleted file mode 100644
index 4e354958a..000000000
--- a/docs/versioned_docs/version-2.20/_media/constellation_oneline.svg
+++ /dev/null
@@ -1,52 +0,0 @@ - - - - - - - -
diff --git a/docs/versioned_docs/version-2.20/_media/example-emojivoto.jpg b/docs/versioned_docs/version-2.20/_media/example-emojivoto.jpg
deleted file mode 100644
index 4be0d5b26..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/example-emojivoto.jpg and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/example-online-boutique.jpg b/docs/versioned_docs/version-2.20/_media/example-online-boutique.jpg
deleted file mode 100644
index 026f0d865..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/example-online-boutique.jpg and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/recovery-gcp-serial-console-link.png b/docs/versioned_docs/version-2.20/_media/recovery-gcp-serial-console-link.png
deleted file mode 100644
index eb67f0e99..000000000
Binary files a/docs/versioned_docs/version-2.20/_media/recovery-gcp-serial-console-link.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.20/_media/tcb.svg b/docs/versioned_docs/version-2.20/_media/tcb.svg
deleted file mode 100644
index e5bcb5b95..000000000
--- a/docs/versioned_docs/version-2.20/_media/tcb.svg
+++ /dev/null
@@ -1,535 +0,0 @@ - -
diff --git a/docs/versioned_docs/version-2.20/architecture/attestation.md b/docs/versioned_docs/version-2.20/architecture/attestation.md
deleted file mode 100644
index 9bd157460..000000000
--- a/docs/versioned_docs/version-2.20/architecture/attestation.md
+++ /dev/null
@@ -1,409 +0,0 @@ -# Attestation - -This page explains Constellation's attestation process and highlights the cornerstones of its trust model. - -## Terms - -The following lists terms and concepts that help to understand the attestation concept of Constellation. - -### Trusted Platform Module (TPM) - -A TPM chip is a dedicated tamper-resistant crypto-processor. -It can securely store artifacts such as passwords, certificates, encryption keys, or *runtime measurements* (more on this below). -When a TPM is implemented in software, it's typically called a *virtual* TPM (vTPM). - -### Runtime measurement - -A runtime measurement is a cryptographic hash of the memory pages of a so called *runtime component*. Runtime components of interest typically include a system's bootloader or OS kernel. - -### Platform Configuration Register (PCR) - -A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. -To store a new value in a PCR, the existing value is extended with a new value as follows: - -``` -PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend ) -``` - -The PCRs are typically used to store runtime measurements. -The new value of a PCR is always an extension of the existing value. -Thus, storing the measurements of multiple components into the same PCR irreversibly links them together. - -### Measured boot - -Measured boot builds on the concept of chained runtime measurements. -Each component in the boot chain loads and measures the next component into the PCR before executing it. -By comparing the resulting PCR values against trusted reference values, the integrity of the entire boot chain and thereby the running system can be ensured. - -### Remote attestation (RA) - -Remote attestation is the process of verifying certain properties of an application or platform, such as integrity and confidentiality, from a remote location. 
-In the case of a measured boot, the goal is to obtain a signed attestation statement on the PCR values of the boot measurements. -The statement can then be verified and compared to a set of trusted reference values. -This way, the integrity of the platform can be ensured before sharing secrets with it. - -### Confidential virtual machine (CVM) - -Confidential computing (CC) is the protection of data in-use with hardware-based trusted execution environments (TEEs). -With CVMs, TEEs encapsulate entire virtual machines and isolate them against the hypervisor, other VMs, and direct memory access. -After loading the initial VM image into encrypted memory, the hypervisor calls for a secure processor to measure these initial memory pages. -The secure processor locks these pages and generates an attestation report on the initial page measurements. -CVM memory pages are encrypted with a key that resides inside the secure processor, which makes sure only the guest VM can access them. -The attestation report is signed by the secure processor and can be verified using remote attestation via the certificate authority of the hardware vendor. -Such an attestation statement guarantees the confidentiality and integrity of a CVM. - -### Attested TLS (aTLS) - -In a CC environment, attested TLS (aTLS) can be used to establish secure connections between two parties using the remote attestation features of the CC components. - -aTLS modifies the TLS handshake by embedding an attestation statement into the TLS certificate. -Instead of relying on a certificate authority, aTLS uses this attestation statement to establish trust in the certificate. - -The protocol can be used by clients to verify a server certificate, by a server to verify a client certificate, or for mutual verification (mutual aTLS). - -## Overview - -The challenge for Constellation is to lift a CVM's attestation statement to the Kubernetes software layer and make it end-to-end verifiable. 
-From there, Constellation needs to expand the attestation from a single CVM to the entire cluster. - -The [*JoinService*](microservices.md#joinservice) and [*VerificationService*](microservices.md#verificationservice) are where all runs together. -Internally, the *JoinService* uses remote attestation to securely join CVM nodes to the cluster. -Externally, the *VerificationService* provides an attestation statement for the cluster's CVMs and configuration. - -The following explains the details of both steps. - -## Node attestation - -The idea is that Constellation nodes should have verifiable integrity from the CVM hardware measurement up to the Kubernetes software layer. -The solution is a verifiable boot chain and an integrity-protected runtime environment. - -Constellation uses measured boot within CVMs, measuring each component in the boot process before executing it. -Outside of CC, this is usually implemented via TPMs. -CVM technologies differ in how they implement runtime measurements, but the general concepts are similar to those of a TPM. -For simplicity, TPM terminology like *PCR* is used in the following. - -When a Constellation node image boots inside a CVM, measured boot is used for all stages and components of the boot chain. -This process goes up to the root filesystem. -The root filesystem is mounted read-only with integrity protection. -For the details on the image and boot stages see the [image architecture](../architecture/images.md) documentation. -Any changes to the image will inevitably also change the corresponding PCR values. -To create a node attestation statement, the Constellation image obtains a CVM attestation statement from the hardware. -This includes the runtime measurements and thereby binds the measured boot results to the CVM hardware measurement. - -In addition to the image measurements, Constellation extends a PCR during the [initialization phase](../workflows/create.md) that irrevocably marks the node as initialized. 
-The measurement is created using the [*clusterID*](../architecture/keys.md#cluster-identity), tying all future attestation statements to this ID. -Thereby, an attestation statement is unique for every cluster and a node can be identified unambiguously as being initialized. - -To verify an attestation, the hardware's signature and a statement are verified first to establish trust in the contained runtime measurements. -If successful, the measurements are verified against the trusted values of the particular Constellation release version. -Finally, the measurement of the *clusterID* can be compared by calculating it with the [master secret](keys.md#master-secret). - -### Runtime measurements - -Constellation uses runtime measurements to implement the measured boot approach. -As stated above, the underlying hardware technology and guest firmware differ in their implementations of runtime measurements. -The following gives a detailed description of the available measurements in the different cloud environments. - -The runtime measurements consist of two types of values: - -* **Measurements produced by the cloud infrastructure and firmware of the CVM**: -These are measurements of closed-source firmware and other values controlled by the cloud provider. -While not being reproducible for the user, some of them can be compared against previously observed values. -Others may change frequently and aren't suitable for verification. -The [signed image measurements](#chain-of-trust) include measurements that are known, previously observed values. - -* **Measurements produced by the Constellation bootloader and boot chain**: -The Constellation Bootloader takes over from the CVM firmware and [measures the rest of the boot chain](images.md). -The Constellation [Bootstrapper](microservices.md#bootstrapper) is the first user mode component that runs in a Constellation image. 
-It extends PCR registers with the [IDs](keys.md#cluster-identity) of the cluster marking a node as initialized. - -Constellation allows to specify in the config which measurements should be enforced during the attestation process. -Enforcing non-reproducible measurements controlled by the cloud provider means that changes in these values require manual updates to the cluster's config. -By default, Constellation only enforces measurements that are stable values produced by the infrastructure or by Constellation directly. - - - - -Constellation uses the [vTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) (NitroTPM) feature of the [AWS Nitro System](http://aws.amazon.com/ec2/nitro/) on AWS for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | AWS | No | -| 1 | Firmware | AWS | No | -| 2 | Firmware | AWS | No | -| 3 | Firmware | AWS | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | AWS, Constellation Bootloader | Yes | -| 5 | Firmware | AWS | No | -| 6 | Firmware | AWS | No | -| 7 | Secure Boot Policy | AWS, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm) feature of Azure CVMs for runtime measurements. -This vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [measured boot](https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation#measured-boot) verification that's based on the trusted launch feature of [Trusted Launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | Azure | No | -| 1 | Firmware | Azure | No | -| 2 | Firmware | Azure | No | -| 3 | Firmware | Azure | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | Azure, Constellation Bootloader | Yes | -| 5 | Reserved | Azure | No | -| 6 | VM Unique ID | Azure | No | -| 7 | Secure Boot State | Azure, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) feature of CVMs on GCP for runtime measurements. -Note that this vTPM doesn't run inside the hardware-protected CVM context, but is emulated by the hypervisor. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [launch attestation report](https://cloud.google.com/compute/confidential-vm/docs/monitoring#about_launch_attestation_report_events) that's based on the measured boot feature of [Shielded VMs](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#measured-boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. 
-The latter means that the value can be generated offline and compared to the one in the vTPM. - -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | CVM version and technology | GCP | No | -| 1 | Firmware | GCP | No | -| 2 | Firmware | GCP | No | -| 3 | Firmware | GCP | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | GCP, Constellation Bootloader | Yes | -| 5 | Disk GUID partition table | GCP | No | -| 6 | Disk GUID partition table | GCP | No | -| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses a hypervisor-based vTPM for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | STACKIT | No | -| 1 | Firmware | STACKIT | No | -| 2 | Firmware | STACKIT | No | -| 3 | Firmware | STACKIT | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | STACKIT, Constellation Bootloader | Yes | -| 5 | Firmware | STACKIT | No | -| 6 | Firmware | STACKIT | No | -| 7 | Secure Boot Policy | STACKIT, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -### CVM verification - -To verify the integrity of the received attestation statement, a chain of trust from the CVM technology to the interface providing the statement has to be established. -For verification of the CVM technology, Constellation may expose additional options in its config file. - - - - -On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. 
- -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On Azure, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the vTPM running inside the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* Firmware Signer - - This config option allows you to specify how the firmware signer should be verified. - More explicitly, it controls the verification of the `IDKeyDigest` value in the SEV-SNP attestation report. - You can provide a list of accepted key digests and specify a policy on how this list is compared against the reported `IDKeyDigest`. - - - - -On GCP, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. 
- Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs. -The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements). -There is no additional configuration available for STACKIT. - - - - -## Cluster attestation - -Cluster-facing, Constellation's [*JoinService*](microservices.md#joinservice) verifies each node joining the cluster given the configured ground truth runtime measurements. -User-facing, the [*VerificationService*](microservices.md#verificationservice) provides an interface to verify a node using remote attestation. -By verifying the first node during the [initialization](microservices.md#bootstrapper) and configuring the ground truth measurements that are subsequently enforced by the *JoinService*, the whole cluster is verified in a transitive way. - -### Cluster-facing attestation - -The *JoinService* is provided with the runtime measurements of the whitelisted Constellation image version as the ground truth. -During the initialization and the cluster bootstrapping, each node connects to the *JoinService* using [aTLS](#attested-tls-atls). -During the handshake, the node transmits an attestation statement including its runtime measurements. -The *JoinService* verifies that statement and compares the measurements against the ground truth. -For details of the initialization process check the [microservice descriptions](microservices.md). 
- -After the initialization, every node updates its runtime measurements with the *clusterID* value, marking it irreversibly as initialized. -When an initialized node tries to join another cluster, its measurements inevitably mismatch the measurements of an uninitialized node and it will be declined. - -### User-facing attestation - -The [*VerificationService*](microservices.md#verificationservice) provides an endpoint for obtaining its hardware-based remote attestation statement, which includes the runtime measurements. -A user can [verify](../workflows/verify-cluster.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy. - -## Putting it all together - -This section puts the aforementioned concepts together and illustrate how trust into a Constellation cluster is established and maintained. - -### CLI and node images - -It all starts with the CLI executable. The CLI is signed by Edgeless Systems. To ensure non-repudiability for CLI releases, Edgeless Systems publishes corresponding signatures to the public ledger of the [sigstore project](https://www.sigstore.dev/). There's a [step-by-step guide](../workflows/verify-cli.md) on how to verify CLI signatures based on sigstore. - -The CLI contains the latest runtime measurements of the Constellation node image for all supported cloud platforms. In case a different version of the node image is to be used, the corresponding runtime measurements can be fetched using the CLI's [fetch-measurements command](../reference/cli.md#constellation-config-fetch-measurements). This command downloads the runtime measurements and the corresponding signature from cdn.confidential.cloud. 
See for example the following files corresponding to node image v2.16.3: - -* [Measurements](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json) -* [Signature](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json.sig) - -The CLI contains the long-term public key of Edgeless Systems to verify the signature of downloaded runtime measurements. - -### Cluster creation - -When a cluster is [created](../workflows/create.md), the CLI automatically verifies the runtime measurements of the *first node* using remote attestation. Based on this, the CLI and the first node set up a temporary TLS connection. This [aTLS](#attested-tls-atls) connection is used for two things: - -1. The CLI sends the [master secret](../architecture/keys.md#master-secret) of the to-be-created cluster to the CLI. The master secret is generated by the first node. -2. The first node sends a [kubeconfig file](https://www.redhat.com/sysadmin/kubeconfig) with Kubernetes credentials to the CLI. - -After this, the aTLS connection is closed and the first node bootstraps the Kubernetes cluster. All subsequent interactions between the CLI and the cluster go via the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/) server running inside the cluster. The CLI (and other tools like kubectl) use the credentials referenced by the kubeconfig file to authenticate themselves towards the Kubernetes API server and to establish a mTLS connection. - -The CLI connects to the Kubernetes API to write the runtime measurements for the applicable node image to etcd. The JoinService uses these runtime measurements to verify all nodes that join the cluster subsequently. - -### Chain of trust - -In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the cluster via the CLI. This is illustrated in the following diagram. 
- -```mermaid -flowchart LR - A[User]-- "verifies" -->B[CLI] - B[CLI]-- "verifies" -->C([Runtime measurements]) - D[Edgeless Systems]-- "signs" -->B[CLI] - D[Edgeless Systems]-- "signs" -->C([Runtime measurements]) - B[CLI]-- "verifies (remote attestation)" -->E[First node] - E[First node]-- "verifies (remote attestation)" -->F[Other nodes] - C([Runtime measurements]) -.-> E[First node] - C([Runtime measurements]) -.-> F[Other nodes] -``` - -### Upgrades - -Whenever a cluster is [upgraded](../workflows/upgrade.md) to a new version of the node image, the CLI sends the corresponding runtime measurements via the Kubernetes API server. The new runtime measurements are stored in etcd within the cluster and replace any previous runtime measurements. The new runtime measurements are then used automatically by the JoinService for the verification of new nodes. - -## References - -[^1]: Linux IMA produces runtime measurements of user-space binaries. -However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value. -Instead, a policy engine must be used to verify the TPM event log against a policy. diff --git a/docs/versioned_docs/version-2.20/architecture/encrypted-storage.md b/docs/versioned_docs/version-2.20/architecture/encrypted-storage.md deleted file mode 100644 index f047fa4a9..000000000 --- a/docs/versioned_docs/version-2.20/architecture/encrypted-storage.md +++ /dev/null 
@@ -1,62 +0,0 @@
-# Encrypted persistent storage
-
-Confidential VMs provide runtime memory encryption to protect data in use.
-In the context of Kubernetes, this is sufficient for the confidentiality and integrity of stateless services.
-Consider a front-end web server, for example, that keeps all connection information cached in main memory.
-No sensitive data is ever written to an insecure medium.
-However, many real-world applications need some form of state or data-lake service that's connected to a persistent storage device and requires encryption at rest.
-As described in [Use persistent storage](../workflows/storage.md), cloud service providers (CSPs) use the container storage interface (CSI) to make their storage solutions available to Kubernetes workloads.
-These CSI storage solutions often support some sort of encryption.
-For example, Google Cloud [encrypts data at rest by default](https://cloud.google.com/security/encryption/default-encryption), without any action required by the customer.
-
-## Cloud provider-managed encryption
-
-CSP-managed storage solutions encrypt the data in the cloud backend before writing it physically to disk.
-In the context of confidential computing and Constellation, the CSP and its managed services aren't trusted.
-Hence, cloud provider-managed encryption protects your data from offline hardware access to physical storage devices.
-It doesn't protect it from anyone with infrastructure-level access to the storage backend or a malicious insider in the cloud platform.
-Even with "bring your own key" or similar concepts, the CSP performs the encryption process with access to the keys and plaintext data.
-
-In the security model of Constellation, securing persistent storage and thereby data at rest requires that all cryptographic operations are performed inside a trusted execution environment.
-Consequently, using CSP-managed encryption of persistent storage usually isn't an option.
-
-## Constellation-managed encryption
-
-Constellation provides CSI drivers for storage solutions in all major clouds with built-in encryption support.
-Block storage provisioned by the CSP is [mapped](https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html) using the [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html), and optionally the [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html), kernel modules, before it's formatted and accessed by the Kubernetes workloads.
-All cryptographic operations happen inside the trusted environment of the confidential Constellation node.
-
-Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.
-
-By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](microservices.md#keyservice).
-The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret).
-This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator.
-
-Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs.
-
-Refer to [keys and cryptography](keys.md) for more details on key management in Constellation.
-
-Once deployed and configured, the CSI driver ensures transparent encryption and integrity of all persistent volumes provisioned via its storage class.
-Data at rest is secured without any additional actions required by the developer.
-
-## Cryptographic algorithms
-
-This section gives an overview of the libraries, cryptographic algorithms, and their configurations, used in Constellation's CSI drivers.
-
-### dm-crypt
-
-To interact with the dm-crypt kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/).
-New devices are formatted as [LUKS2](https://gitlab.com/cryptsetup/LUKS2-docs/-/tree/master) partitions with a sector size of 4096 bytes.
-The used key derivation function is [Argon2id](https://datatracker.ietf.org/doc/html/rfc9106) with the [recommended parameters for memory-constrained environments](https://datatracker.ietf.org/doc/html/rfc9106#section-7.4) of 3 iterations and 64 MiB of memory, utilizing 4 parallel threads.
-For encryption Constellation uses AES in XTS-Plain64. The key size is 512 bit.
-
-### dm-integrity
-
-To interact with the dm-integrity kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/).
-When enabled, the used data integrity algorithm is [HMAC](https://datatracker.ietf.org/doc/html/rfc2104) with SHA256 as the hash function.
-The tag size is 32 Bytes.
-
-## Encrypted S3 object storage
-
-Constellation comes with a service that you can use to transparently retrofit client-side encryption to existing applications that use S3 (AWS or compatible) for storage.
-To learn more, check out the [s3proxy documentation](../workflows/s3proxy.md).
diff --git a/docs/versioned_docs/version-2.20/architecture/images.md b/docs/versioned_docs/version-2.20/architecture/images.md
deleted file mode 100644
index 8a9c51d36..000000000
--- a/docs/versioned_docs/version-2.20/architecture/images.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# Constellation images
-
-Constellation uses a minimal version of Fedora as the operating system running inside confidential VMs. This Linux distribution is optimized for containers and designed to be stateless.
-The Constellation images provide measured boot and an immutable filesystem.
-
-## Measured boot
-
-```mermaid
-flowchart LR
- Firmware --> Bootloader
- Bootloader --> uki
- subgraph uki[Unified Kernel Image]
- Kernel[Kernel]
- initramfs[Initramfs]
- cmdline[Kernel Command Line]
- end
- uki --> rootfs[Root Filesystem]
-```
-
-Measured boot uses a Trusted Platform Module (TPM) to measure every part of the boot process. This allows for verification of the integrity of a running system at any point in time. To ensure correct measurements of every stage, each stage is responsible to measure the next stage before transitioning.
-
-### Firmware
-
-With confidential VMs, the firmware is the root of trust and is measured automatically at boot. After initialization, the firmware will load and measure the bootloader before executing it.
-
-### Bootloader
-
-The bootloader is the first modifiable part of the boot chain. The bootloader is tasked with loading the kernel, initramfs and setting the kernel command line. The Constellation bootloader measures these components before starting the kernel.
-
-### initramfs
-
-The initramfs is a small filesystem loaded to prepare the actual root filesystem. The Constellation initramfs maps the block device containing the root filesystem with [dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html). The initramfs then mounts the root filesystem from the mapped block device.
-
-dm-verity provides integrity checking using a cryptographic hash tree. When a block is read, its integrity is checked by verifying the tree against a trusted root hash. The initramfs reads this root hash from the previously measured kernel command line.
Thus, if any block of the root filesystem's device is modified on disk, trying to read the modified block will result in a kernel panic at runtime.
-
-After mounting the root filesystem, the initramfs will switch over and start the `init` process of the integrity-protected root filesystem.
-
-## State disk
-
-In addition to the read-only root filesystem, each Constellation node has a disk for storing state data.
-This disk is mounted readable and writable by the initramfs and contains data that should persist across reboots.
-Such data can contain sensitive information and, therefore, must be stored securely.
-To that end, the state disk is protected by authenticated encryption.
-See the section on [keys and encryption](keys.md#storage-encryption) for more information on the cryptographic primitives in use.
-
-## Kubernetes components
-
-During initialization, the [*Bootstrapper*](microservices.md#bootstrapper) downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) as configured by the user.
-They're stored on the state partition and can be updated once new releases need to be installed.
diff --git a/docs/versioned_docs/version-2.20/architecture/keys.md b/docs/versioned_docs/version-2.20/architecture/keys.md
deleted file mode 100644
index 49821cd0b..000000000
--- a/docs/versioned_docs/version-2.20/architecture/keys.md
+++ /dev/null
@@ -1,130 +0,0 @@
-# Key management and cryptographic primitives
-
-Constellation protects and isolates your cluster and workloads.
-To that end, cryptography is the foundation that ensures the confidentiality and integrity of all components.
-Evaluating the security and compliance of Constellation requires a precise understanding of the cryptographic primitives and keys used.
-The following gives an overview of the architecture and explains the technical details.
-
-## Confidential VMs
-
-Confidential VM (CVM) technology comes with hardware and software components for memory encryption, isolation, and remote attestation.
-For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories.
-
-## Master secret
-
-The master secret is the cryptographic material used for deriving the [*clusterID*](#cluster-identity) and the *key encryption key (KEK)* for [storage encryption](#storage-encryption).
-It's generated during the bootstrapping of a Constellation cluster.
-It can either be managed by [Constellation](#constellation-managed-key-management) or an [external key management system](#user-managed-key-management).
-In case of [recovery](#recovery-and-migration), the master secret allows to decrypt the state and recover a Constellation cluster.
-
-## Cluster identity
-
-The identity of a Constellation cluster is represented by cryptographic [measurements](attestation.md#runtime-measurements):
-
-The **base measurements** represent the identity of a valid, uninitialized Constellation node.
-They depend on the node image, but are otherwise the same for every Constellation cluster.
-On node boot, they're determined using the CVM's attestation mechanism and [measured boot up to the read-only root filesystem](images.md).
-
-The **clusterID** represents the identity of a single initialized Constellation cluster.
-It's derived from the master secret and a cryptographically random salt and unique for every Constellation cluster.
-The [Bootstrapper](microservices.md#bootstrapper) measures the *clusterID* into its own PCR before executing any code not measured as part of the *base measurements*.
-See [Node attestation](attestation.md#node-attestation) for details.
-
-The remote attestation statement of a Constellation cluster combines the *base measurements* and the *clusterID* for a verifiable, unspoofable, unique identity.
-
-## Network encryption
-
-Constellation encrypts all cluster network communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-See [network encryption](networking.md) for more details.
-
-The Cilium agent running on each node establishes a secure [WireGuard](https://www.wireguard.com/) tunnel between it and all other known nodes in the cluster.
-Each node creates its own [Curve25519](http://cr.yp.to/ecdh.html) encryption key pair and distributes its public key via Kubernetes.
-A node uses another node's public key to decrypt and encrypt traffic from and to Cilium-managed endpoints running on that node.
-Connections are always encrypted peer-to-peer using [ChaCha20](http://cr.yp.to/chacha.html) with [Poly1305](http://cr.yp.to/mac.html).
-WireGuard implements [forward secrecy with key rotation every 2 minutes](https://lists.zx2c4.com/pipermail/wireguard/2017-December/002141.html).
-
-## Storage encryption
-
-Constellation supports transparent encryption of persistent storage.
-The Linux kernel's device mapper-based encryption features are used to encrypt the data on the block storage level.
-Currently, the following primitives are used for block storage encryption:
-
-* [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html)
-* [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html)
-
-Adding primitives for integrity protection in the CVM attacker model are under active development and will be available in a future version of Constellation.
-See [encrypted storage](encrypted-storage.md) for more details.
-
-As a cluster administrator, when creating a cluster, you can use the Constellation [installation program](orchestration.md) to select one of the following methods for key management:
-
-* Constellation-managed key management
-* User-managed key management
-
-### Constellation-managed key management
-
-#### Key material and key derivation
-
-During the creation of a Constellation cluster, the cluster's master secret is used to derive a KEK.
-This means creating two clusters with the same master secret will yield the same KEK.
-Any data encryption key (DEK) is derived from the KEK via HKDF.
-Note that the master secret is recommended to be unique for every cluster and shouldn't be reused (except in case of [recovering](../workflows/recovery.md) a cluster).
-
-#### State and storage
-
-The KEK is derived from the master secret during the initialization.
-Subsequently, all other key material is derived from the KEK.
-Given the same KEK, any DEK can be derived deterministically from a given identifier.
-Hence, there is no need to store DEKs. They can be derived on demand.
-After the KEK was derived, it's stored in memory only and never leaves the CVM context.
-
-#### Availability
-
-Constellation-managed key management has the same availability as the underlying Kubernetes cluster.
-Therefore, the KEK is stored in the [distributed Kubernetes etcd storage](https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/) to allow for unexpected but non-fatal (control-plane) node failure.
-The etcd storage is backed by the encrypted and integrity protected [state disk](images.md#state-disk) of the nodes.
-
-#### Recovery
-
-Constellation clusters can be recovered in the event of a disaster, even when all node machines have been stopped and need to be rebooted.
-For details on the process see the [recovery workflow](../workflows/recovery.md).
-
-### User-managed key management
-
-User-managed key management is under active development and will be available soon.
-In scenarios where constellation-managed key management isn't an option, this mode allows you to keep full control of your keys.
-For example, compliance requirements may force you to keep your KEKs in an on-prem key management system (KMS).
-
-During the creation of a Constellation cluster, you specify a KEK present in a remote KMS.
-This follows the common scheme of "bring your own key" (BYOK).
-Constellation will support several KMSs for managing the storage and access of your KEK.
-Initially, it will support the following KMSs:
-
-* [AWS KMS](https://aws.amazon.com/kms/)
-* [GCP KMS](https://cloud.google.com/security-key-management)
-* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
-* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
-
-Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
-In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
-Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
-
-KMIP support allows you to use your KMIP-compatible on-prem KMS and keep full control over your keys.
-This follows the common scheme of "hold your own key" (HYOK).
-
-The KEK is used to encrypt per-data "data encryption keys" (DEKs).
-DEKs are generated to encrypt your data before storing it on persistent storage.
-After being encrypted by the KEK, the DEKs are stored on dedicated cloud storage for persistence.
-Currently, Constellation supports the following cloud storage options:
-
-* [AWS S3](https://aws.amazon.com/s3/)
-* [GCP Cloud Storage](https://cloud.google.com/storage)
-* [Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/blobs/#overview)
-
-The DEKs are only present in plaintext form in the encrypted main memory of the CVMs.
-Similarly, the cryptographic operations for encrypting data before writing it to persistent storage are performed in the context of the CVMs.
-
-#### Recovery and migration
-
-In the case of a disaster, the KEK can be used to decrypt the DEKs locally and subsequently use them to decrypt and retrieve the data.
-In case of migration, configuring the same KEK will provide seamless migration of data.
-Thus, only the DEK storage needs to be transferred to the new cluster alongside the encrypted data for seamless migration.
diff --git a/docs/versioned_docs/version-2.20/architecture/microservices.md b/docs/versioned_docs/version-2.20/architecture/microservices.md
deleted file mode 100644
index 90bae783b..000000000
--- a/docs/versioned_docs/version-2.20/architecture/microservices.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# Microservices
-
-Constellation takes care of bootstrapping and initializing a Confidential Kubernetes cluster.
-During the lifetime of the cluster, it handles day 2 operations such as key management, remote attestation, and updates.
-These features are provided by several microservices:
-
-* The [Bootstrapper](microservices.md#bootstrapper) initializes a Constellation node and bootstraps the cluster
-* The [JoinService](microservices.md#joinservice) joins new nodes to an existing cluster
-* The [VerificationService](microservices.md#verificationservice) provides remote attestation functionality
-* The [KeyService](microservices.md#keyservice) manages Constellation-internal keys
-
-The relations between microservices are shown in the following diagram:
-
-```mermaid
-flowchart LR
- subgraph admin [Admin's machine]
- A[Constellation CLI]
- end
- subgraph img [Constellation OS image]
- B[Constellation OS]
- C[Bootstrapper]
- end
- subgraph Kubernetes
- D[JoinService]
- E[KeyService]
- F[VerificationService]
- end
- A -- deploys -->
- B -- starts --> C
- C -- deploys --> D
- C -- deploys --> E
- C -- deploys --> F
-```
-
-## Bootstrapper
-
-The *Bootstrapper* is the first microservice launched after booting a Constellation node image.
-It sets up that machine as a Kubernetes node and integrates that node into the Kubernetes cluster.
-To this end, the *Bootstrapper* first downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) at the configured versions.
-The *Bootstrapper* tries to find an existing cluster and if successful, communicates with the [JoinService](microservices.md#joinservice) to join the node.
-Otherwise, it waits for an initialization request to create a new Kubernetes cluster.
-
-## JoinService
-
-The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node.
-New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls).
-The *JoinService* verifies the new node's certificate and attestation statement.
-If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](microservices.md#keyservice) for its state disk, and a Kubernetes bootstrap token.
-
-
-```mermaid
-sequenceDiagram
- participant New node
- participant JoinService
- New node->>JoinService: aTLS handshake (server side verification)
- JoinService-->>New node: #
- New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
- JoinService->>+KeyService: GetDataKey(DiskUUID)
- KeyService-->>-JoinService: DiskEncryptionKey
- JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ...
-```
-
-## VerificationService
-
-The *VerificationService* runs as DaemonSet on each node.
-It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation).
-Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side.
-
-## KeyService
-
-The *KeyService* runs as DaemonSet on each control-plane node.
-It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes.
-Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively.
diff --git a/docs/versioned_docs/version-2.20/architecture/networking.md b/docs/versioned_docs/version-2.20/architecture/networking.md
deleted file mode 100644
index e9cbdf029..000000000
--- a/docs/versioned_docs/version-2.20/architecture/networking.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Network encryption
-
-Constellation encrypts all pod communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-To that end, Constellation deploys, configures, and operates the [Cilium](https://cilium.io/) CNI plugin.
-Cilium provides [transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption) for all cluster traffic using either IPSec or [WireGuard](https://www.wireguard.com/).
-Currently, Constellation only supports WireGuard as the encryption engine.
-You can read more about the cryptographic soundness of WireGuard [in their white paper](https://www.wireguard.com/papers/wireguard.pdf).
-
-Cilium is actively working on implementing a feature called [`host-to-host`](https://github.com/cilium/cilium/pull/19401) encryption mode for WireGuard.
-With `host-to-host`, all traffic between nodes will be tunneled via WireGuard (host-to-host, host-to-pod, pod-to-host, pod-to-pod).
-Until the `host-to-host` feature is released, Constellation enables `pod-to-pod` encryption.
-This mode encrypts all traffic between Kubernetes pods using WireGuard tunnels.
-
-When using Cilium in the default setup but with encryption enabled, there is a [known issue](https://docs.cilium.io/en/v1.12/gettingstarted/encryption/#egress-traffic-to-not-yet-discovered-remote-endpoints-may-be-unencrypted)
-that can cause pod-to-pod traffic to be unencrypted.
-To mitigate this issue, Constellation adds a *strict* mode to Cilium's `pod-to-pod` encryption.
-This mode changes the default behavior of traffic that's destined for an unknown endpoint to not be send out in plaintext, but instead being dropped.
-The strict mode distinguishes between traffic that's send to a pod from traffic that's destined for a cluster-external endpoint by considering the pod's CIDR range.
-
-Traffic originating from hosts isn't encrypted yet.
-This mainly includes health checks from Kubernetes API server.
-Also, traffic proxied over the API server via e.g. `kubectl port-forward` isn't encrypted.
diff --git a/docs/versioned_docs/version-2.20/architecture/observability.md b/docs/versioned_docs/version-2.20/architecture/observability.md
deleted file mode 100644
index 0f4daffd4..000000000
--- a/docs/versioned_docs/version-2.20/architecture/observability.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# Observability
-
-In Kubernetes, observability is the ability to gain insight into the behavior and performance of applications.
-It helps identify and resolve issues more effectively, ensuring stability and performance of Kubernetes workloads, reducing downtime and outages, and improving efficiency.
-The "three pillars of observability" are logs, metrics, and traces.
-
-In the context of Confidential Computing, observability is a delicate subject and needs to be applied such that it doesn't leak any sensitive information.
-The following gives an overview of where and how you can apply standard observability tools in Constellation.
-
-## Cloud resource monitoring
-
-While inaccessible, Constellation's nodes are still visible as black box VMs to the hypervisor.
-Resource consumption, such as memory and CPU utilization, can be monitored from the outside and observed via the cloud platforms directly.
-Similarly, other resources, such as storage and network and their respective metrics, are visible via the cloud platform.
-
-## Metrics
-
-Metrics are numeric representations of data measured over intervals of time. They're essential for understanding system health and gaining insights using telemetry signals.
-
-By default, Constellation exposes the [metrics for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/) inside the cluster.
-Similarly, the [etcd metrics](https://etcd.io/docs/v3.5/metrics/) endpoints are exposed inside the cluster.
-These [metrics endpoints can be disabled](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/#disabling-metrics).
-
-You can collect these cluster-internal metrics via tools such as [Prometheus](https://prometheus.io/) or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-Constellation's CNI Cilium also supports [metrics via Prometheus endpoints](https://docs.cilium.io/en/latest/observability/metrics/).
-However, in Constellation, they're disabled by default and must be enabled first.
-
-## Logs
-
-Logs represent discrete events that usually describe what's happening with your service.
-The payload is an actual message emitted from your system along with a metadata section containing a timestamp, labels, and tracking identifiers.
-
-### System logs
-
-Detailed system-level logs are accessible via `/var/log` and [journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) on the nodes directly.
-They can be collected from there, for example, via [Filebeat and Logstash](https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html), which are tools of the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-In case of an error during the initialization, the CLI automatically collects the [Bootstrapper](./microservices.md#bootstrapper) logs and returns these as a file for [troubleshooting](../workflows/troubleshooting.md). Here is an example of such an event:
-
-```shell-session
-Cluster initialization failed. This error is not recoverable.
-Terminate your cluster and try again.
-Fetched bootstrapper logs are stored in "constellation-cluster.log"
-```
-
-### Kubernetes logs
-
-Constellation supports the [Kubernetes logging architecture](https://kubernetes.io/docs/concepts/cluster-administration/logging/).
-By default, logs are written to the nodes' encrypted state disks.
-These include the Pod and container logs and the [system component logs](https://kubernetes.io/docs/concepts/cluster-administration/logging/#system-component-logs).
-
-[Constellation services](microservices.md) run as Pods inside the `kube-system` namespace and use the standard container logging mechanism.
-The same applies for the [Cilium Pods](https://docs.cilium.io/en/latest/operations/troubleshooting/#logs).
-
-You can collect logs from within the cluster via tools such as [Fluentd](https://github.com/fluent/fluentd), [Loki](https://github.com/grafana/loki), or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-## Traces
-
-Modern systems are implemented as interconnected complex and distributed microservices. Understanding request flows and system communications is challenging, mainly because all systems in a chain need to be modified to propagate tracing information. Distributed tracing is a new approach to increasing observability and understanding performance bottlenecks. A trace represents consecutive events that reflect an end-to-end request path in a distributed system.
-
-Constellation supports [traces for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-traces/).
-By default, they're disabled and need to be enabled first.
-
-Similarly, Cilium can be enabled to [export traces](https://cilium.io/use-cases/metrics-export/).
-
-You can collect these traces via tools such as [Jaeger](https://www.jaegertracing.io/) or [Zipkin](https://zipkin.io/).
-
-## Integrations
-
-Platforms and SaaS solutions such as Datadog, logz.io, Dynatrace, or New Relic facilitate the observability challenge for Kubernetes and provide all-in-one SaaS solutions.
-They install agents into the cluster that collect metrics, logs, and tracing information and upload them into the data lake of the platform.
-Technically, the agent-based approach is compatible with Constellation, and attaching these platforms is straightforward.
-However, you need to evaluate if the exported data might violate Constellation's compliance and privacy guarantees by uploading them to a third-party platform.
diff --git a/docs/versioned_docs/version-2.20/architecture/orchestration.md b/docs/versioned_docs/version-2.20/architecture/orchestration.md
deleted file mode 100644
index 3c8d529e7..000000000
--- a/docs/versioned_docs/version-2.20/architecture/orchestration.md
+++ /dev/null
@@ -1,83 +0,0 @@ -# Orchestrating Constellation clusters - -You can use the CLI to create a cluster on the supported cloud platforms. -The CLI provisions the resources in your cloud environment and initiates the initialization of your cluster. -It uses a set of parameters and an optional configuration file to manage your cluster installation. -The CLI is also used for updating your cluster. - -## Workspaces - -Each Constellation cluster has an associated *workspace*. -The workspace is where data such as the Constellation state and config files are stored. -Each workspace is associated with a single cluster and configuration. -The CLI stores state in the local filesystem making the current directory the active workspace. -Multiple clusters require multiple workspaces, hence, multiple directories. -Note that every operation on a cluster always has to be performed from the directory associated with its workspace. - -You may copy files from the workspace to other locations, -but you shouldn't move or delete them while the cluster is still being used. -The Constellation CLI takes care of managing the workspace. -Only when a cluster was terminated, and you are sure the files aren't needed anymore, should you remove a workspace. - -## Cluster creation process - -To allow for fine-grained configuration of your cluster and cloud environment, Constellation supports an extensive configuration file with strong defaults. [Generating the configuration file](../workflows/config.md) is typically the first thing you do in the workspace. - -Altogether, the following files are generated during the creation of a Constellation cluster and stored in the current workspace: - -* a configuration file -* a state file -* a Base64-encoded master secret -* [Terraform artifacts](../reference/terraform.md), stored in subdirectories -* a Kubernetes `kubeconfig` file. - -After the initialization of your cluster, the CLI will provide you with a Kubernetes `kubeconfig` file. 
-This file grants you access to your Kubernetes cluster and configures the [kubectl](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) tool. -In addition, the cluster's [identifier](orchestration.md#post-installation-configuration) is returned and stored in the state file. - -### Creation process details - -1. The CLI `apply` command first creates the confidential VM (CVM) resources in your cloud environment and configures the network -2. Each CVM boots the Constellation node image and measures every component in the boot chain -3. The first microservice launched in each node is the [*Bootstrapper*](microservices.md#bootstrapper) -4. The *Bootstrapper* waits until it either receives an initialization request or discovers an initialized cluster -5. The CLI then connects to the *Bootstrapper* of a selected node, sends the configuration, and initiates the initialization of the cluster -6. The *Bootstrapper* of **that** node [initializes the Kubernetes cluster](microservices.md#bootstrapper) and deploys the other Constellation [microservices](microservices.md) including the [*JoinService*](microservices.md#joinservice) -7. Subsequently, the *Bootstrappers* of the other nodes discover the initialized cluster and send join requests to the *JoinService* -8. As part of the join request each node includes an attestation statement of its boot measurements as authentication -9. The *JoinService* verifies the attestation statements and joins the nodes to the Kubernetes cluster -10. This process is repeated for every node joining the cluster later (e.g., through autoscaling) - -## Post-installation configuration - -Post-installation the CLI provides a configuration for [accessing the cluster using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/). -The `kubeconfig` file provides the credentials and configuration for connecting and authenticating to the API server. 
-Once configured, orchestrate the Kubernetes cluster via `kubectl`. - -After the initialization, the CLI will present you with a couple of tokens: - -* The [*master secret*](keys.md#master-secret) (stored in the `constellation-mastersecret.json` file by default) -* The [*clusterID*](keys.md#cluster-identity) of your cluster in Base64 encoding - -You can read more about these values and their meaning in the guide on [cluster identity](keys.md#cluster-identity). - -The *master secret* must be kept secret and can be used to [recover your cluster](../workflows/recovery.md). -Instead of managing this secret manually, you can [use your key management solution of choice](keys.md#user-managed-key-management) with Constellation. - -The *clusterID* uniquely identifies a cluster and can be used to [verify your cluster](../workflows/verify-cluster.md). - -## Upgrades - -Constellation images and microservices may need to be upgraded to new versions during the lifetime of a cluster. -Constellation implements a rolling update mechanism ensuring no downtime of the control or data plane. -You can upgrade a Constellation cluster with a single operation by using the CLI. -For step-by-step instructions on how to do this, refer to [Upgrade your cluster](../workflows/upgrade.md). - -### Attestation of upgrades - -With every new image, corresponding measurements are released. -During an update procedure, the CLI provides new measurements to the [JoinService](microservices.md#joinservice) securely. -New measurements for an updated image are automatically pulled and verified by the CLI following the [supply chain security concept](attestation.md#chain-of-trust) of Constellation. -The [attestation section](attestation.md#cluster-facing-attestation) describes in detail how these measurements are then used by the JoinService for the attestation of nodes. - - 
diff --git a/docs/versioned_docs/version-2.20/architecture/overview.md b/docs/versioned_docs/version-2.20/architecture/overview.md
deleted file mode 100644
index 386f93b2f..000000000
--- a/docs/versioned_docs/version-2.20/architecture/overview.md
+++ /dev/null
@@ -1,30 +0,0 @@ -# Overview - -Constellation is a cloud-based confidential orchestration platform. -The foundation of Constellation is Kubernetes and therefore shares the same technology stack and architecture principles. -To learn more about Constellation and Kubernetes, see [product overview](../overview/product.md). - -## About orchestration and updates - -As a cluster administrator, you can use the [Constellation CLI](orchestration.md) to install and deploy a cluster. -Updates are provided in accordance with the [support policy](versions.md). - -## About microservices and attestation - -Constellation manages the nodes and network in your cluster. All nodes are bootstrapped by the [*Bootstrapper*](microservices.md#bootstrapper). They're verified and authenticated by the [*JoinService*](microservices.md#joinservice) before being added to the cluster and the network. Finally, the entire cluster can be verified via the [*VerificationService*](microservices.md#verificationservice) using [remote attestation](attestation.md). - -## About node images and verified boot - -Constellation comes with operating system images for Kubernetes control-plane and worker nodes. -They're highly optimized for running containerized workloads and specifically prepared for running inside confidential VMs. -You can learn more about [the images](images.md) and how verified boot ensures their integrity during boot and beyond. - -## About key management and cryptographic primitives - -Encryption of data at-rest, in-transit, and in-use is the fundamental building block for confidential computing and Constellation. Learn more about the [keys and cryptographic primitives](keys.md) used in Constellation, [encrypted persistent storage](encrypted-storage.md), and [network encryption](networking.md). - -## About observability - -Observability in Kubernetes refers to the capability to troubleshoot issues using telemetry signals such as logs, metrics, and traces. 
-In the realm of Confidential Computing, it's crucial that observability aligns with confidentiality, necessitating careful implementation. -Learn more about the [observability capabilities in Constellation](./observability.md). diff --git a/docs/versioned_docs/version-2.20/architecture/versions.md b/docs/versioned_docs/version-2.20/architecture/versions.md deleted file mode 100644 index 9d5a064e0..000000000 --- a/docs/versioned_docs/version-2.20/architecture/versions.md +++ /dev/null @@ -1,21 +0,0 @@ -# Versions and support policy - -All components of Constellation use a three-digit version number of the form `v..`. -The components are released in lock step, usually on the first Tuesday of every month. This release primarily introduces new features, but may also include security or performance improvements. The `MINOR` version will be incremented as part of this release. - -Additional `PATCH` releases may be created on demand, to fix security issues or bugs before the next `MINOR` release window. - -New releases are published on [GitHub](https://github.com/edgelesssys/constellation/releases). - -## Kubernetes support policy - -Constellation is aligned to the [version support policy of Kubernetes](https://kubernetes.io/releases/version-skew-policy/#supported-versions), and therefore usually supports the most recent three minor versions. -When a new minor version of Kubernetes is released, support is added to the next Constellation release, and that version then supports four Kubernetes versions. -Subsequent Constellation releases drop support for the oldest (and deprecated) Kubernetes version. - -The following Kubernetes versions are currently supported: - - -* v1.28.15 -* v1.29.11 -* v1.30.7 diff --git a/docs/versioned_docs/version-2.20/getting-started/examples.md b/docs/versioned_docs/version-2.20/getting-started/examples.md deleted file mode 100644 index fded84980..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/examples.md +++ /dev/null 
@@ -1,6 +0,0 @@ -# Examples - -After you [installed the CLI](install.md) and [created your first cluster](first-steps.md), you're ready to deploy applications. Why not start with one of the following examples? -* [Emojivoto](examples/emojivoto.md): a simple but fun web application -* [Online Boutique](examples/online-boutique.md): an e-commerce demo application by Google consisting of 11 separate microservices -* [Horizontal Pod Autoscaling](examples/horizontal-scaling.md): an example demonstrating Constellation's autoscaling capabilities diff --git a/docs/versioned_docs/version-2.20/getting-started/examples/emojivoto.md b/docs/versioned_docs/version-2.20/getting-started/examples/emojivoto.md deleted file mode 100644 index 2bbe27917..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/examples/emojivoto.md +++ /dev/null @@ -1,22 +0,0 @@ -# Emojivoto -[Emojivoto](https://github.com/BuoyantIO/emojivoto) is a simple and fun application that's well suited to test the basic functionality of your cluster. - - - -emojivoto - Web UI - - - -1. Deploy the application: - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` -2. Wait until it becomes available: - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - ``` -3. Forward the web service to your machine: - ```bash - kubectl -n emojivoto port-forward svc/web-svc 8080:80 - ``` -4. Visit [http://localhost:8080](http://localhost:8080) diff --git a/docs/versioned_docs/version-2.20/getting-started/examples/filestash-s3proxy.md b/docs/versioned_docs/version-2.20/getting-started/examples/filestash-s3proxy.md deleted file mode 100644 index b9a394256..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/examples/filestash-s3proxy.md +++ /dev/null 
@@ -1,107 +0,0 @@ - -# Deploying Filestash - -Filestash is a web frontend for different storage backends, including S3. -It's a useful application to showcase s3proxy in action. - -1. Deploy s3proxy as described in [Deployment](../../workflows/s3proxy.md#deployment). -2. Create a deployment file for Filestash with one pod: - -```sh -cat << EOF > "deployment-filestash.yaml" -apiVersion: apps/v1 -kind: Deployment -metadata: - name: filestash -spec: - replicas: 1 - selector: - matchLabels: - app: filestash - template: - metadata: - labels: - app: filestash - spec: - hostAliases: - - ip: $(kubectl get svc s3proxy-service -o=jsonpath='{.spec.clusterIP}') - hostnames: - - "s3.us-east-1.amazonaws.com" - - "s3.us-east-2.amazonaws.com" - - "s3.us-west-1.amazonaws.com" - - "s3.us-west-2.amazonaws.com" - - "s3.eu-north-1.amazonaws.com" - - "s3.eu-south-1.amazonaws.com" - - "s3.eu-south-2.amazonaws.com" - - "s3.eu-west-1.amazonaws.com" - - "s3.eu-west-2.amazonaws.com" - - "s3.eu-west-3.amazonaws.com" - - "s3.eu-central-1.amazonaws.com" - - "s3.eu-central-2.amazonaws.com" - - "s3.ap-northeast-1.amazonaws.com" - - "s3.ap-northeast-2.amazonaws.com" - - "s3.ap-northeast-3.amazonaws.com" - - "s3.ap-east-1.amazonaws.com" - - "s3.ap-southeast-1.amazonaws.com" - - "s3.ap-southeast-2.amazonaws.com" - - "s3.ap-southeast-3.amazonaws.com" - - "s3.ap-southeast-4.amazonaws.com" - - "s3.ap-south-1.amazonaws.com" - - "s3.ap-south-2.amazonaws.com" - - "s3.me-south-1.amazonaws.com" - - "s3.me-central-1.amazonaws.com" - - "s3.il-central-1.amazonaws.com" - - "s3.af-south-1.amazonaws.com" - - "s3.ca-central-1.amazonaws.com" - - "s3.sa-east-1.amazonaws.com" - containers: - - name: filestash - image: machines/filestash:latest - ports: - - containerPort: 8334 - volumeMounts: - - name: ca-cert - mountPath: /etc/ssl/certs/kube-ca.crt - subPath: kube-ca.crt - volumes: - - name: ca-cert - secret: - secretName: s3proxy-tls - items: - - key: ca.crt - path: kube-ca.crt -EOF -``` - -The pod spec includes the 
`hostAliases` key, which adds an entry to the pod's `/etc/hosts`. -The entry forwards all requests for any of the currently defined AWS regions to the Kubernetes service `s3proxy-service`. -If you followed the s3proxy [Deployment](../../workflows/s3proxy.md#deployment) guide, this service points to a s3proxy pod. - -The deployment specifies all regions explicitly to prevent accidental data leaks. -If one of your buckets were located in a region that's not part of the `hostAliases` key, traffic towards those buckets would not be redirected to s3proxy. -Similarly, if you want to exclude data for specific regions from going through s3proxy you can remove those regions from the deployment. - -The spec also includes a volume mount for the TLS certificate and adds it to the pod's certificate trust store. -The volume is called `ca-cert`. -The key `ca.crt` of that volume is mounted to `/etc/ssl/certs/kube-ca.crt`, which is the default certificate trust store location for that container's OpenSSL library. -Not adding the CA certificate will result in TLS authentication errors. - -3. Apply the file: `kubectl apply -f deployment-filestash.yaml` - -Afterward, you can use a port forward to access the Filestash pod: -`kubectl port-forward pod/$(kubectl get pod --selector='app=filestash' -o=jsonpath='{.items[*].metadata.name}') 8334:8334` - -4. After browsing to `localhost:8443`, Filestash will ask you to set an administrator password. -After setting it, you can directly leave the admin area by clicking the blue cloud symbol in the top left corner. -Subsequently, you can select S3 as storage backend and enter your credentials. -This will bring you to an overview of your buckets. -If you want to deploy Filestash in production, take a look at its [documentation](https://www.filestash.app/docs/). - -5. 
To see the logs of s3proxy intercepting requests made to S3, run: `kubectl logs -f pod/$(kubectl get pod --selector='app=s3proxy' -o=jsonpath='{.items[*].metadata.name}')` -Look out for log messages labeled `intercepting`. -There is one such log message for each message that's encrypted, decrypted, or blocked. - -6. Once you have uploaded a file with Filestash, you should be able to view the file in Filestash. -However, if you go to the AWS S3 [Web UI](https://s3.console.aws.amazon.com/s3/home) and download the file you just uploaded in Filestash, you won't be able to read it. -Another way to spot encrypted files without downloading them is to click on a file, scroll to the Metadata section, and look for the header named `x-amz-meta-constellation-encryption`. -This header holds the encrypted data encryption key of the object and is only present on objects that are encrypted by s3proxy. diff --git a/docs/versioned_docs/version-2.20/getting-started/examples/horizontal-scaling.md b/docs/versioned_docs/version-2.20/getting-started/examples/horizontal-scaling.md deleted file mode 100644 index dfaf9e742..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/examples/horizontal-scaling.md +++ /dev/null 
@@ -1,98 +0,0 @@ -# Horizontal Pod Autoscaling -This example demonstrates Constellation's autoscaling capabilities. It's based on the Kubernetes [HorizontalPodAutoscaler Walkthrough](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/). During the following steps, Constellation will spawn new VMs on demand, verify them, add them to the cluster, and delete them again when the load has settled down. - -## Requirements -The cluster needs to be initialized with Kubernetes 1.23 or later. In addition, [autoscaling must be enabled](../../workflows/scale.md) to enable Constellation to assign new nodes dynamically. - -Just for this example specifically, the cluster should have as few worker nodes in the beginning as possible. Start with a small cluster with only *one* low-powered node for the control-plane node and *one* low-powered worker node. - -:::info -We tested the example using instances of types `Standard_DC4as_v5` on Azure and `n2d-standard-4` on GCP. -::: - -## Setup - -1. Install the Kubernetes Metrics Server: - ```bash - kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - ``` - -2. Deploy the HPA example server that's supposed to be scaled under load. - - This manifest is similar to the one from the Kubernetes HPA walkthrough, but with increased CPU limits and requests to facilitate the triggering of node scaling events. - ```bash - cat < - -Online Boutique - Web UI - - - -1. Create a namespace: - ```bash - kubectl create ns boutique - ``` -2. Deploy the application: - ```bash - kubectl apply -n boutique -f https://github.com/GoogleCloudPlatform/microservices-demo/raw/main/release/kubernetes-manifests.yaml - ``` -3. Wait for all services to become available: - ```bash - kubectl wait --for=condition=available --timeout=300s -n boutique --all deployments - ``` -4. 
Get the frontend's external IP address: - ```shell-session - $ kubectl get service frontend-external -n boutique | awk '{print $4}' - EXTERNAL-IP - - ``` - (`` is a placeholder for the IP assigned by your CSP.) -5. Enter the IP from the result in your browser to browse the online shop. diff --git a/docs/versioned_docs/version-2.20/getting-started/first-steps-local.md b/docs/versioned_docs/version-2.20/getting-started/first-steps-local.md deleted file mode 100644 index 98f0302de..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/first-steps-local.md +++ /dev/null 
@@ -1,277 +0,0 @@ -# First steps with a local cluster - -A local cluster lets you deploy and test Constellation without a cloud subscription. -You have two options: - -* Use MiniConstellation to automatically deploy a two-node cluster. -* For more fine-grained control, create the cluster using the QEMU provider. - -Both options use virtualization to create a local cluster with control-plane nodes and worker nodes. They **don't** require hardware with Confidential VM (CVM) support. For attestation, they currently use a software-based vTPM provided by KVM/QEMU. - -You need an x64 machine with a Linux OS. -You can use a VM, but it needs nested virtualization. - -## Prerequisites - -* Machine requirements: - * An x86-64 CPU with at least 4 cores (6 cores are recommended) - * At least 4 GB RAM (6 GB are recommended) - * 20 GB of free disk space - * Hardware virtualization enabled in the BIOS/UEFI (often referred to as Intel VT-x or AMD-V/SVM) / nested-virtualization support when using a VM -* Software requirements: - * Linux OS with [KVM kernel module](https://www.linux-kvm.org/page/Main_Page) - * Recommended: Ubuntu 22.04 LTS - * [Docker](https://docs.docker.com/engine/install/) - * [xsltproc](https://gitlab.gnome.org/GNOME/libxslt/-/wikis/home) - * (Optional) [virsh](https://www.libvirt.org/manpages/virsh.html) to observe and access your nodes - -### Software installation on Ubuntu - -```bash -# install Docker -curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null -sudo apt update -sudo apt install docker-ce -# install other dependencies -sudo apt install xsltproc -sudo snap install kubectl --classic -# install Constellation CLI -curl -LO 
https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -sudo install constellation-linux-amd64 /usr/local/bin/constellation -# do not drop forwarded packages -sudo iptables -P FORWARD ACCEPT -``` - -## Create a cluster - - - - - -With the `constellation mini` command, you can deploy and test Constellation locally. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/). - - -:::caution - -MiniConstellation has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since MiniConstellation runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -The following creates your MiniConstellation cluster (may take up to 10 minutes to complete): - -```bash -constellation mini up -``` - -This will configure your current directory as the [workspace](../architecture/orchestration.md#workspaces) for this cluster. -All `constellation` commands concerning this cluster need to be issued from this directory. - - - - -With the QEMU provider, you can create a local Constellation cluster as if it were in the cloud. The provider uses [QEMU](https://www.qemu.org/) to create multiple VMs for the cluster nodes, which interact with each other. - -:::caution - -Constellation on QEMU has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since Constellation on QEMU runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -1. 
To set up your local cluster, you need to create a configuration file for Constellation first. - - ```bash - constellation config generate qemu - ``` - - This creates a [configuration file](../workflows/config.md) for QEMU called `constellation-conf.yaml`. After that, your current folder also becomes your [workspace](../architecture/orchestration.md#workspaces). All `constellation` commands for your cluster need to be executed from this directory. - -2. Now you can create your cluster and its nodes. `constellation apply` uses the options set in `constellation-conf.yaml`. - - ```bash - constellation apply -y - ``` - - The Output should look like the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type 2-vCPUs will be created. - 1 worker node of type 2-vCPUs will be created. - Creating - Cloud infrastructure created successfully. - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your setup, `constellation apply` may take 10+ minutes to complete. - - ::: - -3. 
Configure kubectl - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - - - -## Connect to the cluster - -Your cluster initially consists of a single control-plane node: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 66s v1.24.6 -``` - -Additional nodes will request to join the cluster shortly. Before each additional node is allowed to join the cluster, its state is verified using remote attestation by the [JoinService](../architecture/microservices.md#joinservice). -If verification passes successfully, the new node receives keys and certificates to join the cluster. - -You can follow this process by viewing the logs of the JoinService: - -```shell-session -$ kubectl logs -n kube-system daemonsets/join-service -f -{"level":"INFO","ts":"2022-10-14T09:32:20Z","caller":"cmd/main.go:48","msg":"Constellation Node Join Service","version":"2.1.0","cloudProvider":"qemu"} -{"level":"INFO","ts":"2022-10-14T09:32:20Z","logger":"validator","caller":"watcher/validator.go:96","msg":"Updating expected measurements"} -... -``` - -Once all nodes have joined your cluster, it may take a couple of minutes for all resources to become available. -You can check on the state of your cluster by running the following: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 2m59s v1.24.6 -worker-0 Ready 32s v1.24.6 -``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation mini down -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -## Troubleshooting - -Make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### VMs have no internet access / CLI remains in "Initializing cluster" state - -`iptables` rules may prevent your VMs from accessing the internet. -Make sure your rules aren't dropping forwarded packages. 
- -List your rules: - -```bash -sudo iptables -S -``` - -The output may look similar to the following: - -```shell-session --P INPUT ACCEPT --P FORWARD DROP --P OUTPUT ACCEPT --N DOCKER --N DOCKER-ISOLATION-STAGE-1 --N DOCKER-ISOLATION-STAGE-2 --N DOCKER-USER -``` - -If your `FORWARD` chain is set to `DROP`, you need to update your rules: - -```bash -sudo iptables -P FORWARD ACCEPT -``` diff --git a/docs/versioned_docs/version-2.20/getting-started/first-steps.md b/docs/versioned_docs/version-2.20/getting-started/first-steps.md deleted file mode 100644 index 2afe95635..000000000 --- a/docs/versioned_docs/version-2.20/getting-started/first-steps.md +++ /dev/null 
@@ -1,235 +0,0 @@
-# First steps with Constellation
-
-The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully [installed and set up Constellation](install.md),
-and have access to a cloud subscription.
-
-:::tip
-If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing.
-:::
-
-:::note
-If you encounter any problem with the following steps, make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22).
-:::
-
-## Create a cluster
-
-1. Create the [configuration file](../workflows/config.md) and state file for your cloud provider. If you are following the steps of this guide, there is no need to edit the file.
-
-
-
-
- ```bash
- constellation config generate aws
- ```
-
-
-
-
- ```bash
- constellation config generate azure
- ```
-
-
-
-
- ```bash
- constellation config generate gcp
- ```
-
-
-
-
- ```bash
- constellation config generate stackit
- ```
-
-
-
-
-2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration).
-
-
-
-
- ```bash
- constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config
- ```
-
- This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
-
- Depending on the attestation variant selected on config generation, different regions are available.
- AMD SEV-SNP machines (requires the default attestation variant `awsSEVSNP`) are currently available in the following regions:
- * `eu-west-1`
- * `us-east-2`
-
- You can find a list of regions that support AMD SEV-SNP in [AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html).
-
- NitroTPM machines (requires the attestation variant `awsNitroTPM`) are available in all regions.
- Constellation OS images are currently replicated to the following regions:
- * `eu-central-1`
- * `eu-west-1`
- * `eu-west-3`
- * `us-east-2`
- * `ap-south-1`
-
- If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x).
-
- You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).
-
-
-
-
- ```bash
- constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
- ```
-
- This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
-
- CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following:
-
- * `germanywestcentral`
- * `westus`
- * `eastus`
- * `northeurope`
- * `westeurope`
- * `southeastasia`
-
- If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x).
-
- You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all).
-
-
-
-
- ```bash
- constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config
- ```
-
- This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
-
- Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
-
-
-
-
- To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md).
- After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`:
-
- * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud))
-
- :::caution
-
- `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`.
-
- :::
-
-
-
-
- :::tip
- To learn about all options you have for managing IAM resources and Constellation configuration, see the [Configuration workflow](../workflows/config.md).
- :::
-
-
-
-3. Create the cluster. `constellation apply` uses options set in `constellation-conf.yaml`.
- If you want to manually manage your cloud resources, for example by using [Terraform](../reference/terraform.md), follow the corresponding instructions in the [Create workflow](../workflows/create.md).
-
- :::tip
-
- On Azure, you may need to wait 15+ minutes at this point for role assignments to propagate.
-
- :::
-
- ```bash
- constellation apply -y
- ```
-
- This should look similar to the following:
-
- ```shell-session
- $ constellation apply -y
- Checking for infrastructure changes
- The following Constellation cluster will be created:
- 3 control-plane nodes of type n2d-standard-4 will be created.
- 1 worker node of type n2d-standard-4 will be created.
- Creating
- Cloud infrastructure created successfully
- Your Constellation master secret was successfully written to ./constellation-mastersecret.json
- Connecting
- Initializing cluster
- Installing Kubernetes components
- Your Constellation cluster was successfully initialized.
-
- Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY=
- Kubernetes configuration constellation-admin.conf
-
- You can now connect to your cluster by executing:
- export KUBECONFIG="$PWD/constellation-admin.conf"
- ```
-
- The cluster's identifier will be different in your output.
- Keep `constellation-mastersecret.json` somewhere safe.
- This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster.
-
- :::info
-
- Depending on your CSP and region, `constellation apply` may take 10+ minutes to complete.
-
- :::
-
-4. Configure kubectl.
-
- ```bash
- export KUBECONFIG="$PWD/constellation-admin.conf"
- ```
-
-## Deploy a sample application
-
-1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto)
-
- ```bash
- kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment
- ```
-
-2. 
Expose the frontend service locally
-
- ```bash
- kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments
- kubectl -n emojivoto port-forward svc/web-svc 8080:80 &
- curl http://localhost:8080
- kill %1
- ```
-
-## Terminate your cluster
-
-Use the CLI to terminate your cluster. If you manually used [Terraform](../reference/terraform.md) to manage your cloud resources, follow the corresponding instructions in the [Terminate workflow](../workflows/terminate.md).
-
-```bash
-constellation terminate
-```
-
-This should give the following output:
-
-```shell-session
-$ constellation terminate
-You are about to terminate a Constellation cluster.
-All of its associated resources will be DESTROYED.
-This action is irreversible and ALL DATA WILL BE LOST.
-Do you want to continue? [y/n]:
-```
-
-Confirm with `y` to terminate the cluster:
-
-```shell-session
-Terminating ...
-Your Constellation cluster was terminated successfully.
-```
-
-Optionally, you can also [delete your IAM resources](../workflows/config.md#deleting-an-iam-configuration).
diff --git a/docs/versioned_docs/version-2.20/getting-started/install.md b/docs/versioned_docs/version-2.20/getting-started/install.md
deleted file mode 100644
index 29be1e7f6..000000000
--- a/docs/versioned_docs/version-2.20/getting-started/install.md
+++ /dev/null
@@ -1,439 +0,0 @@
-# Installation and setup
-
-Constellation runs entirely in your cloud environment and can be controlled via a dedicated [command-line interface (CLI)](../reference/cli.md) or a [Terraform provider](../workflows/terraform-provider.md).
-
-## Prerequisites
-
-Make sure the following requirements are met:
-
-* Your machine is running Linux, macOS, or Windows
-* You have admin rights on your machine
-* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
-* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT
-
-## Install the Constellation CLI
-
-:::tip
-
-If you prefer to use Terraform, you can alternatively use the [Terraform provider](../workflows/terraform-provider.md) to manage the cluster's lifecycle.
-
-:::
-
-The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases).
-Install it with the following commands:
-
-
-
-
-1. Download the CLI:
-
-```bash
-curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64
-```
-
-2. [Verify the signature](../workflows/verify-cli.md) (optional)
-
-3. Install the CLI to your PATH:
-
-```bash
-sudo install constellation-linux-amd64 /usr/local/bin/constellation
-```
-
-
-
-
-1. Download the CLI:
-
-```bash
-curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-arm64
-```
-
-2. [Verify the signature](../workflows/verify-cli.md) (optional)
-
-3. Install the CLI to your PATH:
-
-```bash
-sudo install constellation-linux-arm64 /usr/local/bin/constellation
-```
-
-
-
-
-
-1. Download the CLI:
-
-```bash
-curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-arm64
-```
-
-2. [Verify the signature](../workflows/verify-cli.md) (optional)
-
-3. Install the CLI to your PATH:
-
-```bash
-sudo install constellation-darwin-arm64 /usr/local/bin/constellation
-```
-
-
-
-
-
-1. 
Download the CLI:
-
-```bash
-curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-amd64
-```
-
-2. [Verify the signature](../workflows/verify-cli.md) (optional)
-
-3. Install the CLI to your PATH:
-
-```bash
-sudo install constellation-darwin-amd64 /usr/local/bin/constellation
-```
-
-
-
-
-
-1. Download the CLI:
-
-```bash
-Invoke-WebRequest -OutFile ./constellation.exe -Uri 'https://github.com/edgelesssys/constellation/releases/latest/download/constellation-windows-amd64.exe'
-```
-
-2. [Verify the signature](../workflows/verify-cli.md) (optional)
-
-3. Install the CLI under `C:\Program Files\Constellation\bin\constellation.exe`
-
-3. Add the CLI to your PATH:
-
- 1. Open `Advanced system settings` by searching for the App in the Windows search
- 2. Go to the `Advanced` tab
- 3. Click `Environment Variables…`
- 4. Click variable called `Path` and click `Edit…`
- 5. Click `New`
- 6. Enter the path to the folder containing the binary you want on your PATH: `C:\Program Files\Constellation\bin`
-
-
-
-
-:::tip
-The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps.
-:::
-
-## Set up cloud credentials
-
-Constellation makes authenticated calls to the CSP API. Therefore, you need to set up Constellation with the credentials for your CSP.
-
-:::tip
-If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing.
-:::
-
-### Required permissions
-
-
-
-
-To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure.
-
-To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions:
-
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeAccountAttributes",
- "iam:AddRoleToInstanceProfile",
- "iam:AttachRolePolicy",
- "iam:CreateInstanceProfile",
- "iam:CreatePolicy",
- "iam:CreateRole",
- "iam:DeleteInstanceProfile",
- "iam:DeletePolicy",
- "iam:DeletePolicyVersion",
- "iam:DeleteRole",
- "iam:DetachRolePolicy",
- "iam:GetInstanceProfile",
- "iam:GetPolicy",
- "iam:GetPolicyVersion",
- "iam:GetRole",
- "iam:ListAttachedRolePolicies",
- "iam:ListInstanceProfilesForRole",
- "iam:ListPolicyVersions",
- "iam:ListRolePolicies",
- "iam:PassRole",
- "iam:RemoveRoleFromInstanceProfile",
- "sts:GetCallerIdentity"
- ],
- "Resource": "*"
- }
- ]
-}
-```
-
-The built-in `AdministratorAccess` policy is a superset of these permissions.
-
-To [create a Constellation cluster](../workflows/create.md), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf).
-
-The built-in `PowerUserAccess` policy is a superset of these permissions.
-
-Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
-
-
-
-
-The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
-
-* `Microsoft.Attestation`
-* `Microsoft.Compute`
-* `Microsoft.Insights`
-* `Microsoft.ManagedIdentity`
-* `Microsoft.Network`
-
-By default, Constellation tries to register these automatically if they haven't been registered before.
-
-To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions:
-
-* `*/register/action` \[1]
-* `Microsoft.Authorization/roleAssignments/*`
-* `Microsoft.Authorization/roleDefinitions/*`
-* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
-* `Microsoft.Resources/subscriptions/resourcegroups/*`
-
-The built-in `Owner` role is a superset of these permissions.
-
-To [create a Constellation cluster](../workflows/create.md), you need the following permissions:
-
-* `Microsoft.Attestation/attestationProviders/*`
-* `Microsoft.Compute/virtualMachineScaleSets/*`
-* `Microsoft.Insights/components/*`
-* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
-* `Microsoft.Network/loadBalancers/*`
-* `Microsoft.Network/loadBalancers/backendAddressPools/*`
-* `Microsoft.Network/networkSecurityGroups/*`
-* `Microsoft.Network/publicIPAddresses/*`
-* `Microsoft.Network/virtualNetworks/*`
-* `Microsoft.Network/virtualNetworks/subnets/*`
-* `Microsoft.Network/natGateways/*`
-
-The built-in `Contributor` role is a superset of these permissions.
-
-Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions) and [assigning roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments).
-
-1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
-
-
-
-
-Create a new project for Constellation or use an existing one.
-Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it.
-
-To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions:
-
-* `iam.serviceAccountKeys.create`
-* `iam.serviceAccountKeys.delete`
-* `iam.serviceAccountKeys.get`
-* `iam.serviceAccounts.create`
-* `iam.serviceAccounts.delete`
-* `iam.serviceAccounts.get`
-* `resourcemanager.projects.getIamPolicy`
-* `resourcemanager.projects.setIamPolicy`
-
-Together, the built-in roles `roles/editor` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions.
-
-To [create a Constellation cluster](../workflows/create.md), you need the following permissions:
-
-* `compute.addresses.createInternal`
-* `compute.addresses.deleteInternal`
-* `compute.addresses.get`
-* `compute.addresses.useInternal`
-* `compute.backendServices.create`
-* `compute.backendServices.delete`
-* `compute.backendServices.get`
-* `compute.backendServices.use`
-* `compute.disks.create`
-* `compute.firewalls.create`
-* `compute.firewalls.delete`
-* `compute.firewalls.get`
-* `compute.firewalls.update`
-* `compute.globalAddresses.create`
-* `compute.globalAddresses.delete`
-* `compute.globalAddresses.get`
-* `compute.globalAddresses.use`
-* `compute.globalForwardingRules.create`
-* `compute.globalForwardingRules.delete`
-* `compute.globalForwardingRules.get`
-* `compute.globalForwardingRules.setLabels`
-* `compute.globalOperations.get`
-* `compute.healthChecks.create`
-* `compute.healthChecks.delete`
-* `compute.healthChecks.get`
-* `compute.healthChecks.useReadOnly`
-* `compute.instanceGroupManagers.create`
-* `compute.instanceGroupManagers.delete`
-* `compute.instanceGroupManagers.get`
-* `compute.instanceGroupManagers.update`
-* `compute.instanceGroups.create`
-* `compute.instanceGroups.delete`
-* `compute.instanceGroups.get`
-* `compute.instanceGroups.update`
-* `compute.instanceGroups.use`
-* `compute.instances.create`
-* `compute.instances.setLabels`
-* `compute.instances.setMetadata`
-* 
`compute.instances.setTags`
-* `compute.instanceTemplates.create`
-* `compute.instanceTemplates.delete`
-* `compute.instanceTemplates.get`
-* `compute.instanceTemplates.useReadOnly`
-* `compute.networks.create`
-* `compute.networks.delete`
-* `compute.networks.get`
-* `compute.networks.updatePolicy`
-* `compute.routers.create`
-* `compute.routers.delete`
-* `compute.routers.get`
-* `compute.routers.update`
-* `compute.subnetworks.create`
-* `compute.subnetworks.delete`
-* `compute.subnetworks.get`
-* `compute.subnetworks.use`
-* `compute.targetTcpProxies.create`
-* `compute.targetTcpProxies.delete`
-* `compute.targetTcpProxies.get`
-* `compute.targetTcpProxies.use`
-* `iam.serviceAccounts.actAs`
-
-Together, the built-in roles `roles/editor`, `roles/compute.instanceAdmin` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions.
-
-Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access).
-
-
-
-
-Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account.
-The UAT already has all required permissions by default.
-The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers.
-Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role.
-
-
-
-
-### Authentication
-
-You need to authenticate with your CSP. The following lists the required steps for *testing* and *production* environments.
-
-:::note
-The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps.
-:::
-
-
-
-
-**Testing**
-
-You can use the [AWS CloudShell](https://console.aws.amazon.com/cloudshell/home).
Make sure you are [authorized to use it](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html).
-
-**Production**
-
-Use the latest version of the [AWS CLI](https://aws.amazon.com/cli/) on a trusted machine:
-
-```bash
-aws configure
-```
-
-Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html).
-
-
-
-
-**Testing**
-
-Simply open the [Azure Cloud Shell](https://docs.microsoft.com/en-us/azure/cloud-shell/overview).
-
-**Production**
-
-Use the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) on a trusted machine:
-
-```bash
-az login
-```
-
-Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli).
-
-
-
-
-**Testing**
-
-You can use the [Google Cloud Shell](https://cloud.google.com/shell). Make sure your [session is authorized](https://cloud.google.com/shell/docs/auth). For example, execute `gsutil` and accept the authorization prompt.
-
-**Production**
-
-Use one of the following options on a trusted machine:
-
-* Use the [`gcloud` CLI](https://cloud.google.com/sdk/gcloud)
-
- ```bash
- gcloud auth application-default login
- ```
-
- This will ask you to log-in to your Google account and create your credentials.
- The Constellation CLI will automatically load these credentials when needed.
-
-* Set up a service account and pass the credentials manually
-
- Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials.
-
-
-
-
-You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API).
-
-1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API
-2. 
Create a configuration file with the credentials from the User Access Token under:
- * Linux: `~/.config/openstack/clouds.yaml`
- * macOS: `/Users//Library/Application Support/openstack/clouds.yaml` or `/etc/openstack/clouds.yaml`
- * Windows: `%AppData%\openstack\clouds.yaml`
-
-
- ```yaml
- clouds:
- stackit:
- auth:
- auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3
- username: REPLACE_WITH_UAT_USERNAME
- password: REPLACE_WITH_UAT_PASSWORD
- project_id: REPLACE_WITH_STACKIT_PROJECT_ID
- project_name: REPLACE_WITH_STACKIT_PROJECT_NAME
- user_domain_name: portal_mvp
- project_domain_name: portal_mvp
- region_name: RegionOne
- identity_api_version: 3
- ```
-
-:::caution
-
-`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file.
-
-:::
-
-3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token
-4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html)
-5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows)
-
- ```json
- {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"}
- ```
-
-
-
-
-
-## Next steps
-
-You are now ready to [deploy your first confidential Kubernetes cluster and application](first-steps.md).
diff --git a/docs/versioned_docs/version-2.20/getting-started/marketplaces.md b/docs/versioned_docs/version-2.20/getting-started/marketplaces.md
deleted file mode 100644
index a6763a42a..000000000
--- a/docs/versioned_docs/version-2.20/getting-started/marketplaces.md
+++ /dev/null
@@ -1,56 +0,0 @@
-# Using Constellation via Cloud Marketplaces
-
-Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
-
-This document explains how to run Constellation with the dynamically billed cloud marketplace images.
-
-
-
-
-To use Constellation's marketplace images, ensure that you are subscribed to the [marketplace offering](https://aws.amazon.com/marketplace/pp/prodview-2mbn65nv57oys) through the web portal.
-
-Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
-
-```bash
-yq eval -i ".provider.aws.useMarketplaceImage = true" constellation-conf.yaml
-```
-
-
-
-
-Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) to gain access.
-
-To use a marketplace image, you need to accept the marketplace image's terms once for your subscription with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest):
-
-```bash
-az vm image terms accept --publisher edgelesssystems --offer constellation --plan constellation
-```
-
-Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
-
-```bash
-yq eval -i ".provider.azure.useMarketplaceImage = true" constellation-conf.yaml
-```
-
-
-
-
-To use a marketplace image, ensure that the account is entitled to use marketplace images by Edgeless Systems by accepting the terms through the [web portal](https://console.cloud.google.com/marketplace/vm/config/edgeless-systems-public/constellation).
-
-Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md):
-
-```bash
-yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml
-```
-
-
-
-
-On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal.
-
-
-
-
-Ensure that the cluster uses an official release image version (i.e., `.image=vX.Y.Z` in the `constellation-conf.yaml` file).
-
-From there, you can proceed with the [cluster creation](../workflows/create.md) as usual.
diff --git a/docs/versioned_docs/version-2.20/intro.md b/docs/versioned_docs/version-2.20/intro.md
deleted file mode 100644
index 0bfe86da9..000000000
--- a/docs/versioned_docs/version-2.20/intro.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-slug: /
-id: intro
----
-# Introduction
-
-Welcome to the documentation of Constellation! Constellation is a Kubernetes engine that aims to provide the best possible data security.
-
-![Constellation concept](/img/concept.svg)
-
- Constellation shields your entire Kubernetes cluster from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages a technology called *confidential computing* and more specifically Confidential VMs.
-
-:::tip
-See the 📄[whitepaper](https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf) for more information on confidential computing.
-:::
-
-## Goals
-
-From a security perspective, Constellation is designed to keep all data always encrypted and to prevent any access from the underlying (cloud) infrastructure. This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure. Such attackers could be malicious co-tenants escalating their privileges or hackers who managed to compromise a cloud server.
-
-From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern Kubernetes engine.
-
-## Use cases
-
-Constellation provides unique security [features](overview/confidential-kubernetes.md) and [benefits](overview/security-benefits.md). The core use cases are:
-
-* Increasing the overall security of your clusters
-* Increasing the trustworthiness of your SaaS offerings
-* Moving sensitive workloads from on-prem to the cloud
-* Meeting regulatory requirements
-
-## Next steps
-
-You can learn more about the concept of Confidential Kubernetes, features, security benefits, and performance of Constellation in the *Basics* section. To jump right into the action head to *Getting started*.
diff --git a/docs/versioned_docs/version-2.20/overview/clouds.md b/docs/versioned_docs/version-2.20/overview/clouds.md
deleted file mode 100644
index b2695d28e..000000000
--- a/docs/versioned_docs/version-2.20/overview/clouds.md
+++ /dev/null
@@ -1,66 +0,0 @@ -# Feature status of clouds - -What works on which cloud? Currently, Confidential VMs (CVMs) are available in varying quality on the different clouds and software stacks. - -For Constellation, the ideal environment provides the following: - -1. Ability to run arbitrary software and images inside CVMs -2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or Intel TDX (available in Xeon CPUs since the Sapphire Rapids generation) -3. Ability for CVM guests to obtain raw hardware attestation statements -4. Reviewable, open-source firmware inside CVMs -5. Capability of the firmware to attest the integrity of the code it passes control to, e.g., with an embedded virtual TPM (vTPM) - -(1) is a functional must-have. (2)--(5) are required for remote attestation that fully keeps the infrastructure/cloud out. Constellation can work without them or with approximations, but won't protect against certain privileged attackers anymore. - -The following table summarizes the state of features for different infrastructures. - -| **Feature** | **AWS** | **Azure** | **GCP** | **STACKIT** | **OpenStack (Yoga)** | -|-----------------------------------|---------|-----------|---------|--------------|----------------------| -| **1. Custom images** | Yes | Yes | Yes | Yes | Yes | -| **2. SEV-SNP or TDX** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **3. Raw guest attestation** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **4. Reviewable firmware** | Yes | No* | No | No | Depends on kernel/HV | -| **5. Confidential measured boot** | No | Yes | No | No | Depends on kernel/HV | - -## Amazon Web Services (AWS) - -Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/). -Regarding (3), AWS provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by the Nitro hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the [firmware is open source](https://github.com/aws/uefi) and can be reproducibly built. - -## Microsoft Azure - -With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation. -Regarding (3), Azure provides direct access to attestation statements. -The firmware runs in an isolated domain inside the CVM and exposes a vTPM (5), but it's closed source (4). -On SEV-SNP, Azure uses VM Privilege Level (VMPL) isolation for the separation of firmware and the rest of the VM; on TDX, they use TD partitioning. -This firmware is signed by Azure. -The signature is reflected in the attestation statements of CVMs. -Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB). - -\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future. - -## Google Cloud Platform (GCP) - -The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP. -Regarding (3), with their SEV-SNP offering Google provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the CVMs still include closed-source firmware. - -[TDX on Google](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense) is in public preview. -With it, Constellation would have a similar TCB and attestation flow as with the current SEV-SNP offering. - -## STACKIT - -[STACKIT Compute Engine](https://www.stackit.de/en/product/stackit-compute-engine/) supports AMD SEV-ES. A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB. - -## OpenStack - -OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation. - -## Conclusion - -The different clouds and software like the Linux kernel and OpenStack are in the process of building out their support for state-of-the-art CVMs. Azure has already most features in place. For Constellation, the status quo means that the TCB has different shapes on different infrastructures. With broad SEV-SNP support coming to the Linux kernel, we soon expect a normalization of features across infrastructures. 
diff --git a/docs/versioned_docs/version-2.20/overview/confidential-kubernetes.md b/docs/versioned_docs/version-2.20/overview/confidential-kubernetes.md deleted file mode 100644 index bff8c3322..000000000 --- a/docs/versioned_docs/version-2.20/overview/confidential-kubernetes.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# Confidential Kubernetes - -We use the term *Confidential Kubernetes* to refer to the concept of using confidential-computing technology to shield entire Kubernetes clusters from the infrastructure. The three defining properties of this concept are: - -1. **Workload shielding**: the confidentiality and integrity of all workload-related data and code are enforced. -2. **Control plane shielding**: the confidentiality and integrity of the cluster's control plane, state, and workload configuration are enforced. -3. **Attestation and verifiability**: the two properties above can be verified remotely based on hardware-rooted cryptographic certificates. - -Each of the above properties is equally important. Only with all three in conjunction, an entire cluster can be shielded without gaps. - -## Constellation security features - -Constellation implements the Confidential Kubernetes concept with the following security features. - -* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster. -* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime. -* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs. -* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster. 
-* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.) -* **"Whole cluster" attestation**: Towards the DevOps engineer, Constellation provides a single hardware-rooted certificate from which all of the above can be verified. - -With the above, Constellation wraps an entire cluster into one coherent and verifiable *confidential context*. The concept is depicted in the following. - -![Confidential Kubernetes](../_media/concept-constellation.svg) - -## Comparison: Managed Kubernetes with CVMs - -In comparison, managed Kubernetes with CVMs, as it's for example offered in [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) and [GKE](https://cloud.google.com/kubernetes-engine), only provides runtime encryption for certain worker nodes. Here, each worker node is a separate (and typically unverified) confidential context. This only provides limited security benefits as it only prevents direct access to a worker node's memory. The large majority of potential attacks through the infrastructure remain unaffected. This includes attacks through the control plane, access to external key management, and the corruption of worker node images. This leaves many problems unsolved. For instance, *Node A* has no means to verify if *Node B* is "good" and if it's OK to share data with it. Consequently, this approach leaves a large attack surface, as is depicted in the following. - -![Concept: Managed Kubernetes plus CVMs](../_media/concept-managed.svg) - -The following table highlights the key differences in terms of features. 
- -| | Managed Kubernetes with CVMs | Confidential Kubernetes (Constellation✨) | -|-------------------------------------|------------------------------|--------------------------------------------| -| Runtime encryption | Partial (data plane only)| **Yes** | -| Node image verification | No | **Yes** | -| Full cluster attestation | No | **Yes** | -| Transparent network encryption | No | **Yes** | -| Transparent storage encryption | No | **Yes** | -| Confidential key management | No | **Yes** | -| Cloud agnostic / multi-cloud | No | **Yes** | diff --git a/docs/versioned_docs/version-2.20/overview/license.md b/docs/versioned_docs/version-2.20/overview/license.md deleted file mode 100644 index 34122c025..000000000 --- a/docs/versioned_docs/version-2.20/overview/license.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# License - -## Source code - -Constellation's source code is available on [GitHub](https://github.com/edgelesssys/constellation) under the [GNU Affero General Public License v3.0](https://github.com/edgelesssys/constellation/blob/main/LICENSE). - -## Binaries - -Edgeless Systems provides ready-to-use and [signed](../architecture/attestation.md#chain-of-trust) binaries of Constellation. This includes the CLI and the [node images](../architecture/images.md). - -These binaries may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems. - -The Constellation CLI displays relevant license information when you initialize your cluster. You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability. - -## Terraform provider - -Edgeless Systems provides a [Terraform provider](https://github.com/edgelesssys/terraform-provider-constellation/releases), which may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems. - -You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability. - -## Community License - -You are free to use the Constellation binaries provided by Edgeless Systems to create services for internal consumption, evaluation purposes, or non-commercial use. You must not use the Constellation binaries to provide commercial hosted services to third parties. Edgeless Systems gives no warranties and offers no support. - -## Enterprise License - -Enterprise Licenses don't have the above limitations and come with support and additional features. 
Find out more at the [product website](https://www.edgeless.systems/products/constellation/). - -Once you have received your Enterprise License file, place it in your [Constellation workspace](../architecture/orchestration.md#workspaces) in a file named `constellation.license`. - -## CSP Marketplaces - -Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). diff --git a/docs/versioned_docs/version-2.20/overview/performance/application.md b/docs/versioned_docs/version-2.20/overview/performance/application.md deleted file mode 100644 index c67d59644..000000000 --- a/docs/versioned_docs/version-2.20/overview/performance/application.md +++ /dev/null 
@@ -1,102 +0,0 @@ -# Application benchmarks - -## HashiCorp Vault - -[HashiCorp Vault](https://www.vaultproject.io/) is a distributed secrets management software that can be deployed to Kubernetes. -HashiCorp maintains a benchmarking tool for vault, [vault-benchmark](https://github.com/hashicorp/vault-benchmark/). -Vault-benchmark generates load on a Vault deployment and measures response times. - -This article describes the results from running vault-benchmark on Constellation, AKS, and GKE. -You can find the setup for producing the data discussed in this article in the [vault-benchmarks](https://github.com/edgelesssys/vault-benchmarks) repository. - -The Vault API used during benchmarking is the [transits secret engine](https://developer.hashicorp.com/vault/docs/secrets/transit). -This allows services to send data to Vault for encryption, decryption, signing, and verification. - -## Results - -On each run, vault-benchmark sends requests and measures the latencies. -The measured latencies are aggregated through various statistical features. -After running the benchmark n times, the arithmetic mean over a subset of the reported statistics is calculated. -The selected features are arithmetic mean, 99th percentile, minimum, and maximum. - -Arithmetic mean gives a general sense of the latency on each target. -The 99th percentile shows performance in (most likely) erroneous states. -Minimum and maximum mark the range within which latency varies each run. - -The benchmark was configured with 1300 workers and 10 seconds per run. -Those numbers were chosen empirically. -The latency was stabilizing at 10 seconds runtime, not changing with further increase. -Increasing the number of workers beyond 1300 leads to request failures, marking the limit Vault was able to handle in this setup. -All results are based on 100 runs. - -The following data was generated while running five replicas, one primary, and four standby nodes. 
-All numbers are in seconds if not indicated otherwise. -``` -========== Results AKS ========== -Mean: mean: 1.632200, variance: 0.002057 -P99: mean: 5.480679, variance: 2.263700 -Max: mean: 6.651001, variance: 2.808401 -Min: mean: 0.011415, variance: 0.000133 -========== Results GKE ========== -Mean: mean: 1.656435, variance: 0.003615 -P99: mean: 6.030807, variance: 3.955051 -Max: mean: 7.164843, variance: 3.300004 -Min: mean: 0.010233, variance: 0.000111 -========== Results C11n ========== -Mean: mean: 1.651549, variance: 0.001610 -P99: mean: 5.780422, variance: 3.016106 -Max: mean: 6.942997, variance: 3.075796 -Min: mean: 0.013774, variance: 0.000228 -========== AKS vs C11n ========== -Mean: +1.171577 % (AKS is faster) -P99: +5.185495 % (AKS is faster) -Max: +4.205618 % (AKS is faster) -Min: +17.128781 % (AKS is faster) -========== GKE vs C11n ========== -Mean: -0.295851 % (GKE is slower) -P99: -4.331603 % (GKE is slower) -Max: -3.195248 % (GKE is slower) -Min: +25.710886 % (GKE is faster) -``` - -**Interpretation**: Latencies are all within ~5% of each other. -AKS performs slightly better than GKE and Constellation (C11n) in all cases except minimum latency. -Minimum latency is the lowest for GKE. -Compared to GKE, Constellation had slightly lower peak latencies (99th percentile and maximum), indicating that Constellation could have handled slightly more concurrent accesses than GKE. -Overall, performance is at comparable levels across all three distributions. -Based on these numbers, you can use a similarly sized Constellation cluster to run your existing Vault deployment. - -### Visualization - -The following plots visualize the data presented above as [box plots](https://en.wikipedia.org/wiki/Box_plot). -The whiskers denote the minimum and maximum. -The box stretches from the 25th to the 75th percentile, with the dividing bar marking the 50th percentile. -The circles outside the whiskers denote outliers. - -

-Mean Latency - -![Mean Latency](../../_media/benchmark_vault/5replicas/mean_latency.png) - -
- -
-99th Percentile Latency - -![99th Percentile Latency](../../_media/benchmark_vault/5replicas/p99_latency.png) - -
- -
-Maximum Latency - -![Maximum Latency](../../_media/benchmark_vault/5replicas/max_latency.png) - -
- -
-Minimum Latency - -![Minimum Latency](../../_media/benchmark_vault/5replicas/min_latency.png) - -
diff --git a/docs/versioned_docs/version-2.20/overview/performance/compute.md b/docs/versioned_docs/version-2.20/overview/performance/compute.md deleted file mode 100644 index 88dd4b1b2..000000000 --- a/docs/versioned_docs/version-2.20/overview/performance/compute.md +++ /dev/null @@ -1,11 +0,0 @@ -# Impact of runtime encryption on compute performance - -All nodes in a Constellation cluster are executed inside Confidential VMs (CVMs). Consequently, the performance of Constellation is inherently linked to the performance of these CVMs. - -## AMD and Azure benchmarking - -AMD and Azure have collectively released a [performance benchmark](https://community.amd.com/t5/business/microsoft-azure-confidential-computing-powered-by-3rd-gen-epyc/ba-p/497796) for CVMs that utilize 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. This benchmark, which included a variety of mostly compute-intensive tests such as SPEC CPU 2017 and CoreMark, demonstrated that CVMs experience only minor performance degradation (ranging from 2% to 8%) when compared to standard VMs. Such results are indicative of the performance that can be expected from compute-intensive workloads running with Constellation on Azure. - -## AMD and Google benchmarking - -Similarly, AMD and Google have jointly released a [performance benchmark](https://www.amd.com/system/files/documents/3rd-gen-epyc-gcp-c2d-conf-compute-perf-brief.pdf) for CVMs employing 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. With high-performance computing workloads such as WRF, NAMD, Ansys CFS, and Ansys LS_DYNA, they observed analogous findings, with only minor performance degradation (between 2% and 4%) compared to standard VMs. These outcomes are reflective of the performance that can be expected for compute-intensive workloads running with Constellation on GCP. 
diff --git a/docs/versioned_docs/version-2.20/overview/performance/io.md b/docs/versioned_docs/version-2.20/overview/performance/io.md deleted file mode 100644 index 3ae796f8a..000000000 --- a/docs/versioned_docs/version-2.20/overview/performance/io.md +++ /dev/null 
@@ -1,204 +0,0 @@ -# I/O performance benchmarks - -To assess the overall performance of Constellation, this benchmark evaluates Constellation v2.6.0 in terms of storage I/O using [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) and network performance using the [Kubernetes Network Benchmark](https://github.com/InfraBuilder/k8s-bench-suite#knb--kubernetes-network-be). - -This benchmark tested Constellation on Azure and GCP and compared the results against the managed Kubernetes offerings AKS and GKE. - -## Configurations - -### Constellation - -The benchmark was conducted with Constellation v2.6.0, Kubernetes v1.25.7, and Cilium v1.12. -It ran on the following infrastructure configurations. - -Constellation on Azure: - -- Nodes: 3 (1 Control-plane, 2 Worker) -- Machines: `DC4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory -- CVM: `true` -- Region: `West US` -- Zone: `2` - -Constellation on GCP: - -- Nodes: 3 (1 Control-plane, 2 Worker) -- Machines: `n2d-standard-4`: 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory -- CVM: `true` -- Zone: `europe-west3-b` - -### AKS - -On AKS, the benchmark used Kubernetes `v1.24.9` and nodes with version `AKSUbuntu-1804gen2containerd-2023.02.15`. -AKS ran with the [`kubenet`](https://learn.microsoft.com/en-us/azure/aks/concepts-network#kubenet-basic-networking) CNI and the [default CSI driver](https://learn.microsoft.com/en-us/azure/aks/azure-disk-csi) for Azure Disk. - -The following infrastructure configurations was used: - -- Nodes: 2 (2 Worker) -- Machines: `D4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory -- CVM: `false` -- Region: `West US` -- Zone: `2` - -### GKE - -On GKE, the benchmark used Kubernetes `v1.24.9` and nodes with version `1.24.9-gke.3200`. 
-GKE ran with the [`kubenet`](https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview) CNI and the [default CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver) for Compute Engine persistent disk. - -The following infrastructure configurations was used: - -- Nodes: 2 (2 Worker) -- Machines: `n2d-standard-4` 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory -- CVM: `false` -- Zone: `europe-west3-b` - -## Results - -### Network - -This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. -The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). - -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). -AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). -The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). -Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. - -Constellation on Azure and AKS used an MTU of 1500. -Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450. - -The difference in network bandwidth can largely be attributed to two factors. - -- Constellation's [network encryption](../../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit. -- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O. 
- -#### Pod-to-Pod - -In this scenario, the client Pod connects directly to the server pod via its IP address. - -```mermaid -flowchart LR - subgraph Node A - Client[Client] - end - subgraph Node B - Server[Server] - end - Client ==>|traffic| Server -``` - -The results for "Pod-to-Pod" on Azure are as follows: - -![Network Pod2Pod Azure benchmark graph](../../_media/benchmark_net_p2p_azure.png) - -The results for "Pod-to-Pod" on GCP are as follows: - -![Network Pod2Pod GCP benchmark graph](../../_media/benchmark_net_p2p_gcp.png) - -#### Pod-to-Service - -In this scenario, the client Pod connects to the server Pod via a ClusterIP service. This is more relevant to real-world use cases. - -```mermaid -flowchart LR - subgraph Node A - Client[Client] ==>|traffic| Service[Service] - end - subgraph Node B - Server[Server] - end - Service ==>|traffic| Server -``` - -The results for "Pod-to-Pod" on Azure are as follows: - -![Network Pod2SVC Azure benchmark graph](../../_media/benchmark_net_p2svc_azure.png) - -The results for "Pod-to-Pod" on GCP are as follows: - -![Network Pod2SVC GCP benchmark graph](../../_media/benchmark_net_p2svc_gcp.png) - -In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU. - -Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth. - -### Storage I/O - -Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC). -Upon requesting persistent storage through a PVC, GKE and AKS will provision a PV as defined by a default [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). 
-Constellation provides persistent storage on Azure and GCP [that's encrypted on the CSI layer](../../architecture/encrypted-storage.md). -Similarly, upon a PVC request, Constellation will provision a PV via a default storage class. - -For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size. -The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance: - -- 6400 (20000 burst) IOPS -- 144 MB/s (600 MB/s burst) throughput - -However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes): - -- 500 (600 burst) IOPS -- 60 MB/s (150 MB/s burst) throughput - -For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size. -The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms): - -- 3,000 read IOPS -- 15,000 write IOPS -- 240 MB/s read throughput -- 240 MB/s write throughput - -However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size: - -- 2400 read IOPS -- 2400 write IOPS -- 112 MB/s read throughput -- 112 MB/s write throughput - -The [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) benchmark consists of several tests. -The benchmark used [`Kubestr`](https://github.com/kastenhq/kubestr) to run `fio` in Kubernetes. -The default test performs randomized access patterns that accurately depict worst-case I/O scenarios for most applications. 
- -The following `fio` settings were used: - -- No Cloud caching -- No OS caching -- Single CPU -- 60 seconds runtime -- 10 seconds ramp-up time -- 10 GiB file -- IOPS: 4 KB blocks and 128 iodepth -- Bandwidth: 1024 KB blocks and 128 iodepth - -For more details, see the [`fio` test configuration](https://github.com/edgelesssys/constellation/blob/main/.github/actions/e2e_benchmark/fio.ini). - -The results for IOPS on Azure are as follows: - -![I/O IOPS Azure benchmark graph](../../_media/benchmark_fio_azure_iops.png) - -The results for IOPS on GCP are as follows: - -![I/O IOPS GCP benchmark graph](../../_media/benchmark_fio_gcp_iops.png) - -The results for bandwidth on Azure are as follows: - -![I/O bandwidth Azure benchmark graph](../../_media/benchmark_fio_azure_bw.png) - -The results for bandwidth on GCP are as follows: - -![I/O bandwidth GCP benchmark graph](../../_media/benchmark_fio_gcp_bw.png) - -On GCP, the results exceed the maximum performance guarantees of the chosen disk type. There are two possible explanations for this. The first is that there may be cloud caching in place that isn't configurable. Alternatively, the underlying provisioned disk size may be larger than what was requested, resulting in higher performance boundaries. - -When comparing Constellation on GCP with GKE, Constellation has similar bandwidth but about 10% less IOPS performance. On Azure, Constellation has similar IOPS performance compared to AKS, where both likely hit the maximum storage performance. However, Constellation has approximately 15% less read and write bandwidth. - -## Conclusion - -Despite the added [security benefits](../security-benefits.md) that Constellation provides, it only incurs a slight performance overhead when compared to managed Kubernetes offerings such as AKS and GKE. In most compute benchmarks, Constellation is on par with it's alternatives. 
-While it may be slightly slower in certain I/O scenarios due to network and storage encryption, there is ongoing work to reduce this overhead to single digits. - -For instance, storage encryption only adds between 10% to 15% overhead in terms of bandwidth and IOPS. -Meanwhile, the biggest performance impact that Constellation currently faces is network encryption, which can incur up to 58% overhead on a 10 Gbps network. -However, the Cilium team has conducted [benchmarks with Cilium using WireGuard encryption](https://docs.cilium.io/en/latest/operations/performance/benchmark/#encryption-wireguard-ipsec) on a 100 Gbps network that yielded over 15 Gbps. -We're confident that Constellation will provide a similar level of performance with an upcoming release. - -Overall, Constellation strikes a great balance between security and performance, and we're continuously working to improve its performance capabilities while maintaining its high level of security. diff --git a/docs/versioned_docs/version-2.20/overview/performance/performance.md b/docs/versioned_docs/version-2.20/overview/performance/performance.md deleted file mode 100644 index 59bf86602..000000000 --- a/docs/versioned_docs/version-2.20/overview/performance/performance.md +++ /dev/null 
@@ -1,17 +0,0 @@ -# Performance analysis of Constellation - -This section provides a comprehensive examination of the performance characteristics of Constellation. - -## Runtime encryption - -Runtime encryption affects compute performance. [Benchmarks by Azure and Google](compute.md) show that the performance degradation of Confidential VMs (CVMs) is small, ranging from 2% to 8% for compute-intensive workloads. - -## I/O performance benchmarks - -We evaluated the [I/O performance](io.md) of Constellation, utilizing a collection of synthetic benchmarks targeting networking and storage. -We further compared this performance to native managed Kubernetes offerings from various cloud providers, to better understand how Constellation stands in relation to standard practices. - -## Application benchmarking - -To gauge Constellation's applicability to well-known applications, we performed a [benchmark of HashiCorp Vault](application.md) running on Constellation. -The results were then compared to deployments on the managed Kubernetes offerings from different cloud providers, providing a tangible perspective on Constellation's performance in actual deployment scenarios. diff --git a/docs/versioned_docs/version-2.20/overview/product.md b/docs/versioned_docs/version-2.20/overview/product.md deleted file mode 100644 index 4b5d90706..000000000 --- a/docs/versioned_docs/version-2.20/overview/product.md +++ /dev/null 
@@ -1,12 +0,0 @@
-# Product features
-
-Constellation is a Kubernetes engine that aims to provide the best possible data security in combination with enterprise-grade scalability and reliability features---and a smooth user experience.
-
-From a security perspective, Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and corresponding security features, which shield your entire cluster from the underlying infrastructure.
-
-From an operational perspective, Constellation provides the following key features:
-
-* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
-* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
-* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
-* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
diff --git a/docs/versioned_docs/version-2.20/overview/security-benefits.md b/docs/versioned_docs/version-2.20/overview/security-benefits.md
deleted file mode 100644
index 51a8b64f5..000000000
--- a/docs/versioned_docs/version-2.20/overview/security-benefits.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Security benefits and threat model
-
-Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and shields entire Kubernetes deployments from the infrastructure. More concretely, Constellation decreases the size of the trusted computing base (TCB) of a Kubernetes deployment. The TCB is the totality of elements in a computing environment that must be trusted not to be compromised. A smaller TCB results in a smaller attack surface. The following diagram shows how Constellation removes the *cloud & datacenter infrastructure* and the *physical hosts*, including the hypervisor, the host OS, and other components, from the TCB (red). Inside the confidential context (green), Kubernetes remains part of the TCB, but its integrity is attested and can be [verified](../workflows/verify-cluster.md).
-
-![TCB comparison](../_media/tcb.svg)
-
-Given this background, the following describes the concrete threat classes that Constellation addresses.
-
-## Insider access
-
-Employees and third-party contractors of cloud service providers (CSPs) have access to different layers of the cloud infrastructure.
-This opens up a large attack surface where workloads and data can be read, copied, or manipulated. With Constellation, Kubernetes deployments are shielded from the infrastructure and thus such accesses are prevented.
-
-## Infrastructure-based attacks
-
-Malicious cloud users ("hackers") may break out of their tenancy and access other tenants' data. Advanced attackers may even be able to establish a permanent foothold within the infrastructure and access data over a longer period. Analogously to the *insider access* scenario, Constellation also prevents access to a deployment's data in this scenario.
-
-## Supply chain attacks
-
-Supply chain security is receiving lots of attention recently due to an [increasing number of recorded attacks](https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks). For instance, a malicious actor could attempt to tamper Constellation node images (including Kubernetes and other software) before they're loaded in the confidential VMs of a cluster. Constellation uses [remote attestation](../architecture/attestation.md) in conjunction with public [transparency logs](../workflows/verify-cli.md) to prevent this.
-
-In the future, Constellation will extend this feature to customer workloads. This will enable cluster owners to create auditable policies that precisely define which containers can run in a given deployment.
diff --git a/docs/versioned_docs/version-2.20/reference/cli.md b/docs/versioned_docs/version-2.20/reference/cli.md
deleted file mode 100644
index 99acef520..000000000
--- a/docs/versioned_docs/version-2.20/reference/cli.md
+++ /dev/null
@@ -1,844 +0,0 @@ -# CLI reference - - - -Use the Constellation CLI to create and manage your clusters. - -Usage: - -``` -constellation [command] -``` -Commands: - -* [config](#constellation-config): Work with the Constellation configuration file - * [generate](#constellation-config-generate): Generate a default configuration and state file - * [fetch-measurements](#constellation-config-fetch-measurements): Fetch measurements for configured cloud provider and image - * [instance-types](#constellation-config-instance-types): Print the supported instance types for all cloud providers - * [kubernetes-versions](#constellation-config-kubernetes-versions): Print the Kubernetes versions supported by this CLI - * [migrate](#constellation-config-migrate): Migrate a configuration file to a new version -* [create](#constellation-create): Create instances on a cloud platform for your Constellation cluster -* [apply](#constellation-apply): Apply a configuration to a Constellation cluster -* [mini](#constellation-mini): Manage MiniConstellation clusters - * [up](#constellation-mini-up): Create and initialize a new MiniConstellation cluster - * [down](#constellation-mini-down): Destroy a MiniConstellation cluster -* [status](#constellation-status): Show status of a Constellation cluster -* [verify](#constellation-verify): Verify the confidential properties of a Constellation cluster -* [upgrade](#constellation-upgrade): Find and apply upgrades to your Constellation cluster - * [check](#constellation-upgrade-check): Check for possible upgrades - * [apply](#constellation-upgrade-apply): Apply an upgrade to a Constellation cluster -* [recover](#constellation-recover): Recover a completely stopped Constellation cluster -* [terminate](#constellation-terminate): Terminate a Constellation cluster -* [iam](#constellation-iam): Work with the IAM configuration on your cloud provider - * [create](#constellation-iam-create): Create IAM configuration on a cloud platform for your Constellation 
cluster - * [aws](#constellation-iam-create-aws): Create IAM configuration on AWS for your Constellation cluster - * [azure](#constellation-iam-create-azure): Create IAM configuration on Microsoft Azure for your Constellation cluster - * [gcp](#constellation-iam-create-gcp): Create IAM configuration on GCP for your Constellation cluster - * [destroy](#constellation-iam-destroy): Destroy an IAM configuration and delete local Terraform files - * [upgrade](#constellation-iam-upgrade): Find and apply upgrades to your IAM profile - * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile -* [version](#constellation-version): Display version of this CLI -* [init](#constellation-init): Initialize the Constellation cluster - -## constellation config - -Work with the Constellation configuration file - -### Synopsis - -Work with the Constellation configuration file. - -### Options - -``` - -h, --help help for config -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config generate - -Generate a default configuration and state file - -### Synopsis - -Generate a default configuration and state file for your selected cloud provider. - -``` -constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags] -``` - -### Options - -``` - -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. 
If not specified, the default for the cloud provider is used - -h, --help help for generate - -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.29") - -t, --tags strings additional tags for created resources given a list of key=value -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config fetch-measurements - -Fetch measurements for configured cloud provider and image - -### Synopsis - -Fetch measurements for configured cloud provider and image. - -A config needs to be generated first. - -``` -constellation config fetch-measurements [flags] -``` - -### Options - -``` - -h, --help help for fetch-measurements - -s, --signature-url string alternative URL to fetch measurements' signature from - -u, --url string alternative URL to fetch measurements from -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config instance-types - -Print the supported instance types for all cloud providers - -### Synopsis - -Print the supported instance types for all cloud providers. 
- -``` -constellation config instance-types [flags] -``` - -### Options - -``` - -h, --help help for instance-types -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config kubernetes-versions - -Print the Kubernetes versions supported by this CLI - -### Synopsis - -Print the Kubernetes versions supported by this CLI. - -``` -constellation config kubernetes-versions [flags] -``` - -### Options - -``` - -h, --help help for kubernetes-versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config migrate - -Migrate a configuration file to a new version - -### Synopsis - -Migrate a configuration file to a new version. - -``` -constellation config migrate [flags] -``` - -### Options - -``` - -h, --help help for migrate -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation create - -Create instances on a cloud platform for your Constellation cluster - -### Synopsis - -Create instances on a cloud platform for your Constellation cluster. 
- -``` -constellation create [flags] -``` - -### Options - -``` - -h, --help help for create - -y, --yes create the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation apply - -Apply a configuration to a Constellation cluster - -### Synopsis - -Apply a configuration to a Constellation cluster to initialize or upgrade the cluster. - -``` -constellation apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | init | attestationconfig | certsans | helm | image | k8s } - -y, --yes run command without further confirmation - WARNING: the command might delete or update existing resources without additional checks. Please read the docs. - -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini - -Manage MiniConstellation clusters - -### Synopsis - -Manage MiniConstellation clusters. 
- -### Options - -``` - -h, --help help for mini -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini up - -Create and initialize a new MiniConstellation cluster - -### Synopsis - -Create and initialize a new MiniConstellation cluster. - -A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM. - -``` -constellation mini up [flags] -``` - -### Options - -``` - -h, --help help for up - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true) -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini down - -Destroy a MiniConstellation cluster - -### Synopsis - -Destroy a MiniConstellation cluster. - -``` -constellation mini down [flags] -``` - -### Options - -``` - -h, --help help for down - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation status - -Show status of a Constellation cluster - -### Synopsis - -Show the status of a constellation cluster. - -Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades. 
- -``` -constellation status [flags] -``` - -### Options - -``` - -h, --help help for status -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation verify - -Verify the confidential properties of a Constellation cluster - -### Synopsis - -Verify the confidential properties of a Constellation cluster. -If arguments aren't specified, values are read from `constellation-state.yaml`. - -``` -constellation verify [flags] -``` - -### Options - -``` - --cluster-id string expected cluster identifier - -h, --help help for verify - -e, --node-endpoint string endpoint of the node to verify, passed as HOST[:PORT] - -o, --output string print the attestation document in the output format {json|raw} -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade - -Find and apply upgrades to your Constellation cluster - -### Synopsis - -Find and apply upgrades to your Constellation cluster. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade check - -Check for possible upgrades - -### Synopsis - -Check which upgrades can be applied to your Constellation Cluster. 
- -``` -constellation upgrade check [flags] -``` - -### Options - -``` - -h, --help help for check - --ref string the reference to use for querying new versions (default "-") - --stream string the stream to use for querying new versions (default "stable") - -u, --update-config update the specified config file with the suggested versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade apply - -Apply an upgrade to a Constellation cluster - -### Synopsis - -Apply an upgrade to a Constellation cluster by applying the chosen configuration. - -``` -constellation upgrade apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | helm | image | k8s } - -y, --yes run upgrades without further confirmation - WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs. - WARNING: might unintentionally overwrite measurements in the running cluster. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation recover - -Recover a completely stopped Constellation cluster - -### Synopsis - -Recover a Constellation cluster by sending a recovery key to an instance in the boot stage. 
- -This is only required if instances restart without other instances available for bootstrapping. - -``` -constellation recover [flags] -``` - -### Options - -``` - -e, --endpoint string endpoint of the instance, passed as HOST[:PORT] - -h, --help help for recover -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation terminate - -Terminate a Constellation cluster - -### Synopsis - -Terminate a Constellation cluster. - -The cluster can't be started again, and all persistent storage will be lost. - -``` -constellation terminate [flags] -``` - -### Options - -``` - -h, --help help for terminate - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam - -Work with the IAM configuration on your cloud provider - -### Synopsis - -Work with the IAM configuration on your cloud provider. - -### Options - -``` - -h, --help help for iam -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create - -Create IAM configuration on a cloud platform for your Constellation cluster - -### Synopsis - -Create IAM configuration on a cloud platform for your Constellation cluster. 
- -### Options - -``` - -h, --help help for create - --update-config update the config file with the specific IAM information - -y, --yes create the IAM configuration without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create aws - -Create IAM configuration on AWS for your Constellation cluster - -### Synopsis - -Create IAM configuration on AWS for your Constellation cluster. - -``` -constellation iam create aws [flags] -``` - -### Options - -``` - -h, --help help for aws - --prefix string name prefix for all resources (required) - --zone string AWS availability zone the resources will be created in, e.g., us-east-2a (required) - See the Constellation docs for a list of currently supported regions. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create azure - -Create IAM configuration on Microsoft Azure for your Constellation cluster - -### Synopsis - -Create IAM configuration on Microsoft Azure for your Constellation cluster. 
- -``` -constellation iam create azure [flags] -``` - -### Options - -``` - -h, --help help for azure - --region string region the resources will be created in, e.g., westus (required) - --resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required) - --servicePrincipal string name of the service principal that will be created (required) - --subscriptionID string subscription ID of the Azure account. Required if the 'ARM_SUBSCRIPTION_ID' environment variable is not set -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create gcp - -Create IAM configuration on GCP for your Constellation cluster - -### Synopsis - -Create IAM configuration on GCP for your Constellation cluster. - -``` -constellation iam create gcp [flags] -``` - -### Options - -``` - -h, --help help for gcp - --projectID string ID of the GCP project the configuration will be created in (required) - Find it on the welcome screen of your project: https://console.cloud.google.com/welcome - --serviceAccountID string ID for the service account that will be created (required) - Must be 6 to 30 lowercase letters, digits, or hyphens. 
- --zone string GCP zone the cluster will be deployed in (required) - Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam destroy - -Destroy an IAM configuration and delete local Terraform files - -### Synopsis - -Destroy an IAM configuration and delete local Terraform files. - -``` -constellation iam destroy [flags] -``` - -### Options - -``` - -h, --help help for destroy - -y, --yes destroy the IAM configuration without asking for confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade - -Find and apply upgrades to your IAM profile - -### Synopsis - -Find and apply upgrades to your IAM profile. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade apply - -Apply an upgrade to an IAM profile - -### Synopsis - -Apply an upgrade to an IAM profile. 
- -``` -constellation iam upgrade apply [flags] -``` - -### Options - -``` - -h, --help help for apply - -y, --yes run upgrades without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation version - -Display version of this CLI - -### Synopsis - -Display version of this CLI. - -``` -constellation version [flags] -``` - -### Options - -``` - -h, --help help for version -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation init - -Initialize the Constellation cluster - -### Synopsis - -Initialize the Constellation cluster. - -Start your confidential Kubernetes. - -``` -constellation init [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for init - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - diff --git a/docs/versioned_docs/version-2.20/reference/migration.md b/docs/versioned_docs/version-2.20/reference/migration.md deleted file mode 100644 index 0252c409f..000000000 --- a/docs/versioned_docs/version-2.20/reference/migration.md +++ /dev/null 
@@ -1,128 +0,0 @@ -# Migrations - -This document describes breaking changes and migrations between Constellation releases. -Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format. - -## Migrations to v2.19.1 - -### Azure - -* During the upgrade, security rules are migrated and the old ones need to be cleaned up manually by the user. The below script shows how to delete them through the Azure CLI: - -```bash -#!/usr/bin/env bash -name="" # the name provided in the config -uid="" # the cluster id can be retrieved via `yq '.infrastructure.uid' constellation-state.yaml` -resource_group="" # the RG can be retrieved via `yq '.provider.azure.resourceGroup' constellation-conf.yaml` - -rules=( - "kubernetes" - "bootstrapper" - "verify" - "recovery" - "join" - "debugd" - "konnectivity" -) - -for rule in "${rules[@]}"; do - echo "Deleting rule: ${rule}" - az network nsg rule delete \ - --resource-group "${resource_group}" \ - --nsg-name "${name}-${uid}" \ - --name "${rule}" -done - -echo "All specified rules have been deleted." -``` - -## Migrations to v2.19.0 - -### Azure - -* To allow seamless upgrades on Azure when Kubernetes services of type `LoadBalancer` are deployed, the target - load balancer in which the `cloud-controller-manager` creates load balancing rules was changed. Instead of using the load balancer - created and maintained by the CLI's Terraform code, the `cloud-controller-manager` now creates its own load balancer in Azure. - If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them - afterward. - -## Migrating from Azure's service principal authentication to managed identity authentication (during the upgrade to Constellation v2.8.0) - -* The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed. 
-* To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`. -* Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-an-iam-configuration) and use the created UAMI. -* To migrate the authentication for an existing cluster on Azure to an UAMI with the necessary permissions: - 1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret. - 2. Set `useManagedIdentityExtension` to `true` and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`. - 3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods. - -## Migrating from CLI versions before 2.10 - -* AWS cluster upgrades require additional IAM permissions for the newly introduced `aws-load-balancer-controller`. Please upgrade your IAM roles using `iam upgrade apply`. This will show necessary changes and apply them, if desired. -* The global `nodeGroups` field was added. -* The fields `instanceType`, `stateDiskSizeGB`, and `stateDiskType` for each cloud provider are now part of the configuration of individual node groups. -* The `constellation create` command no longer uses the flags `--control-plane-count` and `--worker-count`. Instead, the initial node count is configured per node group in the `nodeGroups` field. - -## Migrating from CLI versions before 2.9 - -* The `provider.azure.appClientID` and `provider.azure.clientSecretValue` fields were removed to enforce migration to managed identity authentication - -## Migrating from CLI versions before 2.8 - -* The `measurements` field for each cloud service provider was replaced with a global `attestation` field. -* The `confidentialVM`, `idKeyDigest`, and `enforceIdKeyDigest` fields for the Azure cloud service provider were removed in favor of using the global `attestation` field. 
-* The optional global field `attestationVariant` was replaced by the now required `attestation` field. - -## Migrating from CLI versions before 2.3 - -* The `sshUsers` field was deprecated in v2.2 and has been removed from the configuration in v2.3. - As an alternative for SSH, check the workflow section [Connect to nodes](../workflows/troubleshooting.md#node-shell-access). -* The `image` field for each cloud service provider has been replaced with a global `image` field. Use the following mapping to migrate your configuration: -
- Show all - - | CSP | old image | new image | - | ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | - | AWS | `ami-06b8cbf4837a0a57c` | `v2.2.2` | - | AWS | `ami-02e96dc04a9e438cd` | `v2.2.2` | - | AWS | `ami-028ead928a9034b2f` | `v2.2.2` | - | AWS | `ami-032ac10dd8d8266e3` | `v2.2.1` | - | AWS | `ami-032e0d57cc4395088` | `v2.2.1` | - | AWS | `ami-053c3e49e19b96bdd` | `v2.2.1` | - | AWS | `ami-0e27ebcefc38f648b` | `v2.2.0` | - | AWS | `ami-098cd37f66523b7c3` | `v2.2.0` | - | AWS | `ami-04a87d302e2509aad` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | 
`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.0.0` | `v2.0.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.0.0` | `v2.0.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-2` | `v2.2.2` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-1` | `v2.2.1` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-0` | `v2.2.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-1-0` | `v2.1.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-0-0` | `v2.0.0` | - -
-* The `enforcedMeasurements` field has been removed and merged with the `measurements` field. - * To migrate your config containing a new image (`v2.3` or greater), remove the old `measurements` and `enforcedMeasurements` entries from your config and run `constellation fetch-measurements` - * To migrate your config containing an image older than `v2.3`, remove the `enforcedMeasurements` entry and replace the entries in `measurements` as shown in the example below: - - ```diff - measurements: - - 0: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + 0: - + expected: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + warnOnly: true - - 8: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + 8: - + expected: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + warnOnly: false - -enforcedMeasurements: - - - 8 - ``` diff --git a/docs/versioned_docs/version-2.20/reference/slsa.md b/docs/versioned_docs/version-2.20/reference/slsa.md deleted file mode 100644 index 21f4e713c..000000000 --- a/docs/versioned_docs/version-2.20/reference/slsa.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Supply chain levels for software artifacts (SLSA) adoption - -[Supply chain Levels for Software Artifacts, or SLSA (salsa)](https://slsa.dev/) is a framework for improving and grading a project's build system and engineering processes. SLSA focuses on security improvements for source code storage as well as build system definition, execution, and observation. SLSA is structured in [four levels](https://slsa.dev/spec/v0.1/levels). This page describes the adoption of SLSA for Constellation. - -:::info -SLSA is still in alpha status. The presented levels and their requirements might change in the future. We will adopt any changes into our engineering processes, as they get defined. -::: - -## Level 1 - Adopted - -**[Build - Scripted](https://slsa.dev/spec/v0.1/requirements#scripted-build)** - -All build steps are automated via [Bazel](https://github.com/edgelesssys/constellation/tree/main/bazel/ci) and [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Available](https://slsa.dev/spec/v0.1/requirements#available)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). - -## Level 2 - Adopted - -**[Source - Version Controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled)** - -Constellation is hosted on GitHub using git. - -**[Build - Build Service](https://slsa.dev/spec/v0.1/requirements#build-service)** - -All builds are carried out by [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated)** - -Provenance for the CLI is signed using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). Learn [how to verify the CLI](../workflows/verify-cli.md) using the signed provenance, before using it for the first time. 
- -**[Provenance - Service Generated](https://slsa.dev/spec/v0.1/requirements#service-generated)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) in GitHub Actions. - -## Level 3 - Adopted - -**[Source - Verified History](https://slsa.dev/spec/v0.1/requirements#verified-history)** - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization [requires two-factor authentication](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) for all members. - -**[Source - Retained Indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely)** - -Since we use GitHub to host the repository, an external person can't modify or delete the history. Before a pull request can be merged, an explicit approval from an [Edgeless Systems](https://github.com/edgelesssys) team member is required. - -The same holds true for changes proposed by team members. Each change to `main` needs to be proposed via a pull request and requires at least one approval. - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization admins control these settings and are able to make changes to the repository's history should legal requirements necessitate it. These changes require two-party approval following the obliterate policy. - -**[Build - Build as Code](https://slsa.dev/spec/v0.1/requirements#build-as-code)** - -All build files for Constellation are stored in [the same repository](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Build - Ephemeral Environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment)** - -All GitHub Action workflows are executed on [GitHub-hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners). 
These runners are only available during workflow. - -We currently don't use [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). - -**[Build - Isolated](https://slsa.dev/spec/v0.1/requirements#isolated)** - -As outlined in the previous section, we use GitHub-hosted runners, which provide a new, isolated and ephemeral environment for each build. - -Additionally, the [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator#generation-of-provenance) itself is run in an isolated workflow with the artifact hash as defined inputs. - -**[Provenance - Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable)** - -As outlined by [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator) it already fulfills the non-falsifiable requirements for SLSA Level 3. The generated provenance is signed using [sigstore](https://sigstore.dev/) with an OIDC based proof of identity. - -## Level 4 - In Progress - -We strive to adopt certain aspect of SLSA Level 4 that support our engineering process. At the same time, SLSA is still in alpha status and the biggest changes to SLSA are expected to be around Level 4. diff --git a/docs/versioned_docs/version-2.20/reference/terraform.md b/docs/versioned_docs/version-2.20/reference/terraform.md deleted file mode 100644 index 9825a8bb8..000000000 --- a/docs/versioned_docs/version-2.20/reference/terraform.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Terraform usage - -[Terraform](https://www.terraform.io/) is an Infrastructure as Code (IaC) framework to manage cloud resources. This page explains how Constellation uses it internally and how advanced users may manually use it to have more control over the resource creation. - -:::info -Information on this page is intended for users who are familiar with Terraform. -It's not required for common usage of Constellation. -See the [Terraform documentation](https://developer.hashicorp.com/terraform/docs) if you want to learn more about it. -::: - -## Terraform state files - -Constellation keeps Terraform state files in subdirectories of the workspace together with the corresponding Terraform configuration files and metadata. -The subdirectories are created on the first Constellation CLI action that uses Terraform internally. - -Currently, these subdirectories are: - -* `constellation-terraform` - Terraform state files for the resources of the Constellation cluster -* `constellation-iam-terraform` - Terraform state files for IAM configuration - -As with all commands, commands that work with these files (e.g., `apply`, `terminate`, `iam`) have to be executed from the root of the cluster's [workspace directory](../architecture/orchestration.md#workspaces). You usually don't need and shouldn't manipulate or delete the subdirectories manually. - -## Interacting with Terraform manually - -Manual interaction with Terraform state created by Constellation (i.e., via the Terraform CLI) should only be performed by experienced users. It may lead to unrecoverable loss of cloud resources. For the majority of users and use cases, the interaction done by the [Constellation CLI](cli.md) is sufficient. - -## Terraform debugging - -To debug Terraform issues, the Constellation CLI offers the `tf-log` flag. 
You can set it to any of [Terraform's log levels](https://developer.hashicorp.com/terraform/internals/debugging): -* `JSON` (JSON-formatted logs at `TRACE` level) -* `TRACE` -* `DEBUG` -* `INFO` -* `WARN` -* `ERROR` - -The log output is written to the `terraform.log` file in the workspace directory. The output is appended to the file on each run. diff --git a/docs/versioned_docs/version-2.20/workflows/cert-manager.md b/docs/versioned_docs/version-2.20/workflows/cert-manager.md deleted file mode 100644 index 1d847e8bf..000000000 --- a/docs/versioned_docs/version-2.20/workflows/cert-manager.md +++ /dev/null @@ -1,13 +0,0 @@ -# Install cert-manager - -:::caution -If you want to use cert-manager with Constellation, pay attention to the following to avoid potential pitfalls. -::: - -Constellation ships with cert-manager preinstalled. -The default installation is part of the `kube-system` namespace, as all other Constellation-managed microservices. -You are free to install more instances of cert-manager into other namespaces. -However, be aware that any new installation needs to use the same version as the one installed with Constellation or rely on the same CRD versions. -Also remember to set the `installCRDs` value to `false` when installing new cert-manager instances. -It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs. -CRDs are cluster-wide resources and cert-manager depends on specific versions of those CRDs for each release. diff --git a/docs/versioned_docs/version-2.20/workflows/config.md b/docs/versioned_docs/version-2.20/workflows/config.md deleted file mode 100644 index a8a52980e..000000000 --- a/docs/versioned_docs/version-2.20/workflows/config.md +++ /dev/null 
@@ -1,353 +0,0 @@ -# Configure your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Before you can create your cluster, you need to configure the identity and access management (IAM) for your cloud service provider (CSP) and choose machine types for the nodes. - -## Creating the configuration file - -You can generate a configuration file for your CSP by using the following CLI command: - - - - -```bash -constellation config generate aws -``` - - - - -```bash -constellation config generate azure -``` - - - - -```bash -constellation config generate gcp -``` - - - - -```bash -constellation config generate stackit -``` - - - - -This creates the file `constellation-conf.yaml` in the current directory. - -## Choosing a VM type - -Constellation supports the following VM types: - - - -By default, Constellation uses `m6a.xlarge` VMs (4 vCPUs, 16 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. -If you are using the default attestation variant `awsSEVSNP`, you can use the instance types described in [AWS's AMD SEV-SNP docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). -Please mind the region restrictions mentioned in the [Getting started](../getting-started/first-steps.md#create-a-cluster) section. - -If you are using the attestation variant `awsNitroTPM`, you can choose any of the [nitroTPM-enabled instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -By default, Constellation uses `Standard_DC4as_v5` CVMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. 
For CVMs, any VM type with a minimum of 4 vCPUs from the [DCasv5 & DCadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series) or [ECasv5 & ECadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/ecasv5-ecadsv5-series) families is supported. - -You can also run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `n2d-standard-4` VMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. Supported are all machines with a minimum of 4 vCPUs from the [C2D](https://cloud.google.com/compute/docs/compute-optimized-machines#c2d_machine_types) or [N2D](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) family. You can run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `m1a.4cd` VMs (4 vCPUs, 30 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. - -The following instance types are known to be supported: - -| name | vCPUs | GB RAM | -|----------|-------|--------| -| m1a.4cd | 4 | 30 | -| m1a.8cd | 8 | 60 | -| m1a.16cd | 16 | 120 | -| m1a.30cd | 30 | 230 | - -You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -Fill the desired VM type into the `instanceType` fields in the `constellation-conf.yml` file. - -## Creating additional node groups - -By default, Constellation creates the node groups `control_plane_default` and `worker_default` for control-plane nodes and workers, respectively. 
-If you require additional control-plane or worker groups with different instance types, zone placements, or disk sizes, you can add additional node groups to the `constellation-conf.yml` file. -Each node group can be scaled individually. - -Consider the following example for AWS: - -```yaml -nodeGroups: - control_plane_default: - role: control-plane - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 3 - worker_default: - role: worker - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 2 - high_cpu: - role: worker - instanceType: c6a.24xlarge - stateDiskSizeGB: 128 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 1 -``` - -This configuration creates an additional node group `high_cpu` with a larger instance type and disk. - -You can use the field `zone` to specify what availability zone nodes of the group are placed in. -On Azure, this field is empty by default and nodes are automatically spread across availability zones. -STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones. -Consult the documentation of your cloud provider for more information: - -* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) -* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones) -* [GCP](https://cloud.google.com/compute/docs/regions-zones) -* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html) - -## Choosing a Kubernetes version - -To learn which Kubernetes versions can be installed with your current CLI, you can run `constellation config kubernetes-versions`. -See also Constellation's [Kubernetes support policy](../architecture/versions.md#kubernetes-support-policy). - -## Creating an IAM configuration - -You can create an IAM configuration for your cluster automatically using the `constellation iam create` command. 
-If you already have a Constellation configuration file, you can add the `--update-config` flag to the command. This writes the needed IAM fields into your configuration. Furthermore, the flag updates the zone/region of the configuration if it hasn't been set yet. - - - - -You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create aws --zone=us-east-2a --prefix=constellTest -``` - -This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. - -Constellation OS images are currently replicated to the following regions: - -* `eu-central-1` -* `eu-west-1` -* `eu-west-3` -* `us-east-2` -* `ap-south-1` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - -You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest -``` - -This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. 
- -CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - -* `germanywestcentral` -* `westus` -* `eastus` -* `northeurope` -* `westeurope` -* `southeastasia` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). - -You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test -``` - -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. - -Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - - -
-Alternatively, you can manually create the IAM configuration on your CSP. - -The following describes the configuration fields and how you obtain the required information or create the required resources. - - - - -* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`. - - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -* **zone**: The name of your chosen AWS data center availability zone, e.g., `us-east-2a`. - - Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones). - -* **iamProfileControlPlane**: The name of an IAM instance profile attached to all control-plane nodes. - - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`. - -* **iamProfileWorkerNodes**: The name of an IAM instance profile attached to all worker nodes. 
- - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`. - - - - -* **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`. - - You can view your subscription UUID via `az account show` and read the `id` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription). - -* **tenant**: The UUID of your Azure tenant, e.g., `3400e5a2-8fe2-492a-886c-38cb66170f25`. - - You can view your tenant UUID via `az account show` and read the `tenant` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant). - -* **location**: The Azure datacenter location you want to deploy your cluster in, e.g., `westus`. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -* **resourceGroup**: [Create a new resource group in Azure](https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal) for your Constellation cluster. Set this configuration field to the name of the created resource group. - -* **userAssignedIdentity**: [Create a new managed identity in Azure](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination. - - Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor`, and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group. - - Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity. - - The user-assigned identity is used by instances of the cluster to access other cloud resources. - For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). - - - - -* **project**: The ID of your GCP project, e.g., `constellation-129857`. - - You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). 
- -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. - - You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. - - You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **serviceAccountKeyPath**: To configure this, you need to create a GCP [service account](https://cloud.google.com/iam/docs/service-accounts) with the following permissions: - - * `Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)` - * `Compute Network Admin (roles/compute.networkAdmin)` - * `Compute Security Admin (roles/compute.securityAdmin)` - * `Compute Storage Admin (roles/compute.storageAdmin)` - * `Service Account User (roles/iam.serviceAccountUser)` - - Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - -
- -Now that you've configured your CSP, you can [create your cluster](./create.md). - -## Deleting an IAM configuration - -You can keep a created IAM configuration and reuse it for new clusters. Alternatively, you can also delete it if you don't want to use it anymore. - -Delete the IAM configuration by executing the following command in the same directory where you executed `constellation iam create` (the directory that contains [`constellation-iam-terraform`](../reference/terraform.md) as a subdirectory): - -```bash -constellation iam destroy -``` - -:::caution -For Azure, deleting the IAM configuration by executing `constellation iam destroy` will delete the whole resource group created by `constellation iam create`. -This also includes any additional resources in the resource group that weren't created by Constellation. -::: diff --git a/docs/versioned_docs/version-2.20/workflows/create.md b/docs/versioned_docs/version-2.20/workflows/create.md deleted file mode 100644 index 6074ebb16..000000000 --- a/docs/versioned_docs/version-2.20/workflows/create.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# Create your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Creating your cluster happens through multiple phases. -The most significant ones are: - -1. Creating the necessary resources in your cloud environment -2. Bootstrapping the Constellation cluster and setting up a connection -3. Installing the necessary Kubernetes components - -`constellation apply` handles all this in a single command. -You can use the `--skip-phases` flag to skip specific phases of the process. -For example, if you created the infrastructure manually, you can skip the cloud resource creation phase. - -See the [architecture](../architecture/orchestration.md) section for details on the inner workings of this process. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -Before you create the cluster, make sure to have a [valid configuration file](./config.md). - - - - -```bash -constellation apply -``` - -`apply` stores the state of your cluster's cloud resources in a [`constellation-terraform`](../architecture/orchestration.md#cluster-creation-process) directory in your workspace. - - - - -Self-managed infrastructure allows for more flexibility in the setup, by separating the infrastructure setup from the Constellation cluster management. -This provides flexibility in DevOps and can meet potential regulatory requirements. -It's recommended to use Terraform for infrastructure management, but you can use any tool of your choice. - -:::info - - When using Terraform, you can use the [Constellation Terraform provider](./terraform-provider.md) to manage the entire Constellation cluster lifecycle. 
- -::: - -You can refer to the Terraform files for the selected CSP from the [Constellation GitHub repository](https://github.com/edgelesssys/constellation/tree/main/terraform/infrastructure) for a minimum Constellation cluster configuration. From this base, you can now add, edit, or substitute resources per your own requirements with the infrastructure -management tooling of your choice. You need to keep the essential functionality of the base configuration in order for your cluster to function correctly. - - - -:::info - - On Azure, a manual update to the MAA provider's policy is necessary. - You can apply the update with the following command after creating the infrastructure, with `` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration). - - ```bash - constellation maa-patch - ``` - -::: - - - -Make sure all necessary resources are created, e.g., through checking your CSP's portal and retrieve the necessary values, aligned with the outputs (specified in `outputs.tf`) of the base configuration. - -Fill these outputs into the corresponding fields of the `Infrastructure` block inside the `constellation-state.yaml` file. For example, fill the IP or DNS name your cluster can be reached at into the `.Infrastructure.ClusterEndpoint` field. - -With the required cloud resources set up, continue with initializing your cluster. - -```bash -constellation apply --skip-phases=infrastructure -``` - - - - -Finally, configure `kubectl` for your cluster: - -```bash -export KUBECONFIG="$PWD/constellation-admin.conf" -``` - -🏁 That's it. You've successfully created a Constellation cluster. - -### Troubleshooting - -In case `apply` fails, the CLI collects logs from the bootstrapping instance and stores them inside `constellation-cluster.log`. 
diff --git a/docs/versioned_docs/version-2.20/workflows/lb.md b/docs/versioned_docs/version-2.20/workflows/lb.md
deleted file mode 100644
index 868e61076..000000000
--- a/docs/versioned_docs/version-2.20/workflows/lb.md
+++ /dev/null
@@ -1,28 +0,0 @@ -# Expose a service - -Constellation integrates the native load balancers of each CSP. Therefore, to expose a service simply [create a service of type `LoadBalancer`](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). - -## Internet-facing LB service on AWS - -To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS. - -Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/). - -For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html). - -:::caution -Before terminating the cluster, all LB backed services should be deleted, so that the controller can cleanup the related resources. -::: - -## Ingress on AWS - -The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`. -AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type). -The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation. -If a service can be exposed on a `NodePort`, the target type `instance` can be used. - -See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information. 
- -:::caution -Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they shouldn't be handling sensitive traffic! -::: diff --git a/docs/versioned_docs/version-2.20/workflows/recovery.md b/docs/versioned_docs/version-2.20/workflows/recovery.md deleted file mode 100644 index 592ae247b..000000000 --- a/docs/versioned_docs/version-2.20/workflows/recovery.md +++ /dev/null 
@@ -1,179 +0,0 @@ -# Recover your cluster - -Recovery of a Constellation cluster means getting it back into a healthy state after too many concurrent node failures in the control plane. -Reasons for an unhealthy cluster can vary from a power outage, or planned reboot, to migration of nodes and regions. -Recovery events are rare, because Constellation is built for high availability and automatically and securely replaces failed nodes. When a node is replaced, Constellation's control plane first verifies the new node before it sends the node the cryptographic keys required to decrypt its [state disk](../architecture/images.md#state-disk). - -Constellation provides a recovery mechanism for cases where the control plane has failed and is unable to replace nodes. -The `constellation recover` command securely connects to all nodes in need of recovery using [attested TLS](../architecture/attestation.md#attested-tls-atls) and provides them with the keys to decrypt their state disks and continue booting. - -## Identify unhealthy clusters - -The first step to recovery is identifying when a cluster becomes unhealthy. -Usually, this can be first observed when the Kubernetes API server becomes unresponsive. - -You can check the health status of the nodes via the cloud service provider (CSP). -Constellation provides logging information on the boot process and status via serial console output. -In the following, you'll find detailed descriptions for identifying clusters stuck in recovery for each CSP. - - - - -First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `--control-plane` and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -In the Azure portal, find the cluster's resource group. -Inside the resource group, open the control plane *Virtual machine scale set* `constellation-scale-set-controlplanes-`. -On the left, go to **Settings** > **Instances** and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. -In the scale set's *Instances* view, open the details page of the desired instance. -On the left, go to **Support + troubleshooting** > **Serial console**. - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T09:56:41Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"azure"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["10.9.0.5:30090","10.9.0.6:30090"]} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.5:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.5:30090: i/o timeout\"","endpoint":"10.9.0.5:30090"} -{"level":"INFO","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.6:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.6:30090: i/o timeout\"","endpoint":"10.9.0.6:30090"} -{"level":"ERROR","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, check that the control plane *Instance Group* has enough members in a *Ready* state. -In the GCP Console, go to **Instance Groups** and check the group for the cluster's control plane `-control-plane-`. - -Second, check the status of the *VM Instances*. -Go to **VM Instances** and open the details of the desired instance. 
-Check the serial console output of that instance by opening the **Logs** > **Serial port 1 (console)** page: - -![GCP portal serial console link](../_media/recovery-gcp-serial-console-link.png) - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} -{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `--control-plane--` and check that enough members are in a *Running* state. - -Second, check the boot logs of these servers. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -## Recover a cluster - -Recovering a cluster requires the following parameters: - -* The `constellation-state.yaml` file in your working directory or the cluster's endpoint -* The master secret of the cluster - -A cluster can be recovered like this: - -```bash -$ constellation recover -Pushed recovery key. -Pushed recovery key. -Pushed recovery key. -Recovered 3 control-plane nodes. -``` - -In the serial console output of the node you'll see a similar output to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:93","msg":"Received recover call"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:125","msg":"Received state disk key and measurement secret, shutting down server"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer.gRPC","caller":"zap/server_interceptors.go:61","msg":"finished streaming call with code OK","grpc.start_time":"2022-09-08T10:26:59Z","system":"grpc","span.kind":"server","grpc.service":"recoverproto.API","grpc.method":"Recover","peer.address":"192.0.2.3:41752","grpc.code":"OK","grpc.time_ms":15.701} -{"level":"INFO","ts":"2022-09-08T10:27:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:87","msg":"RejoinClient stopped"} -``` 
diff --git a/docs/versioned_docs/version-2.20/workflows/reproducible-builds.md b/docs/versioned_docs/version-2.20/workflows/reproducible-builds.md
deleted file mode 100644
index e3bc46095..000000000
--- a/docs/versioned_docs/version-2.20/workflows/reproducible-builds.md
+++ /dev/null
@@ -1,63 +0,0 @@ -# Reproduce released artifacts - -Constellation has first-class support for [reproducible builds](https://reproducible-builds.org). -Reproducing the released artifacts is an alternative to [signature verification](verify-cli.md) that doesn't require trusting Edgeless Systems' release process. -The following sections describe how to rebuild an artifact and how Constellation ensures that the rebuild reproduces the artifacts bit-by-bit. - -## Build environment prerequisites - -The build systems used by Constellation - [Bazel](https://bazel.build/) and [Nix](https://nixos.org) - are designed for deterministic, reproducible builds. -These two dependencies should be the only prerequisites for a successful build. -However, it can't be ruled out completely that peculiarities of the host affect the build result. -Thus, we recommend the following host setup for best results: - -1. A Linux operating system not older than v5.4. -2. The GNU C library not older than v2.31 (avoid `musl`). -3. GNU `coreutils` not older than v8.30 (avoid `busybox`). -4. An `ext4` filesystem for building. -5. AppArmor turned off. - -This is given, for example, on an Ubuntu 22.04 system, which is also used for reproducibility tests. - -:::note - -To avoid any backwards-compatibility issues, the host software versions should also not be much newer than the Constellation release. - -::: - -## Run the build - -The following instructions outline qualitatively how to reproduce a build. -Constellation implements these instructions in the [Reproducible Builds workflow](https://github.com/edgelesssys/constellation/actions/workflows/reproducible-builds.yml), which continuously tests for reproducibility. -The workflow is a good place to look up specific version numbers and build steps. - -1. Check out the Constellation repository at the tag corresponding to the release. 
- - ```bash - git clone https://github.com/edgelesssys/constellation.git - cd constellation - git checkout v2.20.0 - ``` - -2. [Install the Bazel release](https://bazel.build/install) specified in `.bazelversion`. -3. [Install Nix](https://nixos.org/download/) (any recent version should do). -4. Run the build with `bazel build $target` for one of the following targets of interest: - - ```data - //cli:cli_enterprise_darwin_amd64 - //cli:cli_enterprise_darwin_arm64 - //cli:cli_enterprise_linux_amd64 - //cli:cli_enterprise_linux_arm64 - //cli:cli_enterprise_windows_amd64 - ``` - -5. Compare the build result with the downloaded release artifact. - - - -## Feedback - -Reproduction failures often indicate a bug in the build system or in the build definitions. -Therefore, we're interested in any reproducibility issues you might encounter. -[Start a bug report](https://github.com/edgelesssys/constellation/issues/new/choose) and describe the details of your build environment. -Make sure to include your result binary or a [`diffoscope`](https://diffoscope.org/) report, if possible. diff --git a/docs/versioned_docs/version-2.20/workflows/s3proxy.md b/docs/versioned_docs/version-2.20/workflows/s3proxy.md deleted file mode 100644 index 121e8a461..000000000 --- a/docs/versioned_docs/version-2.20/workflows/s3proxy.md +++ /dev/null 
@@ -1,58 +0,0 @@ -# Install s3proxy - -Constellation includes a transparent client-side encryption proxy for [AWS S3](https://aws.amazon.com/de/s3/) and compatible stores. -s3proxy encrypts objects before sending them to S3 and automatically decrypts them on retrieval, without requiring changes to your application. -With s3proxy, you can use S3 for storage in a confidential way without having to trust the storage provider. - -## Limitations - -Currently, s3proxy has the following limitations: -- Only `PutObject` and `GetObject` requests are encrypted/decrypted by s3proxy. -By default, s3proxy will block requests that may expose unencrypted data to S3 (e.g. UploadPart). -The `allow-multipart` flag disables request blocking for evaluation purposes. -- Using the [Range](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html#API_GetObject_RequestSyntax) header on `GetObject` is currently not supported and will result in an error. - -These limitations will be removed with future iterations of s3proxy. -If you want to use s3proxy but these limitations stop you from doing so, consider [opening an issue](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&projects=&template=feature_request.yml). - -## Deployment - -You can add the s3proxy to your Constellation cluster as follows: -1. Add the Edgeless Systems chart repository: - ```bash - helm repo add edgeless https://helm.edgeless.systems/stable - helm repo update - ``` -2. Set ACCESS_KEY and ACCESS_SECRET to valid credentials you want s3proxy to use to interact with S3. -3. Deploy s3proxy: - ```bash - helm install s3proxy edgeless/s3proxy --set awsAccessKeyID="$ACCESS_KEY" --set awsSecretAccessKey="$ACCESS_SECRET" - ``` - -If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example. 
- - -## Technical details - -### Encryption - -s3proxy relies on Google's [Tink Cryptographic Library](https://developers.google.com/tink) to implement cryptographic operations securely. -The used cryptographic primitives are [NIST SP 800 38f](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf) for key wrapping and [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)-[GCM](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Galois/counter_(GCM)) with 256 bit keys for data encryption. - -s3proxy uses [envelope encryption](https://cloud.google.com/kms/docs/envelope-encryption) to encrypt objects. -This means s3proxy uses a key encryption key (KEK) issued by the [KeyService](../architecture/microservices.md#keyservice) to encrypt data encryption keys (DEKs). -Each S3 object is encrypted with its own DEK. -The encrypted DEK is then saved as metadata of the encrypted object. -This enables key rotation of the KEK without re-encrypting the data in S3. -The approach also allows access to objects from different locations, as long as each location has access to the KEK. - -### Traffic interception - -To use s3proxy, you have to redirect your outbound S3 traffic to s3proxy. -This can either be done by modifying your client application or by changing the deployment of your application. - -The necessary deployment modifications are to add DNS redirection and a trusted TLS certificate to the client's trust store. -DNS redirection can be defined for each pod, allowing you to use s3proxy for one application without changing other applications in the same cluster. -Adding a trusted TLS certificate is necessary as clients communicate with s3proxy via HTTPS. -To have your client application trust s3proxy's TLS certificate, the certificate has to be added to the client's certificate trust store. -The [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example shows how to do this. 
diff --git a/docs/versioned_docs/version-2.20/workflows/sbom.md b/docs/versioned_docs/version-2.20/workflows/sbom.md
deleted file mode 100644
index 6c1702dee..000000000
--- a/docs/versioned_docs/version-2.20/workflows/sbom.md
+++ /dev/null
@@ -1,93 +0,0 @@ -# Consume software bill of materials (SBOMs) - - - ---- - -Constellation builds produce a [software bill of materials (SBOM)](https://www.ntia.gov/SBOM) for each generated [artifact](../architecture/microservices.md). -You can use SBOMs to make informed decisions about dependencies and vulnerabilities in a given application. Enterprises rely on SBOMs to maintain an inventory of used applications, which allows them to take data-driven approaches to managing risks related to vulnerabilities. - -SBOMs for Constellation are generated using [Syft](https://github.com/anchore/syft), signed using [Cosign](https://github.com/sigstore/cosign), and stored with the produced artifact. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). - -Make sure the key is available in a file named `cosign.pub` to execute the following examples. -::: - -## Verify and download SBOMs - -The following sections detail how to work with each type of artifact to verify and extract the SBOM. - -### Constellation CLI - -The SBOM for Constellation CLI is made available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). The SBOM (`constellation.spdx.sbom`) and corresponding signature (`constellation.spdx.sbom.sig`) are valid for each Constellation CLI for a given version, regardless of architecture and operating system. 
- -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom.sig -cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig constellation.spdx.sbom -``` - -### Container Images - -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/cosign/signing/other_types/#sboms-software-bill-of-materials) and uploaded to the same registry. - -As a consumer, use cosign to download and verify the SBOM: - -```bash -# Verify and download the attestation statement -cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.att.json -# Extract SBOM from attestation statement -jq -r .payload verification-service.att.json | base64 -d > verification-service.cyclonedx.sbom -``` - -A successful verification should result in similar output: - -```shell-session -$ cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.sbom - -Verification for ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 -- -The following checks were performed on each of these signatures: - - The cosign claims were validated - - The signatures were verified against the specified public key -$ jq -r .payload verification-service.sbom | base64 -d > verification-service.cyclonedx.sbom -``` - -:::note - -This example considers only the `verification-service`. The same approach works for all containers in the [Constellation container registry](https://github.com/orgs/edgelesssys/packages?repo_name=constellation). - -::: - - - -## Vulnerability scanning - -You can use a plethora of tools to consume SBOMs. 
This section provides suggestions for tools that are popular and known to produce reliable results, but any tool that consumes [SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) files should work. - -Syft is able to [convert between the two formats](https://github.com/anchore/syft#format-conversion-experimental) in case you require a specific type. - -### Grype - -[Grype](https://github.com/anchore/grype) is a CLI tool that lends itself well for integration into CI/CD systems or local developer machines. It's also able to consume the signed attestation statement directly and does the verification in one go. - -```bash -grype att:verification-service.sbom --key cosign.pub --add-cpes-if-none -q -``` - -### Dependency Track - -[Dependency Track](https://dependencytrack.org/) is one of the oldest and most mature solutions when it comes to managing software inventory and vulnerabilities. Once imported, it continuously scans SBOMs for new vulnerabilities. It supports the CycloneDX format and provides direct guidance on how to comply with [U.S. Executive Order 14028](https://docs.dependencytrack.org/usage/executive-order-14028/). diff --git a/docs/versioned_docs/version-2.20/workflows/scale.md b/docs/versioned_docs/version-2.20/workflows/scale.md deleted file mode 100644 index 28f19e3f1..000000000 --- a/docs/versioned_docs/version-2.20/workflows/scale.md +++ /dev/null 
@@ -1,122 +0,0 @@ -# Scale your cluster - -Constellation provides all features of a Kubernetes cluster including scaling and autoscaling. - -## Worker node scaling - -### Autoscaling - -Constellation comes with autoscaling disabled by default. To enable autoscaling, find the scaling group of -worker nodes: - -```bash -kubectl get scalinggroups -o json | yq '.items | .[] | select(.spec.role == "Worker") | [{"name": .metadata.name, "nodeGoupName": .spec.nodeGroupName}]' -``` - -This will output a list of scaling groups with the corresponding cloud provider name (`name`) and the cloud provider agnostic name of the node group (`nodeGroupName`). - -Then, patch the `autoscaling` field of the scaling group resource with the desired `name` to `true`: - -```bash -# Replace with the name of the scaling group you want to enable autoscaling for -worker_group= -kubectl patch scalinggroups $worker_group --patch '{"spec":{"autoscaling": true}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler now automatically provisions additional worker nodes so that all pods have a place to run. -You can configure the minimum and maximum number of worker nodes in the scaling group by patching the `min` or -`max` fields of the scaling group resource: - -```bash -kubectl patch scalinggroups $worker_group --patch '{"spec":{"max": 5}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler will now never provision more than 5 worker nodes. - -If you want to see the autoscaling in action, try to add a deployment with a lot of replicas, like the -following Nginx deployment. The number of replicas needed to trigger the autoscaling depends on the size of -and count of your worker nodes. 
Wait for the rollout of the deployment to finish and compare the number of -worker nodes before and after the deployment: - -```bash -kubectl create deployment nginx --image=nginx --replicas 150 -kubectl -n kube-system get nodes -kubectl rollout status deployment nginx -kubectl -n kube-system get nodes -``` - -### Manual scaling - -Alternatively, you can manually scale your cluster up or down: - - - - -1. Go to Auto Scaling Groups and select the worker ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-workers`. -3. Go to **settings** and **scaling**. -4. Set the new **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **worker** instance group. -3. Set the new **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. - - - - -## Control-plane node scaling - -Control-plane nodes can **only be scaled manually and only scaled up**! - -To increase the number of control-plane nodes, follow these steps: - - - - -1. Go to Auto Scaling Groups and select the control-plane ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-controlplanes`. -3. Go to **settings** and **scaling**. -4. Set the new (increased) **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **control-plane** instance group. -3. Set the new (increased) **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. 
-
-
-
-
-If you scale down the number of control-planes nodes, the removed nodes won't be able to exit the `etcd` cluster correctly. This will endanger the quorum that's required to run a stable Kubernetes control plane.
diff --git a/docs/versioned_docs/version-2.20/workflows/storage.md b/docs/versioned_docs/version-2.20/workflows/storage.md
deleted file mode 100644
index a5c52be90..000000000
--- a/docs/versioned_docs/version-2.20/workflows/storage.md
+++ /dev/null
@@ -1,281 +0,0 @@ -# Use persistent storage - -Persistent storage in Kubernetes requires cloud-specific configuration. -For abstraction of container storage, Kubernetes offers [volumes](https://kubernetes.io/docs/concepts/storage/volumes/), -allowing users to mount storage solutions directly into containers. -The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes. -Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage. - -## Confidential storage - -Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek). -Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT. -However, their encryption takes place in the storage backend and is managed by the CSP. -Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data. - -To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage. - -For more details see [encrypted persistent storage](../architecture/encrypted-storage.md). - -## CSI drivers - -Constellation supports the following drivers, which offer node-level encryption and optional integrity protection. - - - - -**Constellation CSI driver for AWS Elastic Block Store** -Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster. 
-Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information.
-
-
-
-
-**Constellation CSI driver for Azure Disk**:
-Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster.
-See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information.
-Since Azure Disks are mounted as `ReadWriteOnce`, they're only available to a single pod.
-
-
-
-
-**Constellation CSI driver for GCP Persistent Disk**:
-Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster.
-Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for more information.
-
-
-
-
-**Constellation CSI driver for STACKIT / OpenStack Cinder**
-Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster.
-Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information.
-
-
-
-
-Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [AWS EFS](https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html), [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction), or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box.
Constellation is just not providing transparent encryption on the node level for these storage types yet. - -## Installation - -The Constellation CLI automatically installs Constellation's CSI driver for the selected CSP in your cluster. -If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file. - - - - -AWS comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -Azure comes with two storage classes by default. 
- -* `encrypted-rwo` - * Uses [Standard SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [Premium SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#premium-ssds) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -GCP comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [standard persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [performance (SSD) persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. 
-If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -STACKIT comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -1. 
Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) - - A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. - It can refer to a storage class. - The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class: - - ```bash - cat < - ---- - -You can terminate your cluster using the CLI. For this, you need the Terraform state directory named [`constellation-terraform`](../reference/terraform.md) in the current directory. - -:::danger - -All ephemeral storage and state of your cluster will be lost. Make sure any data is safely stored in persistent storage. Constellation can recreate your cluster and the associated encryption keys, but won't backup your application data automatically. - -::: - - - -Terminate the cluster by running: - -```bash -constellation terminate -``` - -Or without confirmation (e.g., for automation purposes): - -```bash -constellation terminate --yes -``` - -This deletes all resources created by Constellation in your cloud environment. -All local files created by the `apply` command are deleted as well, except for `constellation-mastersecret.json` and the configuration file. - -:::caution - -Termination can fail if additional resources have been created that depend on the ones managed by Constellation. In this case, you need to delete these additional -resources manually. Just run the `terminate` command again afterward to continue the termination process of the cluster. - -::: - - - -Terminate the cluster by running: - -```bash -terraform destroy -``` - -Delete all files that are no longer needed: - -```bash -rm constellation-state.yaml constellation-admin.conf -``` - -Only the `constellation-mastersecret.json` and the configuration file remain. - - - 
diff --git a/docs/versioned_docs/version-2.20/workflows/terraform-provider.md b/docs/versioned_docs/version-2.20/workflows/terraform-provider.md
deleted file mode 100644
index c7a795d3f..000000000
--- a/docs/versioned_docs/version-2.20/workflows/terraform-provider.md
+++ /dev/null
@@ -1,140 +0,0 @@ -# Use the Terraform provider - -The Constellation Terraform provider allows to manage the full lifecycle of a Constellation cluster (namely creation, upgrades, and deletion) via Terraform. -The provider is available through the [Terraform registry](https://registry.terraform.io/providers/edgelesssys/constellation/latest) and is released in lock-step with Constellation releases. - -## Prerequisites - -- a Linux / Mac operating system (ARM64/AMD64) -- a Terraform installation of version `v1.4.4` or above - -## Quick setup - -This example shows how to set up a Constellation cluster with the reference IAM and infrastructure setup. This setup is also used when creating a Constellation cluster through the Constellation CLI. You can either consume the IAM / infrastructure modules through a remote source (recommended) or local files. The latter requires downloading the infrastructure and IAM modules for the corresponding CSP from `terraform-modules.zip` on the [Constellation release page](https://github.com/edgelesssys/constellation/releases/latest) and placing them in the Terraform workspace directory. - -1. Create a directory (workspace) for your Constellation cluster. - - ```bash - mkdir constellation-workspace - cd constellation-workspace - ``` - -2. Use one of the [example configurations for using the Constellation Terraform provider](https://github.com/edgelesssys/constellation/tree/main/terraform-provider-constellation/examples/full) or create a `main.tf` file and fill it with the resources you want to create. The [Constellation Terraform provider documentation](https://registry.terraform.io/providers/edgelesssys/constellation/latest) offers thorough documentation on the resources and their attributes. -3. Initialize and apply the Terraform configuration. - - - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -:::info -On SEV-SNP, you need to manually patch the policy of the MAA provider before creating the Constellation cluster, as this feature isn't available in Azure's Terraform provider yet. The Constellation CLI provides a utility for patching, but you can also do it manually. - - ```bash - terraform init - terraform apply -target module.azure_iam # adjust resource path if not using the example configuration - terraform apply -target module.azure_infrastructure # adjust resource path if not using the example configuration - constellation maa-patch $(terraform output -raw maa_url) # adjust output path / input if not using the example configuration or manually patch the resource - terraform apply -target constellation_cluster.azure_example # adjust resource path if not using the example configuration - ``` - - Use the following policy if manually performing the patch. - - ``` - version= 1.0; - authorizationrules - { - [type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny(); - [type=="x-ms-azurevm-debuggersdisabled", value==false] => deny(); - // The line below was edited to use the MAA provider within Constellation. Do not edit manually. - //[type=="secureboot", value==false] => deny(); - [type=="x-ms-azurevm-signingdisabled", value==false] => deny(); - [type=="x-ms-azurevm-dbvalidated", value==false] => deny(); - [type=="x-ms-azurevm-dbxvalidated", value==false] => deny(); - => permit(); - }; - issuancerules - { - }; - ``` - -::: - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -4. Connect to the cluster. - - ```bash - terraform output -raw kubeconfig > constellation-admin.conf - export KUBECONFIG=$(realpath constellation-admin.conf) - ``` - -## Bringing your own infrastructure - -Instead of using the example infrastructure used in the [quick setup](#quick-setup), you can also provide your own infrastructure. -If you need a starting point for a custom infrastructure setup, you can download the infrastructure / IAM Terraform modules for the respective CSP from the Constellation [GitHub releases](https://github.com/edgelesssys/constellation/releases). You can modify and extend the modules per your requirements, while keeping the basic functionality intact. 
-The module contains: - -- `{csp}`: cloud resources the cluster runs on -- `iam/{csp}`: IAM resources used within the cluster - -When upgrading your cluster, make sure to check the Constellation release notes for potential breaking changes in the reference infrastructure / IAM modules that need to be considered. - -## Cluster upgrades - -:::tip -Also see the [general documentation on cluster upgrades](./upgrade.md). -::: - -The steps for applying the upgrade are as follows: - -1. Update the version constraint of the Constellation Terraform provider in the `required_providers` block in your Terraform configuration. -2. If you explicitly set any of the version attributes of the provider's resources and data sources (e.g. `image_version` or `constellation_microservice_version`), make sure to update them too. Refer to Constellation's [version support policy](https://github.com/edgelesssys/constellation/blob/main/dev-docs/workflows/versions-support.md) for more information on how each Constellation version and its dependencies are supported. -3. Update the IAM / infrastructure configuration. - - For [remote addresses as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#fetching-archives-over-http), update the version number inside the address of the `source` field of the infrastructure / IAM module to the target version. - - For [local paths as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#local-paths) or when [providing your own infrastructure](#bringing-your-own-infrastructure), see the changes made in the reference modules since the upgrade's origin version and adjust your infrastructure / IAM configuration accordingly. -4. Upgrade the Terraform module and provider dependencies and apply the targeted configuration. - -```bash - terraform init -upgrade - terraform apply -``` 
diff --git a/docs/versioned_docs/version-2.20/workflows/troubleshooting.md b/docs/versioned_docs/version-2.20/workflows/troubleshooting.md
deleted file mode 100644
index 195bce1cc..000000000
--- a/docs/versioned_docs/version-2.20/workflows/troubleshooting.md
+++ /dev/null
@@ -1,151 +0,0 @@ -# Troubleshooting - -This section aids you in finding problems when working with Constellation. - -## Common issues - -### Issues with creating new clusters - -When you create a new cluster, you should always use the [latest release](https://github.com/edgelesssys/constellation/releases/latest). -If something doesn't work, check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### Azure: Resource Providers can't be registered - -On Azure, you may receive the following error when running `apply` or `terminate` with limited IAM permissions: - -```shell-session -Error: Error ensuring Resource Providers are registered. - -Terraform automatically attempts to register the Resource Providers it supports to -ensure it's able to provision resources. - -If you don't have permission to register Resource Providers you may wish to use the -"skip_provider_registration" flag in the Provider block to disable this functionality. - -[...] -``` - -To continue, please ensure that the [required resource providers](../getting-started/install.md#required-permissions) have been registered in your subscription by your administrator. - -Afterward, set `ARM_SKIP_PROVIDER_REGISTRATION=true` as an environment variable and either run `apply` or `terminate` again. 
-For example:
-
-```bash
-ARM_SKIP_PROVIDER_REGISTRATION=true constellation apply
-```
-
-Or alternatively, for `terminate`:
-
-```bash
-ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate
-```
-
-### Azure: Can't update attestation policy
-
-On Azure, you may receive the following error when running `apply` from within an Azure environment, e.g., an Azure VM:
-
-```shell-session
-An error occurred: patching policies: updating attestation policy: unexpected status code: 403 Forbidden
-```
-
-The problem occurs because the Azure SDK we use internally attempts to [authenticate towards the Azure API with the managed identity of your current environment instead of the Azure CLI token](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential).
-
-We decided not to deviate from this behavior and comply with the ordering of credentials.
-
-A solution is to add the [required permissions](../getting-started/install.md#required-permissions) to the managed identity of your environment. For example, the managed identity of your Azure VM, instead of the account that you've authenticated with in the Azure CLI.
-
-If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior.
-
-
-
-### Nodes fail to join with error `untrusted measurement value`
-
-This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice).
-This may for example happen if the cloud provider updates the VM's firmware such that it influences the [runtime measurements](../architecture/attestation.md#runtime-measurements) in an unforeseen way.
-A failed upgrade due to an erroneous attestation config can also cause this error.
-You can change the expected measurements to resolve the failure.
- -:::caution - -Attestation and trusted measurements are crucial for the security of your cluster. -Be extra careful when manually changing these settings. -When in doubt, check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -:::tip - -During an upgrade with modified attestation config, a backup of the current configuration is stored in the `join-config` config map in the `kube-system` namespace under the `attestationConfig_backup` key. To restore the old attestation config after a failed upgrade, replace the value of `attestationConfig` with the value from `attestationConfig_backup`: - -```bash -kubectl patch configmaps -n kube-system join-config -p "{\"data\":{\"attestationConfig\":\"$(kubectl get configmaps -n kube-system join-config -o "jsonpath={.data.attestationConfig_backup}")\"}}" -``` - -::: - -You can use the `apply` command to change measurements of a running cluster: - -1. Modify the `measurements` key in your local `constellation-conf.yaml` to the expected values. -2. Run `constellation apply`. - -Keep in mind that running `apply` also applies any version changes from your config to the cluster. - -You can run these commands to learn about the versions currently configured in the cluster: - -- Kubernetes API server version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.kubernetesClusterVersion` -- image version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.imageVersion` -- microservices versions: `helm list --filter 'constellation-services' -n kube-system` - -### Upgrading Kubernetes resources fails - -Constellation manages its Kubernetes resources using Helm. 
-When applying an upgrade, the charts that are about to be installed, and a values override file `overrides.yaml`, -are saved to disk in your current workspace under `constellation-upgrade/upgrade-/helm-charts/`. -If upgrading the charts using the Constellation CLI fails, you can review these charts and try to manually apply the upgrade. - -:::caution - -Changing and manually applying the charts may destroy cluster resources and can lead to broken Constellation deployments. -Proceed with caution and when in doubt, -check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -## Diagnosing issues - -### Logs - -To get started on diagnosing issues with Constellation, it's often helpful to collect logs from nodes, pods, or other resources in the cluster. Most logs are available through Kubernetes' standard -[logging interfaces](https://kubernetes.io/docs/concepts/cluster-administration/logging/). - -To debug issues occurring at boot time of the nodes, you can use the serial console interface of the CSP while the machine boots to get a read-only view of the boot logs. - -Apart from that, Constellation also offers further [observability integrations](../architecture/observability.md). - -### Node shell access - -Debugging via a shell on a node is [directly supported by Kubernetes](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#node-shell-session). - -1. Figure out which node to connect to: - - ```bash - kubectl get nodes - # or to see more information, such as IPs: - kubectl get nodes -o wide - ``` - -2. Connect to the node: - - ```bash - kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox - ``` - - You will be presented with a prompt. - - The nodes file system is mounted at `/host`. - -3. 
Once finished, clean up the debug pod:
-
- ```bash
- kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj
- ```
diff --git a/docs/versioned_docs/version-2.20/workflows/trusted-launch.md b/docs/versioned_docs/version-2.20/workflows/trusted-launch.md
deleted file mode 100644
index d6d01d8eb..000000000
--- a/docs/versioned_docs/version-2.20/workflows/trusted-launch.md
+++ /dev/null
@@ -1,54 +0,0 @@ -# Use Azure trusted launch VMs - -Constellation also supports [trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch) on Microsoft Azure. Trusted launch VMs don't offer the same level of security as Confidential VMs, but are available in more regions and in larger quantities. The main difference between trusted launch VMs and normal VMs is that the former offer vTPM-based remote attestation. When used with trusted launch VMs, Constellation relies on vTPM-based remote attestation to verify nodes. - -:::caution - -Trusted launch VMs don't provide runtime encryption and don't keep the cloud service provider (CSP) out of your trusted computing base. - -::: - -Constellation supports trusted launch VMs with instance types `Standard_D*_v4` and `Standard_E*_v4`. Run `constellation config instance-types` for a list of all supported instance types. - -## VM images - -Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription. - -The latest image is available at `https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img`. Simply adjust the version number to download a newer version. - -After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image. -You can use a script to do this: - -```bash -wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh -chmod +x importAzure.sh -AZURE_IMAGE_VERSION=2.2.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./constellation.img ./importAzure.sh -``` - -The script creates the following resources: - -1. A new image gallery with the default name `constellation-import` -2. A new image definition with the default name `constellation` -3. 
The actual image with the provided version. In this case `2.2.0` - -Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`. - -Fetch the image measurements: - -```bash -IMAGE_VERSION=2.2.0 -URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//communitygalleries/constellationcvm-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/$IMAGE_VERSION/measurements.yaml -constellation config fetch-measurements -u$URL -s$URL.sig -``` - -:::info - -The [`constellation apply`](create.md) command will issue a warning because manually imported images aren't recognized as production grade images: - -```shell-session -Configured image doesn't look like a released production image. Double check image before deploying to production. -``` - -Please ignore this warning. - -::: diff --git a/docs/versioned_docs/version-2.20/workflows/upgrade.md b/docs/versioned_docs/version-2.20/workflows/upgrade.md deleted file mode 100644 index 3db2ecad6..000000000 --- a/docs/versioned_docs/version-2.20/workflows/upgrade.md +++ /dev/null 
@@ -1,110 +0,0 @@ -# Upgrade your cluster - -Constellation provides an easy way to upgrade all components of your cluster, without disrupting its availability. -Specifically, you can upgrade the Kubernetes version, the nodes' image, and the Constellation microservices. -You configure the desired versions in your local Constellation configuration and trigger upgrades with the `apply` command. -To learn about available versions you use the `upgrade check` command. -Which versions are available depends on the CLI version you are using. - -## Update the CLI - -Each CLI comes with a set of supported microservice and Kubernetes versions. -Most importantly, a given CLI version can only upgrade a cluster of the previous minor version, but not older ones. -This means that you have to upgrade your CLI and cluster one minor version at a time. - -For example, if you are currently on CLI version v2.6 and the latest version is v2.8, you should - -* upgrade the CLI to v2.7, -* upgrade the cluster to v2.7, -* and only then continue upgrading the CLI (and the cluster) to v2.8 after. - -Also note that if your current Kubernetes version isn't supported by the next CLI version, use your current CLI to upgrade to a newer Kubernetes version first. - -To learn which Kubernetes versions are supported by a particular CLI, run [constellation config kubernetes-versions](../reference/cli.md#constellation-config-kubernetes-versions). - -## Migrate the configuration - -The Constellation configuration file is located in the file `constellation-conf.yaml` in your workspace. -Refer to the [migration reference](../reference/migration.md) to check if you need to update fields in your configuration file. -Use [`constellation config migrate`](../reference/cli.md#constellation-config-migrate) to automatically update an old config file to a new format. 
- -## Check for upgrades - -To learn which versions the current CLI can upgrade to and what's installed in your cluster, run: - -```bash -# Show possible upgrades -constellation upgrade check - -# Show possible upgrades and write them to config file -constellation upgrade check --update-config -``` - -You can either enter the reported target versions into your config manually or run the above command with the `--update-config` flag. -When using this flag, the `kubernetesVersion`, `image`, `microserviceVersion`, and `attestation` fields are overwritten with the smallest available upgrade. - -## Apply the upgrade - -Once you updated your config with the desired versions, you can trigger the upgrade with this command: - -```bash -constellation apply -``` - -Microservice upgrades will be finished within a few minutes, depending on the cluster size. -If you are interested, you can monitor pods restarting in the `kube-system` namespace with your tool of choice. - -Image and Kubernetes upgrades take longer. -For each node in your cluster, a new node has to be created and joined. -The process usually takes up to ten minutes per node. - -When applying an upgrade, the Helm charts for the upgrade as well as backup files of Constellation-managed Custom Resource Definitions, Custom Resources, and Terraform state are created. -You can use the Terraform state backup to restore previous resources in case an upgrade misconfigured or erroneously deleted a resource. -You can use the Custom Resource (Definition) backup files to restore Custom Resources and Definitions manually (e.g., via `kubectl apply`) if the automatic migration of those resources fails. -You can use the Helm charts to manually apply upgrades to the Kubernetes resources, should an upgrade fail. - -:::note - -For advanced users: the upgrade consists of several phases that can be individually skipped through the `--skip-phases` flag. 
-The phases are `infrastracture` for the cloud resource management through Terraform, `helm` for the chart management of the microservices, `image` for OS image upgrades, and `k8s` for Kubernetes version upgrades. - -::: - -## Check the status - -Upgrades are asynchronous operations. -After you run `apply`, it will take a while until the upgrade has completed. -To understand if an upgrade is finished, you can run: - -```bash -constellation status -``` - -This command displays the following information: - -* The installed services and their versions -* The image and Kubernetes version the cluster is expecting on each node -* How many nodes are up to date - -Here's an example output: - -```shell-session -Target versions: - Image: v2.6.0 - Kubernetes: v1.25.8 -Service versions: - Cilium: v1.12.1 - cert-manager: v1.10.0 - constellation-operators: v2.6.0 - constellation-services: v2.6.0 -Cluster status: Some node versions are out of date - Image: 23/25 - Kubernetes: 25/25 -``` - -This output indicates that the cluster is running Kubernetes version `1.25.8`, and all nodes have the appropriate binaries installed. -23 out of 25 nodes have already upgraded to the targeted image version of `2.6.0`, while two are still in progress. - -## Apply further upgrades - -After the upgrade is finished, you can run `constellation upgrade check` again to see if there are more upgrades available. If so, repeat the process. diff --git a/docs/versioned_docs/version-2.20/workflows/verify-cli.md b/docs/versioned_docs/version-2.20/workflows/verify-cli.md deleted file mode 100644 index e33569d37..000000000 --- a/docs/versioned_docs/version-2.20/workflows/verify-cli.md +++ /dev/null 
@@ -1,129 +0,0 @@ -# Verify the CLI - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/cosign/signing/overview/), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at `https://rekor.sigstore.dev`. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). -::: - -The Rekor transparency log is a public append-only ledger that verifies and records signatures and associated metadata. The Rekor transparency log enables everyone to observe the sequence of (software) signatures issued by Edgeless Systems and many other parties. The transparency log allows for the public identification of dubious or malicious signatures. - -You should always ensure that (1) your CLI executable was signed with the private key corresponding to the above public key and that (2) there is a corresponding entry in the Rekor transparency log. Both can be done as described in the following. - -:::info -You don't need to verify the Constellation node images. This is done automatically by your CLI and the rest of Constellation. 
-::: - -## Verify the signature - -:::info -This guide assumes Linux on an amd64 processor. The exact steps for other platforms differ slightly. -::: - -First, [install the Cosign CLI](https://docs.sigstore.dev/cosign/system_config/installation/). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: - -```shell-session -$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -Verified OK -``` - -The above performs an offline verification of the provided public key, signature, and executable. To also verify that a corresponding entry exists in the public Rekor transparency log, add the variable `COSIGN_EXPERIMENTAL=1`: - -```shell-session -$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -tlog entry verified with uuid: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 index: 3477047 -Verified OK -``` - -🏁 You now know that your CLI executable was officially released and signed by Edgeless Systems. - -### Optional: Manually inspect the transparency log - -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) 
- -```shell-session -$ rekor-cli search --artifact constellation-linux-amd64 - -Found matching entries (listed by UUID): -362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -``` - -With this UUID you can get the full entry from the transparency log: - -```shell-session -$ rekor-cli get --uuid=362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 - -LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d -Index: 3477047 -IntegratedTime: 2022-09-12T22:28:16Z -UUID: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -Body: { - "HashedRekordObj": { - "data": { - "hash": { - "algorithm": "sha256", - "value": "40e137b9b9b8204d672642fd1e181c6d5ccb50cfc5cc7fcbb06a8c2c78f44aff" - } - }, - "signature": { - "content": "MEUCIQCSER3mGj+j5Pr2kOXTlCIHQC3gT30I7qkLr9Awt6eUUQIgcLUKRIlY50UN8JGwVeNgkBZyYD8HMxwC/LFRWoMn180=", - "publicKey": { - "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZjhGMWhwbXdFK1lDRlh6akd0YVFjckw2WFpWVApKbUVlNWlTTHZHMVN5UVNBZXc3V2RNS0Y2bzl0OGUyVEZ1Q2t6bE9oaGx3czJPSFdiaUZabkZXQ0Z3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" - } - } - } -} -``` - -The field `publicKey` should contain Edgeless Systems' public key in Base64 encoding. - -You can get an exhaustive list of artifact signatures issued by Edgeless Systems via the following command: - -```bash -rekor-cli search --public-key https://edgeless.systems/es.pub --pki-format x509 -``` - -Edgeless Systems monitors this list to detect potential unauthorized use of its private key. - -## Verify the provenance - -Provenance attests that a software artifact was produced by a specific repository and build system invocation. For more information on provenance visit [slsa.dev](https://slsa.dev/provenance/v0.2) and learn about the [adoption of SLSA for Constellation](../reference/slsa.md). 
- -Just as checking its signature proves that the CLI hasn't been manipulated, checking the provenance proves that the artifact was produced by the expected build process and hasn't been tampered with. - -To verify the provenance, first install the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Then make sure you have the provenance file (`constellation.intoto.jsonl`) and Constellation CLI downloaded. Both are available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). - -:::info -The same provenance file is valid for all Constellation CLI executables of a given version independent of the target platform. -::: - -Use the verifier to perform the check: - -```shell-session -$ slsa-verifier verify-artifact constellation-linux-amd64 \ - --provenance-path constellation.intoto.jsonl \ - --source-uri github.com/edgelesssys/constellation - -Verified signature against tlog entry index 7771317 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77af2c04c8b4ae0d5bc5... -Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2 at commit 18e9924b416323c37b9cdfd6cc728de8a947424a -PASSED: Verified SLSA provenance -``` diff --git a/docs/versioned_docs/version-2.20/workflows/verify-cluster.md b/docs/versioned_docs/version-2.20/workflows/verify-cluster.md deleted file mode 100644 index b6595ebf2..000000000 --- a/docs/versioned_docs/version-2.20/workflows/verify-cluster.md +++ /dev/null 
@@ -1,97 +0,0 @@ -# Verify your cluster - -Constellation's [attestation feature](../architecture/attestation.md) allows you, or a third party, to verify the integrity and confidentiality of your Constellation cluster. - -## Fetch measurements - -To verify the integrity of Constellation you need trusted measurements to verify against. For each node image released by Edgeless Systems, there are signed measurements, which you can download using the CLI: - -```bash -constellation config fetch-measurements -``` - -This command performs the following steps: - -1. Download the signed measurements for the configured image. By default, this will use Edgeless Systems' public measurement registry. -2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub). -3. Write measurements into configuration file. - -The configuration file then contains a list of `measurements` similar to the following: - -```yaml -# ... -measurements: - 0: - expected: "0f35c214608d93c7a6e68ae7359b4a8be5a0e99eea9107ece427c4dea4e439cf" - warnOnly: false - 4: - expected: "02c7a67c01ec70ffaf23d73a12f749ab150a8ac6dc529bda2fe1096a98bf42ea" - warnOnly: false - 5: - expected: "e6949026b72e5045706cd1318889b3874480f7a3f7c5c590912391a2d15e6975" - warnOnly: true - 8: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 9: - expected: "f0a6e8601b00e2fdc57195686cd4ef45eb43a556ac1209b8e25d993213d68384" - warnOnly: false - 11: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 12: - expected: "da99eb6cf7c7fbb692067c87fd5ca0b7117dc293578e4fea41f95d3d3d6af5e2" - warnOnly: false - 13: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 14: - expected: "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" - warnOnly: true - 15: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - 
warnOnly: false -# ... -``` - -Each entry specifies the expected value of the Constellation node, and whether the measurement should be enforced (`warnOnly: false`), or only a warning should be logged (`warnOnly: true`). -By default, the subset of the [available measurements](../architecture/attestation.md#runtime-measurements) that can be locally reproduced and verified is enforced. - -During attestation, the validating side (CLI or [join service](../architecture/microservices.md#joinservice)) compares each measurement reported by the issuing side (first node or joining node) individually. -For mismatching measurements that have set `warnOnly` to `true` only a warning is emitted. -For mismatching measurements that have set `warnOnly` to `false` an error is emitted and attestation fails. -If attestation fails for a new node, it isn't permitted to join the cluster. - -## The *verify* command - -:::note -The steps below are purely optional. They're automatically executed by `constellation apply` when you initialize your cluster. The `constellation verify` command mostly has an illustrative purpose. -::: - -The `verify` command obtains and verifies an attestation statement from a running Constellation cluster. - -```bash -constellation verify [--cluster-id ...] -``` - -From the attestation statement, the command verifies the following properties: - -* The cluster is using the correct Confidential VM (CVM) type. -* Inside the CVMs, the correct node images are running. The node images are identified through the measurements obtained in the previous step. -* The unique ID of the cluster matches the one from your `constellation-state.yaml` file or passed in via `--cluster-id`. - -Once the above properties are verified, you know that you are talking to the right Constellation cluster and it's in a good and trustworthy shape. - -### Custom arguments - -The `verify` command also allows you to verify any Constellation deployment that you have network access to. 
For this you need the following: - -* The IP address of a running Constellation cluster's [VerificationService](../architecture/microservices.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`. -* The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details. -* A `constellation-conf.yaml` file with the expected measurements of the cluster in your working directory. - -For example: - -```shell-session -constellation verify -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ= -``` diff --git a/docs/versioned_docs/version-2.21/_media/SLSA-Badge-full-level3.svg b/docs/versioned_docs/version-2.21/_media/SLSA-Badge-full-level3.svg deleted file mode 100644 index 7154d4a13..000000000 --- a/docs/versioned_docs/version-2.21/_media/SLSA-Badge-full-level3.svg +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_bw.png b/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_bw.png deleted file mode 100644 index a82ebe2d0..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_bw.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_iops.png b/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_iops.png deleted file mode 100644 index 1723257a8..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_fio_azure_iops.png and /dev/null differ 
diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_bw.png b/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_bw.png deleted file mode 100644 index 4f0ecc94b..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_bw.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_iops.png b/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_iops.png deleted file mode 100644 index 571086da2..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_fio_gcp_iops.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_azure.png b/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_azure.png deleted file mode 100644 index 9130349c7..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_azure.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_gcp.png b/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_gcp.png deleted file mode 100644 index a41557e96..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2p_gcp.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_azure.png b/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_azure.png deleted file mode 100644 index d83e17f5a..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_azure.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_gcp.png b/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_gcp.png deleted file mode 100644 index 55916a1de..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_net_p2svc_gcp.png and /dev/null differ 
diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/max_latency.png b/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/max_latency.png deleted file mode 100644 index 696250181..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/max_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/mean_latency.png b/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/mean_latency.png deleted file mode 100644 index 3b43298ac..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/mean_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/min_latency.png b/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/min_latency.png deleted file mode 100644 index 1046df67e..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/min_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/p99_latency.png b/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/p99_latency.png deleted file mode 100644 index 0190118b2..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/benchmark_vault/5replicas/p99_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/concept-constellation.svg b/docs/versioned_docs/version-2.21/_media/concept-constellation.svg deleted file mode 100644 index 30d32bf6d..000000000 --- a/docs/versioned_docs/version-2.21/_media/concept-constellation.svg +++ /dev/null @@ -1,460 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.21/_media/concept-managed.svg b/docs/versioned_docs/version-2.21/_media/concept-managed.svg deleted file mode 100644 index 5645a608f..000000000 --- a/docs/versioned_docs/version-2.21/_media/concept-managed.svg +++ /dev/null @@ -1,591 +0,0 @@ - - 
diff --git a/docs/versioned_docs/version-2.21/_media/constellation_oneline.svg b/docs/versioned_docs/version-2.21/_media/constellation_oneline.svg deleted file mode 100644 index 4e354958a..000000000 --- a/docs/versioned_docs/version-2.21/_media/constellation_oneline.svg +++ /dev/null @@ -1,52 +0,0 @@ - - - - - - - - diff --git a/docs/versioned_docs/version-2.21/_media/example-emojivoto.jpg b/docs/versioned_docs/version-2.21/_media/example-emojivoto.jpg deleted file mode 100644 index 4be0d5b26..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/example-emojivoto.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/example-online-boutique.jpg b/docs/versioned_docs/version-2.21/_media/example-online-boutique.jpg deleted file mode 100644 index 026f0d865..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/example-online-boutique.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/recovery-gcp-serial-console-link.png b/docs/versioned_docs/version-2.21/_media/recovery-gcp-serial-console-link.png deleted file mode 100644 index eb67f0e99..000000000 Binary files a/docs/versioned_docs/version-2.21/_media/recovery-gcp-serial-console-link.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.21/_media/tcb.svg b/docs/versioned_docs/version-2.21/_media/tcb.svg deleted file mode 100644 index e5bcb5b95..000000000 --- a/docs/versioned_docs/version-2.21/_media/tcb.svg +++ /dev/null @@ -1,535 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.21/architecture/attestation.md b/docs/versioned_docs/version-2.21/architecture/attestation.md deleted file mode 100644 index 9bd157460..000000000 --- a/docs/versioned_docs/version-2.21/architecture/attestation.md +++ /dev/null 
@@ -1,409 +0,0 @@ -# Attestation - -This page explains Constellation's attestation process and highlights the cornerstones of its trust model. - -## Terms - -The following lists terms and concepts that help to understand the attestation concept of Constellation. - -### Trusted Platform Module (TPM) - -A TPM chip is a dedicated tamper-resistant crypto-processor. -It can securely store artifacts such as passwords, certificates, encryption keys, or *runtime measurements* (more on this below). -When a TPM is implemented in software, it's typically called a *virtual* TPM (vTPM). - -### Runtime measurement - -A runtime measurement is a cryptographic hash of the memory pages of a so called *runtime component*. Runtime components of interest typically include a system's bootloader or OS kernel. - -### Platform Configuration Register (PCR) - -A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. -To store a new value in a PCR, the existing value is extended with a new value as follows: - -``` -PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend ) -``` - -The PCRs are typically used to store runtime measurements. -The new value of a PCR is always an extension of the existing value. -Thus, storing the measurements of multiple components into the same PCR irreversibly links them together. - -### Measured boot - -Measured boot builds on the concept of chained runtime measurements. -Each component in the boot chain loads and measures the next component into the PCR before executing it. -By comparing the resulting PCR values against trusted reference values, the integrity of the entire boot chain and thereby the running system can be ensured. - -### Remote attestation (RA) - -Remote attestation is the process of verifying certain properties of an application or platform, such as integrity and confidentiality, from a remote location. 
-In the case of a measured boot, the goal is to obtain a signed attestation statement on the PCR values of the boot measurements. -The statement can then be verified and compared to a set of trusted reference values. -This way, the integrity of the platform can be ensured before sharing secrets with it. - -### Confidential virtual machine (CVM) - -Confidential computing (CC) is the protection of data in-use with hardware-based trusted execution environments (TEEs). -With CVMs, TEEs encapsulate entire virtual machines and isolate them against the hypervisor, other VMs, and direct memory access. -After loading the initial VM image into encrypted memory, the hypervisor calls for a secure processor to measure these initial memory pages. -The secure processor locks these pages and generates an attestation report on the initial page measurements. -CVM memory pages are encrypted with a key that resides inside the secure processor, which makes sure only the guest VM can access them. -The attestation report is signed by the secure processor and can be verified using remote attestation via the certificate authority of the hardware vendor. -Such an attestation statement guarantees the confidentiality and integrity of a CVM. - -### Attested TLS (aTLS) - -In a CC environment, attested TLS (aTLS) can be used to establish secure connections between two parties using the remote attestation features of the CC components. - -aTLS modifies the TLS handshake by embedding an attestation statement into the TLS certificate. -Instead of relying on a certificate authority, aTLS uses this attestation statement to establish trust in the certificate. - -The protocol can be used by clients to verify a server certificate, by a server to verify a client certificate, or for mutual verification (mutual aTLS). - -## Overview - -The challenge for Constellation is to lift a CVM's attestation statement to the Kubernetes software layer and make it end-to-end verifiable. 
-From there, Constellation needs to expand the attestation from a single CVM to the entire cluster. - -The [*JoinService*](microservices.md#joinservice) and [*VerificationService*](microservices.md#verificationservice) are where all runs together. -Internally, the *JoinService* uses remote attestation to securely join CVM nodes to the cluster. -Externally, the *VerificationService* provides an attestation statement for the cluster's CVMs and configuration. - -The following explains the details of both steps. - -## Node attestation - -The idea is that Constellation nodes should have verifiable integrity from the CVM hardware measurement up to the Kubernetes software layer. -The solution is a verifiable boot chain and an integrity-protected runtime environment. - -Constellation uses measured boot within CVMs, measuring each component in the boot process before executing it. -Outside of CC, this is usually implemented via TPMs. -CVM technologies differ in how they implement runtime measurements, but the general concepts are similar to those of a TPM. -For simplicity, TPM terminology like *PCR* is used in the following. - -When a Constellation node image boots inside a CVM, measured boot is used for all stages and components of the boot chain. -This process goes up to the root filesystem. -The root filesystem is mounted read-only with integrity protection. -For the details on the image and boot stages see the [image architecture](../architecture/images.md) documentation. -Any changes to the image will inevitably also change the corresponding PCR values. -To create a node attestation statement, the Constellation image obtains a CVM attestation statement from the hardware. -This includes the runtime measurements and thereby binds the measured boot results to the CVM hardware measurement. - -In addition to the image measurements, Constellation extends a PCR during the [initialization phase](../workflows/create.md) that irrevocably marks the node as initialized. 
-The measurement is created using the [*clusterID*](../architecture/keys.md#cluster-identity), tying all future attestation statements to this ID. -Thereby, an attestation statement is unique for every cluster and a node can be identified unambiguously as being initialized. - -To verify an attestation, the hardware's signature and a statement are verified first to establish trust in the contained runtime measurements. -If successful, the measurements are verified against the trusted values of the particular Constellation release version. -Finally, the measurement of the *clusterID* can be compared by calculating it with the [master secret](keys.md#master-secret). - -### Runtime measurements - -Constellation uses runtime measurements to implement the measured boot approach. -As stated above, the underlying hardware technology and guest firmware differ in their implementations of runtime measurements. -The following gives a detailed description of the available measurements in the different cloud environments. - -The runtime measurements consist of two types of values: - -* **Measurements produced by the cloud infrastructure and firmware of the CVM**: -These are measurements of closed-source firmware and other values controlled by the cloud provider. -While not being reproducible for the user, some of them can be compared against previously observed values. -Others may change frequently and aren't suitable for verification. -The [signed image measurements](#chain-of-trust) include measurements that are known, previously observed values. - -* **Measurements produced by the Constellation bootloader and boot chain**: -The Constellation Bootloader takes over from the CVM firmware and [measures the rest of the boot chain](images.md). -The Constellation [Bootstrapper](microservices.md#bootstrapper) is the first user mode component that runs in a Constellation image. 
-It extends PCR registers with the [IDs](keys.md#cluster-identity) of the cluster marking a node as initialized. - -Constellation allows to specify in the config which measurements should be enforced during the attestation process. -Enforcing non-reproducible measurements controlled by the cloud provider means that changes in these values require manual updates to the cluster's config. -By default, Constellation only enforces measurements that are stable values produced by the infrastructure or by Constellation directly. - - - - -Constellation uses the [vTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) (NitroTPM) feature of the [AWS Nitro System](http://aws.amazon.com/ec2/nitro/) on AWS for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | AWS | No | -| 1 | Firmware | AWS | No | -| 2 | Firmware | AWS | No | -| 3 | Firmware | AWS | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | AWS, Constellation Bootloader | Yes | -| 5 | Firmware | AWS | No | -| 6 | Firmware | AWS | No | -| 7 | Secure Boot Policy | AWS, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm) feature of Azure CVMs for runtime measurements. -This vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [measured boot](https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation#measured-boot) verification that's based on the trusted launch feature of [Trusted Launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | Azure | No | -| 1 | Firmware | Azure | No | -| 2 | Firmware | Azure | No | -| 3 | Firmware | Azure | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | Azure, Constellation Bootloader | Yes | -| 5 | Reserved | Azure | No | -| 6 | VM Unique ID | Azure | No | -| 7 | Secure Boot State | Azure, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) feature of CVMs on GCP for runtime measurements. -Note that this vTPM doesn't run inside the hardware-protected CVM context, but is emulated by the hypervisor. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [launch attestation report](https://cloud.google.com/compute/confidential-vm/docs/monitoring#about_launch_attestation_report_events) that's based on the measured boot feature of [Shielded VMs](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#measured-boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. 
-The latter means that the value can be generated offline and compared to the one in the vTPM. - -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | CVM version and technology | GCP | No | -| 1 | Firmware | GCP | No | -| 2 | Firmware | GCP | No | -| 3 | Firmware | GCP | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | GCP, Constellation Bootloader | Yes | -| 5 | Disk GUID partition table | GCP | No | -| 6 | Disk GUID partition table | GCP | No | -| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses a hypervisor-based vTPM for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | STACKIT | No | -| 1 | Firmware | STACKIT | No | -| 2 | Firmware | STACKIT | No | -| 3 | Firmware | STACKIT | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | STACKIT, Constellation Bootloader | Yes | -| 5 | Firmware | STACKIT | No | -| 6 | Firmware | STACKIT | No | -| 7 | Secure Boot Policy | STACKIT, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -### CVM verification - -To verify the integrity of the received attestation statement, a chain of trust from the CVM technology to the interface providing the statement has to be established. -For verification of the CVM technology, Constellation may expose additional options in its config file. - - - - -On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. 
- -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On Azure, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the vTPM running inside the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* Firmware Signer - - This config option allows you to specify how the firmware signer should be verified. - More explicitly, it controls the verification of the `IDKeyDigest` value in the SEV-SNP attestation report. - You can provide a list of accepted key digests and specify a policy on how this list is compared against the reported `IDKeyDigest`. - - - - -On GCP, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. 
- Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs. -The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements). -There is no additional configuration available for STACKIT. - - - - -## Cluster attestation - -Cluster-facing, Constellation's [*JoinService*](microservices.md#joinservice) verifies each node joining the cluster given the configured ground truth runtime measurements. -User-facing, the [*VerificationService*](microservices.md#verificationservice) provides an interface to verify a node using remote attestation. -By verifying the first node during the [initialization](microservices.md#bootstrapper) and configuring the ground truth measurements that are subsequently enforced by the *JoinService*, the whole cluster is verified in a transitive way. - -### Cluster-facing attestation - -The *JoinService* is provided with the runtime measurements of the whitelisted Constellation image version as the ground truth. -During the initialization and the cluster bootstrapping, each node connects to the *JoinService* using [aTLS](#attested-tls-atls). -During the handshake, the node transmits an attestation statement including its runtime measurements. -The *JoinService* verifies that statement and compares the measurements against the ground truth. -For details of the initialization process check the [microservice descriptions](microservices.md). 
- -After the initialization, every node updates its runtime measurements with the *clusterID* value, marking it irreversibly as initialized. -When an initialized node tries to join another cluster, its measurements inevitably mismatch the measurements of an uninitialized node and it will be declined. - -### User-facing attestation - -The [*VerificationService*](microservices.md#verificationservice) provides an endpoint for obtaining its hardware-based remote attestation statement, which includes the runtime measurements. -A user can [verify](../workflows/verify-cluster.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy. - -## Putting it all together - -This section puts the aforementioned concepts together and illustrate how trust into a Constellation cluster is established and maintained. - -### CLI and node images - -It all starts with the CLI executable. The CLI is signed by Edgeless Systems. To ensure non-repudiability for CLI releases, Edgeless Systems publishes corresponding signatures to the public ledger of the [sigstore project](https://www.sigstore.dev/). There's a [step-by-step guide](../workflows/verify-cli.md) on how to verify CLI signatures based on sigstore. - -The CLI contains the latest runtime measurements of the Constellation node image for all supported cloud platforms. In case a different version of the node image is to be used, the corresponding runtime measurements can be fetched using the CLI's [fetch-measurements command](../reference/cli.md#constellation-config-fetch-measurements). This command downloads the runtime measurements and the corresponding signature from cdn.confidential.cloud. 
See for example the following files corresponding to node image v2.16.3: - -* [Measurements](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json) -* [Signature](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json.sig) - -The CLI contains the long-term public key of Edgeless Systems to verify the signature of downloaded runtime measurements. - -### Cluster creation - -When a cluster is [created](../workflows/create.md), the CLI automatically verifies the runtime measurements of the *first node* using remote attestation. Based on this, the CLI and the first node set up a temporary TLS connection. This [aTLS](#attested-tls-atls) connection is used for two things: - -1. The CLI sends the [master secret](../architecture/keys.md#master-secret) of the to-be-created cluster to the CLI. The master secret is generated by the first node. -2. The first node sends a [kubeconfig file](https://www.redhat.com/sysadmin/kubeconfig) with Kubernetes credentials to the CLI. - -After this, the aTLS connection is closed and the first node bootstraps the Kubernetes cluster. All subsequent interactions between the CLI and the cluster go via the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/) server running inside the cluster. The CLI (and other tools like kubectl) use the credentials referenced by the kubeconfig file to authenticate themselves towards the Kubernetes API server and to establish a mTLS connection. - -The CLI connects to the Kubernetes API to write the runtime measurements for the applicable node image to etcd. The JoinService uses these runtime measurements to verify all nodes that join the cluster subsequently. - -### Chain of trust - -In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the cluster via the CLI. This is illustrated in the following diagram. 
- -```mermaid -flowchart LR - A[User]-- "verifies" -->B[CLI] - B[CLI]-- "verifies" -->C([Runtime measurements]) - D[Edgeless Systems]-- "signs" -->B[CLI] - D[Edgeless Systems]-- "signs" -->C([Runtime measurements]) - B[CLI]-- "verifies (remote attestation)" -->E[First node] - E[First node]-- "verifies (remote attestation)" -->F[Other nodes] - C([Runtime measurements]) -.-> E[First node] - C([Runtime measurements]) -.-> F[Other nodes] -``` - -### Upgrades - -Whenever a cluster is [upgraded](../workflows/upgrade.md) to a new version of the node image, the CLI sends the corresponding runtime measurements via the Kubernetes API server. The new runtime measurements are stored in etcd within the cluster and replace any previous runtime measurements. The new runtime measurements are then used automatically by the JoinService for the verification of new nodes. - -## References - -[^1]: Linux IMA produces runtime measurements of user-space binaries. -However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value. -Instead, a policy engine must be used to verify the TPM event log against a policy. diff --git a/docs/versioned_docs/version-2.21/architecture/encrypted-storage.md b/docs/versioned_docs/version-2.21/architecture/encrypted-storage.md deleted file mode 100644 index f047fa4a9..000000000 --- a/docs/versioned_docs/version-2.21/architecture/encrypted-storage.md +++ /dev/null 
@@ -1,62 +0,0 @@
-# Encrypted persistent storage
-
-Confidential VMs provide runtime memory encryption to protect data in use.
-In the context of Kubernetes, this is sufficient for the confidentiality and integrity of stateless services.
-Consider a front-end web server, for example, that keeps all connection information cached in main memory.
-No sensitive data is ever written to an insecure medium.
-However, many real-world applications need some form of state or data-lake service that's connected to a persistent storage device and requires encryption at rest.
-As described in [Use persistent storage](../workflows/storage.md), cloud service providers (CSPs) use the container storage interface (CSI) to make their storage solutions available to Kubernetes workloads.
-These CSI storage solutions often support some sort of encryption.
-For example, Google Cloud [encrypts data at rest by default](https://cloud.google.com/security/encryption/default-encryption), without any action required by the customer.
-
-## Cloud provider-managed encryption
-
-CSP-managed storage solutions encrypt the data in the cloud backend before writing it physically to disk.
-In the context of confidential computing and Constellation, the CSP and its managed services aren't trusted.
-Hence, cloud provider-managed encryption protects your data from offline hardware access to physical storage devices.
-It doesn't protect it from anyone with infrastructure-level access to the storage backend or a malicious insider in the cloud platform.
-Even with "bring your own key" or similar concepts, the CSP performs the encryption process with access to the keys and plaintext data.
-
-In the security model of Constellation, securing persistent storage and thereby data at rest requires that all cryptographic operations are performed inside a trusted execution environment.
-Consequently, using CSP-managed encryption of persistent storage usually isn't an option.
-
-## Constellation-managed encryption
-
-Constellation provides CSI drivers for storage solutions in all major clouds with built-in encryption support.
-Block storage provisioned by the CSP is [mapped](https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html) using the [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html), and optionally the [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html), kernel modules, before it's formatted and accessed by the Kubernetes workloads.
-All cryptographic operations happen inside the trusted environment of the confidential Constellation node.
-
-Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.
-
-By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](microservices.md#keyservice).
-The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret).
-This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator.
-
-Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs.
-
-Refer to [keys and cryptography](keys.md) for more details on key management in Constellation.
-
-Once deployed and configured, the CSI driver ensures transparent encryption and integrity of all persistent volumes provisioned via its storage class.
-Data at rest is secured without any additional actions required by the developer.
-
-## Cryptographic algorithms
-
-This section gives an overview of the libraries, cryptographic algorithms, and their configurations, used in Constellation's CSI drivers.
-
-### dm-crypt
-
-To interact with the dm-crypt kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/).
-New devices are formatted as [LUKS2](https://gitlab.com/cryptsetup/LUKS2-docs/-/tree/master) partitions with a sector size of 4096 bytes.
-The used key derivation function is [Argon2id](https://datatracker.ietf.org/doc/html/rfc9106) with the [recommended parameters for memory-constrained environments](https://datatracker.ietf.org/doc/html/rfc9106#section-7.4) of 3 iterations and 64 MiB of memory, utilizing 4 parallel threads.
-For encryption Constellation uses AES in XTS-Plain64. The key size is 512 bit.
-
-### dm-integrity
-
-To interact with the dm-integrity kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/).
-When enabled, the used data integrity algorithm is [HMAC](https://datatracker.ietf.org/doc/html/rfc2104) with SHA256 as the hash function.
-The tag size is 32 Bytes.
-
-## Encrypted S3 object storage
-
-Constellation comes with a service that you can use to transparently retrofit client-side encryption to existing applications that use S3 (AWS or compatible) for storage.
-To learn more, check out the [s3proxy documentation](../workflows/s3proxy.md).
diff --git a/docs/versioned_docs/version-2.21/architecture/images.md b/docs/versioned_docs/version-2.21/architecture/images.md
deleted file mode 100644
index 8a9c51d36..000000000
--- a/docs/versioned_docs/version-2.21/architecture/images.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# Constellation images
-
-Constellation uses a minimal version of Fedora as the operating system running inside confidential VMs. This Linux distribution is optimized for containers and designed to be stateless.
-The Constellation images provide measured boot and an immutable filesystem.
-
-## Measured boot
-
-```mermaid
-flowchart LR
- Firmware --> Bootloader
- Bootloader --> uki
- subgraph uki[Unified Kernel Image]
- Kernel[Kernel]
- initramfs[Initramfs]
- cmdline[Kernel Command Line]
- end
- uki --> rootfs[Root Filesystem]
-```
-
-Measured boot uses a Trusted Platform Module (TPM) to measure every part of the boot process. This allows for verification of the integrity of a running system at any point in time. To ensure correct measurements of every stage, each stage is responsible to measure the next stage before transitioning.
-
-### Firmware
-
-With confidential VMs, the firmware is the root of trust and is measured automatically at boot. After initialization, the firmware will load and measure the bootloader before executing it.
-
-### Bootloader
-
-The bootloader is the first modifiable part of the boot chain. The bootloader is tasked with loading the kernel, initramfs and setting the kernel command line. The Constellation bootloader measures these components before starting the kernel.
-
-### initramfs
-
-The initramfs is a small filesystem loaded to prepare the actual root filesystem. The Constellation initramfs maps the block device containing the root filesystem with [dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html). The initramfs then mounts the root filesystem from the mapped block device.
-
-dm-verity provides integrity checking using a cryptographic hash tree. When a block is read, its integrity is checked by verifying the tree against a trusted root hash. The initramfs reads this root hash from the previously measured kernel command line.
Thus, if any block of the root filesystem's device is modified on disk, trying to read the modified block will result in a kernel panic at runtime.
-
-After mounting the root filesystem, the initramfs will switch over and start the `init` process of the integrity-protected root filesystem.
-
-## State disk
-
-In addition to the read-only root filesystem, each Constellation node has a disk for storing state data.
-This disk is mounted readable and writable by the initramfs and contains data that should persist across reboots.
-Such data can contain sensitive information and, therefore, must be stored securely.
-To that end, the state disk is protected by authenticated encryption.
-See the section on [keys and encryption](keys.md#storage-encryption) for more information on the cryptographic primitives in use.
-
-## Kubernetes components
-
-During initialization, the [*Bootstrapper*](microservices.md#bootstrapper) downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) as configured by the user.
-They're stored on the state partition and can be updated once new releases need to be installed.
diff --git a/docs/versioned_docs/version-2.21/architecture/keys.md b/docs/versioned_docs/version-2.21/architecture/keys.md
deleted file mode 100644
index 49821cd0b..000000000
--- a/docs/versioned_docs/version-2.21/architecture/keys.md
+++ /dev/null
@@ -1,130 +0,0 @@
-# Key management and cryptographic primitives
-
-Constellation protects and isolates your cluster and workloads.
-To that end, cryptography is the foundation that ensures the confidentiality and integrity of all components.
-Evaluating the security and compliance of Constellation requires a precise understanding of the cryptographic primitives and keys used.
-The following gives an overview of the architecture and explains the technical details.
-
-## Confidential VMs
-
-Confidential VM (CVM) technology comes with hardware and software components for memory encryption, isolation, and remote attestation.
-For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories.
-
-## Master secret
-
-The master secret is the cryptographic material used for deriving the [*clusterID*](#cluster-identity) and the *key encryption key (KEK)* for [storage encryption](#storage-encryption).
-It's generated during the bootstrapping of a Constellation cluster.
-It can either be managed by [Constellation](#constellation-managed-key-management) or an [external key management system](#user-managed-key-management).
-In case of [recovery](#recovery-and-migration), the master secret allows to decrypt the state and recover a Constellation cluster.
-
-## Cluster identity
-
-The identity of a Constellation cluster is represented by cryptographic [measurements](attestation.md#runtime-measurements):
-
-The **base measurements** represent the identity of a valid, uninitialized Constellation node.
-They depend on the node image, but are otherwise the same for every Constellation cluster.
-On node boot, they're determined using the CVM's attestation mechanism and [measured boot up to the read-only root filesystem](images.md).
-
-The **clusterID** represents the identity of a single initialized Constellation cluster.
-It's derived from the master secret and a cryptographically random salt and unique for every Constellation cluster.
-The [Bootstrapper](microservices.md#bootstrapper) measures the *clusterID* into its own PCR before executing any code not measured as part of the *base measurements*.
-See [Node attestation](attestation.md#node-attestation) for details.
-
-The remote attestation statement of a Constellation cluster combines the *base measurements* and the *clusterID* for a verifiable, unspoofable, unique identity.
-
-## Network encryption
-
-Constellation encrypts all cluster network communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-See [network encryption](networking.md) for more details.
-
-The Cilium agent running on each node establishes a secure [WireGuard](https://www.wireguard.com/) tunnel between it and all other known nodes in the cluster.
-Each node creates its own [Curve25519](http://cr.yp.to/ecdh.html) encryption key pair and distributes its public key via Kubernetes.
-A node uses another node's public key to decrypt and encrypt traffic from and to Cilium-managed endpoints running on that node.
-Connections are always encrypted peer-to-peer using [ChaCha20](http://cr.yp.to/chacha.html) with [Poly1305](http://cr.yp.to/mac.html).
-WireGuard implements [forward secrecy with key rotation every 2 minutes](https://lists.zx2c4.com/pipermail/wireguard/2017-December/002141.html).
-
-## Storage encryption
-
-Constellation supports transparent encryption of persistent storage.
-The Linux kernel's device mapper-based encryption features are used to encrypt the data on the block storage level.
-Currently, the following primitives are used for block storage encryption:
-
-* [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html)
-* [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html)
-
-Adding primitives for integrity protection in the CVM attacker model are under active development and will be available in a future version of Constellation.
-See [encrypted storage](encrypted-storage.md) for more details.
-
-As a cluster administrator, when creating a cluster, you can use the Constellation [installation program](orchestration.md) to select one of the following methods for key management:
-
-* Constellation-managed key management
-* User-managed key management
-
-### Constellation-managed key management
-
-#### Key material and key derivation
-
-During the creation of a Constellation cluster, the cluster's master secret is used to derive a KEK.
-This means creating two clusters with the same master secret will yield the same KEK.
-Any data encryption key (DEK) is derived from the KEK via HKDF.
-Note that the master secret is recommended to be unique for every cluster and shouldn't be reused (except in case of [recovering](../workflows/recovery.md) a cluster).
-
-#### State and storage
-
-The KEK is derived from the master secret during the initialization.
-Subsequently, all other key material is derived from the KEK.
-Given the same KEK, any DEK can be derived deterministically from a given identifier.
-Hence, there is no need to store DEKs. They can be derived on demand.
-After the KEK was derived, it's stored in memory only and never leaves the CVM context.
-
-#### Availability
-
-Constellation-managed key management has the same availability as the underlying Kubernetes cluster.
-Therefore, the KEK is stored in the [distributed Kubernetes etcd storage](https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/) to allow for unexpected but non-fatal (control-plane) node failure.
-The etcd storage is backed by the encrypted and integrity protected [state disk](images.md#state-disk) of the nodes.
-
-#### Recovery
-
-Constellation clusters can be recovered in the event of a disaster, even when all node machines have been stopped and need to be rebooted.
-For details on the process see the [recovery workflow](../workflows/recovery.md).
-
-### User-managed key management
-
-User-managed key management is under active development and will be available soon.
-In scenarios where constellation-managed key management isn't an option, this mode allows you to keep full control of your keys.
-For example, compliance requirements may force you to keep your KEKs in an on-prem key management system (KMS).
-
-During the creation of a Constellation cluster, you specify a KEK present in a remote KMS.
-This follows the common scheme of "bring your own key" (BYOK).
-Constellation will support several KMSs for managing the storage and access of your KEK.
-Initially, it will support the following KMSs:
-
-* [AWS KMS](https://aws.amazon.com/kms/)
-* [GCP KMS](https://cloud.google.com/security-key-management)
-* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
-* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
-
-Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
-In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
-Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
-
-KMIP support allows you to use your KMIP-compatible on-prem KMS and keep full control over your keys.
-This follows the common scheme of "hold your own key" (HYOK).
-
-The KEK is used to encrypt per-data "data encryption keys" (DEKs).
-DEKs are generated to encrypt your data before storing it on persistent storage.
-After being encrypted by the KEK, the DEKs are stored on dedicated cloud storage for persistence.
-Currently, Constellation supports the following cloud storage options:
-
-* [AWS S3](https://aws.amazon.com/s3/)
-* [GCP Cloud Storage](https://cloud.google.com/storage)
-* [Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/blobs/#overview)
-
-The DEKs are only present in plaintext form in the encrypted main memory of the CVMs.
-Similarly, the cryptographic operations for encrypting data before writing it to persistent storage are performed in the context of the CVMs.
-
-#### Recovery and migration
-
-In the case of a disaster, the KEK can be used to decrypt the DEKs locally and subsequently use them to decrypt and retrieve the data.
-In case of migration, configuring the same KEK will provide seamless migration of data.
-Thus, only the DEK storage needs to be transferred to the new cluster alongside the encrypted data for seamless migration.
diff --git a/docs/versioned_docs/version-2.21/architecture/microservices.md b/docs/versioned_docs/version-2.21/architecture/microservices.md
deleted file mode 100644
index 90bae783b..000000000
--- a/docs/versioned_docs/version-2.21/architecture/microservices.md
+++ /dev/null
@@ -1,73 +0,0 @@ -# Microservices - -Constellation takes care of bootstrapping and initializing a Confidential Kubernetes cluster. -During the lifetime of the cluster, it handles day 2 operations such as key management, remote attestation, and updates. -These features are provided by several microservices: - -* The [Bootstrapper](microservices.md#bootstrapper) initializes a Constellation node and bootstraps the cluster -* The [JoinService](microservices.md#joinservice) joins new nodes to an existing cluster -* The [VerificationService](microservices.md#verificationservice) provides remote attestation functionality -* The [KeyService](microservices.md#keyservice) manages Constellation-internal keys - -The relations between microservices are shown in the following diagram: - -```mermaid -flowchart LR - subgraph admin [Admin's machine] - A[Constellation CLI] - end - subgraph img [Constellation OS image] - B[Constellation OS] - C[Bootstrapper] - end - subgraph Kubernetes - D[JoinService] - E[KeyService] - F[VerificationService] - end - A -- deploys --> - B -- starts --> C - C -- deploys --> D - C -- deploys --> E - C -- deploys --> F -``` - -## Bootstrapper - -The *Bootstrapper* is the first microservice launched after booting a Constellation node image. -It sets up that machine as a Kubernetes node and integrates that node into the Kubernetes cluster. -To this end, the *Bootstrapper* first downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) at the configured versions. -The *Bootstrapper* tries to find an existing cluster and if successful, communicates with the [JoinService](microservices.md#joinservice) to join the node. -Otherwise, it waits for an initialization request to create a new Kubernetes cluster. - -## JoinService - -The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node. 
-New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls).
-The *JoinService* verifies the new node's certificate and attestation statement.
-If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](microservices.md#keyservice) for its state disk, and a Kubernetes bootstrap token.
-
-
-```mermaid
-sequenceDiagram
- participant New node
- participant JoinService
- New node->>JoinService: aTLS handshake (server side verification)
- JoinService-->>New node: #
- New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
- JoinService->>+KeyService: GetDataKey(DiskUUID)
- KeyService-->>-JoinService: DiskEncryptionKey
- JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ...
-```
-
-## VerificationService
-
-The *VerificationService* runs as DaemonSet on each node.
-It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation).
-Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side.
-
-## KeyService
-
-The *KeyService* runs as DaemonSet on each control-plane node.
-It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes.
-Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively.
diff --git a/docs/versioned_docs/version-2.21/architecture/networking.md b/docs/versioned_docs/version-2.21/architecture/networking.md
deleted file mode 100644
index e9cbdf029..000000000
--- a/docs/versioned_docs/version-2.21/architecture/networking.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Network encryption
-
-Constellation encrypts all pod communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-To that end, Constellation deploys, configures, and operates the [Cilium](https://cilium.io/) CNI plugin.
-Cilium provides [transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption) for all cluster traffic using either IPSec or [WireGuard](https://www.wireguard.com/).
-Currently, Constellation only supports WireGuard as the encryption engine.
-You can read more about the cryptographic soundness of WireGuard [in their white paper](https://www.wireguard.com/papers/wireguard.pdf).
-
-Cilium is actively working on implementing a feature called [`host-to-host`](https://github.com/cilium/cilium/pull/19401) encryption mode for WireGuard.
-With `host-to-host`, all traffic between nodes will be tunneled via WireGuard (host-to-host, host-to-pod, pod-to-host, pod-to-pod).
-Until the `host-to-host` feature is released, Constellation enables `pod-to-pod` encryption.
-This mode encrypts all traffic between Kubernetes pods using WireGuard tunnels.
-
-When using Cilium in the default setup but with encryption enabled, there is a [known issue](https://docs.cilium.io/en/v1.12/gettingstarted/encryption/#egress-traffic-to-not-yet-discovered-remote-endpoints-may-be-unencrypted)
-that can cause pod-to-pod traffic to be unencrypted.
-To mitigate this issue, Constellation adds a *strict* mode to Cilium's `pod-to-pod` encryption.
-This mode changes the default behavior of traffic that's destined for an unknown endpoint to not be send out in plaintext, but instead being dropped.
-The strict mode distinguishes between traffic that's send to a pod from traffic that's destined for a cluster-external endpoint by considering the pod's CIDR range.
-
-Traffic originating from hosts isn't encrypted yet.
-This mainly includes health checks from Kubernetes API server.
-Also, traffic proxied over the API server via e.g. `kubectl port-forward` isn't encrypted.
diff --git a/docs/versioned_docs/version-2.21/architecture/observability.md b/docs/versioned_docs/version-2.21/architecture/observability.md
deleted file mode 100644
index 0f4daffd4..000000000
--- a/docs/versioned_docs/version-2.21/architecture/observability.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# Observability
-
-In Kubernetes, observability is the ability to gain insight into the behavior and performance of applications.
-It helps identify and resolve issues more effectively, ensuring stability and performance of Kubernetes workloads, reducing downtime and outages, and improving efficiency.
-The "three pillars of observability" are logs, metrics, and traces.
-
-In the context of Confidential Computing, observability is a delicate subject and needs to be applied such that it doesn't leak any sensitive information.
-The following gives an overview of where and how you can apply standard observability tools in Constellation.
-
-## Cloud resource monitoring
-
-While inaccessible, Constellation's nodes are still visible as black box VMs to the hypervisor.
-Resource consumption, such as memory and CPU utilization, can be monitored from the outside and observed via the cloud platforms directly.
-Similarly, other resources, such as storage and network and their respective metrics, are visible via the cloud platform.
-
-## Metrics
-
-Metrics are numeric representations of data measured over intervals of time. They're essential for understanding system health and gaining insights using telemetry signals.
-
-By default, Constellation exposes the [metrics for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/) inside the cluster.
-Similarly, the [etcd metrics](https://etcd.io/docs/v3.5/metrics/) endpoints are exposed inside the cluster.
-These [metrics endpoints can be disabled](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/#disabling-metrics).
-
-You can collect these cluster-internal metrics via tools such as [Prometheus](https://prometheus.io/) or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-Constellation's CNI Cilium also supports [metrics via Prometheus endpoints](https://docs.cilium.io/en/latest/observability/metrics/).
-However, in Constellation, they're disabled by default and must be enabled first.
-
-## Logs
-
-Logs represent discrete events that usually describe what's happening with your service.
-The payload is an actual message emitted from your system along with a metadata section containing a timestamp, labels, and tracking identifiers.
-
-### System logs
-
-Detailed system-level logs are accessible via `/var/log` and [journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) on the nodes directly.
-They can be collected from there, for example, via [Filebeat and Logstash](https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html), which are tools of the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-In case of an error during the initialization, the CLI automatically collects the [Bootstrapper](./microservices.md#bootstrapper) logs and returns these as a file for [troubleshooting](../workflows/troubleshooting.md). Here is an example of such an event:
-
-```shell-session
-Cluster initialization failed. This error is not recoverable.
-Terminate your cluster and try again.
-Fetched bootstrapper logs are stored in "constellation-cluster.log"
-```
-
-### Kubernetes logs
-
-Constellation supports the [Kubernetes logging architecture](https://kubernetes.io/docs/concepts/cluster-administration/logging/).
-By default, logs are written to the nodes' encrypted state disks.
-These include the Pod and container logs and the [system component logs](https://kubernetes.io/docs/concepts/cluster-administration/logging/#system-component-logs).
-
-[Constellation services](microservices.md) run as Pods inside the `kube-system` namespace and use the standard container logging mechanism.
-The same applies for the [Cilium Pods](https://docs.cilium.io/en/latest/operations/troubleshooting/#logs).
-
-You can collect logs from within the cluster via tools such as [Fluentd](https://github.com/fluent/fluentd), [Loki](https://github.com/grafana/loki), or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-## Traces
-
-Modern systems are implemented as interconnected complex and distributed microservices. Understanding request flows and system communications is challenging, mainly because all systems in a chain need to be modified to propagate tracing information. Distributed tracing is a new approach to increasing observability and understanding performance bottlenecks. A trace represents consecutive events that reflect an end-to-end request path in a distributed system.
-
-Constellation supports [traces for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-traces/).
-By default, they're disabled and need to be enabled first.
-
-Similarly, Cilium can be enabled to [export traces](https://cilium.io/use-cases/metrics-export/).
-
-You can collect these traces via tools such as [Jaeger](https://www.jaegertracing.io/) or [Zipkin](https://zipkin.io/).
-
-## Integrations
-
-Platforms and SaaS solutions such as Datadog, logz.io, Dynatrace, or New Relic facilitate the observability challenge for Kubernetes and provide all-in-one SaaS solutions.
-They install agents into the cluster that collect metrics, logs, and tracing information and upload them into the data lake of the platform.
-Technically, the agent-based approach is compatible with Constellation, and attaching these platforms is straightforward.
-However, you need to evaluate if the exported data might violate Constellation's compliance and privacy guarantees by uploading them to a third-party platform.
diff --git a/docs/versioned_docs/version-2.21/architecture/orchestration.md b/docs/versioned_docs/version-2.21/architecture/orchestration.md
deleted file mode 100644
index 3c8d529e7..000000000
--- a/docs/versioned_docs/version-2.21/architecture/orchestration.md
+++ /dev/null
@@ -1,83 +0,0 @@
-# Orchestrating Constellation clusters
-
-You can use the CLI to create a cluster on the supported cloud platforms.
-The CLI provisions the resources in your cloud environment and initiates the initialization of your cluster.
-It uses a set of parameters and an optional configuration file to manage your cluster installation.
-The CLI is also used for updating your cluster.
-
-## Workspaces
-
-Each Constellation cluster has an associated *workspace*.
-The workspace is where data such as the Constellation state and config files are stored.
-Each workspace is associated with a single cluster and configuration.
-The CLI stores state in the local filesystem making the current directory the active workspace.
-Multiple clusters require multiple workspaces, hence, multiple directories.
-Note that every operation on a cluster always has to be performed from the directory associated with its workspace.
-
-You may copy files from the workspace to other locations,
-but you shouldn't move or delete them while the cluster is still being used.
-The Constellation CLI takes care of managing the workspace.
-Only when a cluster was terminated, and you are sure the files aren't needed anymore, should you remove a workspace.
-
-## Cluster creation process
-
-To allow for fine-grained configuration of your cluster and cloud environment, Constellation supports an extensive configuration file with strong defaults. [Generating the configuration file](../workflows/config.md) is typically the first thing you do in the workspace.
-
-Altogether, the following files are generated during the creation of a Constellation cluster and stored in the current workspace:
-
-* a configuration file
-* a state file
-* a Base64-encoded master secret
-* [Terraform artifacts](../reference/terraform.md), stored in subdirectories
-* a Kubernetes `kubeconfig` file.
-
-After the initialization of your cluster, the CLI will provide you with a Kubernetes `kubeconfig` file.
-This file grants you access to your Kubernetes cluster and configures the [kubectl](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) tool.
-In addition, the cluster's [identifier](orchestration.md#post-installation-configuration) is returned and stored in the state file.
-
-### Creation process details
-
-1. The CLI `apply` command first creates the confidential VM (CVM) resources in your cloud environment and configures the network
-2. Each CVM boots the Constellation node image and measures every component in the boot chain
-3. The first microservice launched in each node is the [*Bootstrapper*](microservices.md#bootstrapper)
-4. The *Bootstrapper* waits until it either receives an initialization request or discovers an initialized cluster
-5. The CLI then connects to the *Bootstrapper* of a selected node, sends the configuration, and initiates the initialization of the cluster
-6. The *Bootstrapper* of **that** node [initializes the Kubernetes cluster](microservices.md#bootstrapper) and deploys the other Constellation [microservices](microservices.md) including the [*JoinService*](microservices.md#joinservice)
-7. Subsequently, the *Bootstrappers* of the other nodes discover the initialized cluster and send join requests to the *JoinService*
-8. As part of the join request each node includes an attestation statement of its boot measurements as authentication
-9. The *JoinService* verifies the attestation statements and joins the nodes to the Kubernetes cluster
-10. This process is repeated for every node joining the cluster later (e.g., through autoscaling)
-
-## Post-installation configuration
-
-Post-installation the CLI provides a configuration for [accessing the cluster using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/).
-The `kubeconfig` file provides the credentials and configuration for connecting and authenticating to the API server.
-Once configured, orchestrate the Kubernetes cluster via `kubectl`.
-
-After the initialization, the CLI will present you with a couple of tokens:
-
-* The [*master secret*](keys.md#master-secret) (stored in the `constellation-mastersecret.json` file by default)
-* The [*clusterID*](keys.md#cluster-identity) of your cluster in Base64 encoding
-
-You can read more about these values and their meaning in the guide on [cluster identity](keys.md#cluster-identity).
-
-The *master secret* must be kept secret and can be used to [recover your cluster](../workflows/recovery.md).
-Instead of managing this secret manually, you can [use your key management solution of choice](keys.md#user-managed-key-management) with Constellation.
-
-The *clusterID* uniquely identifies a cluster and can be used to [verify your cluster](../workflows/verify-cluster.md).
-
-## Upgrades
-
-Constellation images and microservices may need to be upgraded to new versions during the lifetime of a cluster.
-Constellation implements a rolling update mechanism ensuring no downtime of the control or data plane.
-You can upgrade a Constellation cluster with a single operation by using the CLI.
-For step-by-step instructions on how to do this, refer to [Upgrade your cluster](../workflows/upgrade.md).
-
-### Attestation of upgrades
-
-With every new image, corresponding measurements are released.
-During an update procedure, the CLI provides new measurements to the [JoinService](microservices.md#joinservice) securely.
-New measurements for an updated image are automatically pulled and verified by the CLI following the [supply chain security concept](attestation.md#chain-of-trust) of Constellation.
-The [attestation section](attestation.md#cluster-facing-attestation) describes in detail how these measurements are then used by the JoinService for the attestation of nodes.
-
-
diff --git a/docs/versioned_docs/version-2.21/architecture/overview.md b/docs/versioned_docs/version-2.21/architecture/overview.md
deleted file mode 100644
index 386f93b2f..000000000
--- a/docs/versioned_docs/version-2.21/architecture/overview.md
+++ /dev/null
@@ -1,30 +0,0 @@ -# Overview - -Constellation is a cloud-based confidential orchestration platform. -The foundation of Constellation is Kubernetes and therefore shares the same technology stack and architecture principles. -To learn more about Constellation and Kubernetes, see [product overview](../overview/product.md). - -## About orchestration and updates - -As a cluster administrator, you can use the [Constellation CLI](orchestration.md) to install and deploy a cluster. -Updates are provided in accordance with the [support policy](versions.md). - -## About microservices and attestation - -Constellation manages the nodes and network in your cluster. All nodes are bootstrapped by the [*Bootstrapper*](microservices.md#bootstrapper). They're verified and authenticated by the [*JoinService*](microservices.md#joinservice) before being added to the cluster and the network. Finally, the entire cluster can be verified via the [*VerificationService*](microservices.md#verificationservice) using [remote attestation](attestation.md). - -## About node images and verified boot - -Constellation comes with operating system images for Kubernetes control-plane and worker nodes. -They're highly optimized for running containerized workloads and specifically prepared for running inside confidential VMs. -You can learn more about [the images](images.md) and how verified boot ensures their integrity during boot and beyond. - -## About key management and cryptographic primitives - -Encryption of data at-rest, in-transit, and in-use is the fundamental building block for confidential computing and Constellation. Learn more about the [keys and cryptographic primitives](keys.md) used in Constellation, [encrypted persistent storage](encrypted-storage.md), and [network encryption](networking.md). - -## About observability - -Observability in Kubernetes refers to the capability to troubleshoot issues using telemetry signals such as logs, metrics, and traces. 
-In the realm of Confidential Computing, it's crucial that observability aligns with confidentiality, necessitating careful implementation. -Learn more about the [observability capabilities in Constellation](./observability.md). diff --git a/docs/versioned_docs/version-2.21/architecture/versions.md b/docs/versioned_docs/version-2.21/architecture/versions.md deleted file mode 100644 index 9acc866ed..000000000 --- a/docs/versioned_docs/version-2.21/architecture/versions.md +++ /dev/null @@ -1,21 +0,0 @@ -# Versions and support policy - -All components of Constellation use a three-digit version number of the form `v..`. -The components are released in lock step, usually on the first Tuesday of every month. This release primarily introduces new features, but may also include security or performance improvements. The `MINOR` version will be incremented as part of this release. - -Additional `PATCH` releases may be created on demand, to fix security issues or bugs before the next `MINOR` release window. - -New releases are published on [GitHub](https://github.com/edgelesssys/constellation/releases). - -## Kubernetes support policy - -Constellation is aligned to the [version support policy of Kubernetes](https://kubernetes.io/releases/version-skew-policy/#supported-versions), and therefore usually supports the most recent three minor versions. -When a new minor version of Kubernetes is released, support is added to the next Constellation release, and that version then supports four Kubernetes versions. -Subsequent Constellation releases drop support for the oldest (and deprecated) Kubernetes version. - -The following Kubernetes versions are currently supported: - - -* v1.29.14 -* v1.30.10 -* v1.31.6 diff --git a/docs/versioned_docs/version-2.21/getting-started/examples.md b/docs/versioned_docs/version-2.21/getting-started/examples.md deleted file mode 100644 index fded84980..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/examples.md +++ /dev/null 
@@ -1,6 +0,0 @@ -# Examples - -After you [installed the CLI](install.md) and [created your first cluster](first-steps.md), you're ready to deploy applications. Why not start with one of the following examples? -* [Emojivoto](examples/emojivoto.md): a simple but fun web application -* [Online Boutique](examples/online-boutique.md): an e-commerce demo application by Google consisting of 11 separate microservices -* [Horizontal Pod Autoscaling](examples/horizontal-scaling.md): an example demonstrating Constellation's autoscaling capabilities diff --git a/docs/versioned_docs/version-2.21/getting-started/examples/emojivoto.md b/docs/versioned_docs/version-2.21/getting-started/examples/emojivoto.md deleted file mode 100644 index 2bbe27917..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/examples/emojivoto.md +++ /dev/null @@ -1,22 +0,0 @@ -# Emojivoto -[Emojivoto](https://github.com/BuoyantIO/emojivoto) is a simple and fun application that's well suited to test the basic functionality of your cluster. - - - -emojivoto - Web UI - - - -1. Deploy the application: - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` -2. Wait until it becomes available: - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - ``` -3. Forward the web service to your machine: - ```bash - kubectl -n emojivoto port-forward svc/web-svc 8080:80 - ``` -4. Visit [http://localhost:8080](http://localhost:8080) diff --git a/docs/versioned_docs/version-2.21/getting-started/examples/filestash-s3proxy.md b/docs/versioned_docs/version-2.21/getting-started/examples/filestash-s3proxy.md deleted file mode 100644 index b9a394256..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/examples/filestash-s3proxy.md +++ /dev/null 
@@ -1,107 +0,0 @@ - -# Deploying Filestash - -Filestash is a web frontend for different storage backends, including S3. -It's a useful application to showcase s3proxy in action. - -1. Deploy s3proxy as described in [Deployment](../../workflows/s3proxy.md#deployment). -2. Create a deployment file for Filestash with one pod: - -```sh -cat << EOF > "deployment-filestash.yaml" -apiVersion: apps/v1 -kind: Deployment -metadata: - name: filestash -spec: - replicas: 1 - selector: - matchLabels: - app: filestash - template: - metadata: - labels: - app: filestash - spec: - hostAliases: - - ip: $(kubectl get svc s3proxy-service -o=jsonpath='{.spec.clusterIP}') - hostnames: - - "s3.us-east-1.amazonaws.com" - - "s3.us-east-2.amazonaws.com" - - "s3.us-west-1.amazonaws.com" - - "s3.us-west-2.amazonaws.com" - - "s3.eu-north-1.amazonaws.com" - - "s3.eu-south-1.amazonaws.com" - - "s3.eu-south-2.amazonaws.com" - - "s3.eu-west-1.amazonaws.com" - - "s3.eu-west-2.amazonaws.com" - - "s3.eu-west-3.amazonaws.com" - - "s3.eu-central-1.amazonaws.com" - - "s3.eu-central-2.amazonaws.com" - - "s3.ap-northeast-1.amazonaws.com" - - "s3.ap-northeast-2.amazonaws.com" - - "s3.ap-northeast-3.amazonaws.com" - - "s3.ap-east-1.amazonaws.com" - - "s3.ap-southeast-1.amazonaws.com" - - "s3.ap-southeast-2.amazonaws.com" - - "s3.ap-southeast-3.amazonaws.com" - - "s3.ap-southeast-4.amazonaws.com" - - "s3.ap-south-1.amazonaws.com" - - "s3.ap-south-2.amazonaws.com" - - "s3.me-south-1.amazonaws.com" - - "s3.me-central-1.amazonaws.com" - - "s3.il-central-1.amazonaws.com" - - "s3.af-south-1.amazonaws.com" - - "s3.ca-central-1.amazonaws.com" - - "s3.sa-east-1.amazonaws.com" - containers: - - name: filestash - image: machines/filestash:latest - ports: - - containerPort: 8334 - volumeMounts: - - name: ca-cert - mountPath: /etc/ssl/certs/kube-ca.crt - subPath: kube-ca.crt - volumes: - - name: ca-cert - secret: - secretName: s3proxy-tls - items: - - key: ca.crt - path: kube-ca.crt -EOF -``` - -The pod spec includes the 
`hostAliases` key, which adds an entry to the pod's `/etc/hosts`. -The entry forwards all requests for any of the currently defined AWS regions to the Kubernetes service `s3proxy-service`. -If you followed the s3proxy [Deployment](../../workflows/s3proxy.md#deployment) guide, this service points to a s3proxy pod. - -The deployment specifies all regions explicitly to prevent accidental data leaks. -If one of your buckets were located in a region that's not part of the `hostAliases` key, traffic towards those buckets would not be redirected to s3proxy. -Similarly, if you want to exclude data for specific regions from going through s3proxy you can remove those regions from the deployment. - -The spec also includes a volume mount for the TLS certificate and adds it to the pod's certificate trust store. -The volume is called `ca-cert`. -The key `ca.crt` of that volume is mounted to `/etc/ssl/certs/kube-ca.crt`, which is the default certificate trust store location for that container's OpenSSL library. -Not adding the CA certificate will result in TLS authentication errors. - -3. Apply the file: `kubectl apply -f deployment-filestash.yaml` - -Afterward, you can use a port forward to access the Filestash pod: -`kubectl port-forward pod/$(kubectl get pod --selector='app=filestash' -o=jsonpath='{.items[*].metadata.name}') 8334:8334` - -4. After browsing to `localhost:8443`, Filestash will ask you to set an administrator password. -After setting it, you can directly leave the admin area by clicking the blue cloud symbol in the top left corner. -Subsequently, you can select S3 as storage backend and enter your credentials. -This will bring you to an overview of your buckets. -If you want to deploy Filestash in production, take a look at its [documentation](https://www.filestash.app/docs/). - -5. 
To see the logs of s3proxy intercepting requests made to S3, run: `kubectl logs -f pod/$(kubectl get pod --selector='app=s3proxy' -o=jsonpath='{.items[*].metadata.name}')` -Look out for log messages labeled `intercepting`. -There is one such log message for each message that's encrypted, decrypted, or blocked. - -6. Once you have uploaded a file with Filestash, you should be able to view the file in Filestash. -However, if you go to the AWS S3 [Web UI](https://s3.console.aws.amazon.com/s3/home) and download the file you just uploaded in Filestash, you won't be able to read it. -Another way to spot encrypted files without downloading them is to click on a file, scroll to the Metadata section, and look for the header named `x-amz-meta-constellation-encryption`. -This header holds the encrypted data encryption key of the object and is only present on objects that are encrypted by s3proxy. diff --git a/docs/versioned_docs/version-2.21/getting-started/examples/horizontal-scaling.md b/docs/versioned_docs/version-2.21/getting-started/examples/horizontal-scaling.md deleted file mode 100644 index dfaf9e742..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/examples/horizontal-scaling.md +++ /dev/null 
@@ -1,98 +0,0 @@ -# Horizontal Pod Autoscaling -This example demonstrates Constellation's autoscaling capabilities. It's based on the Kubernetes [HorizontalPodAutoscaler Walkthrough](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/). During the following steps, Constellation will spawn new VMs on demand, verify them, add them to the cluster, and delete them again when the load has settled down. - -## Requirements -The cluster needs to be initialized with Kubernetes 1.23 or later. In addition, [autoscaling must be enabled](../../workflows/scale.md) to enable Constellation to assign new nodes dynamically. - -Just for this example specifically, the cluster should have as few worker nodes in the beginning as possible. Start with a small cluster with only *one* low-powered node for the control-plane node and *one* low-powered worker node. - -:::info -We tested the example using instances of types `Standard_DC4as_v5` on Azure and `n2d-standard-4` on GCP. -::: - -## Setup - -1. Install the Kubernetes Metrics Server: - ```bash - kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - ``` - -2. Deploy the HPA example server that's supposed to be scaled under load. - - This manifest is similar to the one from the Kubernetes HPA walkthrough, but with increased CPU limits and requests to facilitate the triggering of node scaling events. - ```bash - cat < - -Online Boutique - Web UI - - - -1. Create a namespace: - ```bash - kubectl create ns boutique - ``` -2. Deploy the application: - ```bash - kubectl apply -n boutique -f https://github.com/GoogleCloudPlatform/microservices-demo/raw/main/release/kubernetes-manifests.yaml - ``` -3. Wait for all services to become available: - ```bash - kubectl wait --for=condition=available --timeout=300s -n boutique --all deployments - ``` -4. 
Get the frontend's external IP address: - ```shell-session - $ kubectl get service frontend-external -n boutique | awk '{print $4}' - EXTERNAL-IP - - ``` - (`` is a placeholder for the IP assigned by your CSP.) -5. Enter the IP from the result in your browser to browse the online shop. diff --git a/docs/versioned_docs/version-2.21/getting-started/first-steps-local.md b/docs/versioned_docs/version-2.21/getting-started/first-steps-local.md deleted file mode 100644 index 98f0302de..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/first-steps-local.md +++ /dev/null 
@@ -1,277 +0,0 @@ -# First steps with a local cluster - -A local cluster lets you deploy and test Constellation without a cloud subscription. -You have two options: - -* Use MiniConstellation to automatically deploy a two-node cluster. -* For more fine-grained control, create the cluster using the QEMU provider. - -Both options use virtualization to create a local cluster with control-plane nodes and worker nodes. They **don't** require hardware with Confidential VM (CVM) support. For attestation, they currently use a software-based vTPM provided by KVM/QEMU. - -You need an x64 machine with a Linux OS. -You can use a VM, but it needs nested virtualization. - -## Prerequisites - -* Machine requirements: - * An x86-64 CPU with at least 4 cores (6 cores are recommended) - * At least 4 GB RAM (6 GB are recommended) - * 20 GB of free disk space - * Hardware virtualization enabled in the BIOS/UEFI (often referred to as Intel VT-x or AMD-V/SVM) / nested-virtualization support when using a VM -* Software requirements: - * Linux OS with [KVM kernel module](https://www.linux-kvm.org/page/Main_Page) - * Recommended: Ubuntu 22.04 LTS - * [Docker](https://docs.docker.com/engine/install/) - * [xsltproc](https://gitlab.gnome.org/GNOME/libxslt/-/wikis/home) - * (Optional) [virsh](https://www.libvirt.org/manpages/virsh.html) to observe and access your nodes - -### Software installation on Ubuntu - -```bash -# install Docker -curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null -sudo apt update -sudo apt install docker-ce -# install other dependencies -sudo apt install xsltproc -sudo snap install kubectl --classic -# install Constellation CLI -curl -LO 
https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -sudo install constellation-linux-amd64 /usr/local/bin/constellation -# do not drop forwarded packages -sudo iptables -P FORWARD ACCEPT -``` - -## Create a cluster - - - - - -With the `constellation mini` command, you can deploy and test Constellation locally. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/). - - -:::caution - -MiniConstellation has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since MiniConstellation runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -The following creates your MiniConstellation cluster (may take up to 10 minutes to complete): - -```bash -constellation mini up -``` - -This will configure your current directory as the [workspace](../architecture/orchestration.md#workspaces) for this cluster. -All `constellation` commands concerning this cluster need to be issued from this directory. - - - - -With the QEMU provider, you can create a local Constellation cluster as if it were in the cloud. The provider uses [QEMU](https://www.qemu.org/) to create multiple VMs for the cluster nodes, which interact with each other. - -:::caution - -Constellation on QEMU has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since Constellation on QEMU runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -1. 
To set up your local cluster, you need to create a configuration file for Constellation first. - - ```bash - constellation config generate qemu - ``` - - This creates a [configuration file](../workflows/config.md) for QEMU called `constellation-conf.yaml`. After that, your current folder also becomes your [workspace](../architecture/orchestration.md#workspaces). All `constellation` commands for your cluster need to be executed from this directory. - -2. Now you can create your cluster and its nodes. `constellation apply` uses the options set in `constellation-conf.yaml`. - - ```bash - constellation apply -y - ``` - - The Output should look like the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type 2-vCPUs will be created. - 1 worker node of type 2-vCPUs will be created. - Creating - Cloud infrastructure created successfully. - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your setup, `constellation apply` may take 10+ minutes to complete. - - ::: - -3. 
Configure kubectl - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - - - -## Connect to the cluster - -Your cluster initially consists of a single control-plane node: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 66s v1.24.6 -``` - -Additional nodes will request to join the cluster shortly. Before each additional node is allowed to join the cluster, its state is verified using remote attestation by the [JoinService](../architecture/microservices.md#joinservice). -If verification passes successfully, the new node receives keys and certificates to join the cluster. - -You can follow this process by viewing the logs of the JoinService: - -```shell-session -$ kubectl logs -n kube-system daemonsets/join-service -f -{"level":"INFO","ts":"2022-10-14T09:32:20Z","caller":"cmd/main.go:48","msg":"Constellation Node Join Service","version":"2.1.0","cloudProvider":"qemu"} -{"level":"INFO","ts":"2022-10-14T09:32:20Z","logger":"validator","caller":"watcher/validator.go:96","msg":"Updating expected measurements"} -... -``` - -Once all nodes have joined your cluster, it may take a couple of minutes for all resources to become available. -You can check on the state of your cluster by running the following: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 2m59s v1.24.6 -worker-0 Ready 32s v1.24.6 -``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation mini down -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -## Troubleshooting - -Make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### VMs have no internet access / CLI remains in "Initializing cluster" state - -`iptables` rules may prevent your VMs from accessing the internet. -Make sure your rules aren't dropping forwarded packages. 
- -List your rules: - -```bash -sudo iptables -S -``` - -The output may look similar to the following: - -```shell-session --P INPUT ACCEPT --P FORWARD DROP --P OUTPUT ACCEPT --N DOCKER --N DOCKER-ISOLATION-STAGE-1 --N DOCKER-ISOLATION-STAGE-2 --N DOCKER-USER -``` - -If your `FORWARD` chain is set to `DROP`, you need to update your rules: - -```bash -sudo iptables -P FORWARD ACCEPT -``` diff --git a/docs/versioned_docs/version-2.21/getting-started/first-steps.md b/docs/versioned_docs/version-2.21/getting-started/first-steps.md deleted file mode 100644 index 2afe95635..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/first-steps.md +++ /dev/null 
@@ -1,235 +0,0 @@ -# First steps with Constellation - -The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully [installed and set up Constellation](install.md), -and have access to a cloud subscription. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -:::note -If you encounter any problem with the following steps, make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). -::: - -## Create a cluster - -1. Create the [configuration file](../workflows/config.md) and state file for your cloud provider. If you are following the steps of this guide, there is no need to edit the file. - - - - - ```bash - constellation config generate aws - ``` - - - - - ```bash - constellation config generate azure - ``` - - - - - ```bash - constellation config generate gcp - ``` - - - - - ```bash - constellation config generate stackit - ``` - - - - -2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration). - - - - - ```bash - constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config - ``` - - This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Depending on the attestation variant selected on config generation, different regions are available. 
- AMD SEV-SNP machines (requires the default attestation variant `awsSEVSNP`) are currently available in the following regions: - * `eu-west-1` - * `us-east-2` - - You can find a list of regions that support AMD SEV-SNP in [AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). - - NitroTPM machines (requires the attestation variant `awsNitroTPM`) are available in all regions. - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - - - - - ```bash - constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config - ``` - - This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - - - - - ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config - ``` - - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. - - - - - To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md). - After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`: - - * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud)) - - :::caution - - `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. - - ::: - - - - - :::tip - To learn about all options you have for managing IAM resources and Constellation configuration, see the [Configuration workflow](../workflows/config.md). - ::: - - - -3. Create the cluster. `constellation apply` uses options set in `constellation-conf.yaml`. 
- If you want to manually manage your cloud resources, for example by using [Terraform](../reference/terraform.md), follow the corresponding instructions in the [Create workflow](../workflows/create.md). - - :::tip - - On Azure, you may need to wait 15+ minutes at this point for role assignments to propagate. - - ::: - - ```bash - constellation apply -y - ``` - - This should look similar to the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type n2d-standard-4 will be created. - 1 worker node of type n2d-standard-4 will be created. - Creating - Cloud infrastructure created successfully - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your CSP and region, `constellation apply` may take 10+ minutes to complete. - - ::: - -4. Configure kubectl. - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - -Use the CLI to terminate your cluster. If you manually used [Terraform](../reference/terraform.md) to manage your cloud resources, follow the corresponding instructions in the [Terminate workflow](../workflows/terminate.md). - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -Optionally, you can also [delete your IAM resources](../workflows/config.md#deleting-an-iam-configuration). diff --git a/docs/versioned_docs/version-2.21/getting-started/install.md b/docs/versioned_docs/version-2.21/getting-started/install.md deleted file mode 100644 index f7b36770a..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/install.md +++ /dev/null 
@@ -1,439 +0,0 @@ -# Installation and setup - -Constellation runs entirely in your cloud environment and can be controlled via a dedicated [command-line interface (CLI)](../reference/cli.md) or a [Terraform provider](../workflows/terraform-provider.md). - -## Prerequisites - -Make sure the following requirements are met: - -* Your machine is running Linux, macOS, or Windows -* You have admin rights on your machine -* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT - -## Install the Constellation CLI - -:::tip - -If you prefer to use Terraform, you can alternatively use the [Terraform provider](../workflows/terraform-provider.md) to manage the cluster's lifecycle. - -::: - -The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases). -Install it with the following commands: - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-amd64 /usr/local/bin/constellation -``` - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-arm64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-arm64 /usr/local/bin/constellation -``` - - - - - -1. 
Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-amd64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -Invoke-WebRequest -OutFile ./constellation.exe -Uri 'https://github.com/edgelesssys/constellation/releases/latest/download/constellation-windows-amd64.exe' -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI under `C:\Program Files\Constellation\bin\constellation.exe` - -3. Add the CLI to your PATH: - - 1. Open `Advanced system settings` by searching for the App in the Windows search - 2. Go to the `Advanced` tab - 3. Click `Environment Variables…` - 4. Click variable called `Path` and click `Edit…` - 5. Click `New` - 6. Enter the path to the folder containing the binary you want on your PATH: `C:\Program Files\Constellation\bin` - - - - -:::tip -The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps. -::: - -## Set up cloud credentials - -Constellation makes authenticated calls to the CSP API. Therefore, you need to set up Constellation with the credentials for your CSP. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -### Required permissions - - - - -To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "iam:AddRoleToInstanceProfile", - "iam:AttachRolePolicy", - "iam:CreateInstanceProfile", - "iam:CreatePolicy", - "iam:CreateRole", - "iam:DeleteInstanceProfile", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DetachRolePolicy", - "iam:GetInstanceProfile", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfilesForRole", - "iam:ListPolicyVersions", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:RemoveRoleFromInstanceProfile", - "sts:GetCallerIdentity" - ], - "Resource": "*" - } - ] -} -``` - -The built-in `AdministratorAccess` policy is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf). - -The built-in `PowerUserAccess` policy is a superset of these permissions. - -Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). - - - - -The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription: - -* `Microsoft.Attestation` -* `Microsoft.Compute` -* `Microsoft.Insights` -* `Microsoft.ManagedIdentity` -* `Microsoft.Network` - -By default, Constellation tries to register these automatically if they haven't been registered before. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `*/register/action` \[1] -* `Microsoft.Authorization/roleAssignments/*` -* `Microsoft.Authorization/roleDefinitions/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Resources/subscriptions/resourcegroups/*` - -The built-in `Owner` role is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `Microsoft.Attestation/attestationProviders/*` -* `Microsoft.Compute/virtualMachineScaleSets/*` -* `Microsoft.Insights/components/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Network/loadBalancers/*` -* `Microsoft.Network/loadBalancers/backendAddressPools/*` -* `Microsoft.Network/networkSecurityGroups/*` -* `Microsoft.Network/publicIPAddresses/*` -* `Microsoft.Network/virtualNetworks/*` -* `Microsoft.Network/virtualNetworks/subnets/*` -* `Microsoft.Network/natGateways/*` - -The built-in `Contributor` role is a superset of these permissions. - -Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions) and [assigning roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments). - -1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration. - - - - -Create a new project for Constellation or use an existing one. -Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `iam.serviceAccountKeys.create` -* `iam.serviceAccountKeys.delete` -* `iam.serviceAccountKeys.get` -* `iam.serviceAccounts.create` -* `iam.serviceAccounts.delete` -* `iam.serviceAccounts.get` -* `resourcemanager.projects.getIamPolicy` -* `resourcemanager.projects.setIamPolicy` - -Together, the built-in roles `roles/editor` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `compute.addresses.createInternal` -* `compute.addresses.deleteInternal` -* `compute.addresses.get` -* `compute.addresses.useInternal` -* `compute.backendServices.create` -* `compute.backendServices.delete` -* `compute.backendServices.get` -* `compute.backendServices.use` -* `compute.disks.create` -* `compute.firewalls.create` -* `compute.firewalls.delete` -* `compute.firewalls.get` -* `compute.firewalls.update` -* `compute.globalAddresses.create` -* `compute.globalAddresses.delete` -* `compute.globalAddresses.get` -* `compute.globalAddresses.use` -* `compute.globalForwardingRules.create` -* `compute.globalForwardingRules.delete` -* `compute.globalForwardingRules.get` -* `compute.globalForwardingRules.setLabels` -* `compute.globalOperations.get` -* `compute.healthChecks.create` -* `compute.healthChecks.delete` -* `compute.healthChecks.get` -* `compute.healthChecks.useReadOnly` -* `compute.instanceGroupManagers.create` -* `compute.instanceGroupManagers.delete` -* `compute.instanceGroupManagers.get` -* `compute.instanceGroupManagers.update` -* `compute.instanceGroups.create` -* `compute.instanceGroups.delete` -* `compute.instanceGroups.get` -* `compute.instanceGroups.update` -* `compute.instanceGroups.use` -* `compute.instances.create` -* `compute.instances.setLabels` -* `compute.instances.setMetadata` -* 
`compute.instances.setTags` -* `compute.instanceTemplates.create` -* `compute.instanceTemplates.delete` -* `compute.instanceTemplates.get` -* `compute.instanceTemplates.useReadOnly` -* `compute.networks.create` -* `compute.networks.delete` -* `compute.networks.get` -* `compute.networks.updatePolicy` -* `compute.routers.create` -* `compute.routers.delete` -* `compute.routers.get` -* `compute.routers.update` -* `compute.subnetworks.create` -* `compute.subnetworks.delete` -* `compute.subnetworks.get` -* `compute.subnetworks.use` -* `compute.targetTcpProxies.create` -* `compute.targetTcpProxies.delete` -* `compute.targetTcpProxies.get` -* `compute.targetTcpProxies.use` -* `iam.serviceAccounts.actAs` - -Together, the built-in roles `roles/editor`, `roles/compute.instanceAdmin` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access). - - - - -Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account. -The UAT already has all required permissions by default. -The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers. -Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role. - - - - -### Authentication - -You need to authenticate with your CSP. The following lists the required steps for *testing* and *production* environments. - -:::note -The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps. -::: - - - - -**Testing** - -You can use the [AWS CloudShell](https://console.aws.amazon.com/cloudshell/home). 
Make sure you are [authorized to use it](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html). - -**Production** - -Use the latest version of the [AWS CLI](https://aws.amazon.com/cli/) on a trusted machine: - -```bash -aws configure -``` - -Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html). - - - - -**Testing** - -Simply open the [Azure Cloud Shell](https://docs.microsoft.com/en-us/azure/cloud-shell/overview). - -**Production** - -Use the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) on a trusted machine: - -```bash -az login -``` - -Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli). - - - - -**Testing** - -You can use the [Google Cloud Shell](https://cloud.google.com/shell). Make sure your [session is authorized](https://cloud.google.com/shell/docs/auth). For example, execute `gsutil` and accept the authorization prompt. - -**Production** - -Use one of the following options on a trusted machine: - -* Use the [`gcloud` CLI](https://cloud.google.com/sdk/gcloud) - - ```bash - gcloud auth application-default login - ``` - - This will ask you to log-in to your Google account and create your credentials. - The Constellation CLI will automatically load these credentials when needed. - -* Set up a service account and pass the credentials manually - - Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials. - - - - -You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API). - -1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API -2. 
Create a configuration file with the credentials from the User Access Token under: - * Linux: `~/.config/openstack/clouds.yaml` - * macOS: `/Users//Library/Application Support/openstack/clouds.yaml` or `/etc/openstack/clouds.yaml` - * Windows: `%AppData%\openstack\clouds.yaml` - - - ```yaml - clouds: - stackit: - auth: - auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3 - username: REPLACE_WITH_UAT_USERNAME - password: REPLACE_WITH_UAT_PASSWORD - project_id: REPLACE_WITH_OPENSTACK_PROJECT_ID - project_name: REPLACE_WITH_STACKIT_PROJECT_NAME - user_domain_name: portal_mvp - project_domain_name: portal_mvp - region_name: RegionOne - identity_api_version: 3 - ``` - -:::caution - -`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file. - -::: - -3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token -4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) -5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows) - - ```json - {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"} - ``` - - - - - -## Next steps - -You are now ready to [deploy your first confidential Kubernetes cluster and application](first-steps.md). diff --git a/docs/versioned_docs/version-2.21/getting-started/marketplaces.md b/docs/versioned_docs/version-2.21/getting-started/marketplaces.md deleted file mode 100644 index a6763a42a..000000000 --- a/docs/versioned_docs/version-2.21/getting-started/marketplaces.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# Using Constellation via Cloud Marketplaces - -Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). - -This document explains how to run Constellation with the dynamically billed cloud marketplace images. - - - - -To use Constellation's marketplace images, ensure that you are subscribed to the [marketplace offering](https://aws.amazon.com/marketplace/pp/prodview-2mbn65nv57oys) through the web portal. - -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.aws.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) to gain access. - -To use a marketplace image, you need to accept the marketplace image's terms once for your subscription with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest): - -```bash -az vm image terms accept --publisher edgelesssystems --offer constellation --plan constellation -``` - -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.azure.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -To use a marketplace image, ensure that the account is entitled to use marketplace images by Edgeless Systems by accepting the terms through the [web portal](https://console.cloud.google.com/marketplace/vm/config/edgeless-systems-public/constellation). 
- -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal. - - - - -Ensure that the cluster uses an official release image version (i.e., `.image=vX.Y.Z` in the `constellation-conf.yaml` file). - -From there, you can proceed with the [cluster creation](../workflows/create.md) as usual. diff --git a/docs/versioned_docs/version-2.21/intro.md b/docs/versioned_docs/version-2.21/intro.md deleted file mode 100644 index 0bfe86da9..000000000 --- a/docs/versioned_docs/version-2.21/intro.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -slug: / -id: intro ---- -# Introduction - -Welcome to the documentation of Constellation! Constellation is a Kubernetes engine that aims to provide the best possible data security. - -![Constellation concept](/img/concept.svg) - - Constellation shields your entire Kubernetes cluster from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages a technology called *confidential computing* and more specifically Confidential VMs. - -:::tip -See the 📄[whitepaper](https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf) for more information on confidential computing. -::: - -## Goals - -From a security perspective, Constellation is designed to keep all data always encrypted and to prevent any access from the underlying (cloud) infrastructure. This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure. Such attackers could be malicious co-tenants escalating their privileges or hackers who managed to compromise a cloud server. - -From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern Kubernetes engine. - -## Use cases - -Constellation provides unique security [features](overview/confidential-kubernetes.md) and [benefits](overview/security-benefits.md). The core use cases are: - -* Increasing the overall security of your clusters -* Increasing the trustworthiness of your SaaS offerings -* Moving sensitive workloads from on-prem to the cloud -* Meeting regulatory requirements - -## Next steps - -You can learn more about the concept of Confidential Kubernetes, features, security benefits, and performance of Constellation in the *Basics* section. To jump right into the action head to *Getting started*. 
diff --git a/docs/versioned_docs/version-2.21/overview/clouds.md b/docs/versioned_docs/version-2.21/overview/clouds.md deleted file mode 100644 index b2695d28e..000000000 --- a/docs/versioned_docs/version-2.21/overview/clouds.md +++ /dev/null 
@@ -1,66 +0,0 @@ -# Feature status of clouds - -What works on which cloud? Currently, Confidential VMs (CVMs) are available in varying quality on the different clouds and software stacks. - -For Constellation, the ideal environment provides the following: - -1. Ability to run arbitrary software and images inside CVMs -2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or Intel TDX (available in Xeon CPUs since the Sapphire Rapids generation) -3. Ability for CVM guests to obtain raw hardware attestation statements -4. Reviewable, open-source firmware inside CVMs -5. Capability of the firmware to attest the integrity of the code it passes control to, e.g., with an embedded virtual TPM (vTPM) - -(1) is a functional must-have. (2)--(5) are required for remote attestation that fully keeps the infrastructure/cloud out. Constellation can work without them or with approximations, but won't protect against certain privileged attackers anymore. - -The following table summarizes the state of features for different infrastructures. - -| **Feature** | **AWS** | **Azure** | **GCP** | **STACKIT** | **OpenStack (Yoga)** | -|-----------------------------------|---------|-----------|---------|--------------|----------------------| -| **1. Custom images** | Yes | Yes | Yes | Yes | Yes | -| **2. SEV-SNP or TDX** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **3. Raw guest attestation** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **4. Reviewable firmware** | Yes | No* | No | No | Depends on kernel/HV | -| **5. Confidential measured boot** | No | Yes | No | No | Depends on kernel/HV | - -## Amazon Web Services (AWS) - -Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/). -Regarding (3), AWS provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by the Nitro hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the [firmware is open source](https://github.com/aws/uefi) and can be reproducibly built. - -## Microsoft Azure - -With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation. -Regarding (3), Azure provides direct access to attestation statements. -The firmware runs in an isolated domain inside the CVM and exposes a vTPM (5), but it's closed source (4). -On SEV-SNP, Azure uses VM Privilege Level (VMPL) isolation for the separation of firmware and the rest of the VM; on TDX, they use TD partitioning. -This firmware is signed by Azure. -The signature is reflected in the attestation statements of CVMs. -Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB). - -\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future. - -## Google Cloud Platform (GCP) - -The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP. -Regarding (3), with their SEV-SNP offering Google provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the CVMs still include closed-source firmware. - -[TDX on Google](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense) is in public preview. -With it, Constellation would have a similar TCB and attestation flow as with the current SEV-SNP offering. - -## STACKIT - -[STACKIT Compute Engine](https://www.stackit.de/en/product/stackit-compute-engine/) supports AMD SEV-ES. A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB. - -## OpenStack - -OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation. - -## Conclusion - -The different clouds and software like the Linux kernel and OpenStack are in the process of building out their support for state-of-the-art CVMs. Azure has already most features in place. For Constellation, the status quo means that the TCB has different shapes on different infrastructures. With broad SEV-SNP support coming to the Linux kernel, we soon expect a normalization of features across infrastructures. 
diff --git a/docs/versioned_docs/version-2.21/overview/confidential-kubernetes.md b/docs/versioned_docs/version-2.21/overview/confidential-kubernetes.md deleted file mode 100644 index bff8c3322..000000000 --- a/docs/versioned_docs/version-2.21/overview/confidential-kubernetes.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# Confidential Kubernetes - -We use the term *Confidential Kubernetes* to refer to the concept of using confidential-computing technology to shield entire Kubernetes clusters from the infrastructure. The three defining properties of this concept are: - -1. **Workload shielding**: the confidentiality and integrity of all workload-related data and code are enforced. -2. **Control plane shielding**: the confidentiality and integrity of the cluster's control plane, state, and workload configuration are enforced. -3. **Attestation and verifiability**: the two properties above can be verified remotely based on hardware-rooted cryptographic certificates. - -Each of the above properties is equally important. Only with all three in conjunction, an entire cluster can be shielded without gaps. - -## Constellation security features - -Constellation implements the Confidential Kubernetes concept with the following security features. - -* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster. -* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime. -* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs. -* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster. 
-* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.) -* **"Whole cluster" attestation**: Towards the DevOps engineer, Constellation provides a single hardware-rooted certificate from which all of the above can be verified. - -With the above, Constellation wraps an entire cluster into one coherent and verifiable *confidential context*. The concept is depicted in the following. - -![Confidential Kubernetes](../_media/concept-constellation.svg) - -## Comparison: Managed Kubernetes with CVMs - -In comparison, managed Kubernetes with CVMs, as it's for example offered in [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) and [GKE](https://cloud.google.com/kubernetes-engine), only provides runtime encryption for certain worker nodes. Here, each worker node is a separate (and typically unverified) confidential context. This only provides limited security benefits as it only prevents direct access to a worker node's memory. The large majority of potential attacks through the infrastructure remain unaffected. This includes attacks through the control plane, access to external key management, and the corruption of worker node images. This leaves many problems unsolved. For instance, *Node A* has no means to verify if *Node B* is "good" and if it's OK to share data with it. Consequently, this approach leaves a large attack surface, as is depicted in the following. - -![Concept: Managed Kubernetes plus CVMs](../_media/concept-managed.svg) - -The following table highlights the key differences in terms of features. 
- -| | Managed Kubernetes with CVMs | Confidential Kubernetes (Constellation✨) | -|-------------------------------------|------------------------------|--------------------------------------------| -| Runtime encryption | Partial (data plane only)| **Yes** | -| Node image verification | No | **Yes** | -| Full cluster attestation | No | **Yes** | -| Transparent network encryption | No | **Yes** | -| Transparent storage encryption | No | **Yes** | -| Confidential key management | No | **Yes** | -| Cloud agnostic / multi-cloud | No | **Yes** | diff --git a/docs/versioned_docs/version-2.21/overview/license.md b/docs/versioned_docs/version-2.21/overview/license.md deleted file mode 100644 index 34122c025..000000000 --- a/docs/versioned_docs/version-2.21/overview/license.md +++ /dev/null 
@@ -1,33 +0,0 @@
-# License
-
-## Source code
-
-Constellation's source code is available on [GitHub](https://github.com/edgelesssys/constellation) under the [GNU Affero General Public License v3.0](https://github.com/edgelesssys/constellation/blob/main/LICENSE).
-
-## Binaries
-
-Edgeless Systems provides ready-to-use and [signed](../architecture/attestation.md#chain-of-trust) binaries of Constellation. This includes the CLI and the [node images](../architecture/images.md).
-
-These binaries may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems.
-
-The Constellation CLI displays relevant license information when you initialize your cluster. You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability.
-
-## Terraform provider
-
-Edgeless Systems provides a [Terraform provider](https://github.com/edgelesssys/terraform-provider-constellation/releases), which may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems.
-
-You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability.
-
-## Community License
-
-You are free to use the Constellation binaries provided by Edgeless Systems to create services for internal consumption, evaluation purposes, or non-commercial use. You must not use the Constellation binaries to provide commercial hosted services to third parties. Edgeless Systems gives no warranties and offers no support.
-
-## Enterprise License
-
-Enterprise Licenses don't have the above limitations and come with support and additional features.
Find out more at the [product website](https://www.edgeless.systems/products/constellation/).
-
-Once you have received your Enterprise License file, place it in your [Constellation workspace](../architecture/orchestration.md#workspaces) in a file named `constellation.license`.
-
-## CSP Marketplaces
-
-Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
diff --git a/docs/versioned_docs/version-2.21/overview/performance/application.md b/docs/versioned_docs/version-2.21/overview/performance/application.md
deleted file mode 100644
index c67d59644..000000000
--- a/docs/versioned_docs/version-2.21/overview/performance/application.md
+++ /dev/null
@@ -1,102 +0,0 @@
-# Application benchmarks
-
-## HashiCorp Vault
-
-[HashiCorp Vault](https://www.vaultproject.io/) is a distributed secrets management software that can be deployed to Kubernetes.
-HashiCorp maintains a benchmarking tool for vault, [vault-benchmark](https://github.com/hashicorp/vault-benchmark/).
-Vault-benchmark generates load on a Vault deployment and measures response times.
-
-This article describes the results from running vault-benchmark on Constellation, AKS, and GKE.
-You can find the setup for producing the data discussed in this article in the [vault-benchmarks](https://github.com/edgelesssys/vault-benchmarks) repository.
-
-The Vault API used during benchmarking is the [transits secret engine](https://developer.hashicorp.com/vault/docs/secrets/transit).
-This allows services to send data to Vault for encryption, decryption, signing, and verification.
-
-## Results
-
-On each run, vault-benchmark sends requests and measures the latencies.
-The measured latencies are aggregated through various statistical features.
-After running the benchmark n times, the arithmetic mean over a subset of the reported statistics is calculated.
-The selected features are arithmetic mean, 99th percentile, minimum, and maximum.
-
-Arithmetic mean gives a general sense of the latency on each target.
-The 99th percentile shows performance in (most likely) erroneous states.
-Minimum and maximum mark the range within which latency varies each run.
-
-The benchmark was configured with 1300 workers and 10 seconds per run.
-Those numbers were chosen empirically.
-The latency was stabilizing at 10 seconds runtime, not changing with further increase.
-Increasing the number of workers beyond 1300 leads to request failures, marking the limit Vault was able to handle in this setup.
-All results are based on 100 runs.
-
-The following data was generated while running five replicas, one primary, and four standby nodes.
-All numbers are in seconds if not indicated otherwise.
-```
-========== Results AKS ==========
-Mean: mean: 1.632200, variance: 0.002057
-P99: mean: 5.480679, variance: 2.263700
-Max: mean: 6.651001, variance: 2.808401
-Min: mean: 0.011415, variance: 0.000133
-========== Results GKE ==========
-Mean: mean: 1.656435, variance: 0.003615
-P99: mean: 6.030807, variance: 3.955051
-Max: mean: 7.164843, variance: 3.300004
-Min: mean: 0.010233, variance: 0.000111
-========== Results C11n ==========
-Mean: mean: 1.651549, variance: 0.001610
-P99: mean: 5.780422, variance: 3.016106
-Max: mean: 6.942997, variance: 3.075796
-Min: mean: 0.013774, variance: 0.000228
-========== AKS vs C11n ==========
-Mean: +1.171577 % (AKS is faster)
-P99: +5.185495 % (AKS is faster)
-Max: +4.205618 % (AKS is faster)
-Min: +17.128781 % (AKS is faster)
-========== GKE vs C11n ==========
-Mean: -0.295851 % (GKE is slower)
-P99: -4.331603 % (GKE is slower)
-Max: -3.195248 % (GKE is slower)
-Min: +25.710886 % (GKE is faster)
-```
-
-**Interpretation**: Latencies are all within ~5% of each other.
-AKS performs slightly better than GKE and Constellation (C11n) in all cases except minimum latency.
-Minimum latency is the lowest for GKE.
-Compared to GKE, Constellation had slightly lower peak latencies (99th percentile and maximum), indicating that Constellation could have handled slightly more concurrent accesses than GKE.
-Overall, performance is at comparable levels across all three distributions.
-Based on these numbers, you can use a similarly sized Constellation cluster to run your existing Vault deployment.
-
-### Visualization
-
-The following plots visualize the data presented above as [box plots](https://en.wikipedia.org/wiki/Box_plot).
-The whiskers denote the minimum and maximum.
-The box stretches from the 25th to the 75th percentile, with the dividing bar marking the 50th percentile.
-The circles outside the whiskers denote outliers.
-
-
-Mean Latency - -![Mean Latency](../../_media/benchmark_vault/5replicas/mean_latency.png) - -
- -
-99th Percentile Latency - -![99th Percentile Latency](../../_media/benchmark_vault/5replicas/p99_latency.png) - -
- -
-Maximum Latency - -![Maximum Latency](../../_media/benchmark_vault/5replicas/max_latency.png) - -
- -
-Minimum Latency - -![Minimum Latency](../../_media/benchmark_vault/5replicas/min_latency.png) - -
diff --git a/docs/versioned_docs/version-2.21/overview/performance/compute.md b/docs/versioned_docs/version-2.21/overview/performance/compute.md
deleted file mode 100644
index 88dd4b1b2..000000000
--- a/docs/versioned_docs/version-2.21/overview/performance/compute.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Impact of runtime encryption on compute performance
-
-All nodes in a Constellation cluster are executed inside Confidential VMs (CVMs). Consequently, the performance of Constellation is inherently linked to the performance of these CVMs.
-
-## AMD and Azure benchmarking
-
-AMD and Azure have collectively released a [performance benchmark](https://community.amd.com/t5/business/microsoft-azure-confidential-computing-powered-by-3rd-gen-epyc/ba-p/497796) for CVMs that utilize 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. This benchmark, which included a variety of mostly compute-intensive tests such as SPEC CPU 2017 and CoreMark, demonstrated that CVMs experience only minor performance degradation (ranging from 2% to 8%) when compared to standard VMs. Such results are indicative of the performance that can be expected from compute-intensive workloads running with Constellation on Azure.
-
-## AMD and Google benchmarking
-
-Similarly, AMD and Google have jointly released a [performance benchmark](https://www.amd.com/system/files/documents/3rd-gen-epyc-gcp-c2d-conf-compute-perf-brief.pdf) for CVMs employing 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. With high-performance computing workloads such as WRF, NAMD, Ansys CFS, and Ansys LS_DYNA, they observed analogous findings, with only minor performance degradation (between 2% and 4%) compared to standard VMs. These outcomes are reflective of the performance that can be expected for compute-intensive workloads running with Constellation on GCP.
diff --git a/docs/versioned_docs/version-2.21/overview/performance/io.md b/docs/versioned_docs/version-2.21/overview/performance/io.md
deleted file mode 100644
index 3ae796f8a..000000000
--- a/docs/versioned_docs/version-2.21/overview/performance/io.md
+++ /dev/null
@@ -1,204 +0,0 @@
-# I/O performance benchmarks
-
-To assess the overall performance of Constellation, this benchmark evaluates Constellation v2.6.0 in terms of storage I/O using [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) and network performance using the [Kubernetes Network Benchmark](https://github.com/InfraBuilder/k8s-bench-suite#knb--kubernetes-network-be).
-
-This benchmark tested Constellation on Azure and GCP and compared the results against the managed Kubernetes offerings AKS and GKE.
-
-## Configurations
-
-### Constellation
-
-The benchmark was conducted with Constellation v2.6.0, Kubernetes v1.25.7, and Cilium v1.12.
-It ran on the following infrastructure configurations.
-
-Constellation on Azure:
-
-- Nodes: 3 (1 Control-plane, 2 Worker)
-- Machines: `DC4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory
-- CVM: `true`
-- Region: `West US`
-- Zone: `2`
-
-Constellation on GCP:
-
-- Nodes: 3 (1 Control-plane, 2 Worker)
-- Machines: `n2d-standard-4`: 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory
-- CVM: `true`
-- Zone: `europe-west3-b`
-
-### AKS
-
-On AKS, the benchmark used Kubernetes `v1.24.9` and nodes with version `AKSUbuntu-1804gen2containerd-2023.02.15`.
-AKS ran with the [`kubenet`](https://learn.microsoft.com/en-us/azure/aks/concepts-network#kubenet-basic-networking) CNI and the [default CSI driver](https://learn.microsoft.com/en-us/azure/aks/azure-disk-csi) for Azure Disk.
-
-The following infrastructure configurations was used:
-
-- Nodes: 2 (2 Worker)
-- Machines: `D4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory
-- CVM: `false`
-- Region: `West US`
-- Zone: `2`
-
-### GKE
-
-On GKE, the benchmark used Kubernetes `v1.24.9` and nodes with version `1.24.9-gke.3200`.
-GKE ran with the [`kubenet`](https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview) CNI and the [default CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver) for Compute Engine persistent disk.
-
-The following infrastructure configurations was used:
-
-- Nodes: 2 (2 Worker)
-- Machines: `n2d-standard-4` 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory
-- CVM: `false`
-- Zone: `europe-west3-b`
-
-## Results
-
-### Network
-
-This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth.
-The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/).
-
-GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines).
-AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series).
-The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products).
-Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth.
-
-Constellation on Azure and AKS used an MTU of 1500.
-Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450.
-
-The difference in network bandwidth can largely be attributed to two factors.
-
-- Constellation's [network encryption](../../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit.
-- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O.
-
-#### Pod-to-Pod
-
-In this scenario, the client Pod connects directly to the server pod via its IP address.
-
-```mermaid
-flowchart LR
- subgraph Node A
- Client[Client]
- end
- subgraph Node B
- Server[Server]
- end
- Client ==>|traffic| Server
-```
-
-The results for "Pod-to-Pod" on Azure are as follows:
-
-![Network Pod2Pod Azure benchmark graph](../../_media/benchmark_net_p2p_azure.png)
-
-The results for "Pod-to-Pod" on GCP are as follows:
-
-![Network Pod2Pod GCP benchmark graph](../../_media/benchmark_net_p2p_gcp.png)
-
-#### Pod-to-Service
-
-In this scenario, the client Pod connects to the server Pod via a ClusterIP service. This is more relevant to real-world use cases.
-
-```mermaid
-flowchart LR
- subgraph Node A
- Client[Client] ==>|traffic| Service[Service]
- end
- subgraph Node B
- Server[Server]
- end
- Service ==>|traffic| Server
-```
-
-The results for "Pod-to-Pod" on Azure are as follows:
-
-![Network Pod2SVC Azure benchmark graph](../../_media/benchmark_net_p2svc_azure.png)
-
-The results for "Pod-to-Pod" on GCP are as follows:
-
-![Network Pod2SVC GCP benchmark graph](../../_media/benchmark_net_p2svc_gcp.png)
-
-In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU.
-
-Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth.
-
-### Storage I/O
-
-Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC).
-Upon requesting persistent storage through a PVC, GKE and AKS will provision a PV as defined by a default [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/).
-Constellation provides persistent storage on Azure and GCP [that's encrypted on the CSI layer](../../architecture/encrypted-storage.md).
-Similarly, upon a PVC request, Constellation will provision a PV via a default storage class.
-
-For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size.
-The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance:
-
-- 6400 (20000 burst) IOPS
-- 144 MB/s (600 MB/s burst) throughput
-
-However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes):
-
-- 500 (600 burst) IOPS
-- 60 MB/s (150 MB/s burst) throughput
-
-For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size.
-The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms):
-
-- 3,000 read IOPS
-- 15,000 write IOPS
-- 240 MB/s read throughput
-- 240 MB/s write throughput
-
-However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size:
-
-- 2400 read IOPS
-- 2400 write IOPS
-- 112 MB/s read throughput
-- 112 MB/s write throughput
-
-The [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) benchmark consists of several tests.
-The benchmark used [`Kubestr`](https://github.com/kastenhq/kubestr) to run `fio` in Kubernetes.
-The default test performs randomized access patterns that accurately depict worst-case I/O scenarios for most applications.
-
-The following `fio` settings were used:
-
-- No Cloud caching
-- No OS caching
-- Single CPU
-- 60 seconds runtime
-- 10 seconds ramp-up time
-- 10 GiB file
-- IOPS: 4 KB blocks and 128 iodepth
-- Bandwidth: 1024 KB blocks and 128 iodepth
-
-For more details, see the [`fio` test configuration](https://github.com/edgelesssys/constellation/blob/main/.github/actions/e2e_benchmark/fio.ini).
-
-The results for IOPS on Azure are as follows:
-
-![I/O IOPS Azure benchmark graph](../../_media/benchmark_fio_azure_iops.png)
-
-The results for IOPS on GCP are as follows:
-
-![I/O IOPS GCP benchmark graph](../../_media/benchmark_fio_gcp_iops.png)
-
-The results for bandwidth on Azure are as follows:
-
-![I/O bandwidth Azure benchmark graph](../../_media/benchmark_fio_azure_bw.png)
-
-The results for bandwidth on GCP are as follows:
-
-![I/O bandwidth GCP benchmark graph](../../_media/benchmark_fio_gcp_bw.png)
-
-On GCP, the results exceed the maximum performance guarantees of the chosen disk type. There are two possible explanations for this. The first is that there may be cloud caching in place that isn't configurable. Alternatively, the underlying provisioned disk size may be larger than what was requested, resulting in higher performance boundaries.
-
-When comparing Constellation on GCP with GKE, Constellation has similar bandwidth but about 10% less IOPS performance. On Azure, Constellation has similar IOPS performance compared to AKS, where both likely hit the maximum storage performance. However, Constellation has approximately 15% less read and write bandwidth.
-
-## Conclusion
-
-Despite the added [security benefits](../security-benefits.md) that Constellation provides, it only incurs a slight performance overhead when compared to managed Kubernetes offerings such as AKS and GKE. In most compute benchmarks, Constellation is on par with it's alternatives.
-While it may be slightly slower in certain I/O scenarios due to network and storage encryption, there is ongoing work to reduce this overhead to single digits.
-
-For instance, storage encryption only adds between 10% to 15% overhead in terms of bandwidth and IOPS.
-Meanwhile, the biggest performance impact that Constellation currently faces is network encryption, which can incur up to 58% overhead on a 10 Gbps network.
-However, the Cilium team has conducted [benchmarks with Cilium using WireGuard encryption](https://docs.cilium.io/en/latest/operations/performance/benchmark/#encryption-wireguard-ipsec) on a 100 Gbps network that yielded over 15 Gbps.
-We're confident that Constellation will provide a similar level of performance with an upcoming release.
-
-Overall, Constellation strikes a great balance between security and performance, and we're continuously working to improve its performance capabilities while maintaining its high level of security.
diff --git a/docs/versioned_docs/version-2.21/overview/performance/performance.md b/docs/versioned_docs/version-2.21/overview/performance/performance.md
deleted file mode 100644
index 59bf86602..000000000
--- a/docs/versioned_docs/version-2.21/overview/performance/performance.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Performance analysis of Constellation
-
-This section provides a comprehensive examination of the performance characteristics of Constellation.
-
-## Runtime encryption
-
-Runtime encryption affects compute performance. [Benchmarks by Azure and Google](compute.md) show that the performance degradation of Confidential VMs (CVMs) is small, ranging from 2% to 8% for compute-intensive workloads.
-
-## I/O performance benchmarks
-
-We evaluated the [I/O performance](io.md) of Constellation, utilizing a collection of synthetic benchmarks targeting networking and storage.
-We further compared this performance to native managed Kubernetes offerings from various cloud providers, to better understand how Constellation stands in relation to standard practices.
-
-## Application benchmarking
-
-To gauge Constellation's applicability to well-known applications, we performed a [benchmark of HashiCorp Vault](application.md) running on Constellation.
-The results were then compared to deployments on the managed Kubernetes offerings from different cloud providers, providing a tangible perspective on Constellation's performance in actual deployment scenarios.
diff --git a/docs/versioned_docs/version-2.21/overview/product.md b/docs/versioned_docs/version-2.21/overview/product.md
deleted file mode 100644
index 4b5d90706..000000000
--- a/docs/versioned_docs/version-2.21/overview/product.md
+++ /dev/null
@@ -1,12 +0,0 @@
-# Product features
-
-Constellation is a Kubernetes engine that aims to provide the best possible data security in combination with enterprise-grade scalability and reliability features---and a smooth user experience.
-
-From a security perspective, Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and corresponding security features, which shield your entire cluster from the underlying infrastructure.
-
-From an operational perspective, Constellation provides the following key features:
-
-* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
-* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
-* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
-* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
diff --git a/docs/versioned_docs/version-2.21/overview/security-benefits.md b/docs/versioned_docs/version-2.21/overview/security-benefits.md
deleted file mode 100644
index 51a8b64f5..000000000
--- a/docs/versioned_docs/version-2.21/overview/security-benefits.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Security benefits and threat model
-
-Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and shields entire Kubernetes deployments from the infrastructure. More concretely, Constellation decreases the size of the trusted computing base (TCB) of a Kubernetes deployment. The TCB is the totality of elements in a computing environment that must be trusted not to be compromised. A smaller TCB results in a smaller attack surface. The following diagram shows how Constellation removes the *cloud & datacenter infrastructure* and the *physical hosts*, including the hypervisor, the host OS, and other components, from the TCB (red). Inside the confidential context (green), Kubernetes remains part of the TCB, but its integrity is attested and can be [verified](../workflows/verify-cluster.md).
-
-![TCB comparison](../_media/tcb.svg)
-
-Given this background, the following describes the concrete threat classes that Constellation addresses.
-
-## Insider access
-
-Employees and third-party contractors of cloud service providers (CSPs) have access to different layers of the cloud infrastructure.
-This opens up a large attack surface where workloads and data can be read, copied, or manipulated. With Constellation, Kubernetes deployments are shielded from the infrastructure and thus such accesses are prevented.
-
-## Infrastructure-based attacks
-
-Malicious cloud users ("hackers") may break out of their tenancy and access other tenants' data. Advanced attackers may even be able to establish a permanent foothold within the infrastructure and access data over a longer period. Analogously to the *insider access* scenario, Constellation also prevents access to a deployment's data in this scenario.
-
-## Supply chain attacks
-
-Supply chain security is receiving lots of attention recently due to an [increasing number of recorded attacks](https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks). For instance, a malicious actor could attempt to tamper Constellation node images (including Kubernetes and other software) before they're loaded in the confidential VMs of a cluster. Constellation uses [remote attestation](../architecture/attestation.md) in conjunction with public [transparency logs](../workflows/verify-cli.md) to prevent this.
-
-In the future, Constellation will extend this feature to customer workloads. This will enable cluster owners to create auditable policies that precisely define which containers can run in a given deployment.
diff --git a/docs/versioned_docs/version-2.21/reference/cli.md b/docs/versioned_docs/version-2.21/reference/cli.md
deleted file mode 100644
index 7bb4d5b40..000000000
--- a/docs/versioned_docs/version-2.21/reference/cli.md
+++ /dev/null
@@ -1,873 +0,0 @@ -# CLI reference - - - -Use the Constellation CLI to create and manage your clusters. - -Usage: - -``` -constellation [command] -``` -Commands: - -* [config](#constellation-config): Work with the Constellation configuration file - * [generate](#constellation-config-generate): Generate a default configuration and state file - * [fetch-measurements](#constellation-config-fetch-measurements): Fetch measurements for configured cloud provider and image - * [instance-types](#constellation-config-instance-types): Print the supported instance types for all cloud providers - * [kubernetes-versions](#constellation-config-kubernetes-versions): Print the Kubernetes versions supported by this CLI - * [migrate](#constellation-config-migrate): Migrate a configuration file to a new version -* [create](#constellation-create): Create instances on a cloud platform for your Constellation cluster -* [apply](#constellation-apply): Apply a configuration to a Constellation cluster -* [mini](#constellation-mini): Manage MiniConstellation clusters - * [up](#constellation-mini-up): Create and initialize a new MiniConstellation cluster - * [down](#constellation-mini-down): Destroy a MiniConstellation cluster -* [status](#constellation-status): Show status of a Constellation cluster -* [verify](#constellation-verify): Verify the confidential properties of a Constellation cluster -* [upgrade](#constellation-upgrade): Find and apply upgrades to your Constellation cluster - * [check](#constellation-upgrade-check): Check for possible upgrades - * [apply](#constellation-upgrade-apply): Apply an upgrade to a Constellation cluster -* [recover](#constellation-recover): Recover a completely stopped Constellation cluster -* [terminate](#constellation-terminate): Terminate a Constellation cluster -* [iam](#constellation-iam): Work with the IAM configuration on your cloud provider - * [create](#constellation-iam-create): Create IAM configuration on a cloud platform for your Constellation 
cluster - * [aws](#constellation-iam-create-aws): Create IAM configuration on AWS for your Constellation cluster - * [azure](#constellation-iam-create-azure): Create IAM configuration on Microsoft Azure for your Constellation cluster - * [gcp](#constellation-iam-create-gcp): Create IAM configuration on GCP for your Constellation cluster - * [destroy](#constellation-iam-destroy): Destroy an IAM configuration and delete local Terraform files - * [upgrade](#constellation-iam-upgrade): Find and apply upgrades to your IAM profile - * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile -* [version](#constellation-version): Display version of this CLI -* [init](#constellation-init): Initialize the Constellation cluster -* [ssh](#constellation-ssh): Prepare your cluster for emergency ssh access - -## constellation config - -Work with the Constellation configuration file - -### Synopsis - -Work with the Constellation configuration file. - -### Options - -``` - -h, --help help for config -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config generate - -Generate a default configuration and state file - -### Synopsis - -Generate a default configuration and state file for your selected cloud provider. - -``` -constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags] -``` - -### Options - -``` - -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. 
If not specified, the default for the cloud provider is used - -h, --help help for generate - -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.30") - -t, --tags strings additional tags for created resources given a list of key=value -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config fetch-measurements - -Fetch measurements for configured cloud provider and image - -### Synopsis - -Fetch measurements for configured cloud provider and image. - -A config needs to be generated first. - -``` -constellation config fetch-measurements [flags] -``` - -### Options - -``` - -h, --help help for fetch-measurements - -s, --signature-url string alternative URL to fetch measurements' signature from - -u, --url string alternative URL to fetch measurements from -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config instance-types - -Print the supported instance types for all cloud providers - -### Synopsis - -Print the supported instance types for all cloud providers. 
- -``` -constellation config instance-types [flags] -``` - -### Options - -``` - -h, --help help for instance-types -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config kubernetes-versions - -Print the Kubernetes versions supported by this CLI - -### Synopsis - -Print the Kubernetes versions supported by this CLI. - -``` -constellation config kubernetes-versions [flags] -``` - -### Options - -``` - -h, --help help for kubernetes-versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config migrate - -Migrate a configuration file to a new version - -### Synopsis - -Migrate a configuration file to a new version. - -``` -constellation config migrate [flags] -``` - -### Options - -``` - -h, --help help for migrate -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation create - -Create instances on a cloud platform for your Constellation cluster - -### Synopsis - -Create instances on a cloud platform for your Constellation cluster. 
- -``` -constellation create [flags] -``` - -### Options - -``` - -h, --help help for create - -y, --yes create the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation apply - -Apply a configuration to a Constellation cluster - -### Synopsis - -Apply a configuration to a Constellation cluster to initialize or upgrade the cluster. - -``` -constellation apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | init | attestationconfig | certsans | helm | image | k8s } - -y, --yes run command without further confirmation - WARNING: the command might delete or update existing resources without additional checks. Please read the docs. - -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini - -Manage MiniConstellation clusters - -### Synopsis - -Manage MiniConstellation clusters. 
- -### Options - -``` - -h, --help help for mini -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini up - -Create and initialize a new MiniConstellation cluster - -### Synopsis - -Create and initialize a new MiniConstellation cluster. - -A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM. - -``` -constellation mini up [flags] -``` - -### Options - -``` - -h, --help help for up - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true) -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini down - -Destroy a MiniConstellation cluster - -### Synopsis - -Destroy a MiniConstellation cluster. - -``` -constellation mini down [flags] -``` - -### Options - -``` - -h, --help help for down - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation status - -Show status of a Constellation cluster - -### Synopsis - -Show the status of a constellation cluster. - -Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades. 
- -``` -constellation status [flags] -``` - -### Options - -``` - -h, --help help for status -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation verify - -Verify the confidential properties of a Constellation cluster - -### Synopsis - -Verify the confidential properties of a Constellation cluster. -If arguments aren't specified, values are read from `constellation-state.yaml`. - -``` -constellation verify [flags] -``` - -### Options - -``` - --cluster-id string expected cluster identifier - -h, --help help for verify - -e, --node-endpoint string endpoint of the node to verify, passed as HOST[:PORT] - -o, --output string print the attestation document in the output format {json|raw} -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade - -Find and apply upgrades to your Constellation cluster - -### Synopsis - -Find and apply upgrades to your Constellation cluster. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade check - -Check for possible upgrades - -### Synopsis - -Check which upgrades can be applied to your Constellation Cluster. 
- -``` -constellation upgrade check [flags] -``` - -### Options - -``` - -h, --help help for check - --ref string the reference to use for querying new versions (default "-") - --stream string the stream to use for querying new versions (default "stable") - -u, --update-config update the specified config file with the suggested versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade apply - -Apply an upgrade to a Constellation cluster - -### Synopsis - -Apply an upgrade to a Constellation cluster by applying the chosen configuration. - -``` -constellation upgrade apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | helm | image | k8s } - -y, --yes run upgrades without further confirmation - WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs. - WARNING: might unintentionally overwrite measurements in the running cluster. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation recover - -Recover a completely stopped Constellation cluster - -### Synopsis - -Recover a Constellation cluster by sending a recovery key to an instance in the boot stage. 
- -This is only required if instances restart without other instances available for bootstrapping. - -``` -constellation recover [flags] -``` - -### Options - -``` - -e, --endpoint string endpoint of the instance, passed as HOST[:PORT] - -h, --help help for recover -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation terminate - -Terminate a Constellation cluster - -### Synopsis - -Terminate a Constellation cluster. - -The cluster can't be started again, and all persistent storage will be lost. - -``` -constellation terminate [flags] -``` - -### Options - -``` - -h, --help help for terminate - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam - -Work with the IAM configuration on your cloud provider - -### Synopsis - -Work with the IAM configuration on your cloud provider. - -### Options - -``` - -h, --help help for iam -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create - -Create IAM configuration on a cloud platform for your Constellation cluster - -### Synopsis - -Create IAM configuration on a cloud platform for your Constellation cluster. 
- -### Options - -``` - -h, --help help for create - --update-config update the config file with the specific IAM information - -y, --yes create the IAM configuration without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create aws - -Create IAM configuration on AWS for your Constellation cluster - -### Synopsis - -Create IAM configuration on AWS for your Constellation cluster. - -``` -constellation iam create aws [flags] -``` - -### Options - -``` - -h, --help help for aws - --prefix string name prefix for all resources (required) - --zone string AWS availability zone the resources will be created in, e.g., us-east-2a (required) - See the Constellation docs for a list of currently supported regions. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create azure - -Create IAM configuration on Microsoft Azure for your Constellation cluster - -### Synopsis - -Create IAM configuration on Microsoft Azure for your Constellation cluster. 
- -``` -constellation iam create azure [flags] -``` - -### Options - -``` - -h, --help help for azure - --region string region the resources will be created in, e.g., westus (required) - --resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required) - --servicePrincipal string name of the service principal that will be created (required) - --subscriptionID string subscription ID of the Azure account. Required if the 'ARM_SUBSCRIPTION_ID' environment variable is not set -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create gcp - -Create IAM configuration on GCP for your Constellation cluster - -### Synopsis - -Create IAM configuration on GCP for your Constellation cluster. - -``` -constellation iam create gcp [flags] -``` - -### Options - -``` - -h, --help help for gcp - --projectID string ID of the GCP project the configuration will be created in (required) - Find it on the welcome screen of your project: https://console.cloud.google.com/welcome - --serviceAccountID string ID for the service account that will be created (required) - Must be 6 to 30 lowercase letters, digits, or hyphens. 
- --zone string GCP zone the cluster will be deployed in (required) - Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam destroy - -Destroy an IAM configuration and delete local Terraform files - -### Synopsis - -Destroy an IAM configuration and delete local Terraform files. - -``` -constellation iam destroy [flags] -``` - -### Options - -``` - -h, --help help for destroy - -y, --yes destroy the IAM configuration without asking for confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade - -Find and apply upgrades to your IAM profile - -### Synopsis - -Find and apply upgrades to your IAM profile. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade apply - -Apply an upgrade to an IAM profile - -### Synopsis - -Apply an upgrade to an IAM profile. 
- -``` -constellation iam upgrade apply [flags] -``` - -### Options - -``` - -h, --help help for apply - -y, --yes run upgrades without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation version - -Display version of this CLI - -### Synopsis - -Display version of this CLI. - -``` -constellation version [flags] -``` - -### Options - -``` - -h, --help help for version -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation init - -Initialize the Constellation cluster - -### Synopsis - -Initialize the Constellation cluster. - -Start your confidential Kubernetes. - -``` -constellation init [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for init - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation ssh - -Prepare your cluster for emergency ssh access - -### Synopsis - -Prepare your cluster for emergency ssh access and sign a given key pair for authorization. 
- -``` -constellation ssh [flags] -``` - -### Options - -``` - -h, --help help for ssh - --key string the path to an existing ssh public key -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - diff --git a/docs/versioned_docs/version-2.21/reference/migration.md b/docs/versioned_docs/version-2.21/reference/migration.md deleted file mode 100644 index 0252c409f..000000000 --- a/docs/versioned_docs/version-2.21/reference/migration.md +++ /dev/null 
@@ -1,128 +0,0 @@ -# Migrations - -This document describes breaking changes and migrations between Constellation releases. -Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format. - -## Migrations to v2.19.1 - -### Azure - -* During the upgrade, security rules are migrated and the old ones need to be cleaned up manually by the user. The below script shows how to delete them through the Azure CLI: - -```bash -#!/usr/bin/env bash -name="" # the name provided in the config -uid="" # the cluster id can be retrieved via `yq '.infrastructure.uid' constellation-state.yaml` -resource_group="" # the RG can be retrieved via `yq '.provider.azure.resourceGroup' constellation-conf.yaml` - -rules=( - "kubernetes" - "bootstrapper" - "verify" - "recovery" - "join" - "debugd" - "konnectivity" -) - -for rule in "${rules[@]}"; do - echo "Deleting rule: ${rule}" - az network nsg rule delete \ - --resource-group "${resource_group}" \ - --nsg-name "${name}-${uid}" \ - --name "${rule}" -done - -echo "All specified rules have been deleted." -``` - -## Migrations to v2.19.0 - -### Azure - -* To allow seamless upgrades on Azure when Kubernetes services of type `LoadBalancer` are deployed, the target - load balancer in which the `cloud-controller-manager` creates load balancing rules was changed. Instead of using the load balancer - created and maintained by the CLI's Terraform code, the `cloud-controller-manager` now creates its own load balancer in Azure. - If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them - afterward. - -## Migrating from Azure's service principal authentication to managed identity authentication (during the upgrade to Constellation v2.8.0) - -* The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed. 
-* To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`. -* Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-an-iam-configuration) and use the created UAMI. -* To migrate the authentication for an existing cluster on Azure to an UAMI with the necessary permissions: - 1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret. - 2. Set `useManagedIdentityExtension` to `true` and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`. - 3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods. - -## Migrating from CLI versions before 2.10 - -* AWS cluster upgrades require additional IAM permissions for the newly introduced `aws-load-balancer-controller`. Please upgrade your IAM roles using `iam upgrade apply`. This will show necessary changes and apply them, if desired. -* The global `nodeGroups` field was added. -* The fields `instanceType`, `stateDiskSizeGB`, and `stateDiskType` for each cloud provider are now part of the configuration of individual node groups. -* The `constellation create` command no longer uses the flags `--control-plane-count` and `--worker-count`. Instead, the initial node count is configured per node group in the `nodeGroups` field. - -## Migrating from CLI versions before 2.9 - -* The `provider.azure.appClientID` and `provider.azure.clientSecretValue` fields were removed to enforce migration to managed identity authentication - -## Migrating from CLI versions before 2.8 - -* The `measurements` field for each cloud service provider was replaced with a global `attestation` field. -* The `confidentialVM`, `idKeyDigest`, and `enforceIdKeyDigest` fields for the Azure cloud service provider were removed in favor of using the global `attestation` field. 
-* The optional global field `attestationVariant` was replaced by the now required `attestation` field. - -## Migrating from CLI versions before 2.3 - -* The `sshUsers` field was deprecated in v2.2 and has been removed from the configuration in v2.3. - As an alternative for SSH, check the workflow section [Connect to nodes](../workflows/troubleshooting.md#node-shell-access). -* The `image` field for each cloud service provider has been replaced with a global `image` field. Use the following mapping to migrate your configuration: -
- Show all - - | CSP | old image | new image | - | ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | - | AWS | `ami-06b8cbf4837a0a57c` | `v2.2.2` | - | AWS | `ami-02e96dc04a9e438cd` | `v2.2.2` | - | AWS | `ami-028ead928a9034b2f` | `v2.2.2` | - | AWS | `ami-032ac10dd8d8266e3` | `v2.2.1` | - | AWS | `ami-032e0d57cc4395088` | `v2.2.1` | - | AWS | `ami-053c3e49e19b96bdd` | `v2.2.1` | - | AWS | `ami-0e27ebcefc38f648b` | `v2.2.0` | - | AWS | `ami-098cd37f66523b7c3` | `v2.2.0` | - | AWS | `ami-04a87d302e2509aad` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | 
`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.0.0` | `v2.0.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.0.0` | `v2.0.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-2` | `v2.2.2` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-1` | `v2.2.1` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-0` | `v2.2.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-1-0` | `v2.1.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-0-0` | `v2.0.0` | - -
-* The `enforcedMeasurements` field has been removed and merged with the `measurements` field. - * To migrate your config containing a new image (`v2.3` or greater), remove the old `measurements` and `enforcedMeasurements` entries from your config and run `constellation fetch-measurements` - * To migrate your config containing an image older than `v2.3`, remove the `enforcedMeasurements` entry and replace the entries in `measurements` as shown in the example below: - - ```diff - measurements: - - 0: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + 0: - + expected: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + warnOnly: true - - 8: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + 8: - + expected: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + warnOnly: false - -enforcedMeasurements: - - - 8 - ``` diff --git a/docs/versioned_docs/version-2.21/reference/slsa.md b/docs/versioned_docs/version-2.21/reference/slsa.md deleted file mode 100644 index 21f4e713c..000000000 --- a/docs/versioned_docs/version-2.21/reference/slsa.md +++ /dev/null 
@@ -1,73 +0,0 @@
-# Supply chain levels for software artifacts (SLSA) adoption
-
-[Supply chain Levels for Software Artifacts, or SLSA (salsa)](https://slsa.dev/) is a framework for improving and grading a project's build system and engineering processes. SLSA focuses on security improvements for source code storage as well as build system definition, execution, and observation. SLSA is structured in [four levels](https://slsa.dev/spec/v0.1/levels). This page describes the adoption of SLSA for Constellation.
-
-:::info
-SLSA is still in alpha status. The presented levels and their requirements might change in the future. We will adopt any changes into our engineering processes, as they get defined.
-:::
-
-## Level 1 - Adopted
-
-**[Build - Scripted](https://slsa.dev/spec/v0.1/requirements#scripted-build)**
-
-All build steps are automated via [Bazel](https://github.com/edgelesssys/constellation/tree/main/bazel/ci) and [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github).
-
-**[Provenance - Available](https://slsa.dev/spec/v0.1/requirements#available)**
-
-Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator).
-
-## Level 2 - Adopted
-
-**[Source - Version Controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled)**
-
-Constellation is hosted on GitHub using git.
-
-**[Build - Build Service](https://slsa.dev/spec/v0.1/requirements#build-service)**
-
-All builds are carried out by [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github).
-
-**[Provenance - Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated)**
-
-Provenance for the CLI is signed using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). Learn [how to verify the CLI](../workflows/verify-cli.md) using the signed provenance, before using it for the first time.
-
-**[Provenance - Service Generated](https://slsa.dev/spec/v0.1/requirements#service-generated)**
-
-Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) in GitHub Actions.
-
-## Level 3 - Adopted
-
-**[Source - Verified History](https://slsa.dev/spec/v0.1/requirements#verified-history)**
-
-The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization [requires two-factor authentication](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) for all members.
-
-**[Source - Retained Indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely)**
-
-Since we use GitHub to host the repository, an external person can't modify or delete the history. Before a pull request can be merged, an explicit approval from an [Edgeless Systems](https://github.com/edgelesssys) team member is required.
-
-The same holds true for changes proposed by team members. Each change to `main` needs to be proposed via a pull request and requires at least one approval.
-
-The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization admins control these settings and are able to make changes to the repository's history should legal requirements necessitate it. These changes require two-party approval following the obliterate policy.
-
-**[Build - Build as Code](https://slsa.dev/spec/v0.1/requirements#build-as-code)**
-
-All build files for Constellation are stored in [the same repository](https://github.com/edgelesssys/constellation/tree/main/.github).
-
-**[Build - Ephemeral Environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment)**
-
-All GitHub Action workflows are executed on [GitHub-hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners). These runners are only available during workflow.
-
-We currently don't use [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners).
-
-**[Build - Isolated](https://slsa.dev/spec/v0.1/requirements#isolated)**
-
-As outlined in the previous section, we use GitHub-hosted runners, which provide a new, isolated and ephemeral environment for each build.
-
-Additionally, the [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator#generation-of-provenance) itself is run in an isolated workflow with the artifact hash as defined inputs.
-
-**[Provenance - Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable)**
-
-As outlined by [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator) it already fulfills the non-falsifiable requirements for SLSA Level 3. The generated provenance is signed using [sigstore](https://sigstore.dev/) with an OIDC based proof of identity.
-
-## Level 4 - In Progress
-
-We strive to adopt certain aspect of SLSA Level 4 that support our engineering process. At the same time, SLSA is still in alpha status and the biggest changes to SLSA are expected to be around Level 4.
diff --git a/docs/versioned_docs/version-2.21/reference/terraform.md b/docs/versioned_docs/version-2.21/reference/terraform.md
deleted file mode 100644
index 9825a8bb8..000000000
--- a/docs/versioned_docs/version-2.21/reference/terraform.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# Terraform usage
-
-[Terraform](https://www.terraform.io/) is an Infrastructure as Code (IaC) framework to manage cloud resources. This page explains how Constellation uses it internally and how advanced users may manually use it to have more control over the resource creation.
-
-:::info
-Information on this page is intended for users who are familiar with Terraform.
-It's not required for common usage of Constellation.
-See the [Terraform documentation](https://developer.hashicorp.com/terraform/docs) if you want to learn more about it.
-:::
-
-## Terraform state files
-
-Constellation keeps Terraform state files in subdirectories of the workspace together with the corresponding Terraform configuration files and metadata.
-The subdirectories are created on the first Constellation CLI action that uses Terraform internally.
-
-Currently, these subdirectories are:
-
-* `constellation-terraform` - Terraform state files for the resources of the Constellation cluster
-* `constellation-iam-terraform` - Terraform state files for IAM configuration
-
-As with all commands, commands that work with these files (e.g., `apply`, `terminate`, `iam`) have to be executed from the root of the cluster's [workspace directory](../architecture/orchestration.md#workspaces). You usually don't need and shouldn't manipulate or delete the subdirectories manually.
-
-## Interacting with Terraform manually
-
-Manual interaction with Terraform state created by Constellation (i.e., via the Terraform CLI) should only be performed by experienced users. It may lead to unrecoverable loss of cloud resources. For the majority of users and use cases, the interaction done by the [Constellation CLI](cli.md) is sufficient.
-
-## Terraform debugging
-
-To debug Terraform issues, the Constellation CLI offers the `tf-log` flag. You can set it to any of [Terraform's log levels](https://developer.hashicorp.com/terraform/internals/debugging):
-* `JSON` (JSON-formatted logs at `TRACE` level)
-* `TRACE`
-* `DEBUG`
-* `INFO`
-* `WARN`
-* `ERROR`
-
-The log output is written to the `terraform.log` file in the workspace directory. The output is appended to the file on each run.
diff --git a/docs/versioned_docs/version-2.21/workflows/cert-manager.md b/docs/versioned_docs/version-2.21/workflows/cert-manager.md
deleted file mode 100644
index 1d847e8bf..000000000
--- a/docs/versioned_docs/version-2.21/workflows/cert-manager.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Install cert-manager
-
-:::caution
-If you want to use cert-manager with Constellation, pay attention to the following to avoid potential pitfalls.
-:::
-
-Constellation ships with cert-manager preinstalled.
-The default installation is part of the `kube-system` namespace, as all other Constellation-managed microservices.
-You are free to install more instances of cert-manager into other namespaces.
-However, be aware that any new installation needs to use the same version as the one installed with Constellation or rely on the same CRD versions.
-Also remember to set the `installCRDs` value to `false` when installing new cert-manager instances.
-It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs.
-CRDs are cluster-wide resources and cert-manager depends on specific versions of those CRDs for each release.
diff --git a/docs/versioned_docs/version-2.21/workflows/config.md b/docs/versioned_docs/version-2.21/workflows/config.md
deleted file mode 100644
index a8a52980e..000000000
--- a/docs/versioned_docs/version-2.21/workflows/config.md
+++ /dev/null
@@ -1,353 +0,0 @@ -# Configure your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Before you can create your cluster, you need to configure the identity and access management (IAM) for your cloud service provider (CSP) and choose machine types for the nodes. - -## Creating the configuration file - -You can generate a configuration file for your CSP by using the following CLI command: - - - - -```bash -constellation config generate aws -``` - - - - -```bash -constellation config generate azure -``` - - - - -```bash -constellation config generate gcp -``` - - - - -```bash -constellation config generate stackit -``` - - - - -This creates the file `constellation-conf.yaml` in the current directory. - -## Choosing a VM type - -Constellation supports the following VM types: - - - -By default, Constellation uses `m6a.xlarge` VMs (4 vCPUs, 16 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. -If you are using the default attestation variant `awsSEVSNP`, you can use the instance types described in [AWS's AMD SEV-SNP docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). -Please mind the region restrictions mentioned in the [Getting started](../getting-started/first-steps.md#create-a-cluster) section. - -If you are using the attestation variant `awsNitroTPM`, you can choose any of the [nitroTPM-enabled instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -By default, Constellation uses `Standard_DC4as_v5` CVMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. 
For CVMs, any VM type with a minimum of 4 vCPUs from the [DCasv5 & DCadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series) or [ECasv5 & ECadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/ecasv5-ecadsv5-series) families is supported. - -You can also run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `n2d-standard-4` VMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. Supported are all machines with a minimum of 4 vCPUs from the [C2D](https://cloud.google.com/compute/docs/compute-optimized-machines#c2d_machine_types) or [N2D](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) family. You can run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `m1a.4cd` VMs (4 vCPUs, 30 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. - -The following instance types are known to be supported: - -| name | vCPUs | GB RAM | -|----------|-------|--------| -| m1a.4cd | 4 | 30 | -| m1a.8cd | 8 | 60 | -| m1a.16cd | 16 | 120 | -| m1a.30cd | 30 | 230 | - -You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -Fill the desired VM type into the `instanceType` fields in the `constellation-conf.yml` file. - -## Creating additional node groups - -By default, Constellation creates the node groups `control_plane_default` and `worker_default` for control-plane nodes and workers, respectively. 
-If you require additional control-plane or worker groups with different instance types, zone placements, or disk sizes, you can add additional node groups to the `constellation-conf.yml` file. -Each node group can be scaled individually. - -Consider the following example for AWS: - -```yaml -nodeGroups: - control_plane_default: - role: control-plane - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 3 - worker_default: - role: worker - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 2 - high_cpu: - role: worker - instanceType: c6a.24xlarge - stateDiskSizeGB: 128 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 1 -``` - -This configuration creates an additional node group `high_cpu` with a larger instance type and disk. - -You can use the field `zone` to specify what availability zone nodes of the group are placed in. -On Azure, this field is empty by default and nodes are automatically spread across availability zones. -STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones. -Consult the documentation of your cloud provider for more information: - -* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) -* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones) -* [GCP](https://cloud.google.com/compute/docs/regions-zones) -* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html) - -## Choosing a Kubernetes version - -To learn which Kubernetes versions can be installed with your current CLI, you can run `constellation config kubernetes-versions`. -See also Constellation's [Kubernetes support policy](../architecture/versions.md#kubernetes-support-policy). - -## Creating an IAM configuration - -You can create an IAM configuration for your cluster automatically using the `constellation iam create` command. 
-If you already have a Constellation configuration file, you can add the `--update-config` flag to the command. This writes the needed IAM fields into your configuration. Furthermore, the flag updates the zone/region of the configuration if it hasn't been set yet. - - - - -You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create aws --zone=us-east-2a --prefix=constellTest -``` - -This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. - -Constellation OS images are currently replicated to the following regions: - -* `eu-central-1` -* `eu-west-1` -* `eu-west-3` -* `us-east-2` -* `ap-south-1` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - -You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest -``` - -This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. 
- -CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - -* `germanywestcentral` -* `westus` -* `eastus` -* `northeurope` -* `westeurope` -* `southeastasia` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). - -You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test -``` - -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. - -Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - - -
-Alternatively, you can manually create the IAM configuration on your CSP. - -The following describes the configuration fields and how you obtain the required information or create the required resources. - - - - -* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`. - - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -* **zone**: The name of your chosen AWS data center availability zone, e.g., `us-east-2a`. - - Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones). - -* **iamProfileControlPlane**: The name of an IAM instance profile attached to all control-plane nodes. - - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`. - -* **iamProfileWorkerNodes**: The name of an IAM instance profile attached to all worker nodes. 
- - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`. - - - - -* **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`. - - You can view your subscription UUID via `az account show` and read the `id` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription). - -* **tenant**: The UUID of your Azure tenant, e.g., `3400e5a2-8fe2-492a-886c-38cb66170f25`. - - You can view your tenant UUID via `az account show` and read the `tenant` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant). - -* **location**: The Azure datacenter location you want to deploy your cluster in, e.g., `westus`. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -* **resourceGroup**: [Create a new resource group in Azure](https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal) for your Constellation cluster. Set this configuration field to the name of the created resource group. - -* **userAssignedIdentity**: [Create a new managed identity in Azure](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination. - - Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor`, and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group. - - Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity. - - The user-assigned identity is used by instances of the cluster to access other cloud resources. - For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). - - - - -* **project**: The ID of your GCP project, e.g., `constellation-129857`. - - You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). 
- -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. - - You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. - - You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **serviceAccountKeyPath**: To configure this, you need to create a GCP [service account](https://cloud.google.com/iam/docs/service-accounts) with the following permissions: - - * `Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)` - * `Compute Network Admin (roles/compute.networkAdmin)` - * `Compute Security Admin (roles/compute.securityAdmin)` - * `Compute Storage Admin (roles/compute.storageAdmin)` - * `Service Account User (roles/iam.serviceAccountUser)` - - Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - -
-
-Now that you've configured your CSP, you can [create your cluster](./create.md).
-
-## Deleting an IAM configuration
-
-You can keep a created IAM configuration and reuse it for new clusters. Alternatively, you can also delete it if you don't want to use it anymore.
-
-Delete the IAM configuration by executing the following command in the same directory where you executed `constellation iam create` (the directory that contains [`constellation-iam-terraform`](../reference/terraform.md) as a subdirectory):
-
-```bash
-constellation iam destroy
-```
-
-:::caution
-For Azure, deleting the IAM configuration by executing `constellation iam destroy` will delete the whole resource group created by `constellation iam create`.
-This also includes any additional resources in the resource group that weren't created by Constellation.
-:::
diff --git a/docs/versioned_docs/version-2.21/workflows/create.md b/docs/versioned_docs/version-2.21/workflows/create.md
deleted file mode 100644
index 6074ebb16..000000000
--- a/docs/versioned_docs/version-2.21/workflows/create.md
+++ /dev/null
@@ -1,93 +0,0 @@ -# Create your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Creating your cluster happens through multiple phases. -The most significant ones are: - -1. Creating the necessary resources in your cloud environment -2. Bootstrapping the Constellation cluster and setting up a connection -3. Installing the necessary Kubernetes components - -`constellation apply` handles all this in a single command. -You can use the `--skip-phases` flag to skip specific phases of the process. -For example, if you created the infrastructure manually, you can skip the cloud resource creation phase. - -See the [architecture](../architecture/orchestration.md) section for details on the inner workings of this process. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -Before you create the cluster, make sure to have a [valid configuration file](./config.md). - - - - -```bash -constellation apply -``` - -`apply` stores the state of your cluster's cloud resources in a [`constellation-terraform`](../architecture/orchestration.md#cluster-creation-process) directory in your workspace. - - - - -Self-managed infrastructure allows for more flexibility in the setup, by separating the infrastructure setup from the Constellation cluster management. -This provides flexibility in DevOps and can meet potential regulatory requirements. -It's recommended to use Terraform for infrastructure management, but you can use any tool of your choice. - -:::info - - When using Terraform, you can use the [Constellation Terraform provider](./terraform-provider.md) to manage the entire Constellation cluster lifecycle. 
- -::: - -You can refer to the Terraform files for the selected CSP from the [Constellation GitHub repository](https://github.com/edgelesssys/constellation/tree/main/terraform/infrastructure) for a minimum Constellation cluster configuration. From this base, you can now add, edit, or substitute resources per your own requirements with the infrastructure -management tooling of your choice. You need to keep the essential functionality of the base configuration in order for your cluster to function correctly. - - - -:::info - - On Azure, a manual update to the MAA provider's policy is necessary. - You can apply the update with the following command after creating the infrastructure, with `` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration). - - ```bash - constellation maa-patch - ``` - -::: - - - -Make sure all necessary resources are created, e.g., through checking your CSP's portal and retrieve the necessary values, aligned with the outputs (specified in `outputs.tf`) of the base configuration. - -Fill these outputs into the corresponding fields of the `Infrastructure` block inside the `constellation-state.yaml` file. For example, fill the IP or DNS name your cluster can be reached at into the `.Infrastructure.ClusterEndpoint` field. - -With the required cloud resources set up, continue with initializing your cluster. - -```bash -constellation apply --skip-phases=infrastructure -``` - - - - -Finally, configure `kubectl` for your cluster: - -```bash -export KUBECONFIG="$PWD/constellation-admin.conf" -``` - -🏁 That's it. You've successfully created a Constellation cluster. - -### Troubleshooting - -In case `apply` fails, the CLI collects logs from the bootstrapping instance and stores them inside `constellation-cluster.log`. 
diff --git a/docs/versioned_docs/version-2.21/workflows/lb.md b/docs/versioned_docs/version-2.21/workflows/lb.md
deleted file mode 100644
index 868e61076..000000000
--- a/docs/versioned_docs/version-2.21/workflows/lb.md
+++ /dev/null
@@ -1,28 +0,0 @@ -# Expose a service - -Constellation integrates the native load balancers of each CSP. Therefore, to expose a service simply [create a service of type `LoadBalancer`](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). - -## Internet-facing LB service on AWS - -To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS. - -Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/). - -For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html). - -:::caution -Before terminating the cluster, all LB backed services should be deleted, so that the controller can cleanup the related resources. -::: - -## Ingress on AWS - -The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`. -AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type). -The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation. -If a service can be exposed on a `NodePort`, the target type `instance` can be used. - -See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information. 
- -:::caution -Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they shouldn't be handling sensitive traffic! -:::
diff --git a/docs/versioned_docs/version-2.21/workflows/recovery.md b/docs/versioned_docs/version-2.21/workflows/recovery.md
deleted file mode 100644
index 592ae247b..000000000
--- a/docs/versioned_docs/version-2.21/workflows/recovery.md
+++ /dev/null
@@ -1,179 +0,0 @@ -# Recover your cluster - -Recovery of a Constellation cluster means getting it back into a healthy state after too many concurrent node failures in the control plane. -Reasons for an unhealthy cluster can vary from a power outage, or planned reboot, to migration of nodes and regions. -Recovery events are rare, because Constellation is built for high availability and automatically and securely replaces failed nodes. When a node is replaced, Constellation's control plane first verifies the new node before it sends the node the cryptographic keys required to decrypt its [state disk](../architecture/images.md#state-disk). - -Constellation provides a recovery mechanism for cases where the control plane has failed and is unable to replace nodes. -The `constellation recover` command securely connects to all nodes in need of recovery using [attested TLS](../architecture/attestation.md#attested-tls-atls) and provides them with the keys to decrypt their state disks and continue booting. - -## Identify unhealthy clusters - -The first step to recovery is identifying when a cluster becomes unhealthy. -Usually, this can be first observed when the Kubernetes API server becomes unresponsive. - -You can check the health status of the nodes via the cloud service provider (CSP). -Constellation provides logging information on the boot process and status via serial console output. -In the following, you'll find detailed descriptions for identifying clusters stuck in recovery for each CSP. - - - - -First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `--control-plane` and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -In the Azure portal, find the cluster's resource group. -Inside the resource group, open the control plane *Virtual machine scale set* `constellation-scale-set-controlplanes-`. -On the left, go to **Settings** > **Instances** and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. -In the scale set's *Instances* view, open the details page of the desired instance. -On the left, go to **Support + troubleshooting** > **Serial console**. - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T09:56:41Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"azure"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["10.9.0.5:30090","10.9.0.6:30090"]} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.5:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.5:30090: i/o timeout\"","endpoint":"10.9.0.5:30090"} -{"level":"INFO","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.6:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.6:30090: i/o timeout\"","endpoint":"10.9.0.6:30090"} -{"level":"ERROR","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, check that the control plane *Instance Group* has enough members in a *Ready* state. -In the GCP Console, go to **Instance Groups** and check the group for the cluster's control plane `-control-plane-`. - -Second, check the status of the *VM Instances*. -Go to **VM Instances** and open the details of the desired instance. 
-Check the serial console output of that instance by opening the **Logs** > **Serial port 1 (console)** page: - -![GCP portal serial console link](../_media/recovery-gcp-serial-console-link.png) - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} -{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `--control-plane--` and check that enough members are in a *Running* state. - -Second, check the boot logs of these servers. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -## Recover a cluster - -Recovering a cluster requires the following parameters: - -* The `constellation-state.yaml` file in your working directory or the cluster's endpoint -* The master secret of the cluster - -A cluster can be recovered like this: - -```bash -$ constellation recover -Pushed recovery key. -Pushed recovery key. -Pushed recovery key. -Recovered 3 control-plane nodes. -``` - -In the serial console output of the node you'll see a similar output to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:93","msg":"Received recover call"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:125","msg":"Received state disk key and measurement secret, shutting down server"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer.gRPC","caller":"zap/server_interceptors.go:61","msg":"finished streaming call with code OK","grpc.start_time":"2022-09-08T10:26:59Z","system":"grpc","span.kind":"server","grpc.service":"recoverproto.API","grpc.method":"Recover","peer.address":"192.0.2.3:41752","grpc.code":"OK","grpc.time_ms":15.701} -{"level":"INFO","ts":"2022-09-08T10:27:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:87","msg":"RejoinClient stopped"} -``` 
diff --git a/docs/versioned_docs/version-2.21/workflows/reproducible-builds.md b/docs/versioned_docs/version-2.21/workflows/reproducible-builds.md
deleted file mode 100644
index e3bc46095..000000000
--- a/docs/versioned_docs/version-2.21/workflows/reproducible-builds.md
+++ /dev/null
@@ -1,63 +0,0 @@ -# Reproduce released artifacts - -Constellation has first-class support for [reproducible builds](https://reproducible-builds.org). -Reproducing the released artifacts is an alternative to [signature verification](verify-cli.md) that doesn't require trusting Edgeless Systems' release process. -The following sections describe how to rebuild an artifact and how Constellation ensures that the rebuild reproduces the artifacts bit-by-bit. - -## Build environment prerequisites - -The build systems used by Constellation - [Bazel](https://bazel.build/) and [Nix](https://nixos.org) - are designed for deterministic, reproducible builds. -These two dependencies should be the only prerequisites for a successful build. -However, it can't be ruled out completely that peculiarities of the host affect the build result. -Thus, we recommend the following host setup for best results: - -1. A Linux operating system not older than v5.4. -2. The GNU C library not older than v2.31 (avoid `musl`). -3. GNU `coreutils` not older than v8.30 (avoid `busybox`). -4. An `ext4` filesystem for building. -5. AppArmor turned off. - -This is given, for example, on an Ubuntu 22.04 system, which is also used for reproducibility tests. - -:::note - -To avoid any backwards-compatibility issues, the host software versions should also not be much newer than the Constellation release. - -::: - -## Run the build - -The following instructions outline qualitatively how to reproduce a build. -Constellation implements these instructions in the [Reproducible Builds workflow](https://github.com/edgelesssys/constellation/actions/workflows/reproducible-builds.yml), which continuously tests for reproducibility. -The workflow is a good place to look up specific version numbers and build steps. - -1. Check out the Constellation repository at the tag corresponding to the release. 
- - ```bash - git clone https://github.com/edgelesssys/constellation.git - cd constellation - git checkout v2.20.0 - ``` - -2. [Install the Bazel release](https://bazel.build/install) specified in `.bazelversion`. -3. [Install Nix](https://nixos.org/download/) (any recent version should do). -4. Run the build with `bazel build $target` for one of the following targets of interest: - - ```data - //cli:cli_enterprise_darwin_amd64 - //cli:cli_enterprise_darwin_arm64 - //cli:cli_enterprise_linux_amd64 - //cli:cli_enterprise_linux_arm64 - //cli:cli_enterprise_windows_amd64 - ``` - -5. Compare the build result with the downloaded release artifact. - - - -## Feedback - -Reproduction failures often indicate a bug in the build system or in the build definitions. -Therefore, we're interested in any reproducibility issues you might encounter. -[Start a bug report](https://github.com/edgelesssys/constellation/issues/new/choose) and describe the details of your build environment. -Make sure to include your result binary or a [`diffoscope`](https://diffoscope.org/) report, if possible.
diff --git a/docs/versioned_docs/version-2.21/workflows/s3proxy.md b/docs/versioned_docs/version-2.21/workflows/s3proxy.md
deleted file mode 100644
index 121e8a461..000000000
--- a/docs/versioned_docs/version-2.21/workflows/s3proxy.md
+++ /dev/null
@@ -1,58 +0,0 @@ -# Install s3proxy - -Constellation includes a transparent client-side encryption proxy for [AWS S3](https://aws.amazon.com/de/s3/) and compatible stores. -s3proxy encrypts objects before sending them to S3 and automatically decrypts them on retrieval, without requiring changes to your application. -With s3proxy, you can use S3 for storage in a confidential way without having to trust the storage provider. - -## Limitations - -Currently, s3proxy has the following limitations: -- Only `PutObject` and `GetObject` requests are encrypted/decrypted by s3proxy. -By default, s3proxy will block requests that may expose unencrypted data to S3 (e.g. UploadPart). -The `allow-multipart` flag disables request blocking for evaluation purposes. -- Using the [Range](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html#API_GetObject_RequestSyntax) header on `GetObject` is currently not supported and will result in an error. - -These limitations will be removed with future iterations of s3proxy. -If you want to use s3proxy but these limitations stop you from doing so, consider [opening an issue](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&projects=&template=feature_request.yml). - -## Deployment - -You can add the s3proxy to your Constellation cluster as follows: -1. Add the Edgeless Systems chart repository: - ```bash - helm repo add edgeless https://helm.edgeless.systems/stable - helm repo update - ``` -2. Set ACCESS_KEY and ACCESS_SECRET to valid credentials you want s3proxy to use to interact with S3. -3. Deploy s3proxy: - ```bash - helm install s3proxy edgeless/s3proxy --set awsAccessKeyID="$ACCESS_KEY" --set awsSecretAccessKey="$ACCESS_SECRET" - ``` - -If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example. 
- - -## Technical details - -### Encryption - -s3proxy relies on Google's [Tink Cryptographic Library](https://developers.google.com/tink) to implement cryptographic operations securely. -The used cryptographic primitives are [NIST SP 800 38f](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf) for key wrapping and [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)-[GCM](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Galois/counter_(GCM)) with 256 bit keys for data encryption. - -s3proxy uses [envelope encryption](https://cloud.google.com/kms/docs/envelope-encryption) to encrypt objects. -This means s3proxy uses a key encryption key (KEK) issued by the [KeyService](../architecture/microservices.md#keyservice) to encrypt data encryption keys (DEKs). -Each S3 object is encrypted with its own DEK. -The encrypted DEK is then saved as metadata of the encrypted object. -This enables key rotation of the KEK without re-encrypting the data in S3. -The approach also allows access to objects from different locations, as long as each location has access to the KEK. - -### Traffic interception - -To use s3proxy, you have to redirect your outbound S3 traffic to s3proxy. -This can either be done by modifying your client application or by changing the deployment of your application. - -The necessary deployment modifications are to add DNS redirection and a trusted TLS certificate to the client's trust store. -DNS redirection can be defined for each pod, allowing you to use s3proxy for one application without changing other applications in the same cluster. -Adding a trusted TLS certificate is necessary as clients communicate with s3proxy via HTTPS. -To have your client application trust s3proxy's TLS certificate, the certificate has to be added to the client's certificate trust store. -The [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example shows how to do this. 
diff --git a/docs/versioned_docs/version-2.21/workflows/sbom.md b/docs/versioned_docs/version-2.21/workflows/sbom.md
deleted file mode 100644
index 6c1702dee..000000000
--- a/docs/versioned_docs/version-2.21/workflows/sbom.md
+++ /dev/null
@@ -1,93 +0,0 @@ -# Consume software bill of materials (SBOMs) - - - ---- - -Constellation builds produce a [software bill of materials (SBOM)](https://www.ntia.gov/SBOM) for each generated [artifact](../architecture/microservices.md). -You can use SBOMs to make informed decisions about dependencies and vulnerabilities in a given application. Enterprises rely on SBOMs to maintain an inventory of used applications, which allows them to take data-driven approaches to managing risks related to vulnerabilities. - -SBOMs for Constellation are generated using [Syft](https://github.com/anchore/syft), signed using [Cosign](https://github.com/sigstore/cosign), and stored with the produced artifact. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). - -Make sure the key is available in a file named `cosign.pub` to execute the following examples. -::: - -## Verify and download SBOMs - -The following sections detail how to work with each type of artifact to verify and extract the SBOM. - -### Constellation CLI - -The SBOM for Constellation CLI is made available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). The SBOM (`constellation.spdx.sbom`) and corresponding signature (`constellation.spdx.sbom.sig`) are valid for each Constellation CLI for a given version, regardless of architecture and operating system. 
- -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom.sig -cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig constellation.spdx.sbom -``` - -### Container Images - -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/cosign/signing/other_types/#sboms-software-bill-of-materials) and uploaded to the same registry. - -As a consumer, use cosign to download and verify the SBOM: - -```bash -# Verify and download the attestation statement -cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.att.json -# Extract SBOM from attestation statement -jq -r .payload verification-service.att.json | base64 -d > verification-service.cyclonedx.sbom -``` - -A successful verification should result in similar output: - -```shell-session -$ cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.sbom - -Verification for ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 -- -The following checks were performed on each of these signatures: - - The cosign claims were validated - - The signatures were verified against the specified public key -$ jq -r .payload verification-service.sbom | base64 -d > verification-service.cyclonedx.sbom -``` - -:::note - -This example considers only the `verification-service`. The same approach works for all containers in the [Constellation container registry](https://github.com/orgs/edgelesssys/packages?repo_name=constellation). - -::: - - - -## Vulnerability scanning - -You can use a plethora of tools to consume SBOMs. 
This section provides suggestions for tools that are popular and known to produce reliable results, but any tool that consumes [SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) files should work. - -Syft is able to [convert between the two formats](https://github.com/anchore/syft#format-conversion-experimental) in case you require a specific type. - -### Grype - -[Grype](https://github.com/anchore/grype) is a CLI tool that lends itself well for integration into CI/CD systems or local developer machines. It's also able to consume the signed attestation statement directly and does the verification in one go. - -```bash -grype att:verification-service.sbom --key cosign.pub --add-cpes-if-none -q -``` - -### Dependency Track - -[Dependency Track](https://dependencytrack.org/) is one of the oldest and most mature solutions when it comes to managing software inventory and vulnerabilities. Once imported, it continuously scans SBOMs for new vulnerabilities. It supports the CycloneDX format and provides direct guidance on how to comply with [U.S. Executive Order 14028](https://docs.dependencytrack.org/usage/executive-order-14028/).
diff --git a/docs/versioned_docs/version-2.21/workflows/scale.md b/docs/versioned_docs/version-2.21/workflows/scale.md
deleted file mode 100644
index 28f19e3f1..000000000
--- a/docs/versioned_docs/version-2.21/workflows/scale.md
+++ /dev/null
@@ -1,122 +0,0 @@ -# Scale your cluster - -Constellation provides all features of a Kubernetes cluster including scaling and autoscaling. - -## Worker node scaling - -### Autoscaling - -Constellation comes with autoscaling disabled by default. To enable autoscaling, find the scaling group of -worker nodes: - -```bash -kubectl get scalinggroups -o json | yq '.items | .[] | select(.spec.role == "Worker") | [{"name": .metadata.name, "nodeGoupName": .spec.nodeGroupName}]' -``` - -This will output a list of scaling groups with the corresponding cloud provider name (`name`) and the cloud provider agnostic name of the node group (`nodeGroupName`). - -Then, patch the `autoscaling` field of the scaling group resource with the desired `name` to `true`: - -```bash -# Replace with the name of the scaling group you want to enable autoscaling for -worker_group= -kubectl patch scalinggroups $worker_group --patch '{"spec":{"autoscaling": true}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler now automatically provisions additional worker nodes so that all pods have a place to run. -You can configure the minimum and maximum number of worker nodes in the scaling group by patching the `min` or -`max` fields of the scaling group resource: - -```bash -kubectl patch scalinggroups $worker_group --patch '{"spec":{"max": 5}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler will now never provision more than 5 worker nodes. - -If you want to see the autoscaling in action, try to add a deployment with a lot of replicas, like the -following Nginx deployment. The number of replicas needed to trigger the autoscaling depends on the size of -and count of your worker nodes. 
Wait for the rollout of the deployment to finish and compare the number of -worker nodes before and after the deployment: - -```bash -kubectl create deployment nginx --image=nginx --replicas 150 -kubectl -n kube-system get nodes -kubectl rollout status deployment nginx -kubectl -n kube-system get nodes -``` - -### Manual scaling - -Alternatively, you can manually scale your cluster up or down: - - - - -1. Go to Auto Scaling Groups and select the worker ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-workers`. -3. Go to **settings** and **scaling**. -4. Set the new **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **worker** instance group. -3. Set the new **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. - - - - -## Control-plane node scaling - -Control-plane nodes can **only be scaled manually and only scaled up**! - -To increase the number of control-plane nodes, follow these steps: - - - - -1. Go to Auto Scaling Groups and select the control-plane ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-controlplanes`. -3. Go to **settings** and **scaling**. -4. Set the new (increased) **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **control-plane** instance group. -3. Set the new (increased) **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. 
- - - - -If you scale down the number of control-planes nodes, the removed nodes won't be able to exit the `etcd` cluster correctly. This will endanger the quorum that's required to run a stable Kubernetes control plane.
diff --git a/docs/versioned_docs/version-2.21/workflows/storage.md b/docs/versioned_docs/version-2.21/workflows/storage.md
deleted file mode 100644
index a5c52be90..000000000
--- a/docs/versioned_docs/version-2.21/workflows/storage.md
+++ /dev/null
@@ -1,281 +0,0 @@ -# Use persistent storage - -Persistent storage in Kubernetes requires cloud-specific configuration. -For abstraction of container storage, Kubernetes offers [volumes](https://kubernetes.io/docs/concepts/storage/volumes/), -allowing users to mount storage solutions directly into containers. -The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes. -Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage. - -## Confidential storage - -Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek). -Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT. -However, their encryption takes place in the storage backend and is managed by the CSP. -Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data. - -To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage. - -For more details see [encrypted persistent storage](../architecture/encrypted-storage.md). - -## CSI drivers - -Constellation supports the following drivers, which offer node-level encryption and optional integrity protection. - - - - -**Constellation CSI driver for AWS Elastic Block Store** -Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster. 
-Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information. - - - - -**Constellation CSI driver for Azure Disk**: -Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster. -See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information. -Since Azure Disks are mounted as `ReadWriteOnce`, they're only available to a single pod. - - - - -**Constellation CSI driver for GCP Persistent Disk**: -Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for more information. - - - - -**Constellation CSI driver for STACKIT / OpenStack Cinder** -Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information. - - - - -Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [AWS EFS](https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html), [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction), or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. 
Constellation is just not providing transparent encryption on the node level for these storage types yet. - -## Installation - -The Constellation CLI automatically installs Constellation's CSI driver for the selected CSP in your cluster. -If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file. - - - - -AWS comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -Azure comes with two storage classes by default. 
- -* `encrypted-rwo` - * Uses [Standard SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [Premium SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#premium-ssds) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -GCP comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [standard persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [performance (SSD) persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. 
-If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -STACKIT comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -1. 
Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) - - A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. - It can refer to a storage class. - The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class: - - ```bash - cat < - ---- - -You can terminate your cluster using the CLI. For this, you need the Terraform state directory named [`constellation-terraform`](../reference/terraform.md) in the current directory. - -:::danger - -All ephemeral storage and state of your cluster will be lost. Make sure any data is safely stored in persistent storage. Constellation can recreate your cluster and the associated encryption keys, but won't backup your application data automatically. - -::: - - - -Terminate the cluster by running: - -```bash -constellation terminate -``` - -Or without confirmation (e.g., for automation purposes): - -```bash -constellation terminate --yes -``` - -This deletes all resources created by Constellation in your cloud environment. -All local files created by the `apply` command are deleted as well, except for `constellation-mastersecret.json` and the configuration file. - -:::caution - -Termination can fail if additional resources have been created that depend on the ones managed by Constellation. In this case, you need to delete these additional -resources manually. Just run the `terminate` command again afterward to continue the termination process of the cluster. - -::: - - - -Terminate the cluster by running: - -```bash -terraform destroy -``` - -Delete all files that are no longer needed: - -```bash -rm constellation-state.yaml constellation-admin.conf -``` - -Only the `constellation-mastersecret.json` and the configuration file remain. - - - 
diff --git a/docs/versioned_docs/version-2.21/workflows/terraform-provider.md b/docs/versioned_docs/version-2.21/workflows/terraform-provider.md
deleted file mode 100644
index c7a795d3f..000000000
--- a/docs/versioned_docs/version-2.21/workflows/terraform-provider.md
+++ /dev/null
@@ -1,140 +0,0 @@ -# Use the Terraform provider - -The Constellation Terraform provider allows to manage the full lifecycle of a Constellation cluster (namely creation, upgrades, and deletion) via Terraform. -The provider is available through the [Terraform registry](https://registry.terraform.io/providers/edgelesssys/constellation/latest) and is released in lock-step with Constellation releases. - -## Prerequisites - -- a Linux / Mac operating system (ARM64/AMD64) -- a Terraform installation of version `v1.4.4` or above - -## Quick setup - -This example shows how to set up a Constellation cluster with the reference IAM and infrastructure setup. This setup is also used when creating a Constellation cluster through the Constellation CLI. You can either consume the IAM / infrastructure modules through a remote source (recommended) or local files. The latter requires downloading the infrastructure and IAM modules for the corresponding CSP from `terraform-modules.zip` on the [Constellation release page](https://github.com/edgelesssys/constellation/releases/latest) and placing them in the Terraform workspace directory. - -1. Create a directory (workspace) for your Constellation cluster. - - ```bash - mkdir constellation-workspace - cd constellation-workspace - ``` - -2. Use one of the [example configurations for using the Constellation Terraform provider](https://github.com/edgelesssys/constellation/tree/main/terraform-provider-constellation/examples/full) or create a `main.tf` file and fill it with the resources you want to create. The [Constellation Terraform provider documentation](https://registry.terraform.io/providers/edgelesssys/constellation/latest) offers thorough documentation on the resources and their attributes. -3. Initialize and apply the Terraform configuration. - - - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -:::info -On SEV-SNP, you need to manually patch the policy of the MAA provider before creating the Constellation cluster, as this feature isn't available in Azure's Terraform provider yet. The Constellation CLI provides a utility for patching, but you can also do it manually. - - ```bash - terraform init - terraform apply -target module.azure_iam # adjust resource path if not using the example configuration - terraform apply -target module.azure_infrastructure # adjust resource path if not using the example configuration - constellation maa-patch $(terraform output -raw maa_url) # adjust output path / input if not using the example configuration or manually patch the resource - terraform apply -target constellation_cluster.azure_example # adjust resource path if not using the example configuration - ``` - - Use the following policy if manually performing the patch. - - ``` - version= 1.0; - authorizationrules - { - [type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny(); - [type=="x-ms-azurevm-debuggersdisabled", value==false] => deny(); - // The line below was edited to use the MAA provider within Constellation. Do not edit manually. - //[type=="secureboot", value==false] => deny(); - [type=="x-ms-azurevm-signingdisabled", value==false] => deny(); - [type=="x-ms-azurevm-dbvalidated", value==false] => deny(); - [type=="x-ms-azurevm-dbxvalidated", value==false] => deny(); - => permit(); - }; - issuancerules - { - }; - ``` - -::: - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -4. Connect to the cluster. - - ```bash - terraform output -raw kubeconfig > constellation-admin.conf - export KUBECONFIG=$(realpath constellation-admin.conf) - ``` - -## Bringing your own infrastructure - -Instead of using the example infrastructure used in the [quick setup](#quick-setup), you can also provide your own infrastructure. -If you need a starting point for a custom infrastructure setup, you can download the infrastructure / IAM Terraform modules for the respective CSP from the Constellation [GitHub releases](https://github.com/edgelesssys/constellation/releases). You can modify and extend the modules per your requirements, while keeping the basic functionality intact. 
-The module contains: - -- `{csp}`: cloud resources the cluster runs on -- `iam/{csp}`: IAM resources used within the cluster - -When upgrading your cluster, make sure to check the Constellation release notes for potential breaking changes in the reference infrastructure / IAM modules that need to be considered. - -## Cluster upgrades - -:::tip -Also see the [general documentation on cluster upgrades](./upgrade.md). -::: - -The steps for applying the upgrade are as follows: - -1. Update the version constraint of the Constellation Terraform provider in the `required_providers` block in your Terraform configuration. -2. If you explicitly set any of the version attributes of the provider's resources and data sources (e.g. `image_version` or `constellation_microservice_version`), make sure to update them too. Refer to Constellation's [version support policy](https://github.com/edgelesssys/constellation/blob/main/dev-docs/workflows/versions-support.md) for more information on how each Constellation version and its dependencies are supported. -3. Update the IAM / infrastructure configuration. - - For [remote addresses as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#fetching-archives-over-http), update the version number inside the address of the `source` field of the infrastructure / IAM module to the target version. - - For [local paths as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#local-paths) or when [providing your own infrastructure](#bringing-your-own-infrastructure), see the changes made in the reference modules since the upgrade's origin version and adjust your infrastructure / IAM configuration accordingly. -4. Upgrade the Terraform module and provider dependencies and apply the targeted configuration. - -```bash - terraform init -upgrade - terraform apply -``` 
diff --git a/docs/versioned_docs/version-2.21/workflows/troubleshooting.md b/docs/versioned_docs/version-2.21/workflows/troubleshooting.md
deleted file mode 100644
index 195bce1cc..000000000
--- a/docs/versioned_docs/version-2.21/workflows/troubleshooting.md
+++ /dev/null
@@ -1,151 +0,0 @@ -# Troubleshooting - -This section aids you in finding problems when working with Constellation. - -## Common issues - -### Issues with creating new clusters - -When you create a new cluster, you should always use the [latest release](https://github.com/edgelesssys/constellation/releases/latest). -If something doesn't work, check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### Azure: Resource Providers can't be registered - -On Azure, you may receive the following error when running `apply` or `terminate` with limited IAM permissions: - -```shell-session -Error: Error ensuring Resource Providers are registered. - -Terraform automatically attempts to register the Resource Providers it supports to -ensure it's able to provision resources. - -If you don't have permission to register Resource Providers you may wish to use the -"skip_provider_registration" flag in the Provider block to disable this functionality. - -[...] -``` - -To continue, please ensure that the [required resource providers](../getting-started/install.md#required-permissions) have been registered in your subscription by your administrator. - -Afterward, set `ARM_SKIP_PROVIDER_REGISTRATION=true` as an environment variable and either run `apply` or `terminate` again. 
-For example: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation apply -``` - -Or alternatively, for `terminate`: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate -``` - -### Azure: Can't update attestation policy - -On Azure, you may receive the following error when running `apply` from within an Azure environment, e.g., an Azure VM: - -```shell-session -An error occurred: patching policies: updating attestation policy: unexpected status code: 403 Forbidden -``` - -The problem occurs because the Azure SDK we use internally attempts to [authenticate towards the Azure API with the managed identity of your current environment instead of the Azure CLI token](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential). - -We decided not to deviate from this behavior and comply with the ordering of credentials. - -A solution is to add the [required permissions](../getting-started/install.md#required-permissions) to the managed identity of your environment. For example, the managed identity of your Azure VM, instead of the account that you've authenticated with in the Azure CLI. - -If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior. - - - -### Nodes fail to join with error `untrusted measurement value` - -This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice). -This may for example happen if the cloud provider updates the VM's firmware such that it influences the [runtime measurements](../architecture/attestation.md#runtime-measurements) in an unforeseen way. -A failed upgrade due to an erroneous attestation config can also cause this error. -You can change the expected measurements to resolve the failure. 
- -:::caution - -Attestation and trusted measurements are crucial for the security of your cluster. -Be extra careful when manually changing these settings. -When in doubt, check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -:::tip - -During an upgrade with modified attestation config, a backup of the current configuration is stored in the `join-config` config map in the `kube-system` namespace under the `attestationConfig_backup` key. To restore the old attestation config after a failed upgrade, replace the value of `attestationConfig` with the value from `attestationConfig_backup`: - -```bash -kubectl patch configmaps -n kube-system join-config -p "{\"data\":{\"attestationConfig\":\"$(kubectl get configmaps -n kube-system join-config -o "jsonpath={.data.attestationConfig_backup}")\"}}" -``` - -::: - -You can use the `apply` command to change measurements of a running cluster: - -1. Modify the `measurements` key in your local `constellation-conf.yaml` to the expected values. -2. Run `constellation apply`. - -Keep in mind that running `apply` also applies any version changes from your config to the cluster. - -You can run these commands to learn about the versions currently configured in the cluster: - -- Kubernetes API server version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.kubernetesClusterVersion` -- image version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.imageVersion` -- microservices versions: `helm list --filter 'constellation-services' -n kube-system` - -### Upgrading Kubernetes resources fails - -Constellation manages its Kubernetes resources using Helm. 
-When applying an upgrade, the charts that are about to be installed, and a values override file `overrides.yaml`, -are saved to disk in your current workspace under `constellation-upgrade/upgrade-/helm-charts/`. -If upgrading the charts using the Constellation CLI fails, you can review these charts and try to manually apply the upgrade. - -:::caution - -Changing and manually applying the charts may destroy cluster resources and can lead to broken Constellation deployments. -Proceed with caution and when in doubt, -check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -## Diagnosing issues - -### Logs - -To get started on diagnosing issues with Constellation, it's often helpful to collect logs from nodes, pods, or other resources in the cluster. Most logs are available through Kubernetes' standard -[logging interfaces](https://kubernetes.io/docs/concepts/cluster-administration/logging/). - -To debug issues occurring at boot time of the nodes, you can use the serial console interface of the CSP while the machine boots to get a read-only view of the boot logs. - -Apart from that, Constellation also offers further [observability integrations](../architecture/observability.md). - -### Node shell access - -Debugging via a shell on a node is [directly supported by Kubernetes](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#node-shell-session). - -1. Figure out which node to connect to: - - ```bash - kubectl get nodes - # or to see more information, such as IPs: - kubectl get nodes -o wide - ``` - -2. Connect to the node: - - ```bash - kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox - ``` - - You will be presented with a prompt. - - The nodes file system is mounted at `/host`. - -3. 
Once finished, clean up the debug pod: - - ```bash - kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj - ``` diff --git a/docs/versioned_docs/version-2.21/workflows/trusted-launch.md b/docs/versioned_docs/version-2.21/workflows/trusted-launch.md deleted file mode 100644 index d6d01d8eb..000000000 --- a/docs/versioned_docs/version-2.21/workflows/trusted-launch.md +++ /dev/null 
@@ -1,54 +0,0 @@ -# Use Azure trusted launch VMs - -Constellation also supports [trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch) on Microsoft Azure. Trusted launch VMs don't offer the same level of security as Confidential VMs, but are available in more regions and in larger quantities. The main difference between trusted launch VMs and normal VMs is that the former offer vTPM-based remote attestation. When used with trusted launch VMs, Constellation relies on vTPM-based remote attestation to verify nodes. - -:::caution - -Trusted launch VMs don't provide runtime encryption and don't keep the cloud service provider (CSP) out of your trusted computing base. - -::: - -Constellation supports trusted launch VMs with instance types `Standard_D*_v4` and `Standard_E*_v4`. Run `constellation config instance-types` for a list of all supported instance types. - -## VM images - -Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription. - -The latest image is available at `https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img`. Simply adjust the version number to download a newer version. - -After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image. -You can use a script to do this: - -```bash -wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh -chmod +x importAzure.sh -AZURE_IMAGE_VERSION=2.2.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./constellation.img ./importAzure.sh -``` - -The script creates the following resources: - -1. A new image gallery with the default name `constellation-import` -2. A new image definition with the default name `constellation` -3. 
The actual image with the provided version. In this case `2.2.0` - -Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`. - -Fetch the image measurements: - -```bash -IMAGE_VERSION=2.2.0 -URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//communitygalleries/constellationcvm-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/$IMAGE_VERSION/measurements.yaml -constellation config fetch-measurements -u$URL -s$URL.sig -``` - -:::info - -The [`constellation apply`](create.md) command will issue a warning because manually imported images aren't recognized as production grade images: - -```shell-session -Configured image doesn't look like a released production image. Double check image before deploying to production. -``` - -Please ignore this warning. - -::: diff --git a/docs/versioned_docs/version-2.21/workflows/upgrade.md b/docs/versioned_docs/version-2.21/workflows/upgrade.md deleted file mode 100644 index 3db2ecad6..000000000 --- a/docs/versioned_docs/version-2.21/workflows/upgrade.md +++ /dev/null 
@@ -1,110 +0,0 @@ -# Upgrade your cluster - -Constellation provides an easy way to upgrade all components of your cluster, without disrupting its availability. -Specifically, you can upgrade the Kubernetes version, the nodes' image, and the Constellation microservices. -You configure the desired versions in your local Constellation configuration and trigger upgrades with the `apply` command. -To learn about available versions you use the `upgrade check` command. -Which versions are available depends on the CLI version you are using. - -## Update the CLI - -Each CLI comes with a set of supported microservice and Kubernetes versions. -Most importantly, a given CLI version can only upgrade a cluster of the previous minor version, but not older ones. -This means that you have to upgrade your CLI and cluster one minor version at a time. - -For example, if you are currently on CLI version v2.6 and the latest version is v2.8, you should - -* upgrade the CLI to v2.7, -* upgrade the cluster to v2.7, -* and only then continue upgrading the CLI (and the cluster) to v2.8 after. - -Also note that if your current Kubernetes version isn't supported by the next CLI version, use your current CLI to upgrade to a newer Kubernetes version first. - -To learn which Kubernetes versions are supported by a particular CLI, run [constellation config kubernetes-versions](../reference/cli.md#constellation-config-kubernetes-versions). - -## Migrate the configuration - -The Constellation configuration file is located in the file `constellation-conf.yaml` in your workspace. -Refer to the [migration reference](../reference/migration.md) to check if you need to update fields in your configuration file. -Use [`constellation config migrate`](../reference/cli.md#constellation-config-migrate) to automatically update an old config file to a new format. 
- -## Check for upgrades - -To learn which versions the current CLI can upgrade to and what's installed in your cluster, run: - -```bash -# Show possible upgrades -constellation upgrade check - -# Show possible upgrades and write them to config file -constellation upgrade check --update-config -``` - -You can either enter the reported target versions into your config manually or run the above command with the `--update-config` flag. -When using this flag, the `kubernetesVersion`, `image`, `microserviceVersion`, and `attestation` fields are overwritten with the smallest available upgrade. - -## Apply the upgrade - -Once you updated your config with the desired versions, you can trigger the upgrade with this command: - -```bash -constellation apply -``` - -Microservice upgrades will be finished within a few minutes, depending on the cluster size. -If you are interested, you can monitor pods restarting in the `kube-system` namespace with your tool of choice. - -Image and Kubernetes upgrades take longer. -For each node in your cluster, a new node has to be created and joined. -The process usually takes up to ten minutes per node. - -When applying an upgrade, the Helm charts for the upgrade as well as backup files of Constellation-managed Custom Resource Definitions, Custom Resources, and Terraform state are created. -You can use the Terraform state backup to restore previous resources in case an upgrade misconfigured or erroneously deleted a resource. -You can use the Custom Resource (Definition) backup files to restore Custom Resources and Definitions manually (e.g., via `kubectl apply`) if the automatic migration of those resources fails. -You can use the Helm charts to manually apply upgrades to the Kubernetes resources, should an upgrade fail. - -:::note - -For advanced users: the upgrade consists of several phases that can be individually skipped through the `--skip-phases` flag. 
-The phases are `infrastracture` for the cloud resource management through Terraform, `helm` for the chart management of the microservices, `image` for OS image upgrades, and `k8s` for Kubernetes version upgrades. - -::: - -## Check the status - -Upgrades are asynchronous operations. -After you run `apply`, it will take a while until the upgrade has completed. -To understand if an upgrade is finished, you can run: - -```bash -constellation status -``` - -This command displays the following information: - -* The installed services and their versions -* The image and Kubernetes version the cluster is expecting on each node -* How many nodes are up to date - -Here's an example output: - -```shell-session -Target versions: - Image: v2.6.0 - Kubernetes: v1.25.8 -Service versions: - Cilium: v1.12.1 - cert-manager: v1.10.0 - constellation-operators: v2.6.0 - constellation-services: v2.6.0 -Cluster status: Some node versions are out of date - Image: 23/25 - Kubernetes: 25/25 -``` - -This output indicates that the cluster is running Kubernetes version `1.25.8`, and all nodes have the appropriate binaries installed. -23 out of 25 nodes have already upgraded to the targeted image version of `2.6.0`, while two are still in progress. - -## Apply further upgrades - -After the upgrade is finished, you can run `constellation upgrade check` again to see if there are more upgrades available. If so, repeat the process. diff --git a/docs/versioned_docs/version-2.21/workflows/verify-cli.md b/docs/versioned_docs/version-2.21/workflows/verify-cli.md deleted file mode 100644 index e33569d37..000000000 --- a/docs/versioned_docs/version-2.21/workflows/verify-cli.md +++ /dev/null 
@@ -1,129 +0,0 @@ -# Verify the CLI - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/cosign/signing/overview/), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at `https://rekor.sigstore.dev`. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). -::: - -The Rekor transparency log is a public append-only ledger that verifies and records signatures and associated metadata. The Rekor transparency log enables everyone to observe the sequence of (software) signatures issued by Edgeless Systems and many other parties. The transparency log allows for the public identification of dubious or malicious signatures. - -You should always ensure that (1) your CLI executable was signed with the private key corresponding to the above public key and that (2) there is a corresponding entry in the Rekor transparency log. Both can be done as described in the following. - -:::info -You don't need to verify the Constellation node images. This is done automatically by your CLI and the rest of Constellation. 
-::: - -## Verify the signature - -:::info -This guide assumes Linux on an amd64 processor. The exact steps for other platforms differ slightly. -::: - -First, [install the Cosign CLI](https://docs.sigstore.dev/cosign/system_config/installation/). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: - -```shell-session -$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -Verified OK -``` - -The above performs an offline verification of the provided public key, signature, and executable. To also verify that a corresponding entry exists in the public Rekor transparency log, add the variable `COSIGN_EXPERIMENTAL=1`: - -```shell-session -$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -tlog entry verified with uuid: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 index: 3477047 -Verified OK -``` - -🏁 You now know that your CLI executable was officially released and signed by Edgeless Systems. - -### Optional: Manually inspect the transparency log - -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) 
- -```shell-session -$ rekor-cli search --artifact constellation-linux-amd64 - -Found matching entries (listed by UUID): -362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -``` - -With this UUID you can get the full entry from the transparency log: - -```shell-session -$ rekor-cli get --uuid=362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 - -LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d -Index: 3477047 -IntegratedTime: 2022-09-12T22:28:16Z -UUID: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -Body: { - "HashedRekordObj": { - "data": { - "hash": { - "algorithm": "sha256", - "value": "40e137b9b9b8204d672642fd1e181c6d5ccb50cfc5cc7fcbb06a8c2c78f44aff" - } - }, - "signature": { - "content": "MEUCIQCSER3mGj+j5Pr2kOXTlCIHQC3gT30I7qkLr9Awt6eUUQIgcLUKRIlY50UN8JGwVeNgkBZyYD8HMxwC/LFRWoMn180=", - "publicKey": { - "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZjhGMWhwbXdFK1lDRlh6akd0YVFjckw2WFpWVApKbUVlNWlTTHZHMVN5UVNBZXc3V2RNS0Y2bzl0OGUyVEZ1Q2t6bE9oaGx3czJPSFdiaUZabkZXQ0Z3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" - } - } - } -} -``` - -The field `publicKey` should contain Edgeless Systems' public key in Base64 encoding. - -You can get an exhaustive list of artifact signatures issued by Edgeless Systems via the following command: - -```bash -rekor-cli search --public-key https://edgeless.systems/es.pub --pki-format x509 -``` - -Edgeless Systems monitors this list to detect potential unauthorized use of its private key. - -## Verify the provenance - -Provenance attests that a software artifact was produced by a specific repository and build system invocation. For more information on provenance visit [slsa.dev](https://slsa.dev/provenance/v0.2) and learn about the [adoption of SLSA for Constellation](../reference/slsa.md). 
- -Just as checking its signature proves that the CLI hasn't been manipulated, checking the provenance proves that the artifact was produced by the expected build process and hasn't been tampered with. - -To verify the provenance, first install the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Then make sure you have the provenance file (`constellation.intoto.jsonl`) and Constellation CLI downloaded. Both are available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). - -:::info -The same provenance file is valid for all Constellation CLI executables of a given version independent of the target platform. -::: - -Use the verifier to perform the check: - -```shell-session -$ slsa-verifier verify-artifact constellation-linux-amd64 \ - --provenance-path constellation.intoto.jsonl \ - --source-uri github.com/edgelesssys/constellation - -Verified signature against tlog entry index 7771317 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77af2c04c8b4ae0d5bc5... -Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2 at commit 18e9924b416323c37b9cdfd6cc728de8a947424a -PASSED: Verified SLSA provenance -``` diff --git a/docs/versioned_docs/version-2.21/workflows/verify-cluster.md b/docs/versioned_docs/version-2.21/workflows/verify-cluster.md deleted file mode 100644 index b6595ebf2..000000000 --- a/docs/versioned_docs/version-2.21/workflows/verify-cluster.md +++ /dev/null 
@@ -1,97 +0,0 @@ -# Verify your cluster - -Constellation's [attestation feature](../architecture/attestation.md) allows you, or a third party, to verify the integrity and confidentiality of your Constellation cluster. - -## Fetch measurements - -To verify the integrity of Constellation you need trusted measurements to verify against. For each node image released by Edgeless Systems, there are signed measurements, which you can download using the CLI: - -```bash -constellation config fetch-measurements -``` - -This command performs the following steps: - -1. Download the signed measurements for the configured image. By default, this will use Edgeless Systems' public measurement registry. -2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub). -3. Write measurements into configuration file. - -The configuration file then contains a list of `measurements` similar to the following: - -```yaml -# ... -measurements: - 0: - expected: "0f35c214608d93c7a6e68ae7359b4a8be5a0e99eea9107ece427c4dea4e439cf" - warnOnly: false - 4: - expected: "02c7a67c01ec70ffaf23d73a12f749ab150a8ac6dc529bda2fe1096a98bf42ea" - warnOnly: false - 5: - expected: "e6949026b72e5045706cd1318889b3874480f7a3f7c5c590912391a2d15e6975" - warnOnly: true - 8: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 9: - expected: "f0a6e8601b00e2fdc57195686cd4ef45eb43a556ac1209b8e25d993213d68384" - warnOnly: false - 11: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 12: - expected: "da99eb6cf7c7fbb692067c87fd5ca0b7117dc293578e4fea41f95d3d3d6af5e2" - warnOnly: false - 13: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 14: - expected: "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" - warnOnly: true - 15: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - 
warnOnly: false -# ... -``` - -Each entry specifies the expected value of the Constellation node, and whether the measurement should be enforced (`warnOnly: false`), or only a warning should be logged (`warnOnly: true`). -By default, the subset of the [available measurements](../architecture/attestation.md#runtime-measurements) that can be locally reproduced and verified is enforced. - -During attestation, the validating side (CLI or [join service](../architecture/microservices.md#joinservice)) compares each measurement reported by the issuing side (first node or joining node) individually. -For mismatching measurements that have set `warnOnly` to `true` only a warning is emitted. -For mismatching measurements that have set `warnOnly` to `false` an error is emitted and attestation fails. -If attestation fails for a new node, it isn't permitted to join the cluster. - -## The *verify* command - -:::note -The steps below are purely optional. They're automatically executed by `constellation apply` when you initialize your cluster. The `constellation verify` command mostly has an illustrative purpose. -::: - -The `verify` command obtains and verifies an attestation statement from a running Constellation cluster. - -```bash -constellation verify [--cluster-id ...] -``` - -From the attestation statement, the command verifies the following properties: - -* The cluster is using the correct Confidential VM (CVM) type. -* Inside the CVMs, the correct node images are running. The node images are identified through the measurements obtained in the previous step. -* The unique ID of the cluster matches the one from your `constellation-state.yaml` file or passed in via `--cluster-id`. - -Once the above properties are verified, you know that you are talking to the right Constellation cluster and it's in a good and trustworthy shape. - -### Custom arguments - -The `verify` command also allows you to verify any Constellation deployment that you have network access to. 
For this you need the following: - -* The IP address of a running Constellation cluster's [VerificationService](../architecture/microservices.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`. -* The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details. -* A `constellation-conf.yaml` file with the expected measurements of the cluster in your working directory. - -For example: - -```shell-session -constellation verify -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ= -``` diff --git a/docs/versioned_docs/version-2.22/_media/SLSA-Badge-full-level3.svg b/docs/versioned_docs/version-2.22/_media/SLSA-Badge-full-level3.svg deleted file mode 100644 index 7154d4a13..000000000 --- a/docs/versioned_docs/version-2.22/_media/SLSA-Badge-full-level3.svg +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_bw.png b/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_bw.png deleted file mode 100644 index a82ebe2d0..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_bw.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_iops.png b/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_iops.png deleted file mode 100644 index 1723257a8..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_fio_azure_iops.png and /dev/null differ 
diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_bw.png b/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_bw.png
deleted file mode 100644
index 4f0ecc94b..000000000
Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_bw.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_iops.png b/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_iops.png
deleted file mode 100644
index 571086da2..000000000
Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_fio_gcp_iops.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_azure.png b/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_azure.png
deleted file mode 100644
index 9130349c7..000000000
Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_azure.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_gcp.png b/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_gcp.png
deleted file mode 100644
index a41557e96..000000000
Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2p_gcp.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_azure.png b/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_azure.png
deleted file mode 100644
index d83e17f5a..000000000
Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_azure.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_gcp.png b/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_gcp.png
deleted file mode 100644
index 55916a1de..000000000
Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_net_p2svc_gcp.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/max_latency.png b/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/max_latency.png deleted file mode 100644 index 696250181..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/max_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/mean_latency.png b/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/mean_latency.png deleted file mode 100644 index 3b43298ac..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/mean_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/min_latency.png b/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/min_latency.png deleted file mode 100644 index 1046df67e..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/min_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/p99_latency.png b/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/p99_latency.png deleted file mode 100644 index 0190118b2..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/benchmark_vault/5replicas/p99_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/concept-constellation.svg b/docs/versioned_docs/version-2.22/_media/concept-constellation.svg deleted file mode 100644 index 30d32bf6d..000000000 --- a/docs/versioned_docs/version-2.22/_media/concept-constellation.svg +++ /dev/null @@ -1,460 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.22/_media/concept-managed.svg b/docs/versioned_docs/version-2.22/_media/concept-managed.svg deleted file mode 100644 index 5645a608f..000000000 --- a/docs/versioned_docs/version-2.22/_media/concept-managed.svg +++ /dev/null @@ -1,591 +0,0 @@ - - 
diff --git a/docs/versioned_docs/version-2.22/_media/constellation_oneline.svg b/docs/versioned_docs/version-2.22/_media/constellation_oneline.svg deleted file mode 100644 index 4e354958a..000000000 --- a/docs/versioned_docs/version-2.22/_media/constellation_oneline.svg +++ /dev/null @@ -1,52 +0,0 @@ - - - - - - - - diff --git a/docs/versioned_docs/version-2.22/_media/example-emojivoto.jpg b/docs/versioned_docs/version-2.22/_media/example-emojivoto.jpg deleted file mode 100644 index 4be0d5b26..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/example-emojivoto.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/example-online-boutique.jpg b/docs/versioned_docs/version-2.22/_media/example-online-boutique.jpg deleted file mode 100644 index 026f0d865..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/example-online-boutique.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/recovery-gcp-serial-console-link.png b/docs/versioned_docs/version-2.22/_media/recovery-gcp-serial-console-link.png deleted file mode 100644 index eb67f0e99..000000000 Binary files a/docs/versioned_docs/version-2.22/_media/recovery-gcp-serial-console-link.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.22/_media/tcb.svg b/docs/versioned_docs/version-2.22/_media/tcb.svg deleted file mode 100644 index e5bcb5b95..000000000 --- a/docs/versioned_docs/version-2.22/_media/tcb.svg +++ /dev/null @@ -1,535 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.22/architecture/attestation.md b/docs/versioned_docs/version-2.22/architecture/attestation.md deleted file mode 100644 index 9bd157460..000000000 --- a/docs/versioned_docs/version-2.22/architecture/attestation.md +++ /dev/null 
@@ -1,409 +0,0 @@ -# Attestation - -This page explains Constellation's attestation process and highlights the cornerstones of its trust model. - -## Terms - -The following lists terms and concepts that help to understand the attestation concept of Constellation. - -### Trusted Platform Module (TPM) - -A TPM chip is a dedicated tamper-resistant crypto-processor. -It can securely store artifacts such as passwords, certificates, encryption keys, or *runtime measurements* (more on this below). -When a TPM is implemented in software, it's typically called a *virtual* TPM (vTPM). - -### Runtime measurement - -A runtime measurement is a cryptographic hash of the memory pages of a so called *runtime component*. Runtime components of interest typically include a system's bootloader or OS kernel. - -### Platform Configuration Register (PCR) - -A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. -To store a new value in a PCR, the existing value is extended with a new value as follows: - -``` -PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend ) -``` - -The PCRs are typically used to store runtime measurements. -The new value of a PCR is always an extension of the existing value. -Thus, storing the measurements of multiple components into the same PCR irreversibly links them together. - -### Measured boot - -Measured boot builds on the concept of chained runtime measurements. -Each component in the boot chain loads and measures the next component into the PCR before executing it. -By comparing the resulting PCR values against trusted reference values, the integrity of the entire boot chain and thereby the running system can be ensured. - -### Remote attestation (RA) - -Remote attestation is the process of verifying certain properties of an application or platform, such as integrity and confidentiality, from a remote location. 
-In the case of a measured boot, the goal is to obtain a signed attestation statement on the PCR values of the boot measurements. -The statement can then be verified and compared to a set of trusted reference values. -This way, the integrity of the platform can be ensured before sharing secrets with it. - -### Confidential virtual machine (CVM) - -Confidential computing (CC) is the protection of data in-use with hardware-based trusted execution environments (TEEs). -With CVMs, TEEs encapsulate entire virtual machines and isolate them against the hypervisor, other VMs, and direct memory access. -After loading the initial VM image into encrypted memory, the hypervisor calls for a secure processor to measure these initial memory pages. -The secure processor locks these pages and generates an attestation report on the initial page measurements. -CVM memory pages are encrypted with a key that resides inside the secure processor, which makes sure only the guest VM can access them. -The attestation report is signed by the secure processor and can be verified using remote attestation via the certificate authority of the hardware vendor. -Such an attestation statement guarantees the confidentiality and integrity of a CVM. - -### Attested TLS (aTLS) - -In a CC environment, attested TLS (aTLS) can be used to establish secure connections between two parties using the remote attestation features of the CC components. - -aTLS modifies the TLS handshake by embedding an attestation statement into the TLS certificate. -Instead of relying on a certificate authority, aTLS uses this attestation statement to establish trust in the certificate. - -The protocol can be used by clients to verify a server certificate, by a server to verify a client certificate, or for mutual verification (mutual aTLS). - -## Overview - -The challenge for Constellation is to lift a CVM's attestation statement to the Kubernetes software layer and make it end-to-end verifiable. 
-From there, Constellation needs to expand the attestation from a single CVM to the entire cluster. - -The [*JoinService*](microservices.md#joinservice) and [*VerificationService*](microservices.md#verificationservice) are where all runs together. -Internally, the *JoinService* uses remote attestation to securely join CVM nodes to the cluster. -Externally, the *VerificationService* provides an attestation statement for the cluster's CVMs and configuration. - -The following explains the details of both steps. - -## Node attestation - -The idea is that Constellation nodes should have verifiable integrity from the CVM hardware measurement up to the Kubernetes software layer. -The solution is a verifiable boot chain and an integrity-protected runtime environment. - -Constellation uses measured boot within CVMs, measuring each component in the boot process before executing it. -Outside of CC, this is usually implemented via TPMs. -CVM technologies differ in how they implement runtime measurements, but the general concepts are similar to those of a TPM. -For simplicity, TPM terminology like *PCR* is used in the following. - -When a Constellation node image boots inside a CVM, measured boot is used for all stages and components of the boot chain. -This process goes up to the root filesystem. -The root filesystem is mounted read-only with integrity protection. -For the details on the image and boot stages see the [image architecture](../architecture/images.md) documentation. -Any changes to the image will inevitably also change the corresponding PCR values. -To create a node attestation statement, the Constellation image obtains a CVM attestation statement from the hardware. -This includes the runtime measurements and thereby binds the measured boot results to the CVM hardware measurement. - -In addition to the image measurements, Constellation extends a PCR during the [initialization phase](../workflows/create.md) that irrevocably marks the node as initialized. 
-The measurement is created using the [*clusterID*](../architecture/keys.md#cluster-identity), tying all future attestation statements to this ID. -Thereby, an attestation statement is unique for every cluster and a node can be identified unambiguously as being initialized. - -To verify an attestation, the hardware's signature and a statement are verified first to establish trust in the contained runtime measurements. -If successful, the measurements are verified against the trusted values of the particular Constellation release version. -Finally, the measurement of the *clusterID* can be compared by calculating it with the [master secret](keys.md#master-secret). - -### Runtime measurements - -Constellation uses runtime measurements to implement the measured boot approach. -As stated above, the underlying hardware technology and guest firmware differ in their implementations of runtime measurements. -The following gives a detailed description of the available measurements in the different cloud environments. - -The runtime measurements consist of two types of values: - -* **Measurements produced by the cloud infrastructure and firmware of the CVM**: -These are measurements of closed-source firmware and other values controlled by the cloud provider. -While not being reproducible for the user, some of them can be compared against previously observed values. -Others may change frequently and aren't suitable for verification. -The [signed image measurements](#chain-of-trust) include measurements that are known, previously observed values. - -* **Measurements produced by the Constellation bootloader and boot chain**: -The Constellation Bootloader takes over from the CVM firmware and [measures the rest of the boot chain](images.md). -The Constellation [Bootstrapper](microservices.md#bootstrapper) is the first user mode component that runs in a Constellation image. 
-It extends PCR registers with the [IDs](keys.md#cluster-identity) of the cluster marking a node as initialized. - -Constellation allows to specify in the config which measurements should be enforced during the attestation process. -Enforcing non-reproducible measurements controlled by the cloud provider means that changes in these values require manual updates to the cluster's config. -By default, Constellation only enforces measurements that are stable values produced by the infrastructure or by Constellation directly. - - - - -Constellation uses the [vTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) (NitroTPM) feature of the [AWS Nitro System](http://aws.amazon.com/ec2/nitro/) on AWS for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | AWS | No | -| 1 | Firmware | AWS | No | -| 2 | Firmware | AWS | No | -| 3 | Firmware | AWS | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | AWS, Constellation Bootloader | Yes | -| 5 | Firmware | AWS | No | -| 6 | Firmware | AWS | No | -| 7 | Secure Boot Policy | AWS, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm) feature of Azure CVMs for runtime measurements. -This vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [measured boot](https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation#measured-boot) verification that's based on the trusted launch feature of [Trusted Launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | Azure | No | -| 1 | Firmware | Azure | No | -| 2 | Firmware | Azure | No | -| 3 | Firmware | Azure | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | Azure, Constellation Bootloader | Yes | -| 5 | Reserved | Azure | No | -| 6 | VM Unique ID | Azure | No | -| 7 | Secure Boot State | Azure, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) feature of CVMs on GCP for runtime measurements. -Note that this vTPM doesn't run inside the hardware-protected CVM context, but is emulated by the hypervisor. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [launch attestation report](https://cloud.google.com/compute/confidential-vm/docs/monitoring#about_launch_attestation_report_events) that's based on the measured boot feature of [Shielded VMs](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#measured-boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. 
-The latter means that the value can be generated offline and compared to the one in the vTPM. - -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | CVM version and technology | GCP | No | -| 1 | Firmware | GCP | No | -| 2 | Firmware | GCP | No | -| 3 | Firmware | GCP | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | GCP, Constellation Bootloader | Yes | -| 5 | Disk GUID partition table | GCP | No | -| 6 | Disk GUID partition table | GCP | No | -| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses a hypervisor-based vTPM for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | STACKIT | No | -| 1 | Firmware | STACKIT | No | -| 2 | Firmware | STACKIT | No | -| 3 | Firmware | STACKIT | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | STACKIT, Constellation Bootloader | Yes | -| 5 | Firmware | STACKIT | No | -| 6 | Firmware | STACKIT | No | -| 7 | Secure Boot Policy | STACKIT, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -### CVM verification - -To verify the integrity of the received attestation statement, a chain of trust from the CVM technology to the interface providing the statement has to be established. -For verification of the CVM technology, Constellation may expose additional options in its config file. - - - - -On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. 
- -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On Azure, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the vTPM running inside the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* Firmware Signer - - This config option allows you to specify how the firmware signer should be verified. - More explicitly, it controls the verification of the `IDKeyDigest` value in the SEV-SNP attestation report. - You can provide a list of accepted key digests and specify a policy on how this list is compared against the reported `IDKeyDigest`. - - - - -On GCP, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. 
- Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs. -The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements). -There is no additional configuration available for STACKIT. - - - - -## Cluster attestation - -Cluster-facing, Constellation's [*JoinService*](microservices.md#joinservice) verifies each node joining the cluster given the configured ground truth runtime measurements. -User-facing, the [*VerificationService*](microservices.md#verificationservice) provides an interface to verify a node using remote attestation. -By verifying the first node during the [initialization](microservices.md#bootstrapper) and configuring the ground truth measurements that are subsequently enforced by the *JoinService*, the whole cluster is verified in a transitive way. - -### Cluster-facing attestation - -The *JoinService* is provided with the runtime measurements of the whitelisted Constellation image version as the ground truth. -During the initialization and the cluster bootstrapping, each node connects to the *JoinService* using [aTLS](#attested-tls-atls). -During the handshake, the node transmits an attestation statement including its runtime measurements. -The *JoinService* verifies that statement and compares the measurements against the ground truth. -For details of the initialization process check the [microservice descriptions](microservices.md). 
- -After the initialization, every node updates its runtime measurements with the *clusterID* value, marking it irreversibly as initialized. -When an initialized node tries to join another cluster, its measurements inevitably mismatch the measurements of an uninitialized node and it will be declined. - -### User-facing attestation - -The [*VerificationService*](microservices.md#verificationservice) provides an endpoint for obtaining its hardware-based remote attestation statement, which includes the runtime measurements. -A user can [verify](../workflows/verify-cluster.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy. - -## Putting it all together - -This section puts the aforementioned concepts together and illustrate how trust into a Constellation cluster is established and maintained. - -### CLI and node images - -It all starts with the CLI executable. The CLI is signed by Edgeless Systems. To ensure non-repudiability for CLI releases, Edgeless Systems publishes corresponding signatures to the public ledger of the [sigstore project](https://www.sigstore.dev/). There's a [step-by-step guide](../workflows/verify-cli.md) on how to verify CLI signatures based on sigstore. - -The CLI contains the latest runtime measurements of the Constellation node image for all supported cloud platforms. In case a different version of the node image is to be used, the corresponding runtime measurements can be fetched using the CLI's [fetch-measurements command](../reference/cli.md#constellation-config-fetch-measurements). This command downloads the runtime measurements and the corresponding signature from cdn.confidential.cloud. 
See for example the following files corresponding to node image v2.16.3: - -* [Measurements](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json) -* [Signature](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json.sig) - -The CLI contains the long-term public key of Edgeless Systems to verify the signature of downloaded runtime measurements. - -### Cluster creation - -When a cluster is [created](../workflows/create.md), the CLI automatically verifies the runtime measurements of the *first node* using remote attestation. Based on this, the CLI and the first node set up a temporary TLS connection. This [aTLS](#attested-tls-atls) connection is used for two things: - -1. The CLI sends the [master secret](../architecture/keys.md#master-secret) of the to-be-created cluster to the CLI. The master secret is generated by the first node. -2. The first node sends a [kubeconfig file](https://www.redhat.com/sysadmin/kubeconfig) with Kubernetes credentials to the CLI. - -After this, the aTLS connection is closed and the first node bootstraps the Kubernetes cluster. All subsequent interactions between the CLI and the cluster go via the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/) server running inside the cluster. The CLI (and other tools like kubectl) use the credentials referenced by the kubeconfig file to authenticate themselves towards the Kubernetes API server and to establish a mTLS connection. - -The CLI connects to the Kubernetes API to write the runtime measurements for the applicable node image to etcd. The JoinService uses these runtime measurements to verify all nodes that join the cluster subsequently. - -### Chain of trust - -In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the cluster via the CLI. This is illustrated in the following diagram. 
- -```mermaid -flowchart LR - A[User]-- "verifies" -->B[CLI] - B[CLI]-- "verifies" -->C([Runtime measurements]) - D[Edgeless Systems]-- "signs" -->B[CLI] - D[Edgeless Systems]-- "signs" -->C([Runtime measurements]) - B[CLI]-- "verifies (remote attestation)" -->E[First node] - E[First node]-- "verifies (remote attestation)" -->F[Other nodes] - C([Runtime measurements]) -.-> E[First node] - C([Runtime measurements]) -.-> F[Other nodes] -``` - -### Upgrades - -Whenever a cluster is [upgraded](../workflows/upgrade.md) to a new version of the node image, the CLI sends the corresponding runtime measurements via the Kubernetes API server. The new runtime measurements are stored in etcd within the cluster and replace any previous runtime measurements. The new runtime measurements are then used automatically by the JoinService for the verification of new nodes. - -## References - -[^1]: Linux IMA produces runtime measurements of user-space binaries. -However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value. -Instead, a policy engine must be used to verify the TPM event log against a policy. diff --git a/docs/versioned_docs/version-2.22/architecture/encrypted-storage.md b/docs/versioned_docs/version-2.22/architecture/encrypted-storage.md deleted file mode 100644 index f047fa4a9..000000000 --- a/docs/versioned_docs/version-2.22/architecture/encrypted-storage.md +++ /dev/null 
@@ -1,62 +0,0 @@
-# Encrypted persistent storage
-
-Confidential VMs provide runtime memory encryption to protect data in use.
-In the context of Kubernetes, this is sufficient for the confidentiality and integrity of stateless services.
-Consider a front-end web server, for example, that keeps all connection information cached in main memory.
-No sensitive data is ever written to an insecure medium.
-However, many real-world applications need some form of state or data-lake service that's connected to a persistent storage device and requires encryption at rest.
-As described in [Use persistent storage](../workflows/storage.md), cloud service providers (CSPs) use the container storage interface (CSI) to make their storage solutions available to Kubernetes workloads.
-These CSI storage solutions often support some sort of encryption.
-For example, Google Cloud [encrypts data at rest by default](https://cloud.google.com/security/encryption/default-encryption), without any action required by the customer.
-
-## Cloud provider-managed encryption
-
-CSP-managed storage solutions encrypt the data in the cloud backend before writing it physically to disk.
-In the context of confidential computing and Constellation, the CSP and its managed services aren't trusted.
-Hence, cloud provider-managed encryption protects your data from offline hardware access to physical storage devices.
-It doesn't protect it from anyone with infrastructure-level access to the storage backend or a malicious insider in the cloud platform.
-Even with "bring your own key" or similar concepts, the CSP performs the encryption process with access to the keys and plaintext data.
-
-In the security model of Constellation, securing persistent storage and thereby data at rest requires that all cryptographic operations are performed inside a trusted execution environment.
-Consequently, using CSP-managed encryption of persistent storage usually isn't an option.
-
-## Constellation-managed encryption
-
-Constellation provides CSI drivers for storage solutions in all major clouds with built-in encryption support.
-Block storage provisioned by the CSP is [mapped](https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html) using the [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html), and optionally the [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html), kernel modules, before it's formatted and accessed by the Kubernetes workloads.
-All cryptographic operations happen inside the trusted environment of the confidential Constellation node.
-
-Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.
-
-By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](microservices.md#keyservice).
-The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret).
-This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator.
-
-Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs.
-
-Refer to [keys and cryptography](keys.md) for more details on key management in Constellation.
-
-Once deployed and configured, the CSI driver ensures transparent encryption and integrity of all persistent volumes provisioned via its storage class.
-Data at rest is secured without any additional actions required by the developer.
-
-## Cryptographic algorithms
-
-This section gives an overview of the libraries, cryptographic algorithms, and their configurations, used in Constellation's CSI drivers.
-
-### dm-crypt
-
-To interact with the dm-crypt kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/).
-New devices are formatted as [LUKS2](https://gitlab.com/cryptsetup/LUKS2-docs/-/tree/master) partitions with a sector size of 4096 bytes.
-The used key derivation function is [Argon2id](https://datatracker.ietf.org/doc/html/rfc9106) with the [recommended parameters for memory-constrained environments](https://datatracker.ietf.org/doc/html/rfc9106#section-7.4) of 3 iterations and 64 MiB of memory, utilizing 4 parallel threads.
-For encryption Constellation uses AES in XTS-Plain64. The key size is 512 bit.
-
-### dm-integrity
-
-To interact with the dm-integrity kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/).
-When enabled, the used data integrity algorithm is [HMAC](https://datatracker.ietf.org/doc/html/rfc2104) with SHA256 as the hash function.
-The tag size is 32 Bytes.
-
-## Encrypted S3 object storage
-
-Constellation comes with a service that you can use to transparently retrofit client-side encryption to existing applications that use S3 (AWS or compatible) for storage.
-To learn more, check out the [s3proxy documentation](../workflows/s3proxy.md).
diff --git a/docs/versioned_docs/version-2.22/architecture/images.md b/docs/versioned_docs/version-2.22/architecture/images.md
deleted file mode 100644
index 8a9c51d36..000000000
--- a/docs/versioned_docs/version-2.22/architecture/images.md
+++ /dev/null
@@ -1,49 +0,0 @@ -# Constellation images - -Constellation uses a minimal version of Fedora as the operating system running inside confidential VMs. This Linux distribution is optimized for containers and designed to be stateless. -The Constellation images provide measured boot and an immutable filesystem. - -## Measured boot - -```mermaid -flowchart LR - Firmware --> Bootloader - Bootloader --> uki - subgraph uki[Unified Kernel Image] - Kernel[Kernel] - initramfs[Initramfs] - cmdline[Kernel Command Line] - end - uki --> rootfs[Root Filesystem] -``` - -Measured boot uses a Trusted Platform Module (TPM) to measure every part of the boot process. This allows for verification of the integrity of a running system at any point in time. To ensure correct measurements of every stage, each stage is responsible to measure the next stage before transitioning. - -### Firmware - -With confidential VMs, the firmware is the root of trust and is measured automatically at boot. After initialization, the firmware will load and measure the bootloader before executing it. - -### Bootloader - -The bootloader is the first modifiable part of the boot chain. The bootloader is tasked with loading the kernel, initramfs and setting the kernel command line. The Constellation bootloader measures these components before starting the kernel. - -### initramfs - -The initramfs is a small filesystem loaded to prepare the actual root filesystem. The Constellation initramfs maps the block device containing the root filesystem with [dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html). The initramfs then mounts the root filesystem from the mapped block device. - -dm-verity provides integrity checking using a cryptographic hash tree. When a block is read, its integrity is checked by verifying the tree against a trusted root hash. The initramfs reads this root hash from the previously measured kernel command line. 
Thus, if any block of the root filesystem's device is modified on disk, trying to read the modified block will result in a kernel panic at runtime. - -After mounting the root filesystem, the initramfs will switch over and start the `init` process of the integrity-protected root filesystem. - -## State disk - -In addition to the read-only root filesystem, each Constellation node has a disk for storing state data. -This disk is mounted readable and writable by the initramfs and contains data that should persist across reboots. -Such data can contain sensitive information and, therefore, must be stored securely. -To that end, the state disk is protected by authenticated encryption. -See the section on [keys and encryption](keys.md#storage-encryption) for more information on the cryptographic primitives in use. - -## Kubernetes components - -During initialization, the [*Bootstrapper*](microservices.md#bootstrapper) downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) as configured by the user. -They're stored on the state partition and can be updated once new releases need to be installed. diff --git a/docs/versioned_docs/version-2.22/architecture/keys.md b/docs/versioned_docs/version-2.22/architecture/keys.md deleted file mode 100644 index 49821cd0b..000000000 --- a/docs/versioned_docs/version-2.22/architecture/keys.md +++ /dev/null 
@@ -1,130 +0,0 @@
-# Key management and cryptographic primitives
-
-Constellation protects and isolates your cluster and workloads.
-To that end, cryptography is the foundation that ensures the confidentiality and integrity of all components.
-Evaluating the security and compliance of Constellation requires a precise understanding of the cryptographic primitives and keys used.
-The following gives an overview of the architecture and explains the technical details.
-
-## Confidential VMs
-
-Confidential VM (CVM) technology comes with hardware and software components for memory encryption, isolation, and remote attestation.
-For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories.
-
-## Master secret
-
-The master secret is the cryptographic material used for deriving the [*clusterID*](#cluster-identity) and the *key encryption key (KEK)* for [storage encryption](#storage-encryption).
-It's generated during the bootstrapping of a Constellation cluster.
-It can either be managed by [Constellation](#constellation-managed-key-management) or an [external key management system](#user-managed-key-management).
-In case of [recovery](#recovery-and-migration), the master secret allows to decrypt the state and recover a Constellation cluster.
-
-## Cluster identity
-
-The identity of a Constellation cluster is represented by cryptographic [measurements](attestation.md#runtime-measurements):
-
-The **base measurements** represent the identity of a valid, uninitialized Constellation node.
-They depend on the node image, but are otherwise the same for every Constellation cluster.
-On node boot, they're determined using the CVM's attestation mechanism and [measured boot up to the read-only root filesystem](images.md).
-
-The **clusterID** represents the identity of a single initialized Constellation cluster.
-It's derived from the master secret and a cryptographically random salt and unique for every Constellation cluster.
-The [Bootstrapper](microservices.md#bootstrapper) measures the *clusterID* into its own PCR before executing any code not measured as part of the *base measurements*.
-See [Node attestation](attestation.md#node-attestation) for details.
-
-The remote attestation statement of a Constellation cluster combines the *base measurements* and the *clusterID* for a verifiable, unspoofable, unique identity.
-
-## Network encryption
-
-Constellation encrypts all cluster network communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-See [network encryption](networking.md) for more details.
-
-The Cilium agent running on each node establishes a secure [WireGuard](https://www.wireguard.com/) tunnel between it and all other known nodes in the cluster.
-Each node creates its own [Curve25519](http://cr.yp.to/ecdh.html) encryption key pair and distributes its public key via Kubernetes.
-A node uses another node's public key to decrypt and encrypt traffic from and to Cilium-managed endpoints running on that node.
-Connections are always encrypted peer-to-peer using [ChaCha20](http://cr.yp.to/chacha.html) with [Poly1305](http://cr.yp.to/mac.html).
-WireGuard implements [forward secrecy with key rotation every 2 minutes](https://lists.zx2c4.com/pipermail/wireguard/2017-December/002141.html).
-
-## Storage encryption
-
-Constellation supports transparent encryption of persistent storage.
-The Linux kernel's device mapper-based encryption features are used to encrypt the data on the block storage level.
-Currently, the following primitives are used for block storage encryption:
-
-* [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html)
-* [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html)
-
-Adding primitives for integrity protection in the CVM attacker model are under active development and will be available in a future version of Constellation.
-See [encrypted storage](encrypted-storage.md) for more details.
-
-As a cluster administrator, when creating a cluster, you can use the Constellation [installation program](orchestration.md) to select one of the following methods for key management:
-
-* Constellation-managed key management
-* User-managed key management
-
-### Constellation-managed key management
-
-#### Key material and key derivation
-
-During the creation of a Constellation cluster, the cluster's master secret is used to derive a KEK.
-This means creating two clusters with the same master secret will yield the same KEK.
-Any data encryption key (DEK) is derived from the KEK via HKDF.
-Note that the master secret is recommended to be unique for every cluster and shouldn't be reused (except in case of [recovering](../workflows/recovery.md) a cluster).
-
-#### State and storage
-
-The KEK is derived from the master secret during the initialization.
-Subsequently, all other key material is derived from the KEK.
-Given the same KEK, any DEK can be derived deterministically from a given identifier.
-Hence, there is no need to store DEKs. They can be derived on demand.
-After the KEK was derived, it's stored in memory only and never leaves the CVM context.
-
-#### Availability
-
-Constellation-managed key management has the same availability as the underlying Kubernetes cluster.
-Therefore, the KEK is stored in the [distributed Kubernetes etcd storage](https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/) to allow for unexpected but non-fatal (control-plane) node failure.
-The etcd storage is backed by the encrypted and integrity protected [state disk](images.md#state-disk) of the nodes.
-
-#### Recovery
-
-Constellation clusters can be recovered in the event of a disaster, even when all node machines have been stopped and need to be rebooted.
-For details on the process see the [recovery workflow](../workflows/recovery.md).
-
-### User-managed key management
-
-User-managed key management is under active development and will be available soon.
-In scenarios where constellation-managed key management isn't an option, this mode allows you to keep full control of your keys.
-For example, compliance requirements may force you to keep your KEKs in an on-prem key management system (KMS).
-
-During the creation of a Constellation cluster, you specify a KEK present in a remote KMS.
-This follows the common scheme of "bring your own key" (BYOK).
-Constellation will support several KMSs for managing the storage and access of your KEK.
-Initially, it will support the following KMSs:
-
-* [AWS KMS](https://aws.amazon.com/kms/)
-* [GCP KMS](https://cloud.google.com/security-key-management)
-* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
-* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
-
-Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
-In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
-Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
-
-KMIP support allows you to use your KMIP-compatible on-prem KMS and keep full control over your keys.
-This follows the common scheme of "hold your own key" (HYOK).
-
-The KEK is used to encrypt per-data "data encryption keys" (DEKs).
-DEKs are generated to encrypt your data before storing it on persistent storage.
-After being encrypted by the KEK, the DEKs are stored on dedicated cloud storage for persistence.
-Currently, Constellation supports the following cloud storage options:
-
-* [AWS S3](https://aws.amazon.com/s3/)
-* [GCP Cloud Storage](https://cloud.google.com/storage)
-* [Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/blobs/#overview)
-
-The DEKs are only present in plaintext form in the encrypted main memory of the CVMs.
-Similarly, the cryptographic operations for encrypting data before writing it to persistent storage are performed in the context of the CVMs.
-
-#### Recovery and migration
-
-In the case of a disaster, the KEK can be used to decrypt the DEKs locally and subsequently use them to decrypt and retrieve the data.
-In case of migration, configuring the same KEK will provide seamless migration of data.
-Thus, only the DEK storage needs to be transferred to the new cluster alongside the encrypted data for seamless migration.
diff --git a/docs/versioned_docs/version-2.22/architecture/microservices.md b/docs/versioned_docs/version-2.22/architecture/microservices.md
deleted file mode 100644
index 90bae783b..000000000
--- a/docs/versioned_docs/version-2.22/architecture/microservices.md
+++ /dev/null
@@ -1,73 +0,0 @@ -# Microservices - -Constellation takes care of bootstrapping and initializing a Confidential Kubernetes cluster. -During the lifetime of the cluster, it handles day 2 operations such as key management, remote attestation, and updates. -These features are provided by several microservices: - -* The [Bootstrapper](microservices.md#bootstrapper) initializes a Constellation node and bootstraps the cluster -* The [JoinService](microservices.md#joinservice) joins new nodes to an existing cluster -* The [VerificationService](microservices.md#verificationservice) provides remote attestation functionality -* The [KeyService](microservices.md#keyservice) manages Constellation-internal keys - -The relations between microservices are shown in the following diagram: - -```mermaid -flowchart LR - subgraph admin [Admin's machine] - A[Constellation CLI] - end - subgraph img [Constellation OS image] - B[Constellation OS] - C[Bootstrapper] - end - subgraph Kubernetes - D[JoinService] - E[KeyService] - F[VerificationService] - end - A -- deploys --> - B -- starts --> C - C -- deploys --> D - C -- deploys --> E - C -- deploys --> F -``` - -## Bootstrapper - -The *Bootstrapper* is the first microservice launched after booting a Constellation node image. -It sets up that machine as a Kubernetes node and integrates that node into the Kubernetes cluster. -To this end, the *Bootstrapper* first downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) at the configured versions. -The *Bootstrapper* tries to find an existing cluster and if successful, communicates with the [JoinService](microservices.md#joinservice) to join the node. -Otherwise, it waits for an initialization request to create a new Kubernetes cluster. - -## JoinService - -The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node. 
-New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls). -The *JoinService* verifies the new node's certificate and attestation statement. -If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](microservices.md#keyservice) for its state disk, and a Kubernetes bootstrap token. - - -```mermaid -sequenceDiagram - participant New node - participant JoinService - New node->>JoinService: aTLS handshake (server side verification) - JoinService-->>New node: # - New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane) - JoinService->>+KeyService: GetDataKey(DiskUUID) - KeyService-->>-JoinService: DiskEncryptionKey - JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ... -``` - -## VerificationService - -The *VerificationService* runs as DaemonSet on each node. -It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation). -Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side. - -## KeyService - -The *KeyService* runs as DaemonSet on each control-plane node. -It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes. -Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively. 
diff --git a/docs/versioned_docs/version-2.22/architecture/networking.md b/docs/versioned_docs/version-2.22/architecture/networking.md deleted file mode 100644 index e9cbdf029..000000000 --- a/docs/versioned_docs/version-2.22/architecture/networking.md +++ /dev/null 
@@ -1,22 +0,0 @@ -# Network encryption - -Constellation encrypts all pod communication using the [container network interface (CNI)](https://github.com/containernetworking/cni). -To that end, Constellation deploys, configures, and operates the [Cilium](https://cilium.io/) CNI plugin. -Cilium provides [transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption) for all cluster traffic using either IPSec or [WireGuard](https://www.wireguard.com/). -Currently, Constellation only supports WireGuard as the encryption engine. -You can read more about the cryptographic soundness of WireGuard [in their white paper](https://www.wireguard.com/papers/wireguard.pdf). - -Cilium is actively working on implementing a feature called [`host-to-host`](https://github.com/cilium/cilium/pull/19401) encryption mode for WireGuard. -With `host-to-host`, all traffic between nodes will be tunneled via WireGuard (host-to-host, host-to-pod, pod-to-host, pod-to-pod). -Until the `host-to-host` feature is released, Constellation enables `pod-to-pod` encryption. -This mode encrypts all traffic between Kubernetes pods using WireGuard tunnels. - -When using Cilium in the default setup but with encryption enabled, there is a [known issue](https://docs.cilium.io/en/v1.12/gettingstarted/encryption/#egress-traffic-to-not-yet-discovered-remote-endpoints-may-be-unencrypted) -that can cause pod-to-pod traffic to be unencrypted. -To mitigate this issue, Constellation adds a *strict* mode to Cilium's `pod-to-pod` encryption. -This mode changes the default behavior of traffic that's destined for an unknown endpoint to not be send out in plaintext, but instead being dropped. -The strict mode distinguishes between traffic that's send to a pod from traffic that's destined for a cluster-external endpoint by considering the pod's CIDR range. - -Traffic originating from hosts isn't encrypted yet. -This mainly includes health checks from Kubernetes API server. 
-Also, traffic proxied over the API server via e.g. `kubectl port-forward` isn't encrypted. diff --git a/docs/versioned_docs/version-2.22/architecture/observability.md b/docs/versioned_docs/version-2.22/architecture/observability.md deleted file mode 100644 index 0f4daffd4..000000000 --- a/docs/versioned_docs/version-2.22/architecture/observability.md +++ /dev/null 
@@ -1,74 +0,0 @@ -# Observability - -In Kubernetes, observability is the ability to gain insight into the behavior and performance of applications. -It helps identify and resolve issues more effectively, ensuring stability and performance of Kubernetes workloads, reducing downtime and outages, and improving efficiency. -The "three pillars of observability" are logs, metrics, and traces. - -In the context of Confidential Computing, observability is a delicate subject and needs to be applied such that it doesn't leak any sensitive information. -The following gives an overview of where and how you can apply standard observability tools in Constellation. - -## Cloud resource monitoring - -While inaccessible, Constellation's nodes are still visible as black box VMs to the hypervisor. -Resource consumption, such as memory and CPU utilization, can be monitored from the outside and observed via the cloud platforms directly. -Similarly, other resources, such as storage and network and their respective metrics, are visible via the cloud platform. - -## Metrics - -Metrics are numeric representations of data measured over intervals of time. They're essential for understanding system health and gaining insights using telemetry signals. - -By default, Constellation exposes the [metrics for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/) inside the cluster. -Similarly, the [etcd metrics](https://etcd.io/docs/v3.5/metrics/) endpoints are exposed inside the cluster. -These [metrics endpoints can be disabled](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/#disabling-metrics). - -You can collect these cluster-internal metrics via tools such as [Prometheus](https://prometheus.io/) or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/). - -Constellation's CNI Cilium also supports [metrics via Prometheus endpoints](https://docs.cilium.io/en/latest/observability/metrics/). 
-However, in Constellation, they're disabled by default and must be enabled first. - -## Logs - -Logs represent discrete events that usually describe what's happening with your service. -The payload is an actual message emitted from your system along with a metadata section containing a timestamp, labels, and tracking identifiers. - -### System logs - -Detailed system-level logs are accessible via `/var/log` and [journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) on the nodes directly. -They can be collected from there, for example, via [Filebeat and Logstash](https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html), which are tools of the [Elastic Stack](https://www.elastic.co/de/elastic-stack/). - -In case of an error during the initialization, the CLI automatically collects the [Bootstrapper](./microservices.md#bootstrapper) logs and returns these as a file for [troubleshooting](../workflows/troubleshooting.md). Here is an example of such an event: - -```shell-session -Cluster initialization failed. This error is not recoverable. -Terminate your cluster and try again. -Fetched bootstrapper logs are stored in "constellation-cluster.log" -``` - -### Kubernetes logs - -Constellation supports the [Kubernetes logging architecture](https://kubernetes.io/docs/concepts/cluster-administration/logging/). -By default, logs are written to the nodes' encrypted state disks. -These include the Pod and container logs and the [system component logs](https://kubernetes.io/docs/concepts/cluster-administration/logging/#system-component-logs). - -[Constellation services](microservices.md) run as Pods inside the `kube-system` namespace and use the standard container logging mechanism. -The same applies for the [Cilium Pods](https://docs.cilium.io/en/latest/operations/troubleshooting/#logs). 
- -You can collect logs from within the cluster via tools such as [Fluentd](https://github.com/fluent/fluentd), [Loki](https://github.com/grafana/loki), or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/). - -## Traces - -Modern systems are implemented as interconnected complex and distributed microservices. Understanding request flows and system communications is challenging, mainly because all systems in a chain need to be modified to propagate tracing information. Distributed tracing is a new approach to increasing observability and understanding performance bottlenecks. A trace represents consecutive events that reflect an end-to-end request path in a distributed system. - -Constellation supports [traces for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-traces/). -By default, they're disabled and need to be enabled first. - -Similarly, Cilium can be enabled to [export traces](https://cilium.io/use-cases/metrics-export/). - -You can collect these traces via tools such as [Jaeger](https://www.jaegertracing.io/) or [Zipkin](https://zipkin.io/). - -## Integrations - -Platforms and SaaS solutions such as Datadog, logz.io, Dynatrace, or New Relic facilitate the observability challenge for Kubernetes and provide all-in-one SaaS solutions. -They install agents into the cluster that collect metrics, logs, and tracing information and upload them into the data lake of the platform. -Technically, the agent-based approach is compatible with Constellation, and attaching these platforms is straightforward. -However, you need to evaluate if the exported data might violate Constellation's compliance and privacy guarantees by uploading them to a third-party platform. diff --git a/docs/versioned_docs/version-2.22/architecture/orchestration.md b/docs/versioned_docs/version-2.22/architecture/orchestration.md deleted file mode 100644 index 3c8d529e7..000000000 
--- a/docs/versioned_docs/version-2.22/architecture/orchestration.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# Orchestrating Constellation clusters - -You can use the CLI to create a cluster on the supported cloud platforms. -The CLI provisions the resources in your cloud environment and initiates the initialization of your cluster. -It uses a set of parameters and an optional configuration file to manage your cluster installation. -The CLI is also used for updating your cluster. - -## Workspaces - -Each Constellation cluster has an associated *workspace*. -The workspace is where data such as the Constellation state and config files are stored. -Each workspace is associated with a single cluster and configuration. -The CLI stores state in the local filesystem making the current directory the active workspace. -Multiple clusters require multiple workspaces, hence, multiple directories. -Note that every operation on a cluster always has to be performed from the directory associated with its workspace. - -You may copy files from the workspace to other locations, -but you shouldn't move or delete them while the cluster is still being used. -The Constellation CLI takes care of managing the workspace. -Only when a cluster was terminated, and you are sure the files aren't needed anymore, should you remove a workspace. - -## Cluster creation process - -To allow for fine-grained configuration of your cluster and cloud environment, Constellation supports an extensive configuration file with strong defaults. [Generating the configuration file](../workflows/config.md) is typically the first thing you do in the workspace. - -Altogether, the following files are generated during the creation of a Constellation cluster and stored in the current workspace: - -* a configuration file -* a state file -* a Base64-encoded master secret -* [Terraform artifacts](../reference/terraform.md), stored in subdirectories -* a Kubernetes `kubeconfig` file. - -After the initialization of your cluster, the CLI will provide you with a Kubernetes `kubeconfig` file. 
-This file grants you access to your Kubernetes cluster and configures the [kubectl](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) tool. -In addition, the cluster's [identifier](orchestration.md#post-installation-configuration) is returned and stored in the state file. - -### Creation process details - -1. The CLI `apply` command first creates the confidential VM (CVM) resources in your cloud environment and configures the network -2. Each CVM boots the Constellation node image and measures every component in the boot chain -3. The first microservice launched in each node is the [*Bootstrapper*](microservices.md#bootstrapper) -4. The *Bootstrapper* waits until it either receives an initialization request or discovers an initialized cluster -5. The CLI then connects to the *Bootstrapper* of a selected node, sends the configuration, and initiates the initialization of the cluster -6. The *Bootstrapper* of **that** node [initializes the Kubernetes cluster](microservices.md#bootstrapper) and deploys the other Constellation [microservices](microservices.md) including the [*JoinService*](microservices.md#joinservice) -7. Subsequently, the *Bootstrappers* of the other nodes discover the initialized cluster and send join requests to the *JoinService* -8. As part of the join request each node includes an attestation statement of its boot measurements as authentication -9. The *JoinService* verifies the attestation statements and joins the nodes to the Kubernetes cluster -10. This process is repeated for every node joining the cluster later (e.g., through autoscaling) - -## Post-installation configuration - -Post-installation the CLI provides a configuration for [accessing the cluster using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/). -The `kubeconfig` file provides the credentials and configuration for connecting and authenticating to the API server. 
-Once configured, orchestrate the Kubernetes cluster via `kubectl`. - -After the initialization, the CLI will present you with a couple of tokens: - -* The [*master secret*](keys.md#master-secret) (stored in the `constellation-mastersecret.json` file by default) -* The [*clusterID*](keys.md#cluster-identity) of your cluster in Base64 encoding - -You can read more about these values and their meaning in the guide on [cluster identity](keys.md#cluster-identity). - -The *master secret* must be kept secret and can be used to [recover your cluster](../workflows/recovery.md). -Instead of managing this secret manually, you can [use your key management solution of choice](keys.md#user-managed-key-management) with Constellation. - -The *clusterID* uniquely identifies a cluster and can be used to [verify your cluster](../workflows/verify-cluster.md). - -## Upgrades - -Constellation images and microservices may need to be upgraded to new versions during the lifetime of a cluster. -Constellation implements a rolling update mechanism ensuring no downtime of the control or data plane. -You can upgrade a Constellation cluster with a single operation by using the CLI. -For step-by-step instructions on how to do this, refer to [Upgrade your cluster](../workflows/upgrade.md). - -### Attestation of upgrades - -With every new image, corresponding measurements are released. -During an update procedure, the CLI provides new measurements to the [JoinService](microservices.md#joinservice) securely. -New measurements for an updated image are automatically pulled and verified by the CLI following the [supply chain security concept](attestation.md#chain-of-trust) of Constellation. -The [attestation section](attestation.md#cluster-facing-attestation) describes in detail how these measurements are then used by the JoinService for the attestation of nodes. - - 
diff --git a/docs/versioned_docs/version-2.22/architecture/overview.md b/docs/versioned_docs/version-2.22/architecture/overview.md deleted file mode 100644 index 386f93b2f..000000000 --- a/docs/versioned_docs/version-2.22/architecture/overview.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# Overview - -Constellation is a cloud-based confidential orchestration platform. -The foundation of Constellation is Kubernetes and therefore shares the same technology stack and architecture principles. -To learn more about Constellation and Kubernetes, see [product overview](../overview/product.md). - -## About orchestration and updates - -As a cluster administrator, you can use the [Constellation CLI](orchestration.md) to install and deploy a cluster. -Updates are provided in accordance with the [support policy](versions.md). - -## About microservices and attestation - -Constellation manages the nodes and network in your cluster. All nodes are bootstrapped by the [*Bootstrapper*](microservices.md#bootstrapper). They're verified and authenticated by the [*JoinService*](microservices.md#joinservice) before being added to the cluster and the network. Finally, the entire cluster can be verified via the [*VerificationService*](microservices.md#verificationservice) using [remote attestation](attestation.md). - -## About node images and verified boot - -Constellation comes with operating system images for Kubernetes control-plane and worker nodes. -They're highly optimized for running containerized workloads and specifically prepared for running inside confidential VMs. -You can learn more about [the images](images.md) and how verified boot ensures their integrity during boot and beyond. - -## About key management and cryptographic primitives - -Encryption of data at-rest, in-transit, and in-use is the fundamental building block for confidential computing and Constellation. Learn more about the [keys and cryptographic primitives](keys.md) used in Constellation, [encrypted persistent storage](encrypted-storage.md), and [network encryption](networking.md). - -## About observability - -Observability in Kubernetes refers to the capability to troubleshoot issues using telemetry signals such as logs, metrics, and traces. 
-In the realm of Confidential Computing, it's crucial that observability aligns with confidentiality, necessitating careful implementation. -Learn more about the [observability capabilities in Constellation](./observability.md). diff --git a/docs/versioned_docs/version-2.22/architecture/versions.md b/docs/versioned_docs/version-2.22/architecture/versions.md deleted file mode 100644 index 6f06c011b..000000000 --- a/docs/versioned_docs/version-2.22/architecture/versions.md +++ /dev/null @@ -1,21 +0,0 @@ -# Versions and support policy - -All components of Constellation use a three-digit version number of the form `v..`. -The components are released in lock step, usually on the first Tuesday of every month. This release primarily introduces new features, but may also include security or performance improvements. The `MINOR` version will be incremented as part of this release. - -Additional `PATCH` releases may be created on demand, to fix security issues or bugs before the next `MINOR` release window. - -New releases are published on [GitHub](https://github.com/edgelesssys/constellation/releases). - -## Kubernetes support policy - -Constellation is aligned to the [version support policy of Kubernetes](https://kubernetes.io/releases/version-skew-policy/#supported-versions), and therefore usually supports the most recent three minor versions. -When a new minor version of Kubernetes is released, support is added to the next Constellation release, and that version then supports four Kubernetes versions. -Subsequent Constellation releases drop support for the oldest (and deprecated) Kubernetes version. - -The following Kubernetes versions are currently supported: - - -* v1.29.15 -* v1.30.11 -* v1.31.7 diff --git a/docs/versioned_docs/version-2.22/getting-started/examples.md b/docs/versioned_docs/version-2.22/getting-started/examples.md deleted file mode 100644 index fded84980..000000000 --- a/docs/versioned_docs/version-2.22/getting-started/examples.md +++ /dev/null 
@@ -1,6 +0,0 @@ -# Examples - -After you [installed the CLI](install.md) and [created your first cluster](first-steps.md), you're ready to deploy applications. Why not start with one of the following examples? -* [Emojivoto](examples/emojivoto.md): a simple but fun web application -* [Online Boutique](examples/online-boutique.md): an e-commerce demo application by Google consisting of 11 separate microservices -* [Horizontal Pod Autoscaling](examples/horizontal-scaling.md): an example demonstrating Constellation's autoscaling capabilities diff --git a/docs/versioned_docs/version-2.22/getting-started/examples/emojivoto.md b/docs/versioned_docs/version-2.22/getting-started/examples/emojivoto.md deleted file mode 100644 index 2bbe27917..000000000 --- a/docs/versioned_docs/version-2.22/getting-started/examples/emojivoto.md +++ /dev/null @@ -1,22 +0,0 @@ -# Emojivoto -[Emojivoto](https://github.com/BuoyantIO/emojivoto) is a simple and fun application that's well suited to test the basic functionality of your cluster. - - - -emojivoto - Web UI - - - -1. Deploy the application: - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` -2. Wait until it becomes available: - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - ``` -3. Forward the web service to your machine: - ```bash - kubectl -n emojivoto port-forward svc/web-svc 8080:80 - ``` -4. Visit [http://localhost:8080](http://localhost:8080) diff --git a/docs/versioned_docs/version-2.22/getting-started/examples/filestash-s3proxy.md b/docs/versioned_docs/version-2.22/getting-started/examples/filestash-s3proxy.md deleted file mode 100644 index b9a394256..000000000 --- a/docs/versioned_docs/version-2.22/getting-started/examples/filestash-s3proxy.md +++ /dev/null 
@@ -1,107 +0,0 @@ - -# Deploying Filestash - -Filestash is a web frontend for different storage backends, including S3. -It's a useful application to showcase s3proxy in action. - -1. Deploy s3proxy as described in [Deployment](../../workflows/s3proxy.md#deployment). -2. Create a deployment file for Filestash with one pod: - -```sh -cat << EOF > "deployment-filestash.yaml" -apiVersion: apps/v1 -kind: Deployment -metadata: - name: filestash -spec: - replicas: 1 - selector: - matchLabels: - app: filestash - template: - metadata: - labels: - app: filestash - spec: - hostAliases: - - ip: $(kubectl get svc s3proxy-service -o=jsonpath='{.spec.clusterIP}') - hostnames: - - "s3.us-east-1.amazonaws.com" - - "s3.us-east-2.amazonaws.com" - - "s3.us-west-1.amazonaws.com" - - "s3.us-west-2.amazonaws.com" - - "s3.eu-north-1.amazonaws.com" - - "s3.eu-south-1.amazonaws.com" - - "s3.eu-south-2.amazonaws.com" - - "s3.eu-west-1.amazonaws.com" - - "s3.eu-west-2.amazonaws.com" - - "s3.eu-west-3.amazonaws.com" - - "s3.eu-central-1.amazonaws.com" - - "s3.eu-central-2.amazonaws.com" - - "s3.ap-northeast-1.amazonaws.com" - - "s3.ap-northeast-2.amazonaws.com" - - "s3.ap-northeast-3.amazonaws.com" - - "s3.ap-east-1.amazonaws.com" - - "s3.ap-southeast-1.amazonaws.com" - - "s3.ap-southeast-2.amazonaws.com" - - "s3.ap-southeast-3.amazonaws.com" - - "s3.ap-southeast-4.amazonaws.com" - - "s3.ap-south-1.amazonaws.com" - - "s3.ap-south-2.amazonaws.com" - - "s3.me-south-1.amazonaws.com" - - "s3.me-central-1.amazonaws.com" - - "s3.il-central-1.amazonaws.com" - - "s3.af-south-1.amazonaws.com" - - "s3.ca-central-1.amazonaws.com" - - "s3.sa-east-1.amazonaws.com" - containers: - - name: filestash - image: machines/filestash:latest - ports: - - containerPort: 8334 - volumeMounts: - - name: ca-cert - mountPath: /etc/ssl/certs/kube-ca.crt - subPath: kube-ca.crt - volumes: - - name: ca-cert - secret: - secretName: s3proxy-tls - items: - - key: ca.crt - path: kube-ca.crt -EOF -``` - -The pod spec includes the 
`hostAliases` key, which adds an entry to the pod's `/etc/hosts`. -The entry forwards all requests for any of the currently defined AWS regions to the Kubernetes service `s3proxy-service`. -If you followed the s3proxy [Deployment](../../workflows/s3proxy.md#deployment) guide, this service points to a s3proxy pod. - -The deployment specifies all regions explicitly to prevent accidental data leaks. -If one of your buckets were located in a region that's not part of the `hostAliases` key, traffic towards those buckets would not be redirected to s3proxy. -Similarly, if you want to exclude data for specific regions from going through s3proxy you can remove those regions from the deployment. - -The spec also includes a volume mount for the TLS certificate and adds it to the pod's certificate trust store. -The volume is called `ca-cert`. -The key `ca.crt` of that volume is mounted to `/etc/ssl/certs/kube-ca.crt`, which is the default certificate trust store location for that container's OpenSSL library. -Not adding the CA certificate will result in TLS authentication errors. - -3. Apply the file: `kubectl apply -f deployment-filestash.yaml` - -Afterward, you can use a port forward to access the Filestash pod: -`kubectl port-forward pod/$(kubectl get pod --selector='app=filestash' -o=jsonpath='{.items[*].metadata.name}') 8334:8334` - -4. After browsing to `localhost:8443`, Filestash will ask you to set an administrator password. -After setting it, you can directly leave the admin area by clicking the blue cloud symbol in the top left corner. -Subsequently, you can select S3 as storage backend and enter your credentials. -This will bring you to an overview of your buckets. -If you want to deploy Filestash in production, take a look at its [documentation](https://www.filestash.app/docs/). - -5. 
To see the logs of s3proxy intercepting requests made to S3, run: `kubectl logs -f pod/$(kubectl get pod --selector='app=s3proxy' -o=jsonpath='{.items[*].metadata.name}')` -Look out for log messages labeled `intercepting`. -There is one such log message for each message that's encrypted, decrypted, or blocked. - -6. Once you have uploaded a file with Filestash, you should be able to view the file in Filestash. -However, if you go to the AWS S3 [Web UI](https://s3.console.aws.amazon.com/s3/home) and download the file you just uploaded in Filestash, you won't be able to read it. -Another way to spot encrypted files without downloading them is to click on a file, scroll to the Metadata section, and look for the header named `x-amz-meta-constellation-encryption`. -This header holds the encrypted data encryption key of the object and is only present on objects that are encrypted by s3proxy. diff --git a/docs/versioned_docs/version-2.22/getting-started/examples/horizontal-scaling.md b/docs/versioned_docs/version-2.22/getting-started/examples/horizontal-scaling.md deleted file mode 100644 index dfaf9e742..000000000 --- a/docs/versioned_docs/version-2.22/getting-started/examples/horizontal-scaling.md +++ /dev/null 
@@ -1,98 +0,0 @@ -# Horizontal Pod Autoscaling -This example demonstrates Constellation's autoscaling capabilities. It's based on the Kubernetes [HorizontalPodAutoscaler Walkthrough](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/). During the following steps, Constellation will spawn new VMs on demand, verify them, add them to the cluster, and delete them again when the load has settled down. - -## Requirements -The cluster needs to be initialized with Kubernetes 1.23 or later. In addition, [autoscaling must be enabled](../../workflows/scale.md) to enable Constellation to assign new nodes dynamically. - -Just for this example specifically, the cluster should have as few worker nodes in the beginning as possible. Start with a small cluster with only *one* low-powered node for the control-plane node and *one* low-powered worker node. - -:::info -We tested the example using instances of types `Standard_DC4as_v5` on Azure and `n2d-standard-4` on GCP. -::: - -## Setup - -1. Install the Kubernetes Metrics Server: - ```bash - kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - ``` - -2. Deploy the HPA example server that's supposed to be scaled under load. - - This manifest is similar to the one from the Kubernetes HPA walkthrough, but with increased CPU limits and requests to facilitate the triggering of node scaling events. - ```bash - cat < - -Online Boutique - Web UI - - - -1. Create a namespace: - ```bash - kubectl create ns boutique - ``` -2. Deploy the application: - ```bash - kubectl apply -n boutique -f https://github.com/GoogleCloudPlatform/microservices-demo/raw/main/release/kubernetes-manifests.yaml - ``` -3. Wait for all services to become available: - ```bash - kubectl wait --for=condition=available --timeout=300s -n boutique --all deployments - ``` -4. 
Get the frontend's external IP address: - ```shell-session - $ kubectl get service frontend-external -n boutique | awk '{print $4}' - EXTERNAL-IP - - ``` - (`` is a placeholder for the IP assigned by your CSP.) -5. Enter the IP from the result in your browser to browse the online shop. diff --git a/docs/versioned_docs/version-2.22/getting-started/first-steps-local.md b/docs/versioned_docs/version-2.22/getting-started/first-steps-local.md deleted file mode 100644 index 98f0302de..000000000 --- a/docs/versioned_docs/version-2.22/getting-started/first-steps-local.md +++ /dev/null 
@@ -1,277 +0,0 @@ -# First steps with a local cluster - -A local cluster lets you deploy and test Constellation without a cloud subscription. -You have two options: - -* Use MiniConstellation to automatically deploy a two-node cluster. -* For more fine-grained control, create the cluster using the QEMU provider. - -Both options use virtualization to create a local cluster with control-plane nodes and worker nodes. They **don't** require hardware with Confidential VM (CVM) support. For attestation, they currently use a software-based vTPM provided by KVM/QEMU. - -You need an x64 machine with a Linux OS. -You can use a VM, but it needs nested virtualization. - -## Prerequisites - -* Machine requirements: - * An x86-64 CPU with at least 4 cores (6 cores are recommended) - * At least 4 GB RAM (6 GB are recommended) - * 20 GB of free disk space - * Hardware virtualization enabled in the BIOS/UEFI (often referred to as Intel VT-x or AMD-V/SVM) / nested-virtualization support when using a VM -* Software requirements: - * Linux OS with [KVM kernel module](https://www.linux-kvm.org/page/Main_Page) - * Recommended: Ubuntu 22.04 LTS - * [Docker](https://docs.docker.com/engine/install/) - * [xsltproc](https://gitlab.gnome.org/GNOME/libxslt/-/wikis/home) - * (Optional) [virsh](https://www.libvirt.org/manpages/virsh.html) to observe and access your nodes - -### Software installation on Ubuntu - -```bash -# install Docker -curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null -sudo apt update -sudo apt install docker-ce -# install other dependencies -sudo apt install xsltproc -sudo snap install kubectl --classic -# install Constellation CLI -curl -LO 
https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -sudo install constellation-linux-amd64 /usr/local/bin/constellation -# do not drop forwarded packages -sudo iptables -P FORWARD ACCEPT -``` - -## Create a cluster - - - - - -With the `constellation mini` command, you can deploy and test Constellation locally. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/). - - -:::caution - -MiniConstellation has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since MiniConstellation runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -The following creates your MiniConstellation cluster (may take up to 10 minutes to complete): - -```bash -constellation mini up -``` - -This will configure your current directory as the [workspace](../architecture/orchestration.md#workspaces) for this cluster. -All `constellation` commands concerning this cluster need to be issued from this directory. - - - - -With the QEMU provider, you can create a local Constellation cluster as if it were in the cloud. The provider uses [QEMU](https://www.qemu.org/) to create multiple VMs for the cluster nodes, which interact with each other. - -:::caution - -Constellation on QEMU has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since Constellation on QEMU runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -1. 
To set up your local cluster, you need to create a configuration file for Constellation first. - - ```bash - constellation config generate qemu - ``` - - This creates a [configuration file](../workflows/config.md) for QEMU called `constellation-conf.yaml`. After that, your current folder also becomes your [workspace](../architecture/orchestration.md#workspaces). All `constellation` commands for your cluster need to be executed from this directory. - -2. Now you can create your cluster and its nodes. `constellation apply` uses the options set in `constellation-conf.yaml`. - - ```bash - constellation apply -y - ``` - - The Output should look like the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type 2-vCPUs will be created. - 1 worker node of type 2-vCPUs will be created. - Creating - Cloud infrastructure created successfully. - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your setup, `constellation apply` may take 10+ minutes to complete. - - ::: - -3. 
Configure kubectl - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - - - -## Connect to the cluster - -Your cluster initially consists of a single control-plane node: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 66s v1.24.6 -``` - -Additional nodes will request to join the cluster shortly. Before each additional node is allowed to join the cluster, its state is verified using remote attestation by the [JoinService](../architecture/microservices.md#joinservice). -If verification passes successfully, the new node receives keys and certificates to join the cluster. - -You can follow this process by viewing the logs of the JoinService: - -```shell-session -$ kubectl logs -n kube-system daemonsets/join-service -f -{"level":"INFO","ts":"2022-10-14T09:32:20Z","caller":"cmd/main.go:48","msg":"Constellation Node Join Service","version":"2.1.0","cloudProvider":"qemu"} -{"level":"INFO","ts":"2022-10-14T09:32:20Z","logger":"validator","caller":"watcher/validator.go:96","msg":"Updating expected measurements"} -... -``` - -Once all nodes have joined your cluster, it may take a couple of minutes for all resources to become available. -You can check on the state of your cluster by running the following: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 2m59s v1.24.6 -worker-0 Ready 32s v1.24.6 -``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation mini down -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -## Troubleshooting - -Make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### VMs have no internet access / CLI remains in "Initializing cluster" state - -`iptables` rules may prevent your VMs from accessing the internet. -Make sure your rules aren't dropping forwarded packages. 
- -List your rules: - -```bash -sudo iptables -S -``` - -The output may look similar to the following: - -```shell-session --P INPUT ACCEPT --P FORWARD DROP --P OUTPUT ACCEPT --N DOCKER --N DOCKER-ISOLATION-STAGE-1 --N DOCKER-ISOLATION-STAGE-2 --N DOCKER-USER -``` - -If your `FORWARD` chain is set to `DROP`, you need to update your rules: - -```bash -sudo iptables -P FORWARD ACCEPT -``` diff --git a/docs/versioned_docs/version-2.22/getting-started/first-steps.md b/docs/versioned_docs/version-2.22/getting-started/first-steps.md deleted file mode 100644 index fb8437a06..000000000 --- a/docs/versioned_docs/version-2.22/getting-started/first-steps.md +++ /dev/null 
@@ -1,235 +0,0 @@ -# First steps with Constellation - -The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully [installed and set up Constellation](install.md), -and have access to a cloud subscription. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -:::note -If you encounter any problem with the following steps, make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). -::: - -## Create a cluster - -1. Create the [configuration file](../workflows/config.md) and state file for your cloud provider. If you are following the steps of this guide, there is no need to edit the file. - - - - - ```bash - constellation config generate aws - ``` - - - - - ```bash - constellation config generate azure - ``` - - - - - ```bash - constellation config generate gcp - ``` - - - - - ```bash - constellation config generate stackit - ``` - - - - -2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration). - - - - - ```bash - constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config - ``` - - This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Depending on the attestation variant selected on config generation, different regions are available. 
- AMD SEV-SNP machines (requires the default attestation variant `awsSEVSNP`) are currently available in the following regions: - * `eu-west-1` - * `us-east-2` - - You can find a list of regions that support AMD SEV-SNP in [AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). - - NitroTPM machines (requires the attestation variant `awsNitroTPM`) are available in all regions. - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - - - - - ```bash - constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config - ``` - - This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - - - - - ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test --update-config - ``` - - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. - - - - - To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md). - After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`: - - * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud)) - - :::caution - - `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. - - ::: - - - - - :::tip - To learn about all options you have for managing IAM resources and Constellation configuration, see the [Configuration workflow](../workflows/config.md). - ::: - - - -3. Create the cluster. `constellation apply` uses options set in `constellation-conf.yaml`. 
- If you want to manually manage your cloud resources, for example by using [Terraform](../reference/terraform.md), follow the corresponding instructions in the [Create workflow](../workflows/create.md). - - :::tip - - On Azure, you may need to wait 15+ minutes at this point for role assignments to propagate. - - ::: - - ```bash - constellation apply -y - ``` - - This should look similar to the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type n2d-standard-4 will be created. - 1 worker node of type n2d-standard-4 will be created. - Creating - Cloud infrastructure created successfully - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your CSP and region, `constellation apply` may take 10+ minutes to complete. - - ::: - -4. Configure kubectl. - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - -Use the CLI to terminate your cluster. If you manually used [Terraform](../reference/terraform.md) to manage your cloud resources, follow the corresponding instructions in the [Terminate workflow](../workflows/terminate.md). - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -Optionally, you can also [delete your IAM resources](../workflows/config.md#deleting-an-iam-configuration). diff --git a/docs/versioned_docs/version-2.22/getting-started/install.md b/docs/versioned_docs/version-2.22/getting-started/install.md deleted file mode 100644 index f120b865a..000000000 --- a/docs/versioned_docs/version-2.22/getting-started/install.md +++ /dev/null 
@@ -1,442 +0,0 @@ -# Installation and setup - -Constellation runs entirely in your cloud environment and can be controlled via a dedicated [command-line interface (CLI)](../reference/cli.md) or a [Terraform provider](../workflows/terraform-provider.md). - -## Prerequisites - -Make sure the following requirements are met: - -* Your machine is running Linux, macOS, or Windows -* You have admin rights on your machine -* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT - -## Install the Constellation CLI - -:::tip - -If you prefer to use Terraform, you can alternatively use the [Terraform provider](../workflows/terraform-provider.md) to manage the cluster's lifecycle. - -::: - -The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases). -Install it with the following commands: - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-amd64 /usr/local/bin/constellation -``` - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-arm64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-arm64 /usr/local/bin/constellation -``` - - - - - -1. 
Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-amd64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -Invoke-WebRequest -OutFile ./constellation.exe -Uri 'https://github.com/edgelesssys/constellation/releases/latest/download/constellation-windows-amd64.exe' -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI under `C:\Program Files\Constellation\bin\constellation.exe` - -3. Add the CLI to your PATH: - - 1. Open `Advanced system settings` by searching for the App in the Windows search - 2. Go to the `Advanced` tab - 3. Click `Environment Variables…` - 4. Click variable called `Path` and click `Edit…` - 5. Click `New` - 6. Enter the path to the folder containing the binary you want on your PATH: `C:\Program Files\Constellation\bin` - - - - -:::tip -The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps. -::: - -## Set up cloud credentials - -Constellation makes authenticated calls to the CSP API. Therefore, you need to set up Constellation with the credentials for your CSP. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -### Required permissions - - - - -To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "iam:AddRoleToInstanceProfile", - "iam:AttachRolePolicy", - "iam:CreateInstanceProfile", - "iam:CreatePolicy", - "iam:CreateRole", - "iam:DeleteInstanceProfile", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DetachRolePolicy", - "iam:GetInstanceProfile", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfilesForRole", - "iam:ListPolicyVersions", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:RemoveRoleFromInstanceProfile", - "sts:GetCallerIdentity" - ], - "Resource": "*" - } - ] -} -``` - -The built-in `AdministratorAccess` policy is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf). - -The built-in `PowerUserAccess` policy is a superset of these permissions. - -Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). - - - - -The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription: - -* `Microsoft.Attestation` -* `Microsoft.Compute` -* `Microsoft.Insights` -* `Microsoft.ManagedIdentity` -* `Microsoft.Network` - -By default, Constellation tries to register these automatically if they haven't been registered before. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `*/register/action` \[1] -* `Microsoft.Authorization/roleAssignments/*` -* `Microsoft.Authorization/roleDefinitions/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Resources/subscriptions/resourcegroups/*` - -The built-in `Owner` role is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `Microsoft.Attestation/attestationProviders/*` -* `Microsoft.Compute/virtualMachineScaleSets/*` -* `Microsoft.Insights/components/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Network/loadBalancers/*` -* `Microsoft.Network/loadBalancers/backendAddressPools/*` -* `Microsoft.Network/networkSecurityGroups/*` -* `Microsoft.Network/publicIPAddresses/*` -* `Microsoft.Network/virtualNetworks/*` -* `Microsoft.Network/virtualNetworks/subnets/*` -* `Microsoft.Network/natGateways/*` - -The built-in `Contributor` role is a superset of these permissions. - -Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions) and [assigning roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments). - -1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration. - - - - -Create a new project for Constellation or use an existing one. -Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `iam.roles.create` -* `iam.roles.delete` -* `iam.roles.get` -* `iam.serviceAccountKeys.create` -* `iam.serviceAccountKeys.delete` -* `iam.serviceAccountKeys.get` -* `iam.serviceAccounts.create` -* `iam.serviceAccounts.delete` -* `iam.serviceAccounts.get` -* `resourcemanager.projects.getIamPolicy` -* `resourcemanager.projects.setIamPolicy` - -Together, the built-in roles `roles/editor` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `compute.addresses.createInternal` -* `compute.addresses.deleteInternal` -* `compute.addresses.get` -* `compute.addresses.useInternal` -* `compute.backendServices.create` -* `compute.backendServices.delete` -* `compute.backendServices.get` -* `compute.backendServices.use` -* `compute.disks.create` -* `compute.firewalls.create` -* `compute.firewalls.delete` -* `compute.firewalls.get` -* `compute.firewalls.update` -* `compute.globalAddresses.create` -* `compute.globalAddresses.delete` -* `compute.globalAddresses.get` -* `compute.globalAddresses.use` -* `compute.globalForwardingRules.create` -* `compute.globalForwardingRules.delete` -* `compute.globalForwardingRules.get` -* `compute.globalForwardingRules.setLabels` -* `compute.globalOperations.get` -* `compute.healthChecks.create` -* `compute.healthChecks.delete` -* `compute.healthChecks.get` -* `compute.healthChecks.useReadOnly` -* `compute.instanceGroupManagers.create` -* `compute.instanceGroupManagers.delete` -* `compute.instanceGroupManagers.get` -* `compute.instanceGroupManagers.update` -* `compute.instanceGroups.create` -* `compute.instanceGroups.delete` -* `compute.instanceGroups.get` -* `compute.instanceGroups.update` -* `compute.instanceGroups.use` -* `compute.instances.create` -* 
`compute.instances.setLabels` -* `compute.instances.setMetadata` -* `compute.instances.setTags` -* `compute.instanceTemplates.create` -* `compute.instanceTemplates.delete` -* `compute.instanceTemplates.get` -* `compute.instanceTemplates.useReadOnly` -* `compute.networks.create` -* `compute.networks.delete` -* `compute.networks.get` -* `compute.networks.updatePolicy` -* `compute.routers.create` -* `compute.routers.delete` -* `compute.routers.get` -* `compute.routers.update` -* `compute.subnetworks.create` -* `compute.subnetworks.delete` -* `compute.subnetworks.get` -* `compute.subnetworks.use` -* `compute.targetTcpProxies.create` -* `compute.targetTcpProxies.delete` -* `compute.targetTcpProxies.get` -* `compute.targetTcpProxies.use` -* `iam.serviceAccounts.actAs` - -Together, the built-in roles `roles/editor`, `roles/compute.instanceAdmin` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access). - - - - -Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account. -The UAT already has all required permissions by default. -The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers. -Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role. - - - - -### Authentication - -You need to authenticate with your CSP. The following lists the required steps for *testing* and *production* environments. - -:::note -The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps. -::: - - - - -**Testing** - -You can use the [AWS CloudShell](https://console.aws.amazon.com/cloudshell/home). 
Make sure you are [authorized to use it](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html). - -**Production** - -Use the latest version of the [AWS CLI](https://aws.amazon.com/cli/) on a trusted machine: - -```bash -aws configure -``` - -Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html). - - - - -**Testing** - -Simply open the [Azure Cloud Shell](https://docs.microsoft.com/en-us/azure/cloud-shell/overview). - -**Production** - -Use the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) on a trusted machine: - -```bash -az login -``` - -Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli). - - - - -**Testing** - -You can use the [Google Cloud Shell](https://cloud.google.com/shell). Make sure your [session is authorized](https://cloud.google.com/shell/docs/auth). For example, execute `gsutil` and accept the authorization prompt. - -**Production** - -Use one of the following options on a trusted machine: - -* Use the [`gcloud` CLI](https://cloud.google.com/sdk/gcloud) - - ```bash - gcloud auth application-default login - ``` - - This will ask you to log-in to your Google account and create your credentials. - The Constellation CLI will automatically load these credentials when needed. - -* Set up a service account and pass the credentials manually - - Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials. - - - - -You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API). - -1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API -2. 
Create a configuration file with the credentials from the User Access Token under: - * Linux: `~/.config/openstack/clouds.yaml` - * macOS: `/Users//Library/Application Support/openstack/clouds.yaml` or `/etc/openstack/clouds.yaml` - * Windows: `%AppData%\openstack\clouds.yaml` - - - ```yaml - clouds: - stackit: - auth: - auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3 - username: REPLACE_WITH_UAT_USERNAME - password: REPLACE_WITH_UAT_PASSWORD - project_id: REPLACE_WITH_OPENSTACK_PROJECT_ID - project_name: REPLACE_WITH_STACKIT_PROJECT_NAME - user_domain_name: portal_mvp - project_domain_name: portal_mvp - region_name: RegionOne - identity_api_version: 3 - ``` - -:::caution - -`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file. - -::: - -3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token -4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) -5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows) - - ```json - {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"} - ``` - - - - - -## Next steps - -You are now ready to [deploy your first confidential Kubernetes cluster and application](first-steps.md). diff --git a/docs/versioned_docs/version-2.22/getting-started/marketplaces.md b/docs/versioned_docs/version-2.22/getting-started/marketplaces.md deleted file mode 100644 index a6763a42a..000000000 --- a/docs/versioned_docs/version-2.22/getting-started/marketplaces.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# Using Constellation via Cloud Marketplaces - -Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). - -This document explains how to run Constellation with the dynamically billed cloud marketplace images. - - - - -To use Constellation's marketplace images, ensure that you are subscribed to the [marketplace offering](https://aws.amazon.com/marketplace/pp/prodview-2mbn65nv57oys) through the web portal. - -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.aws.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) to gain access. - -To use a marketplace image, you need to accept the marketplace image's terms once for your subscription with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest): - -```bash -az vm image terms accept --publisher edgelesssystems --offer constellation --plan constellation -``` - -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.azure.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -To use a marketplace image, ensure that the account is entitled to use marketplace images by Edgeless Systems by accepting the terms through the [web portal](https://console.cloud.google.com/marketplace/vm/config/edgeless-systems-public/constellation). 
- -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal. - - - - -Ensure that the cluster uses an official release image version (i.e., `.image=vX.Y.Z` in the `constellation-conf.yaml` file). - -From there, you can proceed with the [cluster creation](../workflows/create.md) as usual. diff --git a/docs/versioned_docs/version-2.22/intro.md b/docs/versioned_docs/version-2.22/intro.md deleted file mode 100644 index 0bfe86da9..000000000 --- a/docs/versioned_docs/version-2.22/intro.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -slug: / -id: intro ---- -# Introduction - -Welcome to the documentation of Constellation! Constellation is a Kubernetes engine that aims to provide the best possible data security. - -![Constellation concept](/img/concept.svg) - - Constellation shields your entire Kubernetes cluster from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages a technology called *confidential computing* and more specifically Confidential VMs. - -:::tip -See the 📄[whitepaper](https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf) for more information on confidential computing. -::: - -## Goals - -From a security perspective, Constellation is designed to keep all data always encrypted and to prevent any access from the underlying (cloud) infrastructure. This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure. Such attackers could be malicious co-tenants escalating their privileges or hackers who managed to compromise a cloud server. - -From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern Kubernetes engine. - -## Use cases - -Constellation provides unique security [features](overview/confidential-kubernetes.md) and [benefits](overview/security-benefits.md). The core use cases are: - -* Increasing the overall security of your clusters -* Increasing the trustworthiness of your SaaS offerings -* Moving sensitive workloads from on-prem to the cloud -* Meeting regulatory requirements - -## Next steps - -You can learn more about the concept of Confidential Kubernetes, features, security benefits, and performance of Constellation in the *Basics* section. To jump right into the action head to *Getting started*. 
diff --git a/docs/versioned_docs/version-2.22/overview/clouds.md b/docs/versioned_docs/version-2.22/overview/clouds.md
deleted file mode 100644
index b2695d28e..000000000
--- a/docs/versioned_docs/version-2.22/overview/clouds.md
+++ /dev/null
@@ -1,66 +0,0 @@ -# Feature status of clouds - -What works on which cloud? Currently, Confidential VMs (CVMs) are available in varying quality on the different clouds and software stacks. - -For Constellation, the ideal environment provides the following: - -1. Ability to run arbitrary software and images inside CVMs -2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or Intel TDX (available in Xeon CPUs since the Sapphire Rapids generation) -3. Ability for CVM guests to obtain raw hardware attestation statements -4. Reviewable, open-source firmware inside CVMs -5. Capability of the firmware to attest the integrity of the code it passes control to, e.g., with an embedded virtual TPM (vTPM) - -(1) is a functional must-have. (2)--(5) are required for remote attestation that fully keeps the infrastructure/cloud out. Constellation can work without them or with approximations, but won't protect against certain privileged attackers anymore. - -The following table summarizes the state of features for different infrastructures. - -| **Feature** | **AWS** | **Azure** | **GCP** | **STACKIT** | **OpenStack (Yoga)** | -|-----------------------------------|---------|-----------|---------|--------------|----------------------| -| **1. Custom images** | Yes | Yes | Yes | Yes | Yes | -| **2. SEV-SNP or TDX** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **3. Raw guest attestation** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **4. Reviewable firmware** | Yes | No* | No | No | Depends on kernel/HV | -| **5. Confidential measured boot** | No | Yes | No | No | Depends on kernel/HV | - -## Amazon Web Services (AWS) - -Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/). -Regarding (3), AWS provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by the Nitro hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the [firmware is open source](https://github.com/aws/uefi) and can be reproducibly built. - -## Microsoft Azure - -With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation. -Regarding (3), Azure provides direct access to attestation statements. -The firmware runs in an isolated domain inside the CVM and exposes a vTPM (5), but it's closed source (4). -On SEV-SNP, Azure uses VM Privilege Level (VMPL) isolation for the separation of firmware and the rest of the VM; on TDX, they use TD partitioning. -This firmware is signed by Azure. -The signature is reflected in the attestation statements of CVMs. -Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB). - -\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future. - -## Google Cloud Platform (GCP) - -The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP. -Regarding (3), with their SEV-SNP offering Google provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the CVMs still include closed-source firmware. - -[TDX on Google](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense) is in public preview. -With it, Constellation would have a similar TCB and attestation flow as with the current SEV-SNP offering. - -## STACKIT - -[STACKIT Compute Engine](https://www.stackit.de/en/product/stackit-compute-engine/) supports AMD SEV-ES. A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB. - -## OpenStack - -OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation. - -## Conclusion - -The different clouds and software like the Linux kernel and OpenStack are in the process of building out their support for state-of-the-art CVMs. Azure has already most features in place. For Constellation, the status quo means that the TCB has different shapes on different infrastructures. With broad SEV-SNP support coming to the Linux kernel, we soon expect a normalization of features across infrastructures. 
diff --git a/docs/versioned_docs/version-2.22/overview/confidential-kubernetes.md b/docs/versioned_docs/version-2.22/overview/confidential-kubernetes.md
deleted file mode 100644
index bff8c3322..000000000
--- a/docs/versioned_docs/version-2.22/overview/confidential-kubernetes.md
+++ /dev/null
@@ -1,42 +0,0 @@ -# Confidential Kubernetes - -We use the term *Confidential Kubernetes* to refer to the concept of using confidential-computing technology to shield entire Kubernetes clusters from the infrastructure. The three defining properties of this concept are: - -1. **Workload shielding**: the confidentiality and integrity of all workload-related data and code are enforced. -2. **Control plane shielding**: the confidentiality and integrity of the cluster's control plane, state, and workload configuration are enforced. -3. **Attestation and verifiability**: the two properties above can be verified remotely based on hardware-rooted cryptographic certificates. - -Each of the above properties is equally important. Only with all three in conjunction, an entire cluster can be shielded without gaps. - -## Constellation security features - -Constellation implements the Confidential Kubernetes concept with the following security features. - -* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster. -* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime. -* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs. -* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster. 
-* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.) -* **"Whole cluster" attestation**: Towards the DevOps engineer, Constellation provides a single hardware-rooted certificate from which all of the above can be verified. - -With the above, Constellation wraps an entire cluster into one coherent and verifiable *confidential context*. The concept is depicted in the following. - -![Confidential Kubernetes](../_media/concept-constellation.svg) - -## Comparison: Managed Kubernetes with CVMs - -In comparison, managed Kubernetes with CVMs, as it's for example offered in [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) and [GKE](https://cloud.google.com/kubernetes-engine), only provides runtime encryption for certain worker nodes. Here, each worker node is a separate (and typically unverified) confidential context. This only provides limited security benefits as it only prevents direct access to a worker node's memory. The large majority of potential attacks through the infrastructure remain unaffected. This includes attacks through the control plane, access to external key management, and the corruption of worker node images. This leaves many problems unsolved. For instance, *Node A* has no means to verify if *Node B* is "good" and if it's OK to share data with it. Consequently, this approach leaves a large attack surface, as is depicted in the following. - -![Concept: Managed Kubernetes plus CVMs](../_media/concept-managed.svg) - -The following table highlights the key differences in terms of features. 
- -| | Managed Kubernetes with CVMs | Confidential Kubernetes (Constellation✨) | -|-------------------------------------|------------------------------|--------------------------------------------| -| Runtime encryption | Partial (data plane only)| **Yes** | -| Node image verification | No | **Yes** | -| Full cluster attestation | No | **Yes** | -| Transparent network encryption | No | **Yes** | -| Transparent storage encryption | No | **Yes** | -| Confidential key management | No | **Yes** | -| Cloud agnostic / multi-cloud | No | **Yes** | diff --git a/docs/versioned_docs/version-2.22/overview/license.md b/docs/versioned_docs/version-2.22/overview/license.md deleted file mode 100644 index 34122c025..000000000 --- a/docs/versioned_docs/version-2.22/overview/license.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# License - -## Source code - -Constellation's source code is available on [GitHub](https://github.com/edgelesssys/constellation) under the [GNU Affero General Public License v3.0](https://github.com/edgelesssys/constellation/blob/main/LICENSE). - -## Binaries - -Edgeless Systems provides ready-to-use and [signed](../architecture/attestation.md#chain-of-trust) binaries of Constellation. This includes the CLI and the [node images](../architecture/images.md). - -These binaries may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems. - -The Constellation CLI displays relevant license information when you initialize your cluster. You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability. - -## Terraform provider - -Edgeless Systems provides a [Terraform provider](https://github.com/edgelesssys/terraform-provider-constellation/releases), which may be used free of charge within the bounds of Constellation's [**Community License**](#community-license). An [**Enterprise License**](#enterprise-license) can be purchased from Edgeless Systems. - -You are responsible for staying within the bounds of your respective license. Constellation doesn't enforce any limits so as not to endanger your cluster's availability. - -## Community License - -You are free to use the Constellation binaries provided by Edgeless Systems to create services for internal consumption, evaluation purposes, or non-commercial use. You must not use the Constellation binaries to provide commercial hosted services to third parties. Edgeless Systems gives no warranties and offers no support. - -## Enterprise License - -Enterprise Licenses don't have the above limitations and come with support and additional features. 
Find out more at the [product website](https://www.edgeless.systems/products/constellation/). - -Once you have received your Enterprise License file, place it in your [Constellation workspace](../architecture/orchestration.md#workspaces) in a file named `constellation.license`. - -## CSP Marketplaces - -Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). diff --git a/docs/versioned_docs/version-2.22/overview/performance/application.md b/docs/versioned_docs/version-2.22/overview/performance/application.md deleted file mode 100644 index c67d59644..000000000 --- a/docs/versioned_docs/version-2.22/overview/performance/application.md +++ /dev/null 
@@ -1,102 +0,0 @@ -# Application benchmarks - -## HashiCorp Vault - -[HashiCorp Vault](https://www.vaultproject.io/) is a distributed secrets management software that can be deployed to Kubernetes. -HashiCorp maintains a benchmarking tool for vault, [vault-benchmark](https://github.com/hashicorp/vault-benchmark/). -Vault-benchmark generates load on a Vault deployment and measures response times. - -This article describes the results from running vault-benchmark on Constellation, AKS, and GKE. -You can find the setup for producing the data discussed in this article in the [vault-benchmarks](https://github.com/edgelesssys/vault-benchmarks) repository. - -The Vault API used during benchmarking is the [transits secret engine](https://developer.hashicorp.com/vault/docs/secrets/transit). -This allows services to send data to Vault for encryption, decryption, signing, and verification. - -## Results - -On each run, vault-benchmark sends requests and measures the latencies. -The measured latencies are aggregated through various statistical features. -After running the benchmark n times, the arithmetic mean over a subset of the reported statistics is calculated. -The selected features are arithmetic mean, 99th percentile, minimum, and maximum. - -Arithmetic mean gives a general sense of the latency on each target. -The 99th percentile shows performance in (most likely) erroneous states. -Minimum and maximum mark the range within which latency varies each run. - -The benchmark was configured with 1300 workers and 10 seconds per run. -Those numbers were chosen empirically. -The latency was stabilizing at 10 seconds runtime, not changing with further increase. -Increasing the number of workers beyond 1300 leads to request failures, marking the limit Vault was able to handle in this setup. -All results are based on 100 runs. - -The following data was generated while running five replicas, one primary, and four standby nodes. 
-All numbers are in seconds if not indicated otherwise. -``` -========== Results AKS ========== -Mean: mean: 1.632200, variance: 0.002057 -P99: mean: 5.480679, variance: 2.263700 -Max: mean: 6.651001, variance: 2.808401 -Min: mean: 0.011415, variance: 0.000133 -========== Results GKE ========== -Mean: mean: 1.656435, variance: 0.003615 -P99: mean: 6.030807, variance: 3.955051 -Max: mean: 7.164843, variance: 3.300004 -Min: mean: 0.010233, variance: 0.000111 -========== Results C11n ========== -Mean: mean: 1.651549, variance: 0.001610 -P99: mean: 5.780422, variance: 3.016106 -Max: mean: 6.942997, variance: 3.075796 -Min: mean: 0.013774, variance: 0.000228 -========== AKS vs C11n ========== -Mean: +1.171577 % (AKS is faster) -P99: +5.185495 % (AKS is faster) -Max: +4.205618 % (AKS is faster) -Min: +17.128781 % (AKS is faster) -========== GKE vs C11n ========== -Mean: -0.295851 % (GKE is slower) -P99: -4.331603 % (GKE is slower) -Max: -3.195248 % (GKE is slower) -Min: +25.710886 % (GKE is faster) -``` - -**Interpretation**: Latencies are all within ~5% of each other. -AKS performs slightly better than GKE and Constellation (C11n) in all cases except minimum latency. -Minimum latency is the lowest for GKE. -Compared to GKE, Constellation had slightly lower peak latencies (99th percentile and maximum), indicating that Constellation could have handled slightly more concurrent accesses than GKE. -Overall, performance is at comparable levels across all three distributions. -Based on these numbers, you can use a similarly sized Constellation cluster to run your existing Vault deployment. - -### Visualization - -The following plots visualize the data presented above as [box plots](https://en.wikipedia.org/wiki/Box_plot). -The whiskers denote the minimum and maximum. -The box stretches from the 25th to the 75th percentile, with the dividing bar marking the 50th percentile. -The circles outside the whiskers denote outliers. - -
-Mean Latency - -![Mean Latency](../../_media/benchmark_vault/5replicas/mean_latency.png) - -
- -
-99th Percentile Latency - -![99th Percentile Latency](../../_media/benchmark_vault/5replicas/p99_latency.png) - -
- -
-Maximum Latency - -![Maximum Latency](../../_media/benchmark_vault/5replicas/max_latency.png) - -
- -
-Minimum Latency - -![Minimum Latency](../../_media/benchmark_vault/5replicas/min_latency.png) - -
diff --git a/docs/versioned_docs/version-2.22/overview/performance/compute.md b/docs/versioned_docs/version-2.22/overview/performance/compute.md deleted file mode 100644 index 88dd4b1b2..000000000 --- a/docs/versioned_docs/version-2.22/overview/performance/compute.md +++ /dev/null @@ -1,11 +0,0 @@ -# Impact of runtime encryption on compute performance - -All nodes in a Constellation cluster are executed inside Confidential VMs (CVMs). Consequently, the performance of Constellation is inherently linked to the performance of these CVMs. - -## AMD and Azure benchmarking - -AMD and Azure have collectively released a [performance benchmark](https://community.amd.com/t5/business/microsoft-azure-confidential-computing-powered-by-3rd-gen-epyc/ba-p/497796) for CVMs that utilize 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. This benchmark, which included a variety of mostly compute-intensive tests such as SPEC CPU 2017 and CoreMark, demonstrated that CVMs experience only minor performance degradation (ranging from 2% to 8%) when compared to standard VMs. Such results are indicative of the performance that can be expected from compute-intensive workloads running with Constellation on Azure. - -## AMD and Google benchmarking - -Similarly, AMD and Google have jointly released a [performance benchmark](https://www.amd.com/system/files/documents/3rd-gen-epyc-gcp-c2d-conf-compute-perf-brief.pdf) for CVMs employing 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. With high-performance computing workloads such as WRF, NAMD, Ansys CFS, and Ansys LS_DYNA, they observed analogous findings, with only minor performance degradation (between 2% and 4%) compared to standard VMs. These outcomes are reflective of the performance that can be expected for compute-intensive workloads running with Constellation on GCP. 
diff --git a/docs/versioned_docs/version-2.22/overview/performance/io.md b/docs/versioned_docs/version-2.22/overview/performance/io.md
deleted file mode 100644
index 3ae796f8a..000000000
--- a/docs/versioned_docs/version-2.22/overview/performance/io.md
+++ /dev/null
@@ -1,204 +0,0 @@ -# I/O performance benchmarks - -To assess the overall performance of Constellation, this benchmark evaluates Constellation v2.6.0 in terms of storage I/O using [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) and network performance using the [Kubernetes Network Benchmark](https://github.com/InfraBuilder/k8s-bench-suite#knb--kubernetes-network-be). - -This benchmark tested Constellation on Azure and GCP and compared the results against the managed Kubernetes offerings AKS and GKE. - -## Configurations - -### Constellation - -The benchmark was conducted with Constellation v2.6.0, Kubernetes v1.25.7, and Cilium v1.12. -It ran on the following infrastructure configurations. - -Constellation on Azure: - -- Nodes: 3 (1 Control-plane, 2 Worker) -- Machines: `DC4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory -- CVM: `true` -- Region: `West US` -- Zone: `2` - -Constellation on GCP: - -- Nodes: 3 (1 Control-plane, 2 Worker) -- Machines: `n2d-standard-4`: 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory -- CVM: `true` -- Zone: `europe-west3-b` - -### AKS - -On AKS, the benchmark used Kubernetes `v1.24.9` and nodes with version `AKSUbuntu-1804gen2containerd-2023.02.15`. -AKS ran with the [`kubenet`](https://learn.microsoft.com/en-us/azure/aks/concepts-network#kubenet-basic-networking) CNI and the [default CSI driver](https://learn.microsoft.com/en-us/azure/aks/azure-disk-csi) for Azure Disk. - -The following infrastructure configurations was used: - -- Nodes: 2 (2 Worker) -- Machines: `D4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory -- CVM: `false` -- Region: `West US` -- Zone: `2` - -### GKE - -On GKE, the benchmark used Kubernetes `v1.24.9` and nodes with version `1.24.9-gke.3200`. 
-GKE ran with the [`kubenet`](https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview) CNI and the [default CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver) for Compute Engine persistent disk. - -The following infrastructure configurations was used: - -- Nodes: 2 (2 Worker) -- Machines: `n2d-standard-4` 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory -- CVM: `false` -- Zone: `europe-west3-b` - -## Results - -### Network - -This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. -The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). - -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). -AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). -The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). -Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. - -Constellation on Azure and AKS used an MTU of 1500. -Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450. - -The difference in network bandwidth can largely be attributed to two factors. - -- Constellation's [network encryption](../../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit. -- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O. 
- -#### Pod-to-Pod - -In this scenario, the client Pod connects directly to the server pod via its IP address. - -```mermaid -flowchart LR - subgraph Node A - Client[Client] - end - subgraph Node B - Server[Server] - end - Client ==>|traffic| Server -``` - -The results for "Pod-to-Pod" on Azure are as follows: - -![Network Pod2Pod Azure benchmark graph](../../_media/benchmark_net_p2p_azure.png) - -The results for "Pod-to-Pod" on GCP are as follows: - -![Network Pod2Pod GCP benchmark graph](../../_media/benchmark_net_p2p_gcp.png) - -#### Pod-to-Service - -In this scenario, the client Pod connects to the server Pod via a ClusterIP service. This is more relevant to real-world use cases. - -```mermaid -flowchart LR - subgraph Node A - Client[Client] ==>|traffic| Service[Service] - end - subgraph Node B - Server[Server] - end - Service ==>|traffic| Server -``` - -The results for "Pod-to-Pod" on Azure are as follows: - -![Network Pod2SVC Azure benchmark graph](../../_media/benchmark_net_p2svc_azure.png) - -The results for "Pod-to-Pod" on GCP are as follows: - -![Network Pod2SVC GCP benchmark graph](../../_media/benchmark_net_p2svc_gcp.png) - -In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU. - -Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth. - -### Storage I/O - -Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC). -Upon requesting persistent storage through a PVC, GKE and AKS will provision a PV as defined by a default [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). 
-Constellation provides persistent storage on Azure and GCP [that's encrypted on the CSI layer](../../architecture/encrypted-storage.md). -Similarly, upon a PVC request, Constellation will provision a PV via a default storage class. - -For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size. -The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance: - -- 6400 (20000 burst) IOPS -- 144 MB/s (600 MB/s burst) throughput - -However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes): - -- 500 (600 burst) IOPS -- 60 MB/s (150 MB/s burst) throughput - -For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size. -The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms): - -- 3,000 read IOPS -- 15,000 write IOPS -- 240 MB/s read throughput -- 240 MB/s write throughput - -However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size: - -- 2400 read IOPS -- 2400 write IOPS -- 112 MB/s read throughput -- 112 MB/s write throughput - -The [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) benchmark consists of several tests. -The benchmark used [`Kubestr`](https://github.com/kastenhq/kubestr) to run `fio` in Kubernetes. -The default test performs randomized access patterns that accurately depict worst-case I/O scenarios for most applications. 
- -The following `fio` settings were used: - -- No Cloud caching -- No OS caching -- Single CPU -- 60 seconds runtime -- 10 seconds ramp-up time -- 10 GiB file -- IOPS: 4 KB blocks and 128 iodepth -- Bandwidth: 1024 KB blocks and 128 iodepth - -For more details, see the [`fio` test configuration](https://github.com/edgelesssys/constellation/blob/main/.github/actions/e2e_benchmark/fio.ini). - -The results for IOPS on Azure are as follows: - -![I/O IOPS Azure benchmark graph](../../_media/benchmark_fio_azure_iops.png) - -The results for IOPS on GCP are as follows: - -![I/O IOPS GCP benchmark graph](../../_media/benchmark_fio_gcp_iops.png) - -The results for bandwidth on Azure are as follows: - -![I/O bandwidth Azure benchmark graph](../../_media/benchmark_fio_azure_bw.png) - -The results for bandwidth on GCP are as follows: - -![I/O bandwidth GCP benchmark graph](../../_media/benchmark_fio_gcp_bw.png) - -On GCP, the results exceed the maximum performance guarantees of the chosen disk type. There are two possible explanations for this. The first is that there may be cloud caching in place that isn't configurable. Alternatively, the underlying provisioned disk size may be larger than what was requested, resulting in higher performance boundaries. - -When comparing Constellation on GCP with GKE, Constellation has similar bandwidth but about 10% less IOPS performance. On Azure, Constellation has similar IOPS performance compared to AKS, where both likely hit the maximum storage performance. However, Constellation has approximately 15% less read and write bandwidth. - -## Conclusion - -Despite the added [security benefits](../security-benefits.md) that Constellation provides, it only incurs a slight performance overhead when compared to managed Kubernetes offerings such as AKS and GKE. In most compute benchmarks, Constellation is on par with it's alternatives. 
-While it may be slightly slower in certain I/O scenarios due to network and storage encryption, there is ongoing work to reduce this overhead to single digits. - -For instance, storage encryption only adds between 10% to 15% overhead in terms of bandwidth and IOPS. -Meanwhile, the biggest performance impact that Constellation currently faces is network encryption, which can incur up to 58% overhead on a 10 Gbps network. -However, the Cilium team has conducted [benchmarks with Cilium using WireGuard encryption](https://docs.cilium.io/en/latest/operations/performance/benchmark/#encryption-wireguard-ipsec) on a 100 Gbps network that yielded over 15 Gbps. -We're confident that Constellation will provide a similar level of performance with an upcoming release. - -Overall, Constellation strikes a great balance between security and performance, and we're continuously working to improve its performance capabilities while maintaining its high level of security. diff --git a/docs/versioned_docs/version-2.22/overview/performance/performance.md b/docs/versioned_docs/version-2.22/overview/performance/performance.md deleted file mode 100644 index 59bf86602..000000000 --- a/docs/versioned_docs/version-2.22/overview/performance/performance.md +++ /dev/null 
@@ -1,17 +0,0 @@
-# Performance analysis of Constellation
-
-This section provides a comprehensive examination of the performance characteristics of Constellation.
-
-## Runtime encryption
-
-Runtime encryption affects compute performance. [Benchmarks by Azure and Google](compute.md) show that the performance degradation of Confidential VMs (CVMs) is small, ranging from 2% to 8% for compute-intensive workloads.
-
-## I/O performance benchmarks
-
-We evaluated the [I/O performance](io.md) of Constellation, utilizing a collection of synthetic benchmarks targeting networking and storage.
-We further compared this performance to native managed Kubernetes offerings from various cloud providers, to better understand how Constellation stands in relation to standard practices.
-
-## Application benchmarking
-
-To gauge Constellation's applicability to well-known applications, we performed a [benchmark of HashiCorp Vault](application.md) running on Constellation.
-The results were then compared to deployments on the managed Kubernetes offerings from different cloud providers, providing a tangible perspective on Constellation's performance in actual deployment scenarios.
diff --git a/docs/versioned_docs/version-2.22/overview/product.md b/docs/versioned_docs/version-2.22/overview/product.md
deleted file mode 100644
index 4b5d90706..000000000
--- a/docs/versioned_docs/version-2.22/overview/product.md
+++ /dev/null
@@ -1,12 +0,0 @@
-# Product features
-
-Constellation is a Kubernetes engine that aims to provide the best possible data security in combination with enterprise-grade scalability and reliability features---and a smooth user experience.
-
-From a security perspective, Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and corresponding security features, which shield your entire cluster from the underlying infrastructure.
-
-From an operational perspective, Constellation provides the following key features:
-
-* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
-* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
-* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
-* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
diff --git a/docs/versioned_docs/version-2.22/overview/security-benefits.md b/docs/versioned_docs/version-2.22/overview/security-benefits.md
deleted file mode 100644
index 51a8b64f5..000000000
--- a/docs/versioned_docs/version-2.22/overview/security-benefits.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Security benefits and threat model
-
-Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and shields entire Kubernetes deployments from the infrastructure. More concretely, Constellation decreases the size of the trusted computing base (TCB) of a Kubernetes deployment. The TCB is the totality of elements in a computing environment that must be trusted not to be compromised. A smaller TCB results in a smaller attack surface. The following diagram shows how Constellation removes the *cloud & datacenter infrastructure* and the *physical hosts*, including the hypervisor, the host OS, and other components, from the TCB (red). Inside the confidential context (green), Kubernetes remains part of the TCB, but its integrity is attested and can be [verified](../workflows/verify-cluster.md).
-
-![TCB comparison](../_media/tcb.svg)
-
-Given this background, the following describes the concrete threat classes that Constellation addresses.
-
-## Insider access
-
-Employees and third-party contractors of cloud service providers (CSPs) have access to different layers of the cloud infrastructure.
-This opens up a large attack surface where workloads and data can be read, copied, or manipulated. With Constellation, Kubernetes deployments are shielded from the infrastructure and thus such accesses are prevented.
-
-## Infrastructure-based attacks
-
-Malicious cloud users ("hackers") may break out of their tenancy and access other tenants' data. Advanced attackers may even be able to establish a permanent foothold within the infrastructure and access data over a longer period. Analogously to the *insider access* scenario, Constellation also prevents access to a deployment's data in this scenario.
-
-## Supply chain attacks
-
-Supply chain security is receiving lots of attention recently due to an [increasing number of recorded attacks](https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks). For instance, a malicious actor could attempt to tamper Constellation node images (including Kubernetes and other software) before they're loaded in the confidential VMs of a cluster. Constellation uses [remote attestation](../architecture/attestation.md) in conjunction with public [transparency logs](../workflows/verify-cli.md) to prevent this.
-
-In the future, Constellation will extend this feature to customer workloads. This will enable cluster owners to create auditable policies that precisely define which containers can run in a given deployment.
diff --git a/docs/versioned_docs/version-2.22/reference/cli.md b/docs/versioned_docs/version-2.22/reference/cli.md
deleted file mode 100644
index 7cbc0be8d..000000000
--- a/docs/versioned_docs/version-2.22/reference/cli.md
+++ /dev/null
@@ -1,873 +0,0 @@ -# CLI reference - - - -Use the Constellation CLI to create and manage your clusters. - -Usage: - -``` -constellation [command] -``` -Commands: - -* [config](#constellation-config): Work with the Constellation configuration file - * [generate](#constellation-config-generate): Generate a default configuration and state file - * [fetch-measurements](#constellation-config-fetch-measurements): Fetch measurements for configured cloud provider and image - * [instance-types](#constellation-config-instance-types): Print the supported instance types for all cloud providers - * [kubernetes-versions](#constellation-config-kubernetes-versions): Print the Kubernetes versions supported by this CLI - * [migrate](#constellation-config-migrate): Migrate a configuration file to a new version -* [create](#constellation-create): Create instances on a cloud platform for your Constellation cluster -* [apply](#constellation-apply): Apply a configuration to a Constellation cluster -* [mini](#constellation-mini): Manage MiniConstellation clusters - * [up](#constellation-mini-up): Create and initialize a new MiniConstellation cluster - * [down](#constellation-mini-down): Destroy a MiniConstellation cluster -* [status](#constellation-status): Show status of a Constellation cluster -* [verify](#constellation-verify): Verify the confidential properties of a Constellation cluster -* [upgrade](#constellation-upgrade): Find and apply upgrades to your Constellation cluster - * [check](#constellation-upgrade-check): Check for possible upgrades - * [apply](#constellation-upgrade-apply): Apply an upgrade to a Constellation cluster -* [recover](#constellation-recover): Recover a completely stopped Constellation cluster -* [terminate](#constellation-terminate): Terminate a Constellation cluster -* [iam](#constellation-iam): Work with the IAM configuration on your cloud provider - * [create](#constellation-iam-create): Create IAM configuration on a cloud platform for your Constellation 
cluster - * [aws](#constellation-iam-create-aws): Create IAM configuration on AWS for your Constellation cluster - * [azure](#constellation-iam-create-azure): Create IAM configuration on Microsoft Azure for your Constellation cluster - * [gcp](#constellation-iam-create-gcp): Create IAM configuration on GCP for your Constellation cluster - * [destroy](#constellation-iam-destroy): Destroy an IAM configuration and delete local Terraform files - * [upgrade](#constellation-iam-upgrade): Find and apply upgrades to your IAM profile - * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile -* [version](#constellation-version): Display version of this CLI -* [init](#constellation-init): Initialize the Constellation cluster -* [ssh](#constellation-ssh): Generate a certificate for emergency SSH access - -## constellation config - -Work with the Constellation configuration file - -### Synopsis - -Work with the Constellation configuration file. - -### Options - -``` - -h, --help help for config -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config generate - -Generate a default configuration and state file - -### Synopsis - -Generate a default configuration and state file for your selected cloud provider. - -``` -constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags] -``` - -### Options - -``` - -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. 
If not specified, the default for the cloud provider is used - -h, --help help for generate - -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.30") - -t, --tags strings additional tags for created resources given a list of key=value -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config fetch-measurements - -Fetch measurements for configured cloud provider and image - -### Synopsis - -Fetch measurements for configured cloud provider and image. - -A config needs to be generated first. - -``` -constellation config fetch-measurements [flags] -``` - -### Options - -``` - -h, --help help for fetch-measurements - -s, --signature-url string alternative URL to fetch measurements' signature from - -u, --url string alternative URL to fetch measurements from -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config instance-types - -Print the supported instance types for all cloud providers - -### Synopsis - -Print the supported instance types for all cloud providers. 
- -``` -constellation config instance-types [flags] -``` - -### Options - -``` - -h, --help help for instance-types -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config kubernetes-versions - -Print the Kubernetes versions supported by this CLI - -### Synopsis - -Print the Kubernetes versions supported by this CLI. - -``` -constellation config kubernetes-versions [flags] -``` - -### Options - -``` - -h, --help help for kubernetes-versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config migrate - -Migrate a configuration file to a new version - -### Synopsis - -Migrate a configuration file to a new version. - -``` -constellation config migrate [flags] -``` - -### Options - -``` - -h, --help help for migrate -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation create - -Create instances on a cloud platform for your Constellation cluster - -### Synopsis - -Create instances on a cloud platform for your Constellation cluster. 
- -``` -constellation create [flags] -``` - -### Options - -``` - -h, --help help for create - -y, --yes create the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation apply - -Apply a configuration to a Constellation cluster - -### Synopsis - -Apply a configuration to a Constellation cluster to initialize or upgrade the cluster. - -``` -constellation apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | init | attestationconfig | certsans | helm | image | k8s } - -y, --yes run command without further confirmation - WARNING: the command might delete or update existing resources without additional checks. Please read the docs. - -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini - -Manage MiniConstellation clusters - -### Synopsis - -Manage MiniConstellation clusters. 
- -### Options - -``` - -h, --help help for mini -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini up - -Create and initialize a new MiniConstellation cluster - -### Synopsis - -Create and initialize a new MiniConstellation cluster. - -A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM. - -``` -constellation mini up [flags] -``` - -### Options - -``` - -h, --help help for up - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true) -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini down - -Destroy a MiniConstellation cluster - -### Synopsis - -Destroy a MiniConstellation cluster. - -``` -constellation mini down [flags] -``` - -### Options - -``` - -h, --help help for down - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation status - -Show status of a Constellation cluster - -### Synopsis - -Show the status of a constellation cluster. - -Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades. 
- -``` -constellation status [flags] -``` - -### Options - -``` - -h, --help help for status -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation verify - -Verify the confidential properties of a Constellation cluster - -### Synopsis - -Verify the confidential properties of a Constellation cluster. -If arguments aren't specified, values are read from `constellation-state.yaml`. - -``` -constellation verify [flags] -``` - -### Options - -``` - --cluster-id string expected cluster identifier - -h, --help help for verify - -e, --node-endpoint string endpoint of the node to verify, passed as HOST[:PORT] - -o, --output string print the attestation document in the output format {json|raw} -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade - -Find and apply upgrades to your Constellation cluster - -### Synopsis - -Find and apply upgrades to your Constellation cluster. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade check - -Check for possible upgrades - -### Synopsis - -Check which upgrades can be applied to your Constellation Cluster. 
- -``` -constellation upgrade check [flags] -``` - -### Options - -``` - -h, --help help for check - --ref string the reference to use for querying new versions (default "-") - --stream string the stream to use for querying new versions (default "stable") - -u, --update-config update the specified config file with the suggested versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade apply - -Apply an upgrade to a Constellation cluster - -### Synopsis - -Apply an upgrade to a Constellation cluster by applying the chosen configuration. - -``` -constellation upgrade apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | helm | image | k8s } - -y, --yes run upgrades without further confirmation - WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs. - WARNING: might unintentionally overwrite measurements in the running cluster. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation recover - -Recover a completely stopped Constellation cluster - -### Synopsis - -Recover a Constellation cluster by sending a recovery key to an instance in the boot stage. 
- -This is only required if instances restart without other instances available for bootstrapping. - -``` -constellation recover [flags] -``` - -### Options - -``` - -e, --endpoint string endpoint of the instance, passed as HOST[:PORT] - -h, --help help for recover -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation terminate - -Terminate a Constellation cluster - -### Synopsis - -Terminate a Constellation cluster. - -The cluster can't be started again, and all persistent storage will be lost. - -``` -constellation terminate [flags] -``` - -### Options - -``` - -h, --help help for terminate - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam - -Work with the IAM configuration on your cloud provider - -### Synopsis - -Work with the IAM configuration on your cloud provider. - -### Options - -``` - -h, --help help for iam -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create - -Create IAM configuration on a cloud platform for your Constellation cluster - -### Synopsis - -Create IAM configuration on a cloud platform for your Constellation cluster. 
- -### Options - -``` - -h, --help help for create - --update-config update the config file with the specific IAM information - -y, --yes create the IAM configuration without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create aws - -Create IAM configuration on AWS for your Constellation cluster - -### Synopsis - -Create IAM configuration on AWS for your Constellation cluster. - -``` -constellation iam create aws [flags] -``` - -### Options - -``` - -h, --help help for aws - --prefix string name prefix for all resources (required) - --zone string AWS availability zone the resources will be created in, e.g., us-east-2a (required) - See the Constellation docs for a list of currently supported regions. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create azure - -Create IAM configuration on Microsoft Azure for your Constellation cluster - -### Synopsis - -Create IAM configuration on Microsoft Azure for your Constellation cluster. 
- -``` -constellation iam create azure [flags] -``` - -### Options - -``` - -h, --help help for azure - --region string region the resources will be created in, e.g., westus (required) - --resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required) - --servicePrincipal string name of the service principal that will be created (required) - --subscriptionID string subscription ID of the Azure account. Required if the 'ARM_SUBSCRIPTION_ID' environment variable is not set -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create gcp - -Create IAM configuration on GCP for your Constellation cluster - -### Synopsis - -Create IAM configuration on GCP for your Constellation cluster. - -``` -constellation iam create gcp [flags] -``` - -### Options - -``` - -h, --help help for gcp - --prefix string Prefix for the service account ID and VM ID that will be created (required) - Must be letters, digits, or hyphens. 
- --projectID string ID of the GCP project the configuration will be created in (required) - Find it on the welcome screen of your project: https://console.cloud.google.com/welcome - --zone string GCP zone the cluster will be deployed in (required) - Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam destroy - -Destroy an IAM configuration and delete local Terraform files - -### Synopsis - -Destroy an IAM configuration and delete local Terraform files. - -``` -constellation iam destroy [flags] -``` - -### Options - -``` - -h, --help help for destroy - -y, --yes destroy the IAM configuration without asking for confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade - -Find and apply upgrades to your IAM profile - -### Synopsis - -Find and apply upgrades to your IAM profile. 
- -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade apply - -Apply an upgrade to an IAM profile - -### Synopsis - -Apply an upgrade to an IAM profile. - -``` -constellation iam upgrade apply [flags] -``` - -### Options - -``` - -h, --help help for apply - -y, --yes run upgrades without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation version - -Display version of this CLI - -### Synopsis - -Display version of this CLI. - -``` -constellation version [flags] -``` - -### Options - -``` - -h, --help help for version -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation init - -Initialize the Constellation cluster - -### Synopsis - -Initialize the Constellation cluster. - -Start your confidential Kubernetes. 
- -``` -constellation init [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for init - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation ssh - -Generate a certificate for emergency SSH access - -### Synopsis - -Generate a certificate for emergency SSH access to your SSH-enabled constellation cluster. - -``` -constellation ssh [flags] -``` - -### Options - -``` - -h, --help help for ssh - --key string the path to an existing SSH public key -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - diff --git a/docs/versioned_docs/version-2.22/reference/migration.md b/docs/versioned_docs/version-2.22/reference/migration.md deleted file mode 100644 index 36bfb1462..000000000 --- a/docs/versioned_docs/version-2.22/reference/migration.md +++ /dev/null 
@@ -1,134 +0,0 @@ -# Migrations - -This document describes breaking changes and migrations between Constellation releases. -Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format. - -## Migrations to v2.19.1 - -### Azure - -* During the upgrade, security rules are migrated and the old ones need to be cleaned up manually by the user. The below script shows how to delete them through the Azure CLI: - -```bash -#!/usr/bin/env bash -name="" # the name provided in the config -uid="" # the cluster id can be retrieved via `yq '.infrastructure.uid' constellation-state.yaml` -resource_group="" # the RG can be retrieved via `yq '.provider.azure.resourceGroup' constellation-conf.yaml` - -rules=( - "kubernetes" - "bootstrapper" - "verify" - "recovery" - "join" - "debugd" - "konnectivity" -) - -for rule in "${rules[@]}"; do - echo "Deleting rule: ${rule}" - az network nsg rule delete \ - --resource-group "${resource_group}" \ - --nsg-name "${name}-${uid}" \ - --name "${rule}" -done - -echo "All specified rules have been deleted." -``` - -## Migrating from CLI versions before 2.21.1 - -### AWS - -* AWS clusters that use `LoadBalancer` resources require more IAM permissions. Please upgrade your IAM roles using `constellation iam upgrade apply`. This will show necessary changes and apply them, if desired. - -## Migrating from CLI versions before 2.19.0 - -### Azure - -* To allow seamless upgrades on Azure when Kubernetes services of type `LoadBalancer` are deployed, the target - load balancer in which the `cloud-controller-manager` creates load balancing rules was changed. Instead of using the load balancer - created and maintained by the CLI's Terraform code, the `cloud-controller-manager` now creates its own load balancer in Azure. - If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them - afterward. 
- -## Migrating from CLI versions before 2.18.0 - -* The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed. -* To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`. -* Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-an-iam-configuration) and use the created UAMI. -* To migrate the authentication for an existing cluster on Azure to an UAMI with the necessary permissions: - 1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret. - 2. Set `useManagedIdentityExtension` to `true` and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`. - 3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods. - -## Migrating from CLI versions before 2.10 - -* AWS cluster upgrades require additional IAM permissions for the newly introduced `aws-load-balancer-controller`. Please upgrade your IAM roles using `iam upgrade apply`. This will show necessary changes and apply them, if desired. -* The global `nodeGroups` field was added. -* The fields `instanceType`, `stateDiskSizeGB`, and `stateDiskType` for each cloud provider are now part of the configuration of individual node groups. -* The `constellation create` command no longer uses the flags `--control-plane-count` and `--worker-count`. Instead, the initial node count is configured per node group in the `nodeGroups` field. - -## Migrating from CLI versions before 2.9 - -* The `provider.azure.appClientID` and `provider.azure.clientSecretValue` fields were removed to enforce migration to managed identity authentication - -## Migrating from CLI versions before 2.8 - -* The `measurements` field for each cloud service provider was replaced with a global `attestation` field. 
-* The `confidentialVM`, `idKeyDigest`, and `enforceIdKeyDigest` fields for the Azure cloud service provider were removed in favor of using the global `attestation` field. -* The optional global field `attestationVariant` was replaced by the now required `attestation` field. - -## Migrating from CLI versions before 2.3 - -* The `sshUsers` field was deprecated in v2.2 and has been removed from the configuration in v2.3. - As an alternative for SSH, check the workflow section [Connect to nodes](../workflows/troubleshooting.md#node-shell-access). -* The `image` field for each cloud service provider has been replaced with a global `image` field. Use the following mapping to migrate your configuration: -
- Show all - - | CSP | old image | new image | - | ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | - | AWS | `ami-06b8cbf4837a0a57c` | `v2.2.2` | - | AWS | `ami-02e96dc04a9e438cd` | `v2.2.2` | - | AWS | `ami-028ead928a9034b2f` | `v2.2.2` | - | AWS | `ami-032ac10dd8d8266e3` | `v2.2.1` | - | AWS | `ami-032e0d57cc4395088` | `v2.2.1` | - | AWS | `ami-053c3e49e19b96bdd` | `v2.2.1` | - | AWS | `ami-0e27ebcefc38f648b` | `v2.2.0` | - | AWS | `ami-098cd37f66523b7c3` | `v2.2.0` | - | AWS | `ami-04a87d302e2509aad` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | 
`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.0.0` | `v2.0.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.0.0` | `v2.0.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-2` | `v2.2.2` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-1` | `v2.2.1` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-0` | `v2.2.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-1-0` | `v2.1.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-0-0` | `v2.0.0` | - -
-* The `enforcedMeasurements` field has been removed and merged with the `measurements` field. - * To migrate your config containing a new image (`v2.3` or greater), remove the old `measurements` and `enforcedMeasurements` entries from your config and run `constellation fetch-measurements` - * To migrate your config containing an image older than `v2.3`, remove the `enforcedMeasurements` entry and replace the entries in `measurements` as shown in the example below: - - ```diff - measurements: - - 0: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + 0: - + expected: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + warnOnly: true - - 8: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + 8: - + expected: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + warnOnly: false - -enforcedMeasurements: - - - 8 - ``` diff --git a/docs/versioned_docs/version-2.22/reference/slsa.md b/docs/versioned_docs/version-2.22/reference/slsa.md deleted file mode 100644 index 21f4e713c..000000000 --- a/docs/versioned_docs/version-2.22/reference/slsa.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Supply chain levels for software artifacts (SLSA) adoption - -[Supply chain Levels for Software Artifacts, or SLSA (salsa)](https://slsa.dev/) is a framework for improving and grading a project's build system and engineering processes. SLSA focuses on security improvements for source code storage as well as build system definition, execution, and observation. SLSA is structured in [four levels](https://slsa.dev/spec/v0.1/levels). This page describes the adoption of SLSA for Constellation. - -:::info -SLSA is still in alpha status. The presented levels and their requirements might change in the future. We will adopt any changes into our engineering processes, as they get defined. -::: - -## Level 1 - Adopted - -**[Build - Scripted](https://slsa.dev/spec/v0.1/requirements#scripted-build)** - -All build steps are automated via [Bazel](https://github.com/edgelesssys/constellation/tree/main/bazel/ci) and [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Available](https://slsa.dev/spec/v0.1/requirements#available)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). - -## Level 2 - Adopted - -**[Source - Version Controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled)** - -Constellation is hosted on GitHub using git. - -**[Build - Build Service](https://slsa.dev/spec/v0.1/requirements#build-service)** - -All builds are carried out by [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated)** - -Provenance for the CLI is signed using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). Learn [how to verify the CLI](../workflows/verify-cli.md) using the signed provenance, before using it for the first time. 
- -**[Provenance - Service Generated](https://slsa.dev/spec/v0.1/requirements#service-generated)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) in GitHub Actions. - -## Level 3 - Adopted - -**[Source - Verified History](https://slsa.dev/spec/v0.1/requirements#verified-history)** - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization [requires two-factor authentication](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) for all members. - -**[Source - Retained Indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely)** - -Since we use GitHub to host the repository, an external person can't modify or delete the history. Before a pull request can be merged, an explicit approval from an [Edgeless Systems](https://github.com/edgelesssys) team member is required. - -The same holds true for changes proposed by team members. Each change to `main` needs to be proposed via a pull request and requires at least one approval. - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization admins control these settings and are able to make changes to the repository's history should legal requirements necessitate it. These changes require two-party approval following the obliterate policy. - -**[Build - Build as Code](https://slsa.dev/spec/v0.1/requirements#build-as-code)** - -All build files for Constellation are stored in [the same repository](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Build - Ephemeral Environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment)** - -All GitHub Action workflows are executed on [GitHub-hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners). 
These runners are only available during workflow. - -We currently don't use [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). - -**[Build - Isolated](https://slsa.dev/spec/v0.1/requirements#isolated)** - -As outlined in the previous section, we use GitHub-hosted runners, which provide a new, isolated and ephemeral environment for each build. - -Additionally, the [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator#generation-of-provenance) itself is run in an isolated workflow with the artifact hash as defined inputs. - -**[Provenance - Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable)** - -As outlined by [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator) it already fulfills the non-falsifiable requirements for SLSA Level 3. The generated provenance is signed using [sigstore](https://sigstore.dev/) with an OIDC based proof of identity. - -## Level 4 - In Progress - -We strive to adopt certain aspect of SLSA Level 4 that support our engineering process. At the same time, SLSA is still in alpha status and the biggest changes to SLSA are expected to be around Level 4. diff --git a/docs/versioned_docs/version-2.22/reference/terraform.md b/docs/versioned_docs/version-2.22/reference/terraform.md deleted file mode 100644 index 9825a8bb8..000000000 --- a/docs/versioned_docs/version-2.22/reference/terraform.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Terraform usage - -[Terraform](https://www.terraform.io/) is an Infrastructure as Code (IaC) framework to manage cloud resources. This page explains how Constellation uses it internally and how advanced users may manually use it to have more control over the resource creation. - -:::info -Information on this page is intended for users who are familiar with Terraform. -It's not required for common usage of Constellation. -See the [Terraform documentation](https://developer.hashicorp.com/terraform/docs) if you want to learn more about it. -::: - -## Terraform state files - -Constellation keeps Terraform state files in subdirectories of the workspace together with the corresponding Terraform configuration files and metadata. -The subdirectories are created on the first Constellation CLI action that uses Terraform internally. - -Currently, these subdirectories are: - -* `constellation-terraform` - Terraform state files for the resources of the Constellation cluster -* `constellation-iam-terraform` - Terraform state files for IAM configuration - -As with all commands, commands that work with these files (e.g., `apply`, `terminate`, `iam`) have to be executed from the root of the cluster's [workspace directory](../architecture/orchestration.md#workspaces). You usually don't need and shouldn't manipulate or delete the subdirectories manually. - -## Interacting with Terraform manually - -Manual interaction with Terraform state created by Constellation (i.e., via the Terraform CLI) should only be performed by experienced users. It may lead to unrecoverable loss of cloud resources. For the majority of users and use cases, the interaction done by the [Constellation CLI](cli.md) is sufficient. - -## Terraform debugging - -To debug Terraform issues, the Constellation CLI offers the `tf-log` flag. 
You can set it to any of [Terraform's log levels](https://developer.hashicorp.com/terraform/internals/debugging): -* `JSON` (JSON-formatted logs at `TRACE` level) -* `TRACE` -* `DEBUG` -* `INFO` -* `WARN` -* `ERROR` - -The log output is written to the `terraform.log` file in the workspace directory. The output is appended to the file on each run. diff --git a/docs/versioned_docs/version-2.22/workflows/cert-manager.md b/docs/versioned_docs/version-2.22/workflows/cert-manager.md deleted file mode 100644 index 1d847e8bf..000000000 --- a/docs/versioned_docs/version-2.22/workflows/cert-manager.md +++ /dev/null @@ -1,13 +0,0 @@ -# Install cert-manager - -:::caution -If you want to use cert-manager with Constellation, pay attention to the following to avoid potential pitfalls. -::: - -Constellation ships with cert-manager preinstalled. -The default installation is part of the `kube-system` namespace, as all other Constellation-managed microservices. -You are free to install more instances of cert-manager into other namespaces. -However, be aware that any new installation needs to use the same version as the one installed with Constellation or rely on the same CRD versions. -Also remember to set the `installCRDs` value to `false` when installing new cert-manager instances. -It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs. -CRDs are cluster-wide resources and cert-manager depends on specific versions of those CRDs for each release. diff --git a/docs/versioned_docs/version-2.22/workflows/config.md b/docs/versioned_docs/version-2.22/workflows/config.md deleted file mode 100644 index 7868ff1be..000000000 --- a/docs/versioned_docs/version-2.22/workflows/config.md +++ /dev/null 
@@ -1,353 +0,0 @@ -# Configure your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Before you can create your cluster, you need to configure the identity and access management (IAM) for your cloud service provider (CSP) and choose machine types for the nodes. - -## Creating the configuration file - -You can generate a configuration file for your CSP by using the following CLI command: - - - - -```bash -constellation config generate aws -``` - - - - -```bash -constellation config generate azure -``` - - - - -```bash -constellation config generate gcp -``` - - - - -```bash -constellation config generate stackit -``` - - - - -This creates the file `constellation-conf.yaml` in the current directory. - -## Choosing a VM type - -Constellation supports the following VM types: - - - -By default, Constellation uses `m6a.xlarge` VMs (4 vCPUs, 16 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. -If you are using the default attestation variant `awsSEVSNP`, you can use the instance types described in [AWS's AMD SEV-SNP docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). -Please mind the region restrictions mentioned in the [Getting started](../getting-started/first-steps.md#create-a-cluster) section. - -If you are using the attestation variant `awsNitroTPM`, you can choose any of the [nitroTPM-enabled instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -By default, Constellation uses `Standard_DC4as_v5` CVMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. 
For CVMs, any VM type with a minimum of 4 vCPUs from the [DCasv5 & DCadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series) or [ECasv5 & ECadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/ecasv5-ecadsv5-series) families is supported. - -You can also run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `n2d-standard-4` VMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. Supported are all machines with a minimum of 4 vCPUs from the [C2D](https://cloud.google.com/compute/docs/compute-optimized-machines#c2d_machine_types) or [N2D](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) family. You can run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `m1a.4cd` VMs (4 vCPUs, 30 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. - -The following instance types are known to be supported: - -| name | vCPUs | GB RAM | -|----------|-------|--------| -| m1a.4cd | 4 | 30 | -| m1a.8cd | 8 | 60 | -| m1a.16cd | 16 | 120 | -| m1a.30cd | 30 | 230 | - -You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -Fill the desired VM type into the `instanceType` fields in the `constellation-conf.yml` file. - -## Creating additional node groups - -By default, Constellation creates the node groups `control_plane_default` and `worker_default` for control-plane nodes and workers, respectively. 
-If you require additional control-plane or worker groups with different instance types, zone placements, or disk sizes, you can add additional node groups to the `constellation-conf.yml` file. -Each node group can be scaled individually. - -Consider the following example for AWS: - -```yaml -nodeGroups: - control_plane_default: - role: control-plane - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 3 - worker_default: - role: worker - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 2 - high_cpu: - role: worker - instanceType: c6a.24xlarge - stateDiskSizeGB: 128 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 1 -``` - -This configuration creates an additional node group `high_cpu` with a larger instance type and disk. - -You can use the field `zone` to specify what availability zone nodes of the group are placed in. -On Azure, this field is empty by default and nodes are automatically spread across availability zones. -STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones. -Consult the documentation of your cloud provider for more information: - -* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) -* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones) -* [GCP](https://cloud.google.com/compute/docs/regions-zones) -* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html) - -## Choosing a Kubernetes version - -To learn which Kubernetes versions can be installed with your current CLI, you can run `constellation config kubernetes-versions`. -See also Constellation's [Kubernetes support policy](../architecture/versions.md#kubernetes-support-policy). - -## Creating an IAM configuration - -You can create an IAM configuration for your cluster automatically using the `constellation iam create` command. 
-If you already have a Constellation configuration file, you can add the `--update-config` flag to the command. This writes the needed IAM fields into your configuration. Furthermore, the flag updates the zone/region of the configuration if it hasn't been set yet. - - - - -You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create aws --zone=us-east-2a --prefix=constellTest -``` - -This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. - -Constellation OS images are currently replicated to the following regions: - -* `eu-central-1` -* `eu-west-1` -* `eu-west-3` -* `us-east-2` -* `ap-south-1` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - -You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest -``` - -This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. 
- -CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - -* `germanywestcentral` -* `westus` -* `eastus` -* `northeurope` -* `westeurope` -* `southeastasia` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). - -You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test -``` - -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. - -Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - - -
-Alternatively, you can manually create the IAM configuration on your CSP. - -The following describes the configuration fields and how you obtain the required information or create the required resources. - - - - -* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`. - - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -* **zone**: The name of your chosen AWS data center availability zone, e.g., `us-east-2a`. - - Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones). - -* **iamProfileControlPlane**: The name of an IAM instance profile attached to all control-plane nodes. - - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`. - -* **iamProfileWorkerNodes**: The name of an IAM instance profile attached to all worker nodes. 
- - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`. - - - - -* **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`. - - You can view your subscription UUID via `az account show` and read the `id` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription). - -* **tenant**: The UUID of your Azure tenant, e.g., `3400e5a2-8fe2-492a-886c-38cb66170f25`. - - You can view your tenant UUID via `az account show` and read the `tenant` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant). - -* **location**: The Azure datacenter location you want to deploy your cluster in, e.g., `westus`. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -* **resourceGroup**: [Create a new resource group in Azure](https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal) for your Constellation cluster. Set this configuration field to the name of the created resource group. - -* **userAssignedIdentity**: [Create a new managed identity in Azure](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination. - - Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor`, and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group. - - Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity. - - The user-assigned identity is used by instances of the cluster to access other cloud resources. - For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). - - - - -* **project**: The ID of your GCP project, e.g., `constellation-129857`. - - You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). 
- -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. - - You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. - - You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **serviceAccountKeyPath**: To configure this, you need to create a GCP [service account](https://cloud.google.com/iam/docs/service-accounts) with the following permissions: - - * `Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)` - * `Compute Network Admin (roles/compute.networkAdmin)` - * `Compute Security Admin (roles/compute.securityAdmin)` - * `Compute Storage Admin (roles/compute.storageAdmin)` - * `Service Account User (roles/iam.serviceAccountUser)` - - Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - -
- -Now that you've configured your CSP, you can [create your cluster](./create.md). - -## Deleting an IAM configuration - -You can keep a created IAM configuration and reuse it for new clusters. Alternatively, you can also delete it if you don't want to use it anymore. - -Delete the IAM configuration by executing the following command in the same directory where you executed `constellation iam create` (the directory that contains [`constellation-iam-terraform`](../reference/terraform.md) as a subdirectory): - -```bash -constellation iam destroy -``` - -:::caution -For Azure, deleting the IAM configuration by executing `constellation iam destroy` will delete the whole resource group created by `constellation iam create`. -This also includes any additional resources in the resource group that weren't created by Constellation. -::: diff --git a/docs/versioned_docs/version-2.22/workflows/create.md b/docs/versioned_docs/version-2.22/workflows/create.md deleted file mode 100644 index 6074ebb16..000000000 --- a/docs/versioned_docs/version-2.22/workflows/create.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# Create your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Creating your cluster happens through multiple phases. -The most significant ones are: - -1. Creating the necessary resources in your cloud environment -2. Bootstrapping the Constellation cluster and setting up a connection -3. Installing the necessary Kubernetes components - -`constellation apply` handles all this in a single command. -You can use the `--skip-phases` flag to skip specific phases of the process. -For example, if you created the infrastructure manually, you can skip the cloud resource creation phase. - -See the [architecture](../architecture/orchestration.md) section for details on the inner workings of this process. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -Before you create the cluster, make sure to have a [valid configuration file](./config.md). - - - - -```bash -constellation apply -``` - -`apply` stores the state of your cluster's cloud resources in a [`constellation-terraform`](../architecture/orchestration.md#cluster-creation-process) directory in your workspace. - - - - -Self-managed infrastructure allows for more flexibility in the setup, by separating the infrastructure setup from the Constellation cluster management. -This provides flexibility in DevOps and can meet potential regulatory requirements. -It's recommended to use Terraform for infrastructure management, but you can use any tool of your choice. - -:::info - - When using Terraform, you can use the [Constellation Terraform provider](./terraform-provider.md) to manage the entire Constellation cluster lifecycle. 
- -::: - -You can refer to the Terraform files for the selected CSP from the [Constellation GitHub repository](https://github.com/edgelesssys/constellation/tree/main/terraform/infrastructure) for a minimum Constellation cluster configuration. From this base, you can now add, edit, or substitute resources per your own requirements with the infrastructure -management tooling of your choice. You need to keep the essential functionality of the base configuration in order for your cluster to function correctly. - - - -:::info - - On Azure, a manual update to the MAA provider's policy is necessary. - You can apply the update with the following command after creating the infrastructure, with `` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration). - - ```bash - constellation maa-patch - ``` - -::: - - - -Make sure all necessary resources are created, e.g., through checking your CSP's portal and retrieve the necessary values, aligned with the outputs (specified in `outputs.tf`) of the base configuration. - -Fill these outputs into the corresponding fields of the `Infrastructure` block inside the `constellation-state.yaml` file. For example, fill the IP or DNS name your cluster can be reached at into the `.Infrastructure.ClusterEndpoint` field. - -With the required cloud resources set up, continue with initializing your cluster. - -```bash -constellation apply --skip-phases=infrastructure -``` - - - - -Finally, configure `kubectl` for your cluster: - -```bash -export KUBECONFIG="$PWD/constellation-admin.conf" -``` - -🏁 That's it. You've successfully created a Constellation cluster. - -### Troubleshooting - -In case `apply` fails, the CLI collects logs from the bootstrapping instance and stores them inside `constellation-cluster.log`. 
diff --git a/docs/versioned_docs/version-2.22/workflows/lb.md b/docs/versioned_docs/version-2.22/workflows/lb.md
deleted file mode 100644
index 868e61076..000000000
--- a/docs/versioned_docs/version-2.22/workflows/lb.md
+++ /dev/null
@@ -1,28 +0,0 @@ -# Expose a service - -Constellation integrates the native load balancers of each CSP. Therefore, to expose a service simply [create a service of type `LoadBalancer`](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). - -## Internet-facing LB service on AWS - -To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS. - -Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/). - -For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html). - -:::caution -Before terminating the cluster, all LB backed services should be deleted, so that the controller can cleanup the related resources. -::: - -## Ingress on AWS - -The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`. -AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type). -The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation. -If a service can be exposed on a `NodePort`, the target type `instance` can be used. - -See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information. 
- -:::caution -Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they shouldn't be handling sensitive traffic! -::: diff --git a/docs/versioned_docs/version-2.22/workflows/recovery.md b/docs/versioned_docs/version-2.22/workflows/recovery.md deleted file mode 100644 index 592ae247b..000000000 --- a/docs/versioned_docs/version-2.22/workflows/recovery.md +++ /dev/null 
@@ -1,179 +0,0 @@ -# Recover your cluster - -Recovery of a Constellation cluster means getting it back into a healthy state after too many concurrent node failures in the control plane. -Reasons for an unhealthy cluster can vary from a power outage, or planned reboot, to migration of nodes and regions. -Recovery events are rare, because Constellation is built for high availability and automatically and securely replaces failed nodes. When a node is replaced, Constellation's control plane first verifies the new node before it sends the node the cryptographic keys required to decrypt its [state disk](../architecture/images.md#state-disk). - -Constellation provides a recovery mechanism for cases where the control plane has failed and is unable to replace nodes. -The `constellation recover` command securely connects to all nodes in need of recovery using [attested TLS](../architecture/attestation.md#attested-tls-atls) and provides them with the keys to decrypt their state disks and continue booting. - -## Identify unhealthy clusters - -The first step to recovery is identifying when a cluster becomes unhealthy. -Usually, this can be first observed when the Kubernetes API server becomes unresponsive. - -You can check the health status of the nodes via the cloud service provider (CSP). -Constellation provides logging information on the boot process and status via serial console output. -In the following, you'll find detailed descriptions for identifying clusters stuck in recovery for each CSP. - - - - -First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `--control-plane` and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -In the Azure portal, find the cluster's resource group. -Inside the resource group, open the control plane *Virtual machine scale set* `constellation-scale-set-controlplanes-`. -On the left, go to **Settings** > **Instances** and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. -In the scale set's *Instances* view, open the details page of the desired instance. -On the left, go to **Support + troubleshooting** > **Serial console**. - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T09:56:41Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"azure"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["10.9.0.5:30090","10.9.0.6:30090"]} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.5:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.5:30090: i/o timeout\"","endpoint":"10.9.0.5:30090"} -{"level":"INFO","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.6:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.6:30090: i/o timeout\"","endpoint":"10.9.0.6:30090"} -{"level":"ERROR","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, check that the control plane *Instance Group* has enough members in a *Ready* state. -In the GCP Console, go to **Instance Groups** and check the group for the cluster's control plane `-control-plane-`. - -Second, check the status of the *VM Instances*. -Go to **VM Instances** and open the details of the desired instance. 
-Check the serial console output of that instance by opening the **Logs** > **Serial port 1 (console)** page: - -![GCP portal serial console link](../_media/recovery-gcp-serial-console-link.png) - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} -{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `--control-plane--` and check that enough members are in a *Running* state. - -Second, check the boot logs of these servers. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -## Recover a cluster - -Recovering a cluster requires the following parameters: - -* The `constellation-state.yaml` file in your working directory or the cluster's endpoint -* The master secret of the cluster - -A cluster can be recovered like this: - -```bash -$ constellation recover -Pushed recovery key. -Pushed recovery key. -Pushed recovery key. -Recovered 3 control-plane nodes. -``` - -In the serial console output of the node you'll see a similar output to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:93","msg":"Received recover call"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:125","msg":"Received state disk key and measurement secret, shutting down server"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer.gRPC","caller":"zap/server_interceptors.go:61","msg":"finished streaming call with code OK","grpc.start_time":"2022-09-08T10:26:59Z","system":"grpc","span.kind":"server","grpc.service":"recoverproto.API","grpc.method":"Recover","peer.address":"192.0.2.3:41752","grpc.code":"OK","grpc.time_ms":15.701} -{"level":"INFO","ts":"2022-09-08T10:27:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:87","msg":"RejoinClient stopped"} -``` 
diff --git a/docs/versioned_docs/version-2.22/workflows/reproducible-builds.md b/docs/versioned_docs/version-2.22/workflows/reproducible-builds.md
deleted file mode 100644
index e3bc46095..000000000
--- a/docs/versioned_docs/version-2.22/workflows/reproducible-builds.md
+++ /dev/null
@@ -1,63 +0,0 @@ -# Reproduce released artifacts - -Constellation has first-class support for [reproducible builds](https://reproducible-builds.org). -Reproducing the released artifacts is an alternative to [signature verification](verify-cli.md) that doesn't require trusting Edgeless Systems' release process. -The following sections describe how to rebuild an artifact and how Constellation ensures that the rebuild reproduces the artifacts bit-by-bit. - -## Build environment prerequisites - -The build systems used by Constellation - [Bazel](https://bazel.build/) and [Nix](https://nixos.org) - are designed for deterministic, reproducible builds. -These two dependencies should be the only prerequisites for a successful build. -However, it can't be ruled out completely that peculiarities of the host affect the build result. -Thus, we recommend the following host setup for best results: - -1. A Linux operating system not older than v5.4. -2. The GNU C library not older than v2.31 (avoid `musl`). -3. GNU `coreutils` not older than v8.30 (avoid `busybox`). -4. An `ext4` filesystem for building. -5. AppArmor turned off. - -This is given, for example, on an Ubuntu 22.04 system, which is also used for reproducibility tests. - -:::note - -To avoid any backwards-compatibility issues, the host software versions should also not be much newer than the Constellation release. - -::: - -## Run the build - -The following instructions outline qualitatively how to reproduce a build. -Constellation implements these instructions in the [Reproducible Builds workflow](https://github.com/edgelesssys/constellation/actions/workflows/reproducible-builds.yml), which continuously tests for reproducibility. -The workflow is a good place to look up specific version numbers and build steps. - -1. Check out the Constellation repository at the tag corresponding to the release. 
- - ```bash - git clone https://github.com/edgelesssys/constellation.git - cd constellation - git checkout v2.20.0 - ``` - -2. [Install the Bazel release](https://bazel.build/install) specified in `.bazelversion`. -3. [Install Nix](https://nixos.org/download/) (any recent version should do). -4. Run the build with `bazel build $target` for one of the following targets of interest: - - ```data - //cli:cli_enterprise_darwin_amd64 - //cli:cli_enterprise_darwin_arm64 - //cli:cli_enterprise_linux_amd64 - //cli:cli_enterprise_linux_arm64 - //cli:cli_enterprise_windows_amd64 - ``` - -5. Compare the build result with the downloaded release artifact. - - - -## Feedback - -Reproduction failures often indicate a bug in the build system or in the build definitions. -Therefore, we're interested in any reproducibility issues you might encounter. -[Start a bug report](https://github.com/edgelesssys/constellation/issues/new/choose) and describe the details of your build environment. -Make sure to include your result binary or a [`diffoscope`](https://diffoscope.org/) report, if possible. diff --git a/docs/versioned_docs/version-2.22/workflows/s3proxy.md b/docs/versioned_docs/version-2.22/workflows/s3proxy.md deleted file mode 100644 index 121e8a461..000000000 --- a/docs/versioned_docs/version-2.22/workflows/s3proxy.md +++ /dev/null 
@@ -1,58 +0,0 @@ -# Install s3proxy - -Constellation includes a transparent client-side encryption proxy for [AWS S3](https://aws.amazon.com/de/s3/) and compatible stores. -s3proxy encrypts objects before sending them to S3 and automatically decrypts them on retrieval, without requiring changes to your application. -With s3proxy, you can use S3 for storage in a confidential way without having to trust the storage provider. - -## Limitations - -Currently, s3proxy has the following limitations: -- Only `PutObject` and `GetObject` requests are encrypted/decrypted by s3proxy. -By default, s3proxy will block requests that may expose unencrypted data to S3 (e.g. UploadPart). -The `allow-multipart` flag disables request blocking for evaluation purposes. -- Using the [Range](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html#API_GetObject_RequestSyntax) header on `GetObject` is currently not supported and will result in an error. - -These limitations will be removed with future iterations of s3proxy. -If you want to use s3proxy but these limitations stop you from doing so, consider [opening an issue](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&projects=&template=feature_request.yml). - -## Deployment - -You can add the s3proxy to your Constellation cluster as follows: -1. Add the Edgeless Systems chart repository: - ```bash - helm repo add edgeless https://helm.edgeless.systems/stable - helm repo update - ``` -2. Set ACCESS_KEY and ACCESS_SECRET to valid credentials you want s3proxy to use to interact with S3. -3. Deploy s3proxy: - ```bash - helm install s3proxy edgeless/s3proxy --set awsAccessKeyID="$ACCESS_KEY" --set awsSecretAccessKey="$ACCESS_SECRET" - ``` - -If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example. 
- - -## Technical details - -### Encryption - -s3proxy relies on Google's [Tink Cryptographic Library](https://developers.google.com/tink) to implement cryptographic operations securely. -The used cryptographic primitives are [NIST SP 800 38f](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf) for key wrapping and [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)-[GCM](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Galois/counter_(GCM)) with 256 bit keys for data encryption. - -s3proxy uses [envelope encryption](https://cloud.google.com/kms/docs/envelope-encryption) to encrypt objects. -This means s3proxy uses a key encryption key (KEK) issued by the [KeyService](../architecture/microservices.md#keyservice) to encrypt data encryption keys (DEKs). -Each S3 object is encrypted with its own DEK. -The encrypted DEK is then saved as metadata of the encrypted object. -This enables key rotation of the KEK without re-encrypting the data in S3. -The approach also allows access to objects from different locations, as long as each location has access to the KEK. - -### Traffic interception - -To use s3proxy, you have to redirect your outbound S3 traffic to s3proxy. -This can either be done by modifying your client application or by changing the deployment of your application. - -The necessary deployment modifications are to add DNS redirection and a trusted TLS certificate to the client's trust store. -DNS redirection can be defined for each pod, allowing you to use s3proxy for one application without changing other applications in the same cluster. -Adding a trusted TLS certificate is necessary as clients communicate with s3proxy via HTTPS. -To have your client application trust s3proxy's TLS certificate, the certificate has to be added to the client's certificate trust store. -The [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example shows how to do this. 
diff --git a/docs/versioned_docs/version-2.22/workflows/sbom.md b/docs/versioned_docs/version-2.22/workflows/sbom.md
deleted file mode 100644
index 6c1702dee..000000000
--- a/docs/versioned_docs/version-2.22/workflows/sbom.md
+++ /dev/null
@@ -1,93 +0,0 @@ -# Consume software bill of materials (SBOMs) - - - ---- - -Constellation builds produce a [software bill of materials (SBOM)](https://www.ntia.gov/SBOM) for each generated [artifact](../architecture/microservices.md). -You can use SBOMs to make informed decisions about dependencies and vulnerabilities in a given application. Enterprises rely on SBOMs to maintain an inventory of used applications, which allows them to take data-driven approaches to managing risks related to vulnerabilities. - -SBOMs for Constellation are generated using [Syft](https://github.com/anchore/syft), signed using [Cosign](https://github.com/sigstore/cosign), and stored with the produced artifact. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). - -Make sure the key is available in a file named `cosign.pub` to execute the following examples. -::: - -## Verify and download SBOMs - -The following sections detail how to work with each type of artifact to verify and extract the SBOM. - -### Constellation CLI - -The SBOM for Constellation CLI is made available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). The SBOM (`constellation.spdx.sbom`) and corresponding signature (`constellation.spdx.sbom.sig`) are valid for each Constellation CLI for a given version, regardless of architecture and operating system. 
- -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom.sig -cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig constellation.spdx.sbom -``` - -### Container Images - -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/cosign/signing/other_types/#sboms-software-bill-of-materials) and uploaded to the same registry. - -As a consumer, use cosign to download and verify the SBOM: - -```bash -# Verify and download the attestation statement -cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.att.json -# Extract SBOM from attestation statement -jq -r .payload verification-service.att.json | base64 -d > verification-service.cyclonedx.sbom -``` - -A successful verification should result in similar output: - -```shell-session -$ cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.sbom - -Verification for ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 -- -The following checks were performed on each of these signatures: - - The cosign claims were validated - - The signatures were verified against the specified public key -$ jq -r .payload verification-service.sbom | base64 -d > verification-service.cyclonedx.sbom -``` - -:::note - -This example considers only the `verification-service`. The same approach works for all containers in the [Constellation container registry](https://github.com/orgs/edgelesssys/packages?repo_name=constellation). - -::: - - - -## Vulnerability scanning - -You can use a plethora of tools to consume SBOMs. 
This section provides suggestions for tools that are popular and known to produce reliable results, but any tool that consumes [SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) files should work. - -Syft is able to [convert between the two formats](https://github.com/anchore/syft#format-conversion-experimental) in case you require a specific type. - -### Grype - -[Grype](https://github.com/anchore/grype) is a CLI tool that lends itself well for integration into CI/CD systems or local developer machines. It's also able to consume the signed attestation statement directly and does the verification in one go. - -```bash -grype att:verification-service.sbom --key cosign.pub --add-cpes-if-none -q -``` - -### Dependency Track - -[Dependency Track](https://dependencytrack.org/) is one of the oldest and most mature solutions when it comes to managing software inventory and vulnerabilities. Once imported, it continuously scans SBOMs for new vulnerabilities. It supports the CycloneDX format and provides direct guidance on how to comply with [U.S. Executive Order 14028](https://docs.dependencytrack.org/usage/executive-order-14028/). diff --git a/docs/versioned_docs/version-2.22/workflows/scale.md b/docs/versioned_docs/version-2.22/workflows/scale.md deleted file mode 100644 index 28f19e3f1..000000000 --- a/docs/versioned_docs/version-2.22/workflows/scale.md +++ /dev/null 
@@ -1,122 +0,0 @@ -# Scale your cluster - -Constellation provides all features of a Kubernetes cluster including scaling and autoscaling. - -## Worker node scaling - -### Autoscaling - -Constellation comes with autoscaling disabled by default. To enable autoscaling, find the scaling group of -worker nodes: - -```bash -kubectl get scalinggroups -o json | yq '.items | .[] | select(.spec.role == "Worker") | [{"name": .metadata.name, "nodeGoupName": .spec.nodeGroupName}]' -``` - -This will output a list of scaling groups with the corresponding cloud provider name (`name`) and the cloud provider agnostic name of the node group (`nodeGroupName`). - -Then, patch the `autoscaling` field of the scaling group resource with the desired `name` to `true`: - -```bash -# Replace with the name of the scaling group you want to enable autoscaling for -worker_group= -kubectl patch scalinggroups $worker_group --patch '{"spec":{"autoscaling": true}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler now automatically provisions additional worker nodes so that all pods have a place to run. -You can configure the minimum and maximum number of worker nodes in the scaling group by patching the `min` or -`max` fields of the scaling group resource: - -```bash -kubectl patch scalinggroups $worker_group --patch '{"spec":{"max": 5}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler will now never provision more than 5 worker nodes. - -If you want to see the autoscaling in action, try to add a deployment with a lot of replicas, like the -following Nginx deployment. The number of replicas needed to trigger the autoscaling depends on the size of -and count of your worker nodes. 
Wait for the rollout of the deployment to finish and compare the number of -worker nodes before and after the deployment: - -```bash -kubectl create deployment nginx --image=nginx --replicas 150 -kubectl -n kube-system get nodes -kubectl rollout status deployment nginx -kubectl -n kube-system get nodes -``` - -### Manual scaling - -Alternatively, you can manually scale your cluster up or down: - - - - -1. Go to Auto Scaling Groups and select the worker ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-workers`. -3. Go to **settings** and **scaling**. -4. Set the new **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **worker** instance group. -3. Set the new **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. - - - - -## Control-plane node scaling - -Control-plane nodes can **only be scaled manually and only scaled up**! - -To increase the number of control-plane nodes, follow these steps: - - - - -1. Go to Auto Scaling Groups and select the control-plane ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-controlplanes`. -3. Go to **settings** and **scaling**. -4. Set the new (increased) **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **control-plane** instance group. -3. Set the new (increased) **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. 
- - - - -If you scale down the number of control-planes nodes, the removed nodes won't be able to exit the `etcd` cluster correctly. This will endanger the quorum that's required to run a stable Kubernetes control plane. diff --git a/docs/versioned_docs/version-2.22/workflows/storage.md b/docs/versioned_docs/version-2.22/workflows/storage.md deleted file mode 100644 index a5c52be90..000000000 --- a/docs/versioned_docs/version-2.22/workflows/storage.md +++ /dev/null 
@@ -1,281 +0,0 @@ -# Use persistent storage - -Persistent storage in Kubernetes requires cloud-specific configuration. -For abstraction of container storage, Kubernetes offers [volumes](https://kubernetes.io/docs/concepts/storage/volumes/), -allowing users to mount storage solutions directly into containers. -The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes. -Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage. - -## Confidential storage - -Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek). -Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT. -However, their encryption takes place in the storage backend and is managed by the CSP. -Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data. - -To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage. - -For more details see [encrypted persistent storage](../architecture/encrypted-storage.md). - -## CSI drivers - -Constellation supports the following drivers, which offer node-level encryption and optional integrity protection. - - - - -**Constellation CSI driver for AWS Elastic Block Store** -Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster. 
-Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information. - - - - -**Constellation CSI driver for Azure Disk**: -Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster. -See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information. -Since Azure Disks are mounted as `ReadWriteOnce`, they're only available to a single pod. - - - - -**Constellation CSI driver for GCP Persistent Disk**: -Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for more information. - - - - -**Constellation CSI driver for STACKIT / OpenStack Cinder** -Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information. - - - - -Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [AWS EFS](https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html), [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction), or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. 
Constellation is just not providing transparent encryption on the node level for these storage types yet. - -## Installation - -The Constellation CLI automatically installs Constellation's CSI driver for the selected CSP in your cluster. -If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file. - - - - -AWS comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -Azure comes with two storage classes by default. 
- -* `encrypted-rwo` - * Uses [Standard SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [Premium SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#premium-ssds) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -GCP comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [standard persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [performance (SSD) persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. 
-If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -STACKIT comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -1. 
Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) - - A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. - It can refer to a storage class. - The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class: - - ```bash - cat < - ---- - -You can terminate your cluster using the CLI. For this, you need the Terraform state directory named [`constellation-terraform`](../reference/terraform.md) in the current directory. - -:::danger - -All ephemeral storage and state of your cluster will be lost. Make sure any data is safely stored in persistent storage. Constellation can recreate your cluster and the associated encryption keys, but won't backup your application data automatically. - -::: - - - -Terminate the cluster by running: - -```bash -constellation terminate -``` - -Or without confirmation (e.g., for automation purposes): - -```bash -constellation terminate --yes -``` - -This deletes all resources created by Constellation in your cloud environment. -All local files created by the `apply` command are deleted as well, except for `constellation-mastersecret.json` and the configuration file. - -:::caution - -Termination can fail if additional resources have been created that depend on the ones managed by Constellation. In this case, you need to delete these additional -resources manually. Just run the `terminate` command again afterward to continue the termination process of the cluster. - -::: - - - -Terminate the cluster by running: - -```bash -terraform destroy -``` - -Delete all files that are no longer needed: - -```bash -rm constellation-state.yaml constellation-admin.conf -``` - -Only the `constellation-mastersecret.json` and the configuration file remain. - - - 
diff --git a/docs/versioned_docs/version-2.22/workflows/terraform-provider.md b/docs/versioned_docs/version-2.22/workflows/terraform-provider.md deleted file mode 100644 index c7a795d3f..000000000 --- a/docs/versioned_docs/version-2.22/workflows/terraform-provider.md +++ /dev/null 
@@ -1,140 +0,0 @@ -# Use the Terraform provider - -The Constellation Terraform provider allows to manage the full lifecycle of a Constellation cluster (namely creation, upgrades, and deletion) via Terraform. -The provider is available through the [Terraform registry](https://registry.terraform.io/providers/edgelesssys/constellation/latest) and is released in lock-step with Constellation releases. - -## Prerequisites - -- a Linux / Mac operating system (ARM64/AMD64) -- a Terraform installation of version `v1.4.4` or above - -## Quick setup - -This example shows how to set up a Constellation cluster with the reference IAM and infrastructure setup. This setup is also used when creating a Constellation cluster through the Constellation CLI. You can either consume the IAM / infrastructure modules through a remote source (recommended) or local files. The latter requires downloading the infrastructure and IAM modules for the corresponding CSP from `terraform-modules.zip` on the [Constellation release page](https://github.com/edgelesssys/constellation/releases/latest) and placing them in the Terraform workspace directory. - -1. Create a directory (workspace) for your Constellation cluster. - - ```bash - mkdir constellation-workspace - cd constellation-workspace - ``` - -2. Use one of the [example configurations for using the Constellation Terraform provider](https://github.com/edgelesssys/constellation/tree/main/terraform-provider-constellation/examples/full) or create a `main.tf` file and fill it with the resources you want to create. The [Constellation Terraform provider documentation](https://registry.terraform.io/providers/edgelesssys/constellation/latest) offers thorough documentation on the resources and their attributes. -3. Initialize and apply the Terraform configuration. - - - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -:::info -On SEV-SNP, you need to manually patch the policy of the MAA provider before creating the Constellation cluster, as this feature isn't available in Azure's Terraform provider yet. The Constellation CLI provides a utility for patching, but you can also do it manually. - - ```bash - terraform init - terraform apply -target module.azure_iam # adjust resource path if not using the example configuration - terraform apply -target module.azure_infrastructure # adjust resource path if not using the example configuration - constellation maa-patch $(terraform output -raw maa_url) # adjust output path / input if not using the example configuration or manually patch the resource - terraform apply -target constellation_cluster.azure_example # adjust resource path if not using the example configuration - ``` - - Use the following policy if manually performing the patch. - - ``` - version= 1.0; - authorizationrules - { - [type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny(); - [type=="x-ms-azurevm-debuggersdisabled", value==false] => deny(); - // The line below was edited to use the MAA provider within Constellation. Do not edit manually. - //[type=="secureboot", value==false] => deny(); - [type=="x-ms-azurevm-signingdisabled", value==false] => deny(); - [type=="x-ms-azurevm-dbvalidated", value==false] => deny(); - [type=="x-ms-azurevm-dbxvalidated", value==false] => deny(); - => permit(); - }; - issuancerules - { - }; - ``` - -::: - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -4. Connect to the cluster. - - ```bash - terraform output -raw kubeconfig > constellation-admin.conf - export KUBECONFIG=$(realpath constellation-admin.conf) - ``` - -## Bringing your own infrastructure - -Instead of using the example infrastructure used in the [quick setup](#quick-setup), you can also provide your own infrastructure. -If you need a starting point for a custom infrastructure setup, you can download the infrastructure / IAM Terraform modules for the respective CSP from the Constellation [GitHub releases](https://github.com/edgelesssys/constellation/releases). You can modify and extend the modules per your requirements, while keeping the basic functionality intact. 
-The module contains: - -- `{csp}`: cloud resources the cluster runs on -- `iam/{csp}`: IAM resources used within the cluster - -When upgrading your cluster, make sure to check the Constellation release notes for potential breaking changes in the reference infrastructure / IAM modules that need to be considered. - -## Cluster upgrades - -:::tip -Also see the [general documentation on cluster upgrades](./upgrade.md). -::: - -The steps for applying the upgrade are as follows: - -1. Update the version constraint of the Constellation Terraform provider in the `required_providers` block in your Terraform configuration. -2. If you explicitly set any of the version attributes of the provider's resources and data sources (e.g. `image_version` or `constellation_microservice_version`), make sure to update them too. Refer to Constellation's [version support policy](https://github.com/edgelesssys/constellation/blob/main/dev-docs/workflows/versions-support.md) for more information on how each Constellation version and its dependencies are supported. -3. Update the IAM / infrastructure configuration. - - For [remote addresses as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#fetching-archives-over-http), update the version number inside the address of the `source` field of the infrastructure / IAM module to the target version. - - For [local paths as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#local-paths) or when [providing your own infrastructure](#bringing-your-own-infrastructure), see the changes made in the reference modules since the upgrade's origin version and adjust your infrastructure / IAM configuration accordingly. -4. Upgrade the Terraform module and provider dependencies and apply the targeted configuration. - -```bash - terraform init -upgrade - terraform apply -``` 
diff --git a/docs/versioned_docs/version-2.22/workflows/troubleshooting.md b/docs/versioned_docs/version-2.22/workflows/troubleshooting.md deleted file mode 100644 index 903c829e0..000000000 --- a/docs/versioned_docs/version-2.22/workflows/troubleshooting.md +++ /dev/null 
@@ -1,200 +0,0 @@ -# Troubleshooting - -This section aids you in finding problems when working with Constellation. - -## Common issues - -### Issues with creating new clusters - -When you create a new cluster, you should always use the [latest release](https://github.com/edgelesssys/constellation/releases/latest). -If something doesn't work, check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### Azure: Resource Providers can't be registered - -On Azure, you may receive the following error when running `apply` or `terminate` with limited IAM permissions: - -```shell-session -Error: Error ensuring Resource Providers are registered. - -Terraform automatically attempts to register the Resource Providers it supports to -ensure it's able to provision resources. - -If you don't have permission to register Resource Providers you may wish to use the -"skip_provider_registration" flag in the Provider block to disable this functionality. - -[...] -``` - -To continue, please ensure that the [required resource providers](../getting-started/install.md#required-permissions) have been registered in your subscription by your administrator. - -Afterward, set `ARM_SKIP_PROVIDER_REGISTRATION=true` as an environment variable and either run `apply` or `terminate` again. 
-For example: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation apply -``` - -Or alternatively, for `terminate`: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate -``` - -### Azure: Can't update attestation policy - -On Azure, you may receive the following error when running `apply` from within an Azure environment, e.g., an Azure VM: - -```shell-session -An error occurred: patching policies: updating attestation policy: unexpected status code: 403 Forbidden -``` - -The problem occurs because the Azure SDK we use internally attempts to [authenticate towards the Azure API with the managed identity of your current environment instead of the Azure CLI token](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential). - -We decided not to deviate from this behavior and comply with the ordering of credentials. - -A solution is to add the [required permissions](../getting-started/install.md#required-permissions) to the managed identity of your environment. For example, the managed identity of your Azure VM, instead of the account that you've authenticated with in the Azure CLI. - -If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior. - - - -### Nodes fail to join with error `untrusted measurement value` - -This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice). -This may for example happen if the cloud provider updates the VM's firmware such that it influences the [runtime measurements](../architecture/attestation.md#runtime-measurements) in an unforeseen way. -A failed upgrade due to an erroneous attestation config can also cause this error. -You can change the expected measurements to resolve the failure. 
- -:::caution - -Attestation and trusted measurements are crucial for the security of your cluster. -Be extra careful when manually changing these settings. -When in doubt, check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -:::tip - -During an upgrade with modified attestation config, a backup of the current configuration is stored in the `join-config` config map in the `kube-system` namespace under the `attestationConfig_backup` key. To restore the old attestation config after a failed upgrade, replace the value of `attestationConfig` with the value from `attestationConfig_backup`: - -```bash -kubectl patch configmaps -n kube-system join-config -p "{\"data\":{\"attestationConfig\":\"$(kubectl get configmaps -n kube-system join-config -o "jsonpath={.data.attestationConfig_backup}")\"}}" -``` - -::: - -You can use the `apply` command to change measurements of a running cluster: - -1. Modify the `measurements` key in your local `constellation-conf.yaml` to the expected values. -2. Run `constellation apply`. - -Keep in mind that running `apply` also applies any version changes from your config to the cluster. - -You can run these commands to learn about the versions currently configured in the cluster: - -- Kubernetes API server version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.kubernetesClusterVersion` -- image version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.imageVersion` -- microservices versions: `helm list --filter 'constellation-services' -n kube-system` - -### Upgrading Kubernetes resources fails - -Constellation manages its Kubernetes resources using Helm. 
-When applying an upgrade, the charts that are about to be installed, and a values override file `overrides.yaml`, -are saved to disk in your current workspace under `constellation-upgrade/upgrade-/helm-charts/`. -If upgrading the charts using the Constellation CLI fails, you can review these charts and try to manually apply the upgrade. - -:::caution - -Changing and manually applying the charts may destroy cluster resources and can lead to broken Constellation deployments. -Proceed with caution and when in doubt, -check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -## Diagnosing issues - -### Logs - -To get started on diagnosing issues with Constellation, it's often helpful to collect logs from nodes, pods, or other resources in the cluster. Most logs are available through Kubernetes' standard -[logging interfaces](https://kubernetes.io/docs/concepts/cluster-administration/logging/). - -To debug issues occurring at boot time of the nodes, you can use the serial console interface of the CSP while the machine boots to get a read-only view of the boot logs. - -Apart from that, Constellation also offers further [observability integrations](../architecture/observability.md). - -### Node shell access - -Debugging via a shell on a node is [directly supported by Kubernetes](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#node-shell-session). - -1. Figure out which node to connect to: - - ```bash - kubectl get nodes - # or to see more information, such as IPs: - kubectl get nodes -o wide - ``` - -2. Connect to the node: - - ```bash - kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox - ``` - - You will be presented with a prompt. - - The nodes file system is mounted at `/host`. - -3. 
Once finished, clean up the debug pod: - - ```bash - kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj - ``` - -### Emergency SSH access - -Emergency SSH access to nodes can be useful to diagnose issues or download important data even if the Kubernetes API isn't reachable anymore. - -1. Enter the `constellation-terraform` directory in your Constellation workspace and enable emergency SSH access to the cluster: - - ```bash - cd constellation-terraform - echo "emergency_ssh = true" >> ./terraform.tfvars - terraform apply - ``` - -2. Sign an existing SSH key with your master secret: - - ```bash - cd ../ # go back to your Constellation workspace - constellation ssh --key your_public_key.pub - ``` - - A certificate is written to `constellation_cert.pub`. - - The certificate is valid for 24 hours and enables you to access your Constellation nodes using - [certificate based authentication](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication). - -3. Now you can connect to any Constellation node using your certificate and your private key. - - ```bash - ssh -o CertificateFile=constellation_cert.pub -i root@ - ``` - - Normally, you don't have access to the Constellation nodes since they reside in a private network. - To access those nodes anyways, you can use your Constellation load balancer as a proxy jump host. - For this, use something along the following SSH client configuration: - - ```text - Host - ProxyJump none - - Host * - IdentityFile - PreferredAuthentications publickey - CertificateFile=constellation_cert.pub - User root - ProxyJump - ``` - - With this configuration you can connect to a Constellation node using `ssh -F `. - You can obtain the private node IP and the domain name of the load balancer using your CSP's web UI. diff --git a/docs/versioned_docs/version-2.22/workflows/trusted-launch.md b/docs/versioned_docs/version-2.22/workflows/trusted-launch.md deleted file mode 100644 index d6d01d8eb..000000000 
--- a/docs/versioned_docs/version-2.22/workflows/trusted-launch.md +++ /dev/null 
@@ -1,54 +0,0 @@ -# Use Azure trusted launch VMs - -Constellation also supports [trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch) on Microsoft Azure. Trusted launch VMs don't offer the same level of security as Confidential VMs, but are available in more regions and in larger quantities. The main difference between trusted launch VMs and normal VMs is that the former offer vTPM-based remote attestation. When used with trusted launch VMs, Constellation relies on vTPM-based remote attestation to verify nodes. - -:::caution - -Trusted launch VMs don't provide runtime encryption and don't keep the cloud service provider (CSP) out of your trusted computing base. - -::: - -Constellation supports trusted launch VMs with instance types `Standard_D*_v4` and `Standard_E*_v4`. Run `constellation config instance-types` for a list of all supported instance types. - -## VM images - -Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription. - -The latest image is available at `https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img`. Simply adjust the version number to download a newer version. - -After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image. -You can use a script to do this: - -```bash -wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh -chmod +x importAzure.sh -AZURE_IMAGE_VERSION=2.2.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./constellation.img ./importAzure.sh -``` - -The script creates the following resources: - -1. A new image gallery with the default name `constellation-import` -2. A new image definition with the default name `constellation` -3. 
The actual image with the provided version. In this case `2.2.0` - -Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`. - -Fetch the image measurements: - -```bash -IMAGE_VERSION=2.2.0 -URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//communitygalleries/constellationcvm-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/$IMAGE_VERSION/measurements.yaml -constellation config fetch-measurements -u$URL -s$URL.sig -``` - -:::info - -The [`constellation apply`](create.md) command will issue a warning because manually imported images aren't recognized as production grade images: - -```shell-session -Configured image doesn't look like a released production image. Double check image before deploying to production. -``` - -Please ignore this warning. - -::: diff --git a/docs/versioned_docs/version-2.22/workflows/upgrade.md b/docs/versioned_docs/version-2.22/workflows/upgrade.md deleted file mode 100644 index 3db2ecad6..000000000 --- a/docs/versioned_docs/version-2.22/workflows/upgrade.md +++ /dev/null 
@@ -1,110 +0,0 @@ -# Upgrade your cluster - -Constellation provides an easy way to upgrade all components of your cluster, without disrupting its availability. -Specifically, you can upgrade the Kubernetes version, the nodes' image, and the Constellation microservices. -You configure the desired versions in your local Constellation configuration and trigger upgrades with the `apply` command. -To learn about available versions you use the `upgrade check` command. -Which versions are available depends on the CLI version you are using. - -## Update the CLI - -Each CLI comes with a set of supported microservice and Kubernetes versions. -Most importantly, a given CLI version can only upgrade a cluster of the previous minor version, but not older ones. -This means that you have to upgrade your CLI and cluster one minor version at a time. - -For example, if you are currently on CLI version v2.6 and the latest version is v2.8, you should - -* upgrade the CLI to v2.7, -* upgrade the cluster to v2.7, -* and only then continue upgrading the CLI (and the cluster) to v2.8 after. - -Also note that if your current Kubernetes version isn't supported by the next CLI version, use your current CLI to upgrade to a newer Kubernetes version first. - -To learn which Kubernetes versions are supported by a particular CLI, run [constellation config kubernetes-versions](../reference/cli.md#constellation-config-kubernetes-versions). - -## Migrate the configuration - -The Constellation configuration file is located in the file `constellation-conf.yaml` in your workspace. -Refer to the [migration reference](../reference/migration.md) to check if you need to update fields in your configuration file. -Use [`constellation config migrate`](../reference/cli.md#constellation-config-migrate) to automatically update an old config file to a new format. 
- -## Check for upgrades - -To learn which versions the current CLI can upgrade to and what's installed in your cluster, run: - -```bash -# Show possible upgrades -constellation upgrade check - -# Show possible upgrades and write them to config file -constellation upgrade check --update-config -``` - -You can either enter the reported target versions into your config manually or run the above command with the `--update-config` flag. -When using this flag, the `kubernetesVersion`, `image`, `microserviceVersion`, and `attestation` fields are overwritten with the smallest available upgrade. - -## Apply the upgrade - -Once you updated your config with the desired versions, you can trigger the upgrade with this command: - -```bash -constellation apply -``` - -Microservice upgrades will be finished within a few minutes, depending on the cluster size. -If you are interested, you can monitor pods restarting in the `kube-system` namespace with your tool of choice. - -Image and Kubernetes upgrades take longer. -For each node in your cluster, a new node has to be created and joined. -The process usually takes up to ten minutes per node. - -When applying an upgrade, the Helm charts for the upgrade as well as backup files of Constellation-managed Custom Resource Definitions, Custom Resources, and Terraform state are created. -You can use the Terraform state backup to restore previous resources in case an upgrade misconfigured or erroneously deleted a resource. -You can use the Custom Resource (Definition) backup files to restore Custom Resources and Definitions manually (e.g., via `kubectl apply`) if the automatic migration of those resources fails. -You can use the Helm charts to manually apply upgrades to the Kubernetes resources, should an upgrade fail. - -:::note - -For advanced users: the upgrade consists of several phases that can be individually skipped through the `--skip-phases` flag. 
-The phases are `infrastracture` for the cloud resource management through Terraform, `helm` for the chart management of the microservices, `image` for OS image upgrades, and `k8s` for Kubernetes version upgrades. - -::: - -## Check the status - -Upgrades are asynchronous operations. -After you run `apply`, it will take a while until the upgrade has completed. -To understand if an upgrade is finished, you can run: - -```bash -constellation status -``` - -This command displays the following information: - -* The installed services and their versions -* The image and Kubernetes version the cluster is expecting on each node -* How many nodes are up to date - -Here's an example output: - -```shell-session -Target versions: - Image: v2.6.0 - Kubernetes: v1.25.8 -Service versions: - Cilium: v1.12.1 - cert-manager: v1.10.0 - constellation-operators: v2.6.0 - constellation-services: v2.6.0 -Cluster status: Some node versions are out of date - Image: 23/25 - Kubernetes: 25/25 -``` - -This output indicates that the cluster is running Kubernetes version `1.25.8`, and all nodes have the appropriate binaries installed. -23 out of 25 nodes have already upgraded to the targeted image version of `2.6.0`, while two are still in progress. - -## Apply further upgrades - -After the upgrade is finished, you can run `constellation upgrade check` again to see if there are more upgrades available. If so, repeat the process. diff --git a/docs/versioned_docs/version-2.22/workflows/verify-cli.md b/docs/versioned_docs/version-2.22/workflows/verify-cli.md deleted file mode 100644 index e33569d37..000000000 --- a/docs/versioned_docs/version-2.22/workflows/verify-cli.md +++ /dev/null 
@@ -1,129 +0,0 @@ -# Verify the CLI - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/cosign/signing/overview/), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at `https://rekor.sigstore.dev`. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). -::: - -The Rekor transparency log is a public append-only ledger that verifies and records signatures and associated metadata. The Rekor transparency log enables everyone to observe the sequence of (software) signatures issued by Edgeless Systems and many other parties. The transparency log allows for the public identification of dubious or malicious signatures. - -You should always ensure that (1) your CLI executable was signed with the private key corresponding to the above public key and that (2) there is a corresponding entry in the Rekor transparency log. Both can be done as described in the following. - -:::info -You don't need to verify the Constellation node images. This is done automatically by your CLI and the rest of Constellation. 
-::: - -## Verify the signature - -:::info -This guide assumes Linux on an amd64 processor. The exact steps for other platforms differ slightly. -::: - -First, [install the Cosign CLI](https://docs.sigstore.dev/cosign/system_config/installation/). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: - -```shell-session -$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -Verified OK -``` - -The above performs an offline verification of the provided public key, signature, and executable. To also verify that a corresponding entry exists in the public Rekor transparency log, add the variable `COSIGN_EXPERIMENTAL=1`: - -```shell-session -$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -tlog entry verified with uuid: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 index: 3477047 -Verified OK -``` - -🏁 You now know that your CLI executable was officially released and signed by Edgeless Systems. - -### Optional: Manually inspect the transparency log - -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) 
- -```shell-session -$ rekor-cli search --artifact constellation-linux-amd64 - -Found matching entries (listed by UUID): -362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -``` - -With this UUID you can get the full entry from the transparency log: - -```shell-session -$ rekor-cli get --uuid=362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 - -LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d -Index: 3477047 -IntegratedTime: 2022-09-12T22:28:16Z -UUID: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -Body: { - "HashedRekordObj": { - "data": { - "hash": { - "algorithm": "sha256", - "value": "40e137b9b9b8204d672642fd1e181c6d5ccb50cfc5cc7fcbb06a8c2c78f44aff" - } - }, - "signature": { - "content": "MEUCIQCSER3mGj+j5Pr2kOXTlCIHQC3gT30I7qkLr9Awt6eUUQIgcLUKRIlY50UN8JGwVeNgkBZyYD8HMxwC/LFRWoMn180=", - "publicKey": { - "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZjhGMWhwbXdFK1lDRlh6akd0YVFjckw2WFpWVApKbUVlNWlTTHZHMVN5UVNBZXc3V2RNS0Y2bzl0OGUyVEZ1Q2t6bE9oaGx3czJPSFdiaUZabkZXQ0Z3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" - } - } - } -} -``` - -The field `publicKey` should contain Edgeless Systems' public key in Base64 encoding. - -You can get an exhaustive list of artifact signatures issued by Edgeless Systems via the following command: - -```bash -rekor-cli search --public-key https://edgeless.systems/es.pub --pki-format x509 -``` - -Edgeless Systems monitors this list to detect potential unauthorized use of its private key. - -## Verify the provenance - -Provenance attests that a software artifact was produced by a specific repository and build system invocation. For more information on provenance visit [slsa.dev](https://slsa.dev/provenance/v0.2) and learn about the [adoption of SLSA for Constellation](../reference/slsa.md). 
- -Just as checking its signature proves that the CLI hasn't been manipulated, checking the provenance proves that the artifact was produced by the expected build process and hasn't been tampered with. - -To verify the provenance, first install the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Then make sure you have the provenance file (`constellation.intoto.jsonl`) and Constellation CLI downloaded. Both are available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). - -:::info -The same provenance file is valid for all Constellation CLI executables of a given version independent of the target platform. -::: - -Use the verifier to perform the check: - -```shell-session -$ slsa-verifier verify-artifact constellation-linux-amd64 \ - --provenance-path constellation.intoto.jsonl \ - --source-uri github.com/edgelesssys/constellation - -Verified signature against tlog entry index 7771317 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77af2c04c8b4ae0d5bc5... -Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2 at commit 18e9924b416323c37b9cdfd6cc728de8a947424a -PASSED: Verified SLSA provenance -``` diff --git a/docs/versioned_docs/version-2.22/workflows/verify-cluster.md b/docs/versioned_docs/version-2.22/workflows/verify-cluster.md deleted file mode 100644 index b6595ebf2..000000000 --- a/docs/versioned_docs/version-2.22/workflows/verify-cluster.md +++ /dev/null 
@@ -1,97 +0,0 @@ -# Verify your cluster - -Constellation's [attestation feature](../architecture/attestation.md) allows you, or a third party, to verify the integrity and confidentiality of your Constellation cluster. - -## Fetch measurements - -To verify the integrity of Constellation you need trusted measurements to verify against. For each node image released by Edgeless Systems, there are signed measurements, which you can download using the CLI: - -```bash -constellation config fetch-measurements -``` - -This command performs the following steps: - -1. Download the signed measurements for the configured image. By default, this will use Edgeless Systems' public measurement registry. -2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub). -3. Write measurements into configuration file. - -The configuration file then contains a list of `measurements` similar to the following: - -```yaml -# ... -measurements: - 0: - expected: "0f35c214608d93c7a6e68ae7359b4a8be5a0e99eea9107ece427c4dea4e439cf" - warnOnly: false - 4: - expected: "02c7a67c01ec70ffaf23d73a12f749ab150a8ac6dc529bda2fe1096a98bf42ea" - warnOnly: false - 5: - expected: "e6949026b72e5045706cd1318889b3874480f7a3f7c5c590912391a2d15e6975" - warnOnly: true - 8: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 9: - expected: "f0a6e8601b00e2fdc57195686cd4ef45eb43a556ac1209b8e25d993213d68384" - warnOnly: false - 11: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 12: - expected: "da99eb6cf7c7fbb692067c87fd5ca0b7117dc293578e4fea41f95d3d3d6af5e2" - warnOnly: false - 13: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 14: - expected: "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" - warnOnly: true - 15: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - 
warnOnly: false -# ... -``` - -Each entry specifies the expected value of the Constellation node, and whether the measurement should be enforced (`warnOnly: false`), or only a warning should be logged (`warnOnly: true`). -By default, the subset of the [available measurements](../architecture/attestation.md#runtime-measurements) that can be locally reproduced and verified is enforced. - -During attestation, the validating side (CLI or [join service](../architecture/microservices.md#joinservice)) compares each measurement reported by the issuing side (first node or joining node) individually. -For mismatching measurements that have set `warnOnly` to `true` only a warning is emitted. -For mismatching measurements that have set `warnOnly` to `false` an error is emitted and attestation fails. -If attestation fails for a new node, it isn't permitted to join the cluster. - -## The *verify* command - -:::note -The steps below are purely optional. They're automatically executed by `constellation apply` when you initialize your cluster. The `constellation verify` command mostly has an illustrative purpose. -::: - -The `verify` command obtains and verifies an attestation statement from a running Constellation cluster. - -```bash -constellation verify [--cluster-id ...] -``` - -From the attestation statement, the command verifies the following properties: - -* The cluster is using the correct Confidential VM (CVM) type. -* Inside the CVMs, the correct node images are running. The node images are identified through the measurements obtained in the previous step. -* The unique ID of the cluster matches the one from your `constellation-state.yaml` file or passed in via `--cluster-id`. - -Once the above properties are verified, you know that you are talking to the right Constellation cluster and it's in a good and trustworthy shape. - -### Custom arguments - -The `verify` command also allows you to verify any Constellation deployment that you have network access to. 
For this you need the following: - -* The IP address of a running Constellation cluster's [VerificationService](../architecture/microservices.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`. -* The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details. -* A `constellation-conf.yaml` file with the expected measurements of the cluster in your working directory. - -For example: - -```shell-session -constellation verify -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ= -``` diff --git a/docs/versioned_docs/version-2.23/_media/SLSA-Badge-full-level3.svg b/docs/versioned_docs/version-2.23/_media/SLSA-Badge-full-level3.svg deleted file mode 100644 index 7154d4a13..000000000 --- a/docs/versioned_docs/version-2.23/_media/SLSA-Badge-full-level3.svg +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_bw.png b/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_bw.png deleted file mode 100644 index a82ebe2d0..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_bw.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_iops.png b/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_iops.png deleted file mode 100644 index 1723257a8..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_fio_azure_iops.png and /dev/null differ 
diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_bw.png b/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_bw.png
deleted file mode 100644
index 4f0ecc94b..000000000
Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_bw.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_iops.png b/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_iops.png
deleted file mode 100644
index 571086da2..000000000
Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_fio_gcp_iops.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_azure.png b/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_azure.png
deleted file mode 100644
index 9130349c7..000000000
Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_azure.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_gcp.png b/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_gcp.png
deleted file mode 100644
index a41557e96..000000000
Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2p_gcp.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_azure.png b/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_azure.png
deleted file mode 100644
index d83e17f5a..000000000
Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_azure.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_gcp.png b/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_gcp.png
deleted file mode 100644
index 55916a1de..000000000
Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_net_p2svc_gcp.png and /dev/null differ
diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/max_latency.png b/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/max_latency.png deleted file mode 100644 index 696250181..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/max_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/mean_latency.png b/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/mean_latency.png deleted file mode 100644 index 3b43298ac..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/mean_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/min_latency.png b/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/min_latency.png deleted file mode 100644 index 1046df67e..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/min_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/p99_latency.png b/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/p99_latency.png deleted file mode 100644 index 0190118b2..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/benchmark_vault/5replicas/p99_latency.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/concept-constellation.svg b/docs/versioned_docs/version-2.23/_media/concept-constellation.svg deleted file mode 100644 index 30d32bf6d..000000000 --- a/docs/versioned_docs/version-2.23/_media/concept-constellation.svg +++ /dev/null @@ -1,460 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.23/_media/concept-managed.svg b/docs/versioned_docs/version-2.23/_media/concept-managed.svg deleted file mode 100644 index 5645a608f..000000000 --- a/docs/versioned_docs/version-2.23/_media/concept-managed.svg +++ /dev/null @@ -1,591 +0,0 @@ - - 
diff --git a/docs/versioned_docs/version-2.23/_media/constellation_oneline.svg b/docs/versioned_docs/version-2.23/_media/constellation_oneline.svg deleted file mode 100644 index 4e354958a..000000000 --- a/docs/versioned_docs/version-2.23/_media/constellation_oneline.svg +++ /dev/null @@ -1,52 +0,0 @@ - - - - - - - - diff --git a/docs/versioned_docs/version-2.23/_media/example-emojivoto.jpg b/docs/versioned_docs/version-2.23/_media/example-emojivoto.jpg deleted file mode 100644 index 4be0d5b26..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/example-emojivoto.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/example-online-boutique.jpg b/docs/versioned_docs/version-2.23/_media/example-online-boutique.jpg deleted file mode 100644 index 026f0d865..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/example-online-boutique.jpg and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/recovery-gcp-serial-console-link.png b/docs/versioned_docs/version-2.23/_media/recovery-gcp-serial-console-link.png deleted file mode 100644 index eb67f0e99..000000000 Binary files a/docs/versioned_docs/version-2.23/_media/recovery-gcp-serial-console-link.png and /dev/null differ diff --git a/docs/versioned_docs/version-2.23/_media/tcb.svg b/docs/versioned_docs/version-2.23/_media/tcb.svg deleted file mode 100644 index e5bcb5b95..000000000 --- a/docs/versioned_docs/version-2.23/_media/tcb.svg +++ /dev/null @@ -1,535 +0,0 @@ - - diff --git a/docs/versioned_docs/version-2.23/architecture/attestation.md b/docs/versioned_docs/version-2.23/architecture/attestation.md deleted file mode 100644 index 9bd157460..000000000 --- a/docs/versioned_docs/version-2.23/architecture/attestation.md +++ /dev/null 
@@ -1,409 +0,0 @@ -# Attestation - -This page explains Constellation's attestation process and highlights the cornerstones of its trust model. - -## Terms - -The following lists terms and concepts that help to understand the attestation concept of Constellation. - -### Trusted Platform Module (TPM) - -A TPM chip is a dedicated tamper-resistant crypto-processor. -It can securely store artifacts such as passwords, certificates, encryption keys, or *runtime measurements* (more on this below). -When a TPM is implemented in software, it's typically called a *virtual* TPM (vTPM). - -### Runtime measurement - -A runtime measurement is a cryptographic hash of the memory pages of a so called *runtime component*. Runtime components of interest typically include a system's bootloader or OS kernel. - -### Platform Configuration Register (PCR) - -A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. -To store a new value in a PCR, the existing value is extended with a new value as follows: - -``` -PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend ) -``` - -The PCRs are typically used to store runtime measurements. -The new value of a PCR is always an extension of the existing value. -Thus, storing the measurements of multiple components into the same PCR irreversibly links them together. - -### Measured boot - -Measured boot builds on the concept of chained runtime measurements. -Each component in the boot chain loads and measures the next component into the PCR before executing it. -By comparing the resulting PCR values against trusted reference values, the integrity of the entire boot chain and thereby the running system can be ensured. - -### Remote attestation (RA) - -Remote attestation is the process of verifying certain properties of an application or platform, such as integrity and confidentiality, from a remote location. 
-In the case of a measured boot, the goal is to obtain a signed attestation statement on the PCR values of the boot measurements. -The statement can then be verified and compared to a set of trusted reference values. -This way, the integrity of the platform can be ensured before sharing secrets with it. - -### Confidential virtual machine (CVM) - -Confidential computing (CC) is the protection of data in-use with hardware-based trusted execution environments (TEEs). -With CVMs, TEEs encapsulate entire virtual machines and isolate them against the hypervisor, other VMs, and direct memory access. -After loading the initial VM image into encrypted memory, the hypervisor calls for a secure processor to measure these initial memory pages. -The secure processor locks these pages and generates an attestation report on the initial page measurements. -CVM memory pages are encrypted with a key that resides inside the secure processor, which makes sure only the guest VM can access them. -The attestation report is signed by the secure processor and can be verified using remote attestation via the certificate authority of the hardware vendor. -Such an attestation statement guarantees the confidentiality and integrity of a CVM. - -### Attested TLS (aTLS) - -In a CC environment, attested TLS (aTLS) can be used to establish secure connections between two parties using the remote attestation features of the CC components. - -aTLS modifies the TLS handshake by embedding an attestation statement into the TLS certificate. -Instead of relying on a certificate authority, aTLS uses this attestation statement to establish trust in the certificate. - -The protocol can be used by clients to verify a server certificate, by a server to verify a client certificate, or for mutual verification (mutual aTLS). - -## Overview - -The challenge for Constellation is to lift a CVM's attestation statement to the Kubernetes software layer and make it end-to-end verifiable. 
-From there, Constellation needs to expand the attestation from a single CVM to the entire cluster. - -The [*JoinService*](microservices.md#joinservice) and [*VerificationService*](microservices.md#verificationservice) are where all runs together. -Internally, the *JoinService* uses remote attestation to securely join CVM nodes to the cluster. -Externally, the *VerificationService* provides an attestation statement for the cluster's CVMs and configuration. - -The following explains the details of both steps. - -## Node attestation - -The idea is that Constellation nodes should have verifiable integrity from the CVM hardware measurement up to the Kubernetes software layer. -The solution is a verifiable boot chain and an integrity-protected runtime environment. - -Constellation uses measured boot within CVMs, measuring each component in the boot process before executing it. -Outside of CC, this is usually implemented via TPMs. -CVM technologies differ in how they implement runtime measurements, but the general concepts are similar to those of a TPM. -For simplicity, TPM terminology like *PCR* is used in the following. - -When a Constellation node image boots inside a CVM, measured boot is used for all stages and components of the boot chain. -This process goes up to the root filesystem. -The root filesystem is mounted read-only with integrity protection. -For the details on the image and boot stages see the [image architecture](../architecture/images.md) documentation. -Any changes to the image will inevitably also change the corresponding PCR values. -To create a node attestation statement, the Constellation image obtains a CVM attestation statement from the hardware. -This includes the runtime measurements and thereby binds the measured boot results to the CVM hardware measurement. - -In addition to the image measurements, Constellation extends a PCR during the [initialization phase](../workflows/create.md) that irrevocably marks the node as initialized. 
-The measurement is created using the [*clusterID*](../architecture/keys.md#cluster-identity), tying all future attestation statements to this ID. -Thereby, an attestation statement is unique for every cluster and a node can be identified unambiguously as being initialized. - -To verify an attestation, the hardware's signature and a statement are verified first to establish trust in the contained runtime measurements. -If successful, the measurements are verified against the trusted values of the particular Constellation release version. -Finally, the measurement of the *clusterID* can be compared by calculating it with the [master secret](keys.md#master-secret). - -### Runtime measurements - -Constellation uses runtime measurements to implement the measured boot approach. -As stated above, the underlying hardware technology and guest firmware differ in their implementations of runtime measurements. -The following gives a detailed description of the available measurements in the different cloud environments. - -The runtime measurements consist of two types of values: - -* **Measurements produced by the cloud infrastructure and firmware of the CVM**: -These are measurements of closed-source firmware and other values controlled by the cloud provider. -While not being reproducible for the user, some of them can be compared against previously observed values. -Others may change frequently and aren't suitable for verification. -The [signed image measurements](#chain-of-trust) include measurements that are known, previously observed values. - -* **Measurements produced by the Constellation bootloader and boot chain**: -The Constellation Bootloader takes over from the CVM firmware and [measures the rest of the boot chain](images.md). -The Constellation [Bootstrapper](microservices.md#bootstrapper) is the first user mode component that runs in a Constellation image. 
-It extends PCR registers with the [IDs](keys.md#cluster-identity) of the cluster marking a node as initialized. - -Constellation allows to specify in the config which measurements should be enforced during the attestation process. -Enforcing non-reproducible measurements controlled by the cloud provider means that changes in these values require manual updates to the cluster's config. -By default, Constellation only enforces measurements that are stable values produced by the infrastructure or by Constellation directly. - - - - -Constellation uses the [vTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) (NitroTPM) feature of the [AWS Nitro System](http://aws.amazon.com/ec2/nitro/) on AWS for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | AWS | No | -| 1 | Firmware | AWS | No | -| 2 | Firmware | AWS | No | -| 3 | Firmware | AWS | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | AWS, Constellation Bootloader | Yes | -| 5 | Firmware | AWS | No | -| 6 | Firmware | AWS | No | -| 7 | Secure Boot Policy | AWS, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm) feature of Azure CVMs for runtime measurements. -This vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [measured boot](https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation#measured-boot) verification that's based on the trusted launch feature of [Trusted Launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | Azure | No | -| 1 | Firmware | Azure | No | -| 2 | Firmware | Azure | No | -| 3 | Firmware | Azure | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | Azure, Constellation Bootloader | Yes | -| 5 | Reserved | Azure | No | -| 6 | VM Unique ID | Azure | No | -| 7 | Secure Boot State | Azure, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses the [vTPM](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) feature of CVMs on GCP for runtime measurements. -Note that this vTPM doesn't run inside the hardware-protected CVM context, but is emulated by the hypervisor. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -It provides a [launch attestation report](https://cloud.google.com/compute/confidential-vm/docs/monitoring#about_launch_attestation_report_events) that's based on the measured boot feature of [Shielded VMs](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#measured-boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. 
-The latter means that the value can be generated offline and compared to the one in the vTPM. - -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | CVM version and technology | GCP | No | -| 1 | Firmware | GCP | No | -| 2 | Firmware | GCP | No | -| 3 | Firmware | GCP | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | GCP, Constellation Bootloader | Yes | -| 5 | Disk GUID partition table | GCP | No | -| 6 | Disk GUID partition table | GCP | No | -| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -Constellation uses a hypervisor-based vTPM for runtime measurements. - -The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. -The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). - -The following table lists all PCR values of the vTPM and the measured components. -It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. -The latter means that the value can be generated offline and compared to the one in the vTPM. 
- -| PCR | Components | Measured by | Reproducible and verifiable | -| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | -| 0 | Firmware | STACKIT | No | -| 1 | Firmware | STACKIT | No | -| 2 | Firmware | STACKIT | No | -| 3 | Firmware | STACKIT | No | -| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | STACKIT, Constellation Bootloader | Yes | -| 5 | Firmware | STACKIT | No | -| 6 | Firmware | STACKIT | No | -| 7 | Secure Boot Policy | STACKIT, Constellation Bootloader | No | -| 8 | - | - | - | -| 9 | initramfs, Kernel command line | Linux Kernel | Yes | -| 10 | User space | Linux IMA | No[^1] | -| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | -| 12 | Reserved | (User space, Constellation Bootloader) | Yes | -| 13 | Reserved | (Constellation Bootloader) | Yes | -| 14 | Secure Boot State | Constellation Bootloader | No | -| 15 | ClusterID | Constellation Bootstrapper | Yes | -| 16–23 | Unused | - | - | - - - - -### CVM verification - -To verify the integrity of the received attestation statement, a chain of trust from the CVM technology to the interface providing the statement has to be established. -For verification of the CVM technology, Constellation may expose additional options in its config file. - - - - -On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. 
- -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On Azure, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the vTPM running inside the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. - Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* Firmware Signer - - This config option allows you to specify how the firmware signer should be verified. - More explicitly, it controls the verification of the `IDKeyDigest` value in the SEV-SNP attestation report. - You can provide a list of accepted key digests and specify a policy on how this list is compared against the reported `IDKeyDigest`. - - - - -On GCP, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM. -You may customize certain parameters for verification of the attestation statement using the Constellation config file. - -* TCB versions - - You can set the minimum version numbers of components in the SEV-SNP TCB. - Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. 
- Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. - -* AMD Root Key Certificate - - This certificate is the root of trust for verifying the SEV-SNP certificate chain. - -* AMD Signing Key Certificate - - This is the intermediate certificate for verifying the SEV-SNP report's signature. - If it's not specified, the CLI fetches it from the AMD key distribution server. - - - - -On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs. -The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements). -There is no additional configuration available for STACKIT. - - - - -## Cluster attestation - -Cluster-facing, Constellation's [*JoinService*](microservices.md#joinservice) verifies each node joining the cluster given the configured ground truth runtime measurements. -User-facing, the [*VerificationService*](microservices.md#verificationservice) provides an interface to verify a node using remote attestation. -By verifying the first node during the [initialization](microservices.md#bootstrapper) and configuring the ground truth measurements that are subsequently enforced by the *JoinService*, the whole cluster is verified in a transitive way. - -### Cluster-facing attestation - -The *JoinService* is provided with the runtime measurements of the whitelisted Constellation image version as the ground truth. -During the initialization and the cluster bootstrapping, each node connects to the *JoinService* using [aTLS](#attested-tls-atls). -During the handshake, the node transmits an attestation statement including its runtime measurements. -The *JoinService* verifies that statement and compares the measurements against the ground truth. -For details of the initialization process check the [microservice descriptions](microservices.md). 
- -After the initialization, every node updates its runtime measurements with the *clusterID* value, marking it irreversibly as initialized. -When an initialized node tries to join another cluster, its measurements inevitably mismatch the measurements of an uninitialized node and it will be declined. - -### User-facing attestation - -The [*VerificationService*](microservices.md#verificationservice) provides an endpoint for obtaining its hardware-based remote attestation statement, which includes the runtime measurements. -A user can [verify](../workflows/verify-cluster.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy. - -## Putting it all together - -This section puts the aforementioned concepts together and illustrate how trust into a Constellation cluster is established and maintained. - -### CLI and node images - -It all starts with the CLI executable. The CLI is signed by Edgeless Systems. To ensure non-repudiability for CLI releases, Edgeless Systems publishes corresponding signatures to the public ledger of the [sigstore project](https://www.sigstore.dev/). There's a [step-by-step guide](../workflows/verify-cli.md) on how to verify CLI signatures based on sigstore. - -The CLI contains the latest runtime measurements of the Constellation node image for all supported cloud platforms. In case a different version of the node image is to be used, the corresponding runtime measurements can be fetched using the CLI's [fetch-measurements command](../reference/cli.md#constellation-config-fetch-measurements). This command downloads the runtime measurements and the corresponding signature from cdn.confidential.cloud. 
See for example the following files corresponding to node image v2.16.3: - -* [Measurements](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json) -* [Signature](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json.sig) - -The CLI contains the long-term public key of Edgeless Systems to verify the signature of downloaded runtime measurements. - -### Cluster creation - -When a cluster is [created](../workflows/create.md), the CLI automatically verifies the runtime measurements of the *first node* using remote attestation. Based on this, the CLI and the first node set up a temporary TLS connection. This [aTLS](#attested-tls-atls) connection is used for two things: - -1. The CLI sends the [master secret](../architecture/keys.md#master-secret) of the to-be-created cluster to the CLI. The master secret is generated by the first node. -2. The first node sends a [kubeconfig file](https://www.redhat.com/sysadmin/kubeconfig) with Kubernetes credentials to the CLI. - -After this, the aTLS connection is closed and the first node bootstraps the Kubernetes cluster. All subsequent interactions between the CLI and the cluster go via the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/) server running inside the cluster. The CLI (and other tools like kubectl) use the credentials referenced by the kubeconfig file to authenticate themselves towards the Kubernetes API server and to establish a mTLS connection. - -The CLI connects to the Kubernetes API to write the runtime measurements for the applicable node image to etcd. The JoinService uses these runtime measurements to verify all nodes that join the cluster subsequently. - -### Chain of trust - -In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the cluster via the CLI. This is illustrated in the following diagram. 
- -```mermaid -flowchart LR - A[User]-- "verifies" -->B[CLI] - B[CLI]-- "verifies" -->C([Runtime measurements]) - D[Edgeless Systems]-- "signs" -->B[CLI] - D[Edgeless Systems]-- "signs" -->C([Runtime measurements]) - B[CLI]-- "verifies (remote attestation)" -->E[First node] - E[First node]-- "verifies (remote attestation)" -->F[Other nodes] - C([Runtime measurements]) -.-> E[First node] - C([Runtime measurements]) -.-> F[Other nodes] -``` - -### Upgrades - -Whenever a cluster is [upgraded](../workflows/upgrade.md) to a new version of the node image, the CLI sends the corresponding runtime measurements via the Kubernetes API server. The new runtime measurements are stored in etcd within the cluster and replace any previous runtime measurements. The new runtime measurements are then used automatically by the JoinService for the verification of new nodes. - -## References - -[^1]: Linux IMA produces runtime measurements of user-space binaries. -However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value. -Instead, a policy engine must be used to verify the TPM event log against a policy.
diff --git a/docs/versioned_docs/version-2.23/architecture/encrypted-storage.md b/docs/versioned_docs/version-2.23/architecture/encrypted-storage.md
deleted file mode 100644
index f047fa4a9..000000000
--- a/docs/versioned_docs/version-2.23/architecture/encrypted-storage.md
+++ /dev/null
@@ -1,62 +0,0 @@ -# Encrypted persistent storage - -Confidential VMs provide runtime memory encryption to protect data in use. -In the context of Kubernetes, this is sufficient for the confidentiality and integrity of stateless services. -Consider a front-end web server, for example, that keeps all connection information cached in main memory. -No sensitive data is ever written to an insecure medium. -However, many real-world applications need some form of state or data-lake service that's connected to a persistent storage device and requires encryption at rest. -As described in [Use persistent storage](../workflows/storage.md), cloud service providers (CSPs) use the container storage interface (CSI) to make their storage solutions available to Kubernetes workloads. -These CSI storage solutions often support some sort of encryption. -For example, Google Cloud [encrypts data at rest by default](https://cloud.google.com/security/encryption/default-encryption), without any action required by the customer. - -## Cloud provider-managed encryption - -CSP-managed storage solutions encrypt the data in the cloud backend before writing it physically to disk. -In the context of confidential computing and Constellation, the CSP and its managed services aren't trusted. -Hence, cloud provider-managed encryption protects your data from offline hardware access to physical storage devices. -It doesn't protect it from anyone with infrastructure-level access to the storage backend or a malicious insider in the cloud platform. -Even with "bring your own key" or similar concepts, the CSP performs the encryption process with access to the keys and plaintext data. - -In the security model of Constellation, securing persistent storage and thereby data at rest requires that all cryptographic operations are performed inside a trusted execution environment. -Consequently, using CSP-managed encryption of persistent storage usually isn't an option. 
- -## Constellation-managed encryption - -Constellation provides CSI drivers for storage solutions in all major clouds with built-in encryption support. -Block storage provisioned by the CSP is [mapped](https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html) using the [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html), and optionally the [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html), kernel modules, before it's formatted and accessed by the Kubernetes workloads. -All cryptographic operations happen inside the trusted environment of the confidential Constellation node. - -Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported. - -By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](microservices.md#keyservice). -The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret). -This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator. - -Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs. - -Refer to [keys and cryptography](keys.md) for more details on key management in Constellation. - -Once deployed and configured, the CSI driver ensures transparent encryption and integrity of all persistent volumes provisioned via its storage class. -Data at rest is secured without any additional actions required by the developer. - -## Cryptographic algorithms - -This section gives an overview of the libraries, cryptographic algorithms, and their configurations, used in Constellation's CSI drivers. 
- -### dm-crypt - -To interact with the dm-crypt kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/). -New devices are formatted as [LUKS2](https://gitlab.com/cryptsetup/LUKS2-docs/-/tree/master) partitions with a sector size of 4096 bytes. -The used key derivation function is [Argon2id](https://datatracker.ietf.org/doc/html/rfc9106) with the [recommended parameters for memory-constrained environments](https://datatracker.ietf.org/doc/html/rfc9106#section-7.4) of 3 iterations and 64 MiB of memory, utilizing 4 parallel threads. -For encryption Constellation uses AES in XTS-Plain64. The key size is 512 bit. - -### dm-integrity - -To interact with the dm-integrity kernel module, Constellation uses [libcryptsetup](https://gitlab.com/cryptsetup/cryptsetup/). -When enabled, the used data integrity algorithm is [HMAC](https://datatracker.ietf.org/doc/html/rfc2104) with SHA256 as the hash function. -The tag size is 32 Bytes. - -## Encrypted S3 object storage - -Constellation comes with a service that you can use to transparently retrofit client-side encryption to existing applications that use S3 (AWS or compatible) for storage. -To learn more, check out the [s3proxy documentation](../workflows/s3proxy.md).
diff --git a/docs/versioned_docs/version-2.23/architecture/images.md b/docs/versioned_docs/version-2.23/architecture/images.md
deleted file mode 100644
index 8a9c51d36..000000000
--- a/docs/versioned_docs/version-2.23/architecture/images.md
+++ /dev/null
@@ -1,49 +0,0 @@ -# Constellation images - -Constellation uses a minimal version of Fedora as the operating system running inside confidential VMs. This Linux distribution is optimized for containers and designed to be stateless. -The Constellation images provide measured boot and an immutable filesystem. - -## Measured boot - -```mermaid -flowchart LR - Firmware --> Bootloader - Bootloader --> uki - subgraph uki[Unified Kernel Image] - Kernel[Kernel] - initramfs[Initramfs] - cmdline[Kernel Command Line] - end - uki --> rootfs[Root Filesystem] -``` - -Measured boot uses a Trusted Platform Module (TPM) to measure every part of the boot process. This allows for verification of the integrity of a running system at any point in time. To ensure correct measurements of every stage, each stage is responsible to measure the next stage before transitioning. - -### Firmware - -With confidential VMs, the firmware is the root of trust and is measured automatically at boot. After initialization, the firmware will load and measure the bootloader before executing it. - -### Bootloader - -The bootloader is the first modifiable part of the boot chain. The bootloader is tasked with loading the kernel, initramfs and setting the kernel command line. The Constellation bootloader measures these components before starting the kernel. - -### initramfs - -The initramfs is a small filesystem loaded to prepare the actual root filesystem. The Constellation initramfs maps the block device containing the root filesystem with [dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html). The initramfs then mounts the root filesystem from the mapped block device. - -dm-verity provides integrity checking using a cryptographic hash tree. When a block is read, its integrity is checked by verifying the tree against a trusted root hash. The initramfs reads this root hash from the previously measured kernel command line. 
Thus, if any block of the root filesystem's device is modified on disk, trying to read the modified block will result in a kernel panic at runtime.
-
-After mounting the root filesystem, the initramfs will switch over and start the `init` process of the integrity-protected root filesystem.
-
-## State disk
-
-In addition to the read-only root filesystem, each Constellation node has a disk for storing state data.
-This disk is mounted readable and writable by the initramfs and contains data that should persist across reboots.
-Such data can contain sensitive information and, therefore, must be stored securely.
-To that end, the state disk is protected by authenticated encryption.
-See the section on [keys and encryption](keys.md#storage-encryption) for more information on the cryptographic primitives in use.
-
-## Kubernetes components
-
-During initialization, the [*Bootstrapper*](microservices.md#bootstrapper) downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) as configured by the user.
-They're stored on the state partition and can be updated once new releases need to be installed.
diff --git a/docs/versioned_docs/version-2.23/architecture/keys.md b/docs/versioned_docs/version-2.23/architecture/keys.md
deleted file mode 100644
index 49821cd0b..000000000
--- a/docs/versioned_docs/version-2.23/architecture/keys.md
+++ /dev/null
@@ -1,130 +0,0 @@
-# Key management and cryptographic primitives
-
-Constellation protects and isolates your cluster and workloads.
-To that end, cryptography is the foundation that ensures the confidentiality and integrity of all components.
-Evaluating the security and compliance of Constellation requires a precise understanding of the cryptographic primitives and keys used.
-The following gives an overview of the architecture and explains the technical details.
-
-## Confidential VMs
-
-Confidential VM (CVM) technology comes with hardware and software components for memory encryption, isolation, and remote attestation.
-For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories.
-
-## Master secret
-
-The master secret is the cryptographic material used for deriving the [*clusterID*](#cluster-identity) and the *key encryption key (KEK)* for [storage encryption](#storage-encryption).
-It's generated during the bootstrapping of a Constellation cluster.
-It can either be managed by [Constellation](#constellation-managed-key-management) or an [external key management system](#user-managed-key-management).
-In case of [recovery](#recovery-and-migration), the master secret allows to decrypt the state and recover a Constellation cluster.
-
-## Cluster identity
-
-The identity of a Constellation cluster is represented by cryptographic [measurements](attestation.md#runtime-measurements):
-
-The **base measurements** represent the identity of a valid, uninitialized Constellation node.
-They depend on the node image, but are otherwise the same for every Constellation cluster.
-On node boot, they're determined using the CVM's attestation mechanism and [measured boot up to the read-only root filesystem](images.md).
-
-The **clusterID** represents the identity of a single initialized Constellation cluster.
-It's derived from the master secret and a cryptographically random salt and unique for every Constellation cluster.
-The [Bootstrapper](microservices.md#bootstrapper) measures the *clusterID* into its own PCR before executing any code not measured as part of the *base measurements*.
-See [Node attestation](attestation.md#node-attestation) for details.
-
-The remote attestation statement of a Constellation cluster combines the *base measurements* and the *clusterID* for a verifiable, unspoofable, unique identity.
-
-## Network encryption
-
-Constellation encrypts all cluster network communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-See [network encryption](networking.md) for more details.
-
-The Cilium agent running on each node establishes a secure [WireGuard](https://www.wireguard.com/) tunnel between it and all other known nodes in the cluster.
-Each node creates its own [Curve25519](http://cr.yp.to/ecdh.html) encryption key pair and distributes its public key via Kubernetes.
-A node uses another node's public key to decrypt and encrypt traffic from and to Cilium-managed endpoints running on that node.
-Connections are always encrypted peer-to-peer using [ChaCha20](http://cr.yp.to/chacha.html) with [Poly1305](http://cr.yp.to/mac.html).
-WireGuard implements [forward secrecy with key rotation every 2 minutes](https://lists.zx2c4.com/pipermail/wireguard/2017-December/002141.html).
-
-## Storage encryption
-
-Constellation supports transparent encryption of persistent storage.
-The Linux kernel's device mapper-based encryption features are used to encrypt the data on the block storage level.
-Currently, the following primitives are used for block storage encryption:
-
-* [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html)
-* [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html)
-
-Adding primitives for integrity protection in the CVM attacker model are under active development and will be available in a future version of Constellation.
-See [encrypted storage](encrypted-storage.md) for more details.
-
-As a cluster administrator, when creating a cluster, you can use the Constellation [installation program](orchestration.md) to select one of the following methods for key management:
-
-* Constellation-managed key management
-* User-managed key management
-
-### Constellation-managed key management
-
-#### Key material and key derivation
-
-During the creation of a Constellation cluster, the cluster's master secret is used to derive a KEK.
-This means creating two clusters with the same master secret will yield the same KEK.
-Any data encryption key (DEK) is derived from the KEK via HKDF.
-Note that the master secret is recommended to be unique for every cluster and shouldn't be reused (except in case of [recovering](../workflows/recovery.md) a cluster).
-
-#### State and storage
-
-The KEK is derived from the master secret during the initialization.
-Subsequently, all other key material is derived from the KEK.
-Given the same KEK, any DEK can be derived deterministically from a given identifier.
-Hence, there is no need to store DEKs. They can be derived on demand.
-After the KEK was derived, it's stored in memory only and never leaves the CVM context.
-
-#### Availability
-
-Constellation-managed key management has the same availability as the underlying Kubernetes cluster.
-Therefore, the KEK is stored in the [distributed Kubernetes etcd storage](https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/) to allow for unexpected but non-fatal (control-plane) node failure.
-The etcd storage is backed by the encrypted and integrity protected [state disk](images.md#state-disk) of the nodes.
-
-#### Recovery
-
-Constellation clusters can be recovered in the event of a disaster, even when all node machines have been stopped and need to be rebooted.
-For details on the process see the [recovery workflow](../workflows/recovery.md).
-
-### User-managed key management
-
-User-managed key management is under active development and will be available soon.
-In scenarios where constellation-managed key management isn't an option, this mode allows you to keep full control of your keys.
-For example, compliance requirements may force you to keep your KEKs in an on-prem key management system (KMS).
-
-During the creation of a Constellation cluster, you specify a KEK present in a remote KMS.
-This follows the common scheme of "bring your own key" (BYOK).
-Constellation will support several KMSs for managing the storage and access of your KEK.
-Initially, it will support the following KMSs:
-
-* [AWS KMS](https://aws.amazon.com/kms/)
-* [GCP KMS](https://cloud.google.com/security-key-management)
-* [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview)
-* [KMIP-compatible KMS](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
-
-Storing the keys in Cloud KMS of AWS, Azure, or GCP binds the key usage to the particular cloud identity access management (IAM).
-In the future, Constellation will support remote attestation-based access policies for Cloud KMS once available.
-Note that using a Cloud KMS limits the isolation and protection to the guarantees of the particular offering.
-
-KMIP support allows you to use your KMIP-compatible on-prem KMS and keep full control over your keys.
-This follows the common scheme of "hold your own key" (HYOK).
-
-The KEK is used to encrypt per-data "data encryption keys" (DEKs).
-DEKs are generated to encrypt your data before storing it on persistent storage.
-After being encrypted by the KEK, the DEKs are stored on dedicated cloud storage for persistence.
-Currently, Constellation supports the following cloud storage options:
-
-* [AWS S3](https://aws.amazon.com/s3/)
-* [GCP Cloud Storage](https://cloud.google.com/storage)
-* [Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/blobs/#overview)
-
-The DEKs are only present in plaintext form in the encrypted main memory of the CVMs.
-Similarly, the cryptographic operations for encrypting data before writing it to persistent storage are performed in the context of the CVMs.
-
-#### Recovery and migration
-
-In the case of a disaster, the KEK can be used to decrypt the DEKs locally and subsequently use them to decrypt and retrieve the data.
-In case of migration, configuring the same KEK will provide seamless migration of data.
-Thus, only the DEK storage needs to be transferred to the new cluster alongside the encrypted data for seamless migration.
diff --git a/docs/versioned_docs/version-2.23/architecture/microservices.md b/docs/versioned_docs/version-2.23/architecture/microservices.md
deleted file mode 100644
index 90bae783b..000000000
--- a/docs/versioned_docs/version-2.23/architecture/microservices.md
+++ /dev/null
@@ -1,73 +0,0 @@ -# Microservices - -Constellation takes care of bootstrapping and initializing a Confidential Kubernetes cluster. -During the lifetime of the cluster, it handles day 2 operations such as key management, remote attestation, and updates. -These features are provided by several microservices: - -* The [Bootstrapper](microservices.md#bootstrapper) initializes a Constellation node and bootstraps the cluster -* The [JoinService](microservices.md#joinservice) joins new nodes to an existing cluster -* The [VerificationService](microservices.md#verificationservice) provides remote attestation functionality -* The [KeyService](microservices.md#keyservice) manages Constellation-internal keys - -The relations between microservices are shown in the following diagram: - -```mermaid -flowchart LR - subgraph admin [Admin's machine] - A[Constellation CLI] - end - subgraph img [Constellation OS image] - B[Constellation OS] - C[Bootstrapper] - end - subgraph Kubernetes - D[JoinService] - E[KeyService] - F[VerificationService] - end - A -- deploys --> - B -- starts --> C - C -- deploys --> D - C -- deploys --> E - C -- deploys --> F -``` - -## Bootstrapper - -The *Bootstrapper* is the first microservice launched after booting a Constellation node image. -It sets up that machine as a Kubernetes node and integrates that node into the Kubernetes cluster. -To this end, the *Bootstrapper* first downloads and verifies the [Kubernetes components](https://kubernetes.io/docs/concepts/overview/components/) at the configured versions. -The *Bootstrapper* tries to find an existing cluster and if successful, communicates with the [JoinService](microservices.md#joinservice) to join the node. -Otherwise, it waits for an initialization request to create a new Kubernetes cluster. - -## JoinService - -The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node. 
-New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls).
-The *JoinService* verifies the new node's certificate and attestation statement.
-If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](microservices.md#keyservice) for its state disk, and a Kubernetes bootstrap token.
-
-
-```mermaid
-sequenceDiagram
- participant New node
- participant JoinService
- New node->>JoinService: aTLS handshake (server side verification)
- JoinService-->>New node: #
- New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
- JoinService->>+KeyService: GetDataKey(DiskUUID)
- KeyService-->>-JoinService: DiskEncryptionKey
- JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ...
-```
-
-## VerificationService
-
-The *VerificationService* runs as DaemonSet on each node.
-It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation).
-Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side.
-
-## KeyService
-
-The *KeyService* runs as DaemonSet on each control-plane node.
-It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes.
-Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively.
diff --git a/docs/versioned_docs/version-2.23/architecture/networking.md b/docs/versioned_docs/version-2.23/architecture/networking.md
deleted file mode 100644
index e9cbdf029..000000000
--- a/docs/versioned_docs/version-2.23/architecture/networking.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Network encryption
-
-Constellation encrypts all pod communication using the [container network interface (CNI)](https://github.com/containernetworking/cni).
-To that end, Constellation deploys, configures, and operates the [Cilium](https://cilium.io/) CNI plugin.
-Cilium provides [transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption) for all cluster traffic using either IPSec or [WireGuard](https://www.wireguard.com/).
-Currently, Constellation only supports WireGuard as the encryption engine.
-You can read more about the cryptographic soundness of WireGuard [in their white paper](https://www.wireguard.com/papers/wireguard.pdf).
-
-Cilium is actively working on implementing a feature called [`host-to-host`](https://github.com/cilium/cilium/pull/19401) encryption mode for WireGuard.
-With `host-to-host`, all traffic between nodes will be tunneled via WireGuard (host-to-host, host-to-pod, pod-to-host, pod-to-pod).
-Until the `host-to-host` feature is released, Constellation enables `pod-to-pod` encryption.
-This mode encrypts all traffic between Kubernetes pods using WireGuard tunnels.
-
-When using Cilium in the default setup but with encryption enabled, there is a [known issue](https://docs.cilium.io/en/v1.12/gettingstarted/encryption/#egress-traffic-to-not-yet-discovered-remote-endpoints-may-be-unencrypted)
-that can cause pod-to-pod traffic to be unencrypted.
-To mitigate this issue, Constellation adds a *strict* mode to Cilium's `pod-to-pod` encryption.
-This mode changes the default behavior of traffic that's destined for an unknown endpoint to not be send out in plaintext, but instead being dropped.
-The strict mode distinguishes between traffic that's send to a pod from traffic that's destined for a cluster-external endpoint by considering the pod's CIDR range.
-
-Traffic originating from hosts isn't encrypted yet.
-This mainly includes health checks from Kubernetes API server.
-Also, traffic proxied over the API server via e.g. `kubectl port-forward` isn't encrypted.
diff --git a/docs/versioned_docs/version-2.23/architecture/observability.md b/docs/versioned_docs/version-2.23/architecture/observability.md
deleted file mode 100644
index 0f4daffd4..000000000
--- a/docs/versioned_docs/version-2.23/architecture/observability.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# Observability
-
-In Kubernetes, observability is the ability to gain insight into the behavior and performance of applications.
-It helps identify and resolve issues more effectively, ensuring stability and performance of Kubernetes workloads, reducing downtime and outages, and improving efficiency.
-The "three pillars of observability" are logs, metrics, and traces.
-
-In the context of Confidential Computing, observability is a delicate subject and needs to be applied such that it doesn't leak any sensitive information.
-The following gives an overview of where and how you can apply standard observability tools in Constellation.
-
-## Cloud resource monitoring
-
-While inaccessible, Constellation's nodes are still visible as black box VMs to the hypervisor.
-Resource consumption, such as memory and CPU utilization, can be monitored from the outside and observed via the cloud platforms directly.
-Similarly, other resources, such as storage and network and their respective metrics, are visible via the cloud platform.
-
-## Metrics
-
-Metrics are numeric representations of data measured over intervals of time. They're essential for understanding system health and gaining insights using telemetry signals.
-
-By default, Constellation exposes the [metrics for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/) inside the cluster.
-Similarly, the [etcd metrics](https://etcd.io/docs/v3.5/metrics/) endpoints are exposed inside the cluster.
-These [metrics endpoints can be disabled](https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/#disabling-metrics).
-
-You can collect these cluster-internal metrics via tools such as [Prometheus](https://prometheus.io/) or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-Constellation's CNI Cilium also supports [metrics via Prometheus endpoints](https://docs.cilium.io/en/latest/observability/metrics/).
-However, in Constellation, they're disabled by default and must be enabled first.
-
-## Logs
-
-Logs represent discrete events that usually describe what's happening with your service.
-The payload is an actual message emitted from your system along with a metadata section containing a timestamp, labels, and tracking identifiers.
-
-### System logs
-
-Detailed system-level logs are accessible via `/var/log` and [journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) on the nodes directly.
-They can be collected from there, for example, via [Filebeat and Logstash](https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html), which are tools of the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-In case of an error during the initialization, the CLI automatically collects the [Bootstrapper](./microservices.md#bootstrapper) logs and returns these as a file for [troubleshooting](../workflows/troubleshooting.md). Here is an example of such an event:
-
-```shell-session
-Cluster initialization failed. This error is not recoverable.
-Terminate your cluster and try again.
-Fetched bootstrapper logs are stored in "constellation-cluster.log"
-```
-
-### Kubernetes logs
-
-Constellation supports the [Kubernetes logging architecture](https://kubernetes.io/docs/concepts/cluster-administration/logging/).
-By default, logs are written to the nodes' encrypted state disks.
-These include the Pod and container logs and the [system component logs](https://kubernetes.io/docs/concepts/cluster-administration/logging/#system-component-logs).
-
-[Constellation services](microservices.md) run as Pods inside the `kube-system` namespace and use the standard container logging mechanism.
-The same applies for the [Cilium Pods](https://docs.cilium.io/en/latest/operations/troubleshooting/#logs).
-
-You can collect logs from within the cluster via tools such as [Fluentd](https://github.com/fluent/fluentd), [Loki](https://github.com/grafana/loki), or the [Elastic Stack](https://www.elastic.co/de/elastic-stack/).
-
-## Traces
-
-Modern systems are implemented as interconnected complex and distributed microservices. Understanding request flows and system communications is challenging, mainly because all systems in a chain need to be modified to propagate tracing information. Distributed tracing is a new approach to increasing observability and understanding performance bottlenecks. A trace represents consecutive events that reflect an end-to-end request path in a distributed system.
-
-Constellation supports [traces for Kubernetes system components](https://kubernetes.io/docs/concepts/cluster-administration/system-traces/).
-By default, they're disabled and need to be enabled first.
-
-Similarly, Cilium can be enabled to [export traces](https://cilium.io/use-cases/metrics-export/).
-
-You can collect these traces via tools such as [Jaeger](https://www.jaegertracing.io/) or [Zipkin](https://zipkin.io/).
-
-## Integrations
-
-Platforms and SaaS solutions such as Datadog, logz.io, Dynatrace, or New Relic facilitate the observability challenge for Kubernetes and provide all-in-one SaaS solutions.
-They install agents into the cluster that collect metrics, logs, and tracing information and upload them into the data lake of the platform.
-Technically, the agent-based approach is compatible with Constellation, and attaching these platforms is straightforward.
-However, you need to evaluate if the exported data might violate Constellation's compliance and privacy guarantees by uploading them to a third-party platform.
diff --git a/docs/versioned_docs/version-2.23/architecture/orchestration.md b/docs/versioned_docs/version-2.23/architecture/orchestration.md
deleted file mode 100644
index 3c8d529e7..000000000
--- a/docs/versioned_docs/version-2.23/architecture/orchestration.md
+++ /dev/null
@@ -1,83 +0,0 @@
-# Orchestrating Constellation clusters
-
-You can use the CLI to create a cluster on the supported cloud platforms.
-The CLI provisions the resources in your cloud environment and initiates the initialization of your cluster.
-It uses a set of parameters and an optional configuration file to manage your cluster installation.
-The CLI is also used for updating your cluster.
-
-## Workspaces
-
-Each Constellation cluster has an associated *workspace*.
-The workspace is where data such as the Constellation state and config files are stored.
-Each workspace is associated with a single cluster and configuration.
-The CLI stores state in the local filesystem making the current directory the active workspace.
-Multiple clusters require multiple workspaces, hence, multiple directories.
-Note that every operation on a cluster always has to be performed from the directory associated with its workspace.
-
-You may copy files from the workspace to other locations,
-but you shouldn't move or delete them while the cluster is still being used.
-The Constellation CLI takes care of managing the workspace.
-Only when a cluster was terminated, and you are sure the files aren't needed anymore, should you remove a workspace.
-
-## Cluster creation process
-
-To allow for fine-grained configuration of your cluster and cloud environment, Constellation supports an extensive configuration file with strong defaults. [Generating the configuration file](../workflows/config.md) is typically the first thing you do in the workspace.
-
-Altogether, the following files are generated during the creation of a Constellation cluster and stored in the current workspace:
-
-* a configuration file
-* a state file
-* a Base64-encoded master secret
-* [Terraform artifacts](../reference/terraform.md), stored in subdirectories
-* a Kubernetes `kubeconfig` file.
-
-After the initialization of your cluster, the CLI will provide you with a Kubernetes `kubeconfig` file.
-This file grants you access to your Kubernetes cluster and configures the [kubectl](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) tool.
-In addition, the cluster's [identifier](orchestration.md#post-installation-configuration) is returned and stored in the state file.
-
-### Creation process details
-
-1. The CLI `apply` command first creates the confidential VM (CVM) resources in your cloud environment and configures the network
-2. Each CVM boots the Constellation node image and measures every component in the boot chain
-3. The first microservice launched in each node is the [*Bootstrapper*](microservices.md#bootstrapper)
-4. The *Bootstrapper* waits until it either receives an initialization request or discovers an initialized cluster
-5. The CLI then connects to the *Bootstrapper* of a selected node, sends the configuration, and initiates the initialization of the cluster
-6. The *Bootstrapper* of **that** node [initializes the Kubernetes cluster](microservices.md#bootstrapper) and deploys the other Constellation [microservices](microservices.md) including the [*JoinService*](microservices.md#joinservice)
-7. Subsequently, the *Bootstrappers* of the other nodes discover the initialized cluster and send join requests to the *JoinService*
-8. As part of the join request each node includes an attestation statement of its boot measurements as authentication
-9. The *JoinService* verifies the attestation statements and joins the nodes to the Kubernetes cluster
-10. This process is repeated for every node joining the cluster later (e.g., through autoscaling)
-
-## Post-installation configuration
-
-Post-installation the CLI provides a configuration for [accessing the cluster using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/).
-The `kubeconfig` file provides the credentials and configuration for connecting and authenticating to the API server.
-Once configured, orchestrate the Kubernetes cluster via `kubectl`.
-
-After the initialization, the CLI will present you with a couple of tokens:
-
-* The [*master secret*](keys.md#master-secret) (stored in the `constellation-mastersecret.json` file by default)
-* The [*clusterID*](keys.md#cluster-identity) of your cluster in Base64 encoding
-
-You can read more about these values and their meaning in the guide on [cluster identity](keys.md#cluster-identity).
-
-The *master secret* must be kept secret and can be used to [recover your cluster](../workflows/recovery.md).
-Instead of managing this secret manually, you can [use your key management solution of choice](keys.md#user-managed-key-management) with Constellation.
-
-The *clusterID* uniquely identifies a cluster and can be used to [verify your cluster](../workflows/verify-cluster.md).
-
-## Upgrades
-
-Constellation images and microservices may need to be upgraded to new versions during the lifetime of a cluster.
-Constellation implements a rolling update mechanism ensuring no downtime of the control or data plane.
-You can upgrade a Constellation cluster with a single operation by using the CLI.
-For step-by-step instructions on how to do this, refer to [Upgrade your cluster](../workflows/upgrade.md).
-
-### Attestation of upgrades
-
-With every new image, corresponding measurements are released.
-During an update procedure, the CLI provides new measurements to the [JoinService](microservices.md#joinservice) securely.
-New measurements for an updated image are automatically pulled and verified by the CLI following the [supply chain security concept](attestation.md#chain-of-trust) of Constellation.
-The [attestation section](attestation.md#cluster-facing-attestation) describes in detail how these measurements are then used by the JoinService for the attestation of nodes.
-
-
diff --git a/docs/versioned_docs/version-2.23/architecture/overview.md b/docs/versioned_docs/version-2.23/architecture/overview.md
deleted file mode 100644
index 386f93b2f..000000000
--- a/docs/versioned_docs/version-2.23/architecture/overview.md
+++ /dev/null
@@ -1,30 +0,0 @@ -# Overview - -Constellation is a cloud-based confidential orchestration platform. -The foundation of Constellation is Kubernetes and therefore shares the same technology stack and architecture principles. -To learn more about Constellation and Kubernetes, see [product overview](../overview/product.md). - -## About orchestration and updates - -As a cluster administrator, you can use the [Constellation CLI](orchestration.md) to install and deploy a cluster. -Updates are provided in accordance with the [support policy](versions.md). - -## About microservices and attestation - -Constellation manages the nodes and network in your cluster. All nodes are bootstrapped by the [*Bootstrapper*](microservices.md#bootstrapper). They're verified and authenticated by the [*JoinService*](microservices.md#joinservice) before being added to the cluster and the network. Finally, the entire cluster can be verified via the [*VerificationService*](microservices.md#verificationservice) using [remote attestation](attestation.md). - -## About node images and verified boot - -Constellation comes with operating system images for Kubernetes control-plane and worker nodes. -They're highly optimized for running containerized workloads and specifically prepared for running inside confidential VMs. -You can learn more about [the images](images.md) and how verified boot ensures their integrity during boot and beyond. - -## About key management and cryptographic primitives - -Encryption of data at-rest, in-transit, and in-use is the fundamental building block for confidential computing and Constellation. Learn more about the [keys and cryptographic primitives](keys.md) used in Constellation, [encrypted persistent storage](encrypted-storage.md), and [network encryption](networking.md). - -## About observability - -Observability in Kubernetes refers to the capability to troubleshoot issues using telemetry signals such as logs, metrics, and traces. 
-In the realm of Confidential Computing, it's crucial that observability aligns with confidentiality, necessitating careful implementation. -Learn more about the [observability capabilities in Constellation](./observability.md). diff --git a/docs/versioned_docs/version-2.23/architecture/versions.md b/docs/versioned_docs/version-2.23/architecture/versions.md deleted file mode 100644 index d5cbc987b..000000000 --- a/docs/versioned_docs/version-2.23/architecture/versions.md +++ /dev/null @@ -1,21 +0,0 @@ -# Versions and support policy - -All components of Constellation use a three-digit version number of the form `v..`. -The components are released in lock step, usually on the first Tuesday of every month. This release primarily introduces new features, but may also include security or performance improvements. The `MINOR` version will be incremented as part of this release. - -Additional `PATCH` releases may be created on demand, to fix security issues or bugs before the next `MINOR` release window. - -New releases are published on [GitHub](https://github.com/edgelesssys/constellation/releases). - -## Kubernetes support policy - -Constellation is aligned to the [version support policy of Kubernetes](https://kubernetes.io/releases/version-skew-policy/#supported-versions), and therefore usually supports the most recent three minor versions. -When a new minor version of Kubernetes is released, support is added to the next Constellation release, and that version then supports four Kubernetes versions. -Subsequent Constellation releases drop support for the oldest (and deprecated) Kubernetes version. - -The following Kubernetes versions are currently supported: - - -* v1.29.15 -* v1.30.12 -* v1.31.8 diff --git a/docs/versioned_docs/version-2.23/getting-started/examples.md b/docs/versioned_docs/version-2.23/getting-started/examples.md deleted file mode 100644 index fded84980..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/examples.md +++ /dev/null 
@@ -1,6 +0,0 @@ -# Examples - -After you [installed the CLI](install.md) and [created your first cluster](first-steps.md), you're ready to deploy applications. Why not start with one of the following examples? -* [Emojivoto](examples/emojivoto.md): a simple but fun web application -* [Online Boutique](examples/online-boutique.md): an e-commerce demo application by Google consisting of 11 separate microservices -* [Horizontal Pod Autoscaling](examples/horizontal-scaling.md): an example demonstrating Constellation's autoscaling capabilities diff --git a/docs/versioned_docs/version-2.23/getting-started/examples/emojivoto.md b/docs/versioned_docs/version-2.23/getting-started/examples/emojivoto.md deleted file mode 100644 index 2bbe27917..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/examples/emojivoto.md +++ /dev/null @@ -1,22 +0,0 @@ -# Emojivoto -[Emojivoto](https://github.com/BuoyantIO/emojivoto) is a simple and fun application that's well suited to test the basic functionality of your cluster. - - - -emojivoto - Web UI - - - -1. Deploy the application: - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` -2. Wait until it becomes available: - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - ``` -3. Forward the web service to your machine: - ```bash - kubectl -n emojivoto port-forward svc/web-svc 8080:80 - ``` -4. Visit [http://localhost:8080](http://localhost:8080) diff --git a/docs/versioned_docs/version-2.23/getting-started/examples/filestash-s3proxy.md b/docs/versioned_docs/version-2.23/getting-started/examples/filestash-s3proxy.md deleted file mode 100644 index b9a394256..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/examples/filestash-s3proxy.md +++ /dev/null 
@@ -1,107 +0,0 @@ - -# Deploying Filestash - -Filestash is a web frontend for different storage backends, including S3. -It's a useful application to showcase s3proxy in action. - -1. Deploy s3proxy as described in [Deployment](../../workflows/s3proxy.md#deployment). -2. Create a deployment file for Filestash with one pod: - -```sh -cat << EOF > "deployment-filestash.yaml" -apiVersion: apps/v1 -kind: Deployment -metadata: - name: filestash -spec: - replicas: 1 - selector: - matchLabels: - app: filestash - template: - metadata: - labels: - app: filestash - spec: - hostAliases: - - ip: $(kubectl get svc s3proxy-service -o=jsonpath='{.spec.clusterIP}') - hostnames: - - "s3.us-east-1.amazonaws.com" - - "s3.us-east-2.amazonaws.com" - - "s3.us-west-1.amazonaws.com" - - "s3.us-west-2.amazonaws.com" - - "s3.eu-north-1.amazonaws.com" - - "s3.eu-south-1.amazonaws.com" - - "s3.eu-south-2.amazonaws.com" - - "s3.eu-west-1.amazonaws.com" - - "s3.eu-west-2.amazonaws.com" - - "s3.eu-west-3.amazonaws.com" - - "s3.eu-central-1.amazonaws.com" - - "s3.eu-central-2.amazonaws.com" - - "s3.ap-northeast-1.amazonaws.com" - - "s3.ap-northeast-2.amazonaws.com" - - "s3.ap-northeast-3.amazonaws.com" - - "s3.ap-east-1.amazonaws.com" - - "s3.ap-southeast-1.amazonaws.com" - - "s3.ap-southeast-2.amazonaws.com" - - "s3.ap-southeast-3.amazonaws.com" - - "s3.ap-southeast-4.amazonaws.com" - - "s3.ap-south-1.amazonaws.com" - - "s3.ap-south-2.amazonaws.com" - - "s3.me-south-1.amazonaws.com" - - "s3.me-central-1.amazonaws.com" - - "s3.il-central-1.amazonaws.com" - - "s3.af-south-1.amazonaws.com" - - "s3.ca-central-1.amazonaws.com" - - "s3.sa-east-1.amazonaws.com" - containers: - - name: filestash - image: machines/filestash:latest - ports: - - containerPort: 8334 - volumeMounts: - - name: ca-cert - mountPath: /etc/ssl/certs/kube-ca.crt - subPath: kube-ca.crt - volumes: - - name: ca-cert - secret: - secretName: s3proxy-tls - items: - - key: ca.crt - path: kube-ca.crt -EOF -``` - -The pod spec includes the 
`hostAliases` key, which adds an entry to the pod's `/etc/hosts`. -The entry forwards all requests for any of the currently defined AWS regions to the Kubernetes service `s3proxy-service`. -If you followed the s3proxy [Deployment](../../workflows/s3proxy.md#deployment) guide, this service points to a s3proxy pod. - -The deployment specifies all regions explicitly to prevent accidental data leaks. -If one of your buckets were located in a region that's not part of the `hostAliases` key, traffic towards those buckets would not be redirected to s3proxy. -Similarly, if you want to exclude data for specific regions from going through s3proxy you can remove those regions from the deployment. - -The spec also includes a volume mount for the TLS certificate and adds it to the pod's certificate trust store. -The volume is called `ca-cert`. -The key `ca.crt` of that volume is mounted to `/etc/ssl/certs/kube-ca.crt`, which is the default certificate trust store location for that container's OpenSSL library. -Not adding the CA certificate will result in TLS authentication errors. - -3. Apply the file: `kubectl apply -f deployment-filestash.yaml` - -Afterward, you can use a port forward to access the Filestash pod: -`kubectl port-forward pod/$(kubectl get pod --selector='app=filestash' -o=jsonpath='{.items[*].metadata.name}') 8334:8334` - -4. After browsing to `localhost:8443`, Filestash will ask you to set an administrator password. -After setting it, you can directly leave the admin area by clicking the blue cloud symbol in the top left corner. -Subsequently, you can select S3 as storage backend and enter your credentials. -This will bring you to an overview of your buckets. -If you want to deploy Filestash in production, take a look at its [documentation](https://www.filestash.app/docs/). - -5. 
To see the logs of s3proxy intercepting requests made to S3, run: `kubectl logs -f pod/$(kubectl get pod --selector='app=s3proxy' -o=jsonpath='{.items[*].metadata.name}')` -Look out for log messages labeled `intercepting`. -There is one such log message for each message that's encrypted, decrypted, or blocked. - -6. Once you have uploaded a file with Filestash, you should be able to view the file in Filestash. -However, if you go to the AWS S3 [Web UI](https://s3.console.aws.amazon.com/s3/home) and download the file you just uploaded in Filestash, you won't be able to read it. -Another way to spot encrypted files without downloading them is to click on a file, scroll to the Metadata section, and look for the header named `x-amz-meta-constellation-encryption`. -This header holds the encrypted data encryption key of the object and is only present on objects that are encrypted by s3proxy. diff --git a/docs/versioned_docs/version-2.23/getting-started/examples/horizontal-scaling.md b/docs/versioned_docs/version-2.23/getting-started/examples/horizontal-scaling.md deleted file mode 100644 index dfaf9e742..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/examples/horizontal-scaling.md +++ /dev/null 
@@ -1,98 +0,0 @@ -# Horizontal Pod Autoscaling -This example demonstrates Constellation's autoscaling capabilities. It's based on the Kubernetes [HorizontalPodAutoscaler Walkthrough](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/). During the following steps, Constellation will spawn new VMs on demand, verify them, add them to the cluster, and delete them again when the load has settled down. - -## Requirements -The cluster needs to be initialized with Kubernetes 1.23 or later. In addition, [autoscaling must be enabled](../../workflows/scale.md) to enable Constellation to assign new nodes dynamically. - -Just for this example specifically, the cluster should have as few worker nodes in the beginning as possible. Start with a small cluster with only *one* low-powered node for the control-plane node and *one* low-powered worker node. - -:::info -We tested the example using instances of types `Standard_DC4as_v5` on Azure and `n2d-standard-4` on GCP. -::: - -## Setup - -1. Install the Kubernetes Metrics Server: - ```bash - kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - ``` - -2. Deploy the HPA example server that's supposed to be scaled under load. - - This manifest is similar to the one from the Kubernetes HPA walkthrough, but with increased CPU limits and requests to facilitate the triggering of node scaling events. - ```bash - cat < - -Online Boutique - Web UI - - - -1. Create a namespace: - ```bash - kubectl create ns boutique - ``` -2. Deploy the application: - ```bash - kubectl apply -n boutique -f https://github.com/GoogleCloudPlatform/microservices-demo/raw/main/release/kubernetes-manifests.yaml - ``` -3. Wait for all services to become available: - ```bash - kubectl wait --for=condition=available --timeout=300s -n boutique --all deployments - ``` -4. 
Get the frontend's external IP address: - ```shell-session - $ kubectl get service frontend-external -n boutique | awk '{print $4}' - EXTERNAL-IP - - ``` - (`` is a placeholder for the IP assigned by your CSP.) -5. Enter the IP from the result in your browser to browse the online shop. diff --git a/docs/versioned_docs/version-2.23/getting-started/first-steps-local.md b/docs/versioned_docs/version-2.23/getting-started/first-steps-local.md deleted file mode 100644 index 98f0302de..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/first-steps-local.md +++ /dev/null 
@@ -1,277 +0,0 @@ -# First steps with a local cluster - -A local cluster lets you deploy and test Constellation without a cloud subscription. -You have two options: - -* Use MiniConstellation to automatically deploy a two-node cluster. -* For more fine-grained control, create the cluster using the QEMU provider. - -Both options use virtualization to create a local cluster with control-plane nodes and worker nodes. They **don't** require hardware with Confidential VM (CVM) support. For attestation, they currently use a software-based vTPM provided by KVM/QEMU. - -You need an x64 machine with a Linux OS. -You can use a VM, but it needs nested virtualization. - -## Prerequisites - -* Machine requirements: - * An x86-64 CPU with at least 4 cores (6 cores are recommended) - * At least 4 GB RAM (6 GB are recommended) - * 20 GB of free disk space - * Hardware virtualization enabled in the BIOS/UEFI (often referred to as Intel VT-x or AMD-V/SVM) / nested-virtualization support when using a VM -* Software requirements: - * Linux OS with [KVM kernel module](https://www.linux-kvm.org/page/Main_Page) - * Recommended: Ubuntu 22.04 LTS - * [Docker](https://docs.docker.com/engine/install/) - * [xsltproc](https://gitlab.gnome.org/GNOME/libxslt/-/wikis/home) - * (Optional) [virsh](https://www.libvirt.org/manpages/virsh.html) to observe and access your nodes - -### Software installation on Ubuntu - -```bash -# install Docker -curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null -sudo apt update -sudo apt install docker-ce -# install other dependencies -sudo apt install xsltproc -sudo snap install kubectl --classic -# install Constellation CLI -curl -LO 
https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -sudo install constellation-linux-amd64 /usr/local/bin/constellation -# do not drop forwarded packages -sudo iptables -P FORWARD ACCEPT -``` - -## Create a cluster - - - - - -With the `constellation mini` command, you can deploy and test Constellation locally. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/). - - -:::caution - -MiniConstellation has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since MiniConstellation runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -The following creates your MiniConstellation cluster (may take up to 10 minutes to complete): - -```bash -constellation mini up -``` - -This will configure your current directory as the [workspace](../architecture/orchestration.md#workspaces) for this cluster. -All `constellation` commands concerning this cluster need to be issued from this directory. - - - - -With the QEMU provider, you can create a local Constellation cluster as if it were in the cloud. The provider uses [QEMU](https://www.qemu.org/) to create multiple VMs for the cluster nodes, which interact with each other. - -:::caution - -Constellation on QEMU has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up. - -::: - -:::note - -Since Constellation on QEMU runs on your local system, cloud features such as load balancing, -attaching persistent storage, or autoscaling aren't available. - -::: - -1. 
To set up your local cluster, you need to create a configuration file for Constellation first. - - ```bash - constellation config generate qemu - ``` - - This creates a [configuration file](../workflows/config.md) for QEMU called `constellation-conf.yaml`. After that, your current folder also becomes your [workspace](../architecture/orchestration.md#workspaces). All `constellation` commands for your cluster need to be executed from this directory. - -2. Now you can create your cluster and its nodes. `constellation apply` uses the options set in `constellation-conf.yaml`. - - ```bash - constellation apply -y - ``` - - The Output should look like the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type 2-vCPUs will be created. - 1 worker node of type 2-vCPUs will be created. - Creating - Cloud infrastructure created successfully. - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your setup, `constellation apply` may take 10+ minutes to complete. - - ::: - -3. 
Configure kubectl - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - - - -## Connect to the cluster - -Your cluster initially consists of a single control-plane node: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 66s v1.24.6 -``` - -Additional nodes will request to join the cluster shortly. Before each additional node is allowed to join the cluster, its state is verified using remote attestation by the [JoinService](../architecture/microservices.md#joinservice). -If verification passes successfully, the new node receives keys and certificates to join the cluster. - -You can follow this process by viewing the logs of the JoinService: - -```shell-session -$ kubectl logs -n kube-system daemonsets/join-service -f -{"level":"INFO","ts":"2022-10-14T09:32:20Z","caller":"cmd/main.go:48","msg":"Constellation Node Join Service","version":"2.1.0","cloudProvider":"qemu"} -{"level":"INFO","ts":"2022-10-14T09:32:20Z","logger":"validator","caller":"watcher/validator.go:96","msg":"Updating expected measurements"} -... -``` - -Once all nodes have joined your cluster, it may take a couple of minutes for all resources to become available. -You can check on the state of your cluster by running the following: - -```shell-session -$ kubectl get nodes -NAME STATUS ROLES AGE VERSION -control-plane-0 Ready control-plane 2m59s v1.24.6 -worker-0 Ready 32s v1.24.6 -``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation mini down -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -Once you are done, you can clean up the created resources using the following command: - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -This will destroy your cluster and clean up your workspace. -The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters. - - - - -## Troubleshooting - -Make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### VMs have no internet access / CLI remains in "Initializing cluster" state - -`iptables` rules may prevent your VMs from accessing the internet. -Make sure your rules aren't dropping forwarded packages. 
- -List your rules: - -```bash -sudo iptables -S -``` - -The output may look similar to the following: - -```shell-session --P INPUT ACCEPT --P FORWARD DROP --P OUTPUT ACCEPT --N DOCKER --N DOCKER-ISOLATION-STAGE-1 --N DOCKER-ISOLATION-STAGE-2 --N DOCKER-USER -``` - -If your `FORWARD` chain is set to `DROP`, you need to update your rules: - -```bash -sudo iptables -P FORWARD ACCEPT -``` diff --git a/docs/versioned_docs/version-2.23/getting-started/first-steps.md b/docs/versioned_docs/version-2.23/getting-started/first-steps.md deleted file mode 100644 index fb8437a06..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/first-steps.md +++ /dev/null 
@@ -1,235 +0,0 @@ -# First steps with Constellation - -The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully [installed and set up Constellation](install.md), -and have access to a cloud subscription. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -:::note -If you encounter any problem with the following steps, make sure to use the [latest release](https://github.com/edgelesssys/constellation/releases/latest) and check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). -::: - -## Create a cluster - -1. Create the [configuration file](../workflows/config.md) and state file for your cloud provider. If you are following the steps of this guide, there is no need to edit the file. - - - - - ```bash - constellation config generate aws - ``` - - - - - ```bash - constellation config generate azure - ``` - - - - - ```bash - constellation config generate gcp - ``` - - - - - ```bash - constellation config generate stackit - ``` - - - - -2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration). - - - - - ```bash - constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config - ``` - - This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Depending on the attestation variant selected on config generation, different regions are available. 
- AMD SEV-SNP machines (requires the default attestation variant `awsSEVSNP`) are currently available in the following regions: - * `eu-west-1` - * `us-east-2` - - You can find a list of regions that support AMD SEV-SNP in [AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). - - NitroTPM machines (requires the attestation variant `awsNitroTPM`) are available in all regions. - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - - - - - ```bash - constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config - ``` - - This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - - - - - ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test --update-config - ``` - - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. - - Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. - - - - - To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md). - After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`: - - * `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud)) - - :::caution - - `stackitProjectID` refers to the ID of your STACKIT project. The STACKIT portal also shows the OpenStack ID that's associated with your project in some places. Make sure you insert the STACKIT project ID in the `constellation-conf.yaml` file. It's of the format `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. - - ::: - - - - - :::tip - To learn about all options you have for managing IAM resources and Constellation configuration, see the [Configuration workflow](../workflows/config.md). - ::: - - - -3. Create the cluster. `constellation apply` uses options set in `constellation-conf.yaml`. 
- If you want to manually manage your cloud resources, for example by using [Terraform](../reference/terraform.md), follow the corresponding instructions in the [Create workflow](../workflows/create.md). - - :::tip - - On Azure, you may need to wait 15+ minutes at this point for role assignments to propagate. - - ::: - - ```bash - constellation apply -y - ``` - - This should look similar to the following: - - ```shell-session - $ constellation apply -y - Checking for infrastructure changes - The following Constellation cluster will be created: - 3 control-plane nodes of type n2d-standard-4 will be created. - 1 worker node of type n2d-standard-4 will be created. - Creating - Cloud infrastructure created successfully - Your Constellation master secret was successfully written to ./constellation-mastersecret.json - Connecting - Initializing cluster - Installing Kubernetes components - Your Constellation cluster was successfully initialized. - - Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= - Kubernetes configuration constellation-admin.conf - - You can now connect to your cluster by executing: - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - - The cluster's identifier will be different in your output. - Keep `constellation-mastersecret.json` somewhere safe. - This will allow you to [recover your cluster](../workflows/recovery.md) in case of a disaster. - - :::info - - Depending on your CSP and region, `constellation apply` may take 10+ minutes to complete. - - ::: - -4. Configure kubectl. - - ```bash - export KUBECONFIG="$PWD/constellation-admin.conf" - ``` - -## Deploy a sample application - -1. Deploy the [emojivoto app](https://github.com/BuoyantIO/emojivoto) - - ```bash - kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment - ``` - -2. 
Expose the frontend service locally - - ```bash - kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments - kubectl -n emojivoto port-forward svc/web-svc 8080:80 & - curl http://localhost:8080 - kill %1 - ``` - -## Terminate your cluster - -Use the CLI to terminate your cluster. If you manually used [Terraform](../reference/terraform.md) to manage your cloud resources, follow the corresponding instructions in the [Terminate workflow](../workflows/terminate.md). - -```bash -constellation terminate -``` - -This should give the following output: - -```shell-session -$ constellation terminate -You are about to terminate a Constellation cluster. -All of its associated resources will be DESTROYED. -This action is irreversible and ALL DATA WILL BE LOST. -Do you want to continue? [y/n]: -``` - -Confirm with `y` to terminate the cluster: - -```shell-session -Terminating ... -Your Constellation cluster was terminated successfully. -``` - -Optionally, you can also [delete your IAM resources](../workflows/config.md#deleting-an-iam-configuration). diff --git a/docs/versioned_docs/version-2.23/getting-started/install.md b/docs/versioned_docs/version-2.23/getting-started/install.md deleted file mode 100644 index f072407d8..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/install.md +++ /dev/null 
@@ -1,447 +0,0 @@ -# Installation and setup - -Constellation runs entirely in your cloud environment and can be controlled via a dedicated [command-line interface (CLI)](../reference/cli.md) or a [Terraform provider](../workflows/terraform-provider.md). - -## Prerequisites - -Make sure the following requirements are met: - -* Your machine is running Linux, macOS, or Windows -* You have admin rights on your machine -* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or STACKIT - -## Install the Constellation CLI - -:::tip - -If you prefer to use Terraform, you can alternatively use the [Terraform provider](../workflows/terraform-provider.md) to manage the cluster's lifecycle. - -::: - -The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases). -Install it with the following commands: - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-amd64 /usr/local/bin/constellation -``` - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-linux-arm64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-arm64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-arm64 /usr/local/bin/constellation -``` - - - - - -1. 
Download the CLI: - -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-amd64 -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI to your PATH: - -```bash -sudo install constellation-darwin-amd64 /usr/local/bin/constellation -``` - - - - - -1. Download the CLI: - -```bash -Invoke-WebRequest -OutFile ./constellation.exe -Uri 'https://github.com/edgelesssys/constellation/releases/latest/download/constellation-windows-amd64.exe' -``` - -2. [Verify the signature](../workflows/verify-cli.md) (optional) - -3. Install the CLI under `C:\Program Files\Constellation\bin\constellation.exe` - -3. Add the CLI to your PATH: - - 1. Open `Advanced system settings` by searching for the App in the Windows search - 2. Go to the `Advanced` tab - 3. Click `Environment Variables…` - 4. Click variable called `Path` and click `Edit…` - 5. Click `New` - 6. Enter the path to the folder containing the binary you want on your PATH: `C:\Program Files\Constellation\bin` - - - - -:::tip -The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps. -::: - -## Set up cloud credentials - -Constellation makes authenticated calls to the CSP API. Therefore, you need to set up Constellation with the credentials for your CSP. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -### Required permissions - - - - -To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "iam:AddRoleToInstanceProfile", - "iam:AttachRolePolicy", - "iam:CreateInstanceProfile", - "iam:CreatePolicy", - "iam:CreateRole", - "iam:DeleteInstanceProfile", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DetachRolePolicy", - "iam:GetInstanceProfile", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfilesForRole", - "iam:ListPolicyVersions", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:RemoveRoleFromInstanceProfile", - "sts:GetCallerIdentity" - ], - "Resource": "*" - } - ] -} -``` - -The built-in `AdministratorAccess` policy is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), see the permissions of [main.tf](https://github.com/edgelesssys/constellation/blob/main/terraform/infrastructure/iam/aws/main.tf). - -The built-in `PowerUserAccess` policy is a superset of these permissions. - -Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). - - - - -The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription: - -* `Microsoft.Attestation` -* `Microsoft.Compute` -* `Microsoft.Insights` -* `Microsoft.ManagedIdentity` -* `Microsoft.Network` - -By default, Constellation tries to register these automatically if they haven't been registered before. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `*/register/action` \[1] -* `Microsoft.Authorization/roleAssignments/*` -* `Microsoft.Authorization/roleDefinitions/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Resources/subscriptions/resourcegroups/*` - -The built-in `Owner` role is a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `Microsoft.Attestation/attestationProviders/*` -* `Microsoft.Compute/virtualMachineScaleSets/*` -* `Microsoft.Insights/components/*` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Network/loadBalancers/*` -* `Microsoft.Network/loadBalancers/backendAddressPools/*` -* `Microsoft.Network/networkSecurityGroups/*` -* `Microsoft.Network/publicIPAddresses/*` -* `Microsoft.Network/virtualNetworks/*` -* `Microsoft.Network/virtualNetworks/subnets/*` -* `Microsoft.Network/natGateways/*` - -The built-in `Contributor` role is a superset of these permissions. - -Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions) and [assigning roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments). - -1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration. - - - - -Create a new project for Constellation or use an existing one. -Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it. 
- -To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: - -* `iam.roles.create` -* `iam.roles.delete` -* `iam.roles.get` -* `iam.serviceAccountKeys.create` -* `iam.serviceAccountKeys.delete` -* `iam.serviceAccountKeys.get` -* `iam.serviceAccounts.create` -* `iam.serviceAccounts.delete` -* `iam.serviceAccounts.get` -* `resourcemanager.projects.getIamPolicy` -* `resourcemanager.projects.setIamPolicy` - -Together, the built-in roles `roles/editor` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -To [create a Constellation cluster](../workflows/create.md), you need the following permissions: - -* `compute.addresses.createInternal` -* `compute.addresses.deleteInternal` -* `compute.addresses.get` -* `compute.addresses.useInternal` -* `compute.backendServices.create` -* `compute.backendServices.delete` -* `compute.backendServices.get` -* `compute.backendServices.use` -* `compute.disks.create` -* `compute.firewalls.create` -* `compute.firewalls.delete` -* `compute.firewalls.get` -* `compute.firewalls.update` -* `compute.forwardingRules.create` -* `compute.forwardingRules.delete` -* `compute.forwardingRules.get` -* `compute.forwardingRules.setLabels` -* `compute.forwardingRules.list` -* `compute.globalAddresses.create` -* `compute.globalAddresses.delete` -* `compute.globalAddresses.get` -* `compute.globalAddresses.use` -* `compute.globalForwardingRules.create` -* `compute.globalForwardingRules.delete` -* `compute.globalForwardingRules.get` -* `compute.globalForwardingRules.setLabels` -* `compute.globalOperations.get` -* `compute.healthChecks.create` -* `compute.healthChecks.delete` -* `compute.healthChecks.get` -* `compute.healthChecks.useReadOnly` -* `compute.instanceGroupManagers.create` -* `compute.instanceGroupManagers.delete` -* `compute.instanceGroupManagers.get` -* `compute.instanceGroupManagers.update` -* `compute.instanceGroups.create` -* 
`compute.instanceGroups.delete` -* `compute.instanceGroups.get` -* `compute.instanceGroups.update` -* `compute.instanceGroups.use` -* `compute.instances.create` -* `compute.instances.setLabels` -* `compute.instances.setMetadata` -* `compute.instances.setTags` -* `compute.instanceTemplates.create` -* `compute.instanceTemplates.delete` -* `compute.instanceTemplates.get` -* `compute.instanceTemplates.useReadOnly` -* `compute.networks.create` -* `compute.networks.delete` -* `compute.networks.get` -* `compute.networks.updatePolicy` -* `compute.routers.create` -* `compute.routers.delete` -* `compute.routers.get` -* `compute.routers.update` -* `compute.subnetworks.create` -* `compute.subnetworks.delete` -* `compute.subnetworks.get` -* `compute.subnetworks.use` -* `compute.targetTcpProxies.create` -* `compute.targetTcpProxies.delete` -* `compute.targetTcpProxies.get` -* `compute.targetTcpProxies.use` -* `iam.serviceAccounts.actAs` - -Together, the built-in roles `roles/editor`, `roles/compute.instanceAdmin` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions. - -Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access). - - - - -Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account. -The UAT already has all required permissions by default. -The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers. -Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role. - - - - -### Authentication - -You need to authenticate with your CSP. The following lists the required steps for *testing* and *production* environments. - -:::note -The steps for a *testing* environment are simpler. 
However, they may expose secrets to the CSP. If in doubt, follow the *production* steps. -::: - - - - -**Testing** - -You can use the [AWS CloudShell](https://console.aws.amazon.com/cloudshell/home). Make sure you are [authorized to use it](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html). - -**Production** - -Use the latest version of the [AWS CLI](https://aws.amazon.com/cli/) on a trusted machine: - -```bash -aws configure -``` - -Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html). - - - - -**Testing** - -Simply open the [Azure Cloud Shell](https://docs.microsoft.com/en-us/azure/cloud-shell/overview). - -**Production** - -Use the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) on a trusted machine: - -```bash -az login -``` - -Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli). - - - - -**Testing** - -You can use the [Google Cloud Shell](https://cloud.google.com/shell). Make sure your [session is authorized](https://cloud.google.com/shell/docs/auth). For example, execute `gsutil` and accept the authorization prompt. - -**Production** - -Use one of the following options on a trusted machine: - -* Use the [`gcloud` CLI](https://cloud.google.com/sdk/gcloud) - - ```bash - gcloud auth application-default login - ``` - - This will ask you to log-in to your Google account and create your credentials. - The Constellation CLI will automatically load these credentials when needed. - -* Set up a service account and pass the credentials manually - - Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials. - - - - -You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API). - -1. 
[Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API -2. Create a configuration file with the credentials from the User Access Token under: - * Linux: `~/.config/openstack/clouds.yaml` - * macOS: `/Users//Library/Application Support/openstack/clouds.yaml` or `/etc/openstack/clouds.yaml` - * Windows: `%AppData%\openstack\clouds.yaml` - - - ```yaml - clouds: - stackit: - auth: - auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3 - username: REPLACE_WITH_UAT_USERNAME - password: REPLACE_WITH_UAT_PASSWORD - project_id: REPLACE_WITH_OPENSTACK_PROJECT_ID - project_name: REPLACE_WITH_STACKIT_PROJECT_NAME - user_domain_name: portal_mvp - project_domain_name: portal_mvp - region_name: RegionOne - identity_api_version: 3 - ``` - -:::caution - -`project_id` refers to the ID of your OpenStack project. The STACKIT portal also shows the STACKIT ID that's associated with your project in some places. Make sure you insert the OpenStack project ID in the `clouds.yaml` file. - -::: - -3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token -4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) -5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows) - - ```json - {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"} - ``` - - - - - -## Next steps - -You are now ready to [deploy your first confidential Kubernetes cluster and application](first-steps.md). 
diff --git a/docs/versioned_docs/version-2.23/getting-started/marketplaces.md b/docs/versioned_docs/version-2.23/getting-started/marketplaces.md deleted file mode 100644 index a6763a42a..000000000 --- a/docs/versioned_docs/version-2.23/getting-started/marketplaces.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# Using Constellation via Cloud Marketplaces - -Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). - -This document explains how to run Constellation with the dynamically billed cloud marketplace images. - - - - -To use Constellation's marketplace images, ensure that you are subscribed to the [marketplace offering](https://aws.amazon.com/marketplace/pp/prodview-2mbn65nv57oys) through the web portal. - -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.aws.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) to gain access. - -To use a marketplace image, you need to accept the marketplace image's terms once for your subscription with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest): - -```bash -az vm image terms accept --publisher edgelesssystems --offer constellation --plan constellation -``` - -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.azure.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -To use a marketplace image, ensure that the account is entitled to use marketplace images by Edgeless Systems by accepting the terms through the [web portal](https://console.cloud.google.com/marketplace/vm/config/edgeless-systems-public/constellation). 
- -Then, enable the use of marketplace images in your Constellation `constellation-conf.yaml` [config file](../workflows/config.md): - -```bash -yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml -``` - - - - -On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal. - - - - -Ensure that the cluster uses an official release image version (i.e., `.image=vX.Y.Z` in the `constellation-conf.yaml` file). - -From there, you can proceed with the [cluster creation](../workflows/create.md) as usual. diff --git a/docs/versioned_docs/version-2.23/intro.md b/docs/versioned_docs/version-2.23/intro.md deleted file mode 100644 index 0bfe86da9..000000000 --- a/docs/versioned_docs/version-2.23/intro.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -slug: / -id: intro ---- -# Introduction - -Welcome to the documentation of Constellation! Constellation is a Kubernetes engine that aims to provide the best possible data security. - -![Constellation concept](/img/concept.svg) - - Constellation shields your entire Kubernetes cluster from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages a technology called *confidential computing* and more specifically Confidential VMs. - -:::tip -See the 📄[whitepaper](https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf) for more information on confidential computing. -::: - -## Goals - -From a security perspective, Constellation is designed to keep all data always encrypted and to prevent any access from the underlying (cloud) infrastructure. This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure. Such attackers could be malicious co-tenants escalating their privileges or hackers who managed to compromise a cloud server. - -From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern Kubernetes engine. - -## Use cases - -Constellation provides unique security [features](overview/confidential-kubernetes.md) and [benefits](overview/security-benefits.md). The core use cases are: - -* Increasing the overall security of your clusters -* Increasing the trustworthiness of your SaaS offerings -* Moving sensitive workloads from on-prem to the cloud -* Meeting regulatory requirements - -## Next steps - -You can learn more about the concept of Confidential Kubernetes, features, security benefits, and performance of Constellation in the *Basics* section. To jump right into the action head to *Getting started*. 
diff --git a/docs/versioned_docs/version-2.23/overview/clouds.md b/docs/versioned_docs/version-2.23/overview/clouds.md deleted file mode 100644 index b2695d28e..000000000 --- a/docs/versioned_docs/version-2.23/overview/clouds.md +++ /dev/null 
@@ -1,66 +0,0 @@ -# Feature status of clouds - -What works on which cloud? Currently, Confidential VMs (CVMs) are available in varying quality on the different clouds and software stacks. - -For Constellation, the ideal environment provides the following: - -1. Ability to run arbitrary software and images inside CVMs -2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or Intel TDX (available in Xeon CPUs since the Sapphire Rapids generation) -3. Ability for CVM guests to obtain raw hardware attestation statements -4. Reviewable, open-source firmware inside CVMs -5. Capability of the firmware to attest the integrity of the code it passes control to, e.g., with an embedded virtual TPM (vTPM) - -(1) is a functional must-have. (2)--(5) are required for remote attestation that fully keeps the infrastructure/cloud out. Constellation can work without them or with approximations, but won't protect against certain privileged attackers anymore. - -The following table summarizes the state of features for different infrastructures. - -| **Feature** | **AWS** | **Azure** | **GCP** | **STACKIT** | **OpenStack (Yoga)** | -|-----------------------------------|---------|-----------|---------|--------------|----------------------| -| **1. Custom images** | Yes | Yes | Yes | Yes | Yes | -| **2. SEV-SNP or TDX** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **3. Raw guest attestation** | Yes | Yes | Yes | No | Depends on kernel/HV | -| **4. Reviewable firmware** | Yes | No* | No | No | Depends on kernel/HV | -| **5. Confidential measured boot** | No | Yes | No | No | Depends on kernel/HV | - -## Amazon Web Services (AWS) - -Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/). -Regarding (3), AWS provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by the Nitro hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the [firmware is open source](https://github.com/aws/uefi) and can be reproducibly built. - -## Microsoft Azure - -With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation. -Regarding (3), Azure provides direct access to attestation statements. -The firmware runs in an isolated domain inside the CVM and exposes a vTPM (5), but it's closed source (4). -On SEV-SNP, Azure uses VM Privilege Level (VMPL) isolation for the separation of firmware and the rest of the VM; on TDX, they use TD partitioning. -This firmware is signed by Azure. -The signature is reflected in the attestation statements of CVMs. -Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB). - -\* Recently, [Azure announced the open source paravisor OpenHCL](https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172). It's the foundation for fully open source and verifiable CVM firmware. Once Azure provides their CVM firmware with reproducible builds based on OpenHCL, (4) switches from *No* to *Yes*. Constellation will support OpenHCL based firmware on Azure in the future. - -## Google Cloud Platform (GCP) - -The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP. -Regarding (3), with their SEV-SNP offering Google provides direct access to attestation statements. 
-However, regarding (5), attestation is partially based on the [Shielded VM vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) for [measured boot](../architecture/attestation.md#measured-boot), which is a vTPM managed by Google's hypervisor. -Hence, the hypervisor is currently part of Constellation's TCB. -Regarding (4), the CVMs still include closed-source firmware. - -[TDX on Google](https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense) is in public preview. -With it, Constellation would have a similar TCB and attestation flow as with the current SEV-SNP offering. - -## STACKIT - -[STACKIT Compute Engine](https://www.stackit.de/en/product/stackit-compute-engine/) supports AMD SEV-ES. A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB. - -## OpenStack - -OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation. - -## Conclusion - -The different clouds and software like the Linux kernel and OpenStack are in the process of building out their support for state-of-the-art CVMs. Azure has already most features in place. For Constellation, the status quo means that the TCB has different shapes on different infrastructures. With broad SEV-SNP support coming to the Linux kernel, we soon expect a normalization of features across infrastructures. 
diff --git a/docs/versioned_docs/version-2.23/overview/confidential-kubernetes.md b/docs/versioned_docs/version-2.23/overview/confidential-kubernetes.md deleted file mode 100644 index bff8c3322..000000000 --- a/docs/versioned_docs/version-2.23/overview/confidential-kubernetes.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# Confidential Kubernetes - -We use the term *Confidential Kubernetes* to refer to the concept of using confidential-computing technology to shield entire Kubernetes clusters from the infrastructure. The three defining properties of this concept are: - -1. **Workload shielding**: the confidentiality and integrity of all workload-related data and code are enforced. -2. **Control plane shielding**: the confidentiality and integrity of the cluster's control plane, state, and workload configuration are enforced. -3. **Attestation and verifiability**: the two properties above can be verified remotely based on hardware-rooted cryptographic certificates. - -Each of the above properties is equally important. Only with all three in conjunction, an entire cluster can be shielded without gaps. - -## Constellation security features - -Constellation implements the Confidential Kubernetes concept with the following security features. - -* **Runtime encryption**: Constellation runs all Kubernetes nodes inside Confidential VMs (CVMs). This gives runtime encryption for the entire cluster. -* **Network and storage encryption**: Constellation augments this with transparent encryption of the [network](../architecture/networking.md), [persistent storage](../architecture/encrypted-storage.md), and other managed storage like [AWS S3](../architecture/encrypted-storage.md#encrypted-s3-object-storage). Thus, workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime. -* **Transparent key management**: Constellation manages the corresponding [cryptographic keys](../architecture/keys.md) inside CVMs. -* **Node attestation and verification**: Constellation verifies the integrity of each new CVM-based node using [remote attestation](../architecture/attestation.md). Only "good" nodes receive the cryptographic keys required to access the network and storage of a cluster. 
-* **Confidential computing-optimized images**: A node is "good" if it's running a signed Constellation [node image](../architecture/images.md) inside a CVM and is in the expected state. (Node images are hardware-measured during boot. The measurements are reflected in the attestation statements that are produced by nodes and verified by Constellation.) -* **"Whole cluster" attestation**: Towards the DevOps engineer, Constellation provides a single hardware-rooted certificate from which all of the above can be verified. - -With the above, Constellation wraps an entire cluster into one coherent and verifiable *confidential context*. The concept is depicted in the following. - -![Confidential Kubernetes](../_media/concept-constellation.svg) - -## Comparison: Managed Kubernetes with CVMs - -In comparison, managed Kubernetes with CVMs, as it's for example offered in [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) and [GKE](https://cloud.google.com/kubernetes-engine), only provides runtime encryption for certain worker nodes. Here, each worker node is a separate (and typically unverified) confidential context. This only provides limited security benefits as it only prevents direct access to a worker node's memory. The large majority of potential attacks through the infrastructure remain unaffected. This includes attacks through the control plane, access to external key management, and the corruption of worker node images. This leaves many problems unsolved. For instance, *Node A* has no means to verify if *Node B* is "good" and if it's OK to share data with it. Consequently, this approach leaves a large attack surface, as is depicted in the following. - -![Concept: Managed Kubernetes plus CVMs](../_media/concept-managed.svg) - -The following table highlights the key differences in terms of features. 
- -| | Managed Kubernetes with CVMs | Confidential Kubernetes (Constellation✨) | -|-------------------------------------|------------------------------|--------------------------------------------| -| Runtime encryption | Partial (data plane only)| **Yes** | -| Node image verification | No | **Yes** | -| Full cluster attestation | No | **Yes** | -| Transparent network encryption | No | **Yes** | -| Transparent storage encryption | No | **Yes** | -| Confidential key management | No | **Yes** | -| Cloud agnostic / multi-cloud | No | **Yes** | diff --git a/docs/versioned_docs/version-2.23/overview/license.md b/docs/versioned_docs/version-2.23/overview/license.md deleted file mode 100644 index 98a9cbf94..000000000 --- a/docs/versioned_docs/version-2.23/overview/license.md +++ /dev/null @@ -1,15 +0,0 @@ -# License - -Constellation is available under the [Business Source License 1.1](https://github.com/edgelesssys/constellation/blob/main/LICENSE). - -You may use it free of charge for non-production use ("Community License"). - -## Enterprise License - -Enterprise Licenses permit production use and come with support and additional features. Find out more at the [product website](https://www.edgeless.systems/products/constellation/). - -Once you have received your Enterprise License file, place it in your [Constellation workspace](../architecture/orchestration.md#workspaces) in a file named `constellation.license`. - -## CSP Marketplaces - -Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). 
diff --git a/docs/versioned_docs/version-2.23/overview/performance/application.md b/docs/versioned_docs/version-2.23/overview/performance/application.md deleted file mode 100644 index c67d59644..000000000 --- a/docs/versioned_docs/version-2.23/overview/performance/application.md +++ /dev/null 
@@ -1,102 +0,0 @@ -# Application benchmarks - -## HashiCorp Vault - -[HashiCorp Vault](https://www.vaultproject.io/) is a distributed secrets management software that can be deployed to Kubernetes. -HashiCorp maintains a benchmarking tool for vault, [vault-benchmark](https://github.com/hashicorp/vault-benchmark/). -Vault-benchmark generates load on a Vault deployment and measures response times. - -This article describes the results from running vault-benchmark on Constellation, AKS, and GKE. -You can find the setup for producing the data discussed in this article in the [vault-benchmarks](https://github.com/edgelesssys/vault-benchmarks) repository. - -The Vault API used during benchmarking is the [transits secret engine](https://developer.hashicorp.com/vault/docs/secrets/transit). -This allows services to send data to Vault for encryption, decryption, signing, and verification. - -## Results - -On each run, vault-benchmark sends requests and measures the latencies. -The measured latencies are aggregated through various statistical features. -After running the benchmark n times, the arithmetic mean over a subset of the reported statistics is calculated. -The selected features are arithmetic mean, 99th percentile, minimum, and maximum. - -Arithmetic mean gives a general sense of the latency on each target. -The 99th percentile shows performance in (most likely) erroneous states. -Minimum and maximum mark the range within which latency varies each run. - -The benchmark was configured with 1300 workers and 10 seconds per run. -Those numbers were chosen empirically. -The latency was stabilizing at 10 seconds runtime, not changing with further increase. -Increasing the number of workers beyond 1300 leads to request failures, marking the limit Vault was able to handle in this setup. -All results are based on 100 runs. - -The following data was generated while running five replicas, one primary, and four standby nodes. 
-All numbers are in seconds if not indicated otherwise. -``` -========== Results AKS ========== -Mean: mean: 1.632200, variance: 0.002057 -P99: mean: 5.480679, variance: 2.263700 -Max: mean: 6.651001, variance: 2.808401 -Min: mean: 0.011415, variance: 0.000133 -========== Results GKE ========== -Mean: mean: 1.656435, variance: 0.003615 -P99: mean: 6.030807, variance: 3.955051 -Max: mean: 7.164843, variance: 3.300004 -Min: mean: 0.010233, variance: 0.000111 -========== Results C11n ========== -Mean: mean: 1.651549, variance: 0.001610 -P99: mean: 5.780422, variance: 3.016106 -Max: mean: 6.942997, variance: 3.075796 -Min: mean: 0.013774, variance: 0.000228 -========== AKS vs C11n ========== -Mean: +1.171577 % (AKS is faster) -P99: +5.185495 % (AKS is faster) -Max: +4.205618 % (AKS is faster) -Min: +17.128781 % (AKS is faster) -========== GKE vs C11n ========== -Mean: -0.295851 % (GKE is slower) -P99: -4.331603 % (GKE is slower) -Max: -3.195248 % (GKE is slower) -Min: +25.710886 % (GKE is faster) -``` - -**Interpretation**: Latencies are all within ~5% of each other. -AKS performs slightly better than GKE and Constellation (C11n) in all cases except minimum latency. -Minimum latency is the lowest for GKE. -Compared to GKE, Constellation had slightly lower peak latencies (99th percentile and maximum), indicating that Constellation could have handled slightly more concurrent accesses than GKE. -Overall, performance is at comparable levels across all three distributions. -Based on these numbers, you can use a similarly sized Constellation cluster to run your existing Vault deployment. - -### Visualization - -The following plots visualize the data presented above as [box plots](https://en.wikipedia.org/wiki/Box_plot). -The whiskers denote the minimum and maximum. -The box stretches from the 25th to the 75th percentile, with the dividing bar marking the 50th percentile. -The circles outside the whiskers denote outliers. - -
-Mean Latency - -![Mean Latency](../../_media/benchmark_vault/5replicas/mean_latency.png) - -
- -
-99th Percentile Latency - -![99th Percentile Latency](../../_media/benchmark_vault/5replicas/p99_latency.png) - -
- -
-Maximum Latency - -![Maximum Latency](../../_media/benchmark_vault/5replicas/max_latency.png) - -
- -
-Minimum Latency - -![Minimum Latency](../../_media/benchmark_vault/5replicas/min_latency.png) - -
diff --git a/docs/versioned_docs/version-2.23/overview/performance/compute.md b/docs/versioned_docs/version-2.23/overview/performance/compute.md
deleted file mode 100644
index 88dd4b1b2..000000000
--- a/docs/versioned_docs/version-2.23/overview/performance/compute.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Impact of runtime encryption on compute performance
-
-All nodes in a Constellation cluster are executed inside Confidential VMs (CVMs). Consequently, the performance of Constellation is inherently linked to the performance of these CVMs.
-
-## AMD and Azure benchmarking
-
-AMD and Azure have collectively released a [performance benchmark](https://community.amd.com/t5/business/microsoft-azure-confidential-computing-powered-by-3rd-gen-epyc/ba-p/497796) for CVMs that utilize 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. This benchmark, which included a variety of mostly compute-intensive tests such as SPEC CPU 2017 and CoreMark, demonstrated that CVMs experience only minor performance degradation (ranging from 2% to 8%) when compared to standard VMs. Such results are indicative of the performance that can be expected from compute-intensive workloads running with Constellation on Azure.
-
-## AMD and Google benchmarking
-
-Similarly, AMD and Google have jointly released a [performance benchmark](https://www.amd.com/system/files/documents/3rd-gen-epyc-gcp-c2d-conf-compute-perf-brief.pdf) for CVMs employing 3rd Gen AMD EPYC processors (Milan) with SEV-SNP. With high-performance computing workloads such as WRF, NAMD, Ansys CFS, and Ansys LS_DYNA, they observed analogous findings, with only minor performance degradation (between 2% and 4%) compared to standard VMs. These outcomes are reflective of the performance that can be expected for compute-intensive workloads running with Constellation on GCP.
diff --git a/docs/versioned_docs/version-2.23/overview/performance/io.md b/docs/versioned_docs/version-2.23/overview/performance/io.md
deleted file mode 100644
index 3ae796f8a..000000000
--- a/docs/versioned_docs/version-2.23/overview/performance/io.md
+++ /dev/null
@@ -1,204 +0,0 @@ -# I/O performance benchmarks - -To assess the overall performance of Constellation, this benchmark evaluates Constellation v2.6.0 in terms of storage I/O using [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) and network performance using the [Kubernetes Network Benchmark](https://github.com/InfraBuilder/k8s-bench-suite#knb--kubernetes-network-be). - -This benchmark tested Constellation on Azure and GCP and compared the results against the managed Kubernetes offerings AKS and GKE. - -## Configurations - -### Constellation - -The benchmark was conducted with Constellation v2.6.0, Kubernetes v1.25.7, and Cilium v1.12. -It ran on the following infrastructure configurations. - -Constellation on Azure: - -- Nodes: 3 (1 Control-plane, 2 Worker) -- Machines: `DC4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory -- CVM: `true` -- Region: `West US` -- Zone: `2` - -Constellation on GCP: - -- Nodes: 3 (1 Control-plane, 2 Worker) -- Machines: `n2d-standard-4`: 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory -- CVM: `true` -- Zone: `europe-west3-b` - -### AKS - -On AKS, the benchmark used Kubernetes `v1.24.9` and nodes with version `AKSUbuntu-1804gen2containerd-2023.02.15`. -AKS ran with the [`kubenet`](https://learn.microsoft.com/en-us/azure/aks/concepts-network#kubenet-basic-networking) CNI and the [default CSI driver](https://learn.microsoft.com/en-us/azure/aks/azure-disk-csi) for Azure Disk. - -The following infrastructure configurations was used: - -- Nodes: 2 (2 Worker) -- Machines: `D4as_v5`: 3rd Generation AMD EPYC 7763v (Milan) processor with 4 Cores, 16 GiB memory -- CVM: `false` -- Region: `West US` -- Zone: `2` - -### GKE - -On GKE, the benchmark used Kubernetes `v1.24.9` and nodes with version `1.24.9-gke.3200`. 
-GKE ran with the [`kubenet`](https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview) CNI and the [default CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver) for Compute Engine persistent disk. - -The following infrastructure configurations was used: - -- Nodes: 2 (2 Worker) -- Machines: `n2d-standard-4` 2nd Generation AMD EPYC (Rome) processor with 4 Cores, 16 GiB of memory -- CVM: `false` -- Zone: `europe-west3-b` - -## Results - -### Network - -This section gives a thorough analysis of the network performance of Constellation, specifically focusing on measuring TCP and UDP bandwidth. -The benchmark measured the bandwidth of pod-to-pod and pod-to-service connections between two different nodes using [`iperf`](https://iperf.fr/). - -GKE and Constellation on GCP had a maximum network bandwidth of [10 Gbps](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines). -AKS with `Standard_D4as_v5` machines a maximum network bandwidth of [12.5 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series). -The Confidential VM equivalent `Standard_DC4as_v5` currently has a network bandwidth of [1.25 Gbps](https://learn.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series#dcasv5-series-products). -Therefore, to make the test comparable, both AKS and Constellation on Azure were running with `Standard_DC4as_v5` machines and 1.25 Gbps bandwidth. - -Constellation on Azure and AKS used an MTU of 1500. -Constellation on GCP used an MTU of 8896. GKE used an MTU of 1450. - -The difference in network bandwidth can largely be attributed to two factors. - -- Constellation's [network encryption](../../architecture/networking.md) via Cilium and WireGuard, which protects data in-transit. -- [AMD SEV using SWIOTLB bounce buffers](https://lore.kernel.org/all/20200204193500.GA15564@ashkalra_ubuntu_server/T/) for all DMA including network I/O. 
- -#### Pod-to-Pod - -In this scenario, the client Pod connects directly to the server pod via its IP address. - -```mermaid -flowchart LR - subgraph Node A - Client[Client] - end - subgraph Node B - Server[Server] - end - Client ==>|traffic| Server -``` - -The results for "Pod-to-Pod" on Azure are as follows: - -![Network Pod2Pod Azure benchmark graph](../../_media/benchmark_net_p2p_azure.png) - -The results for "Pod-to-Pod" on GCP are as follows: - -![Network Pod2Pod GCP benchmark graph](../../_media/benchmark_net_p2p_gcp.png) - -#### Pod-to-Service - -In this scenario, the client Pod connects to the server Pod via a ClusterIP service. This is more relevant to real-world use cases. - -```mermaid -flowchart LR - subgraph Node A - Client[Client] ==>|traffic| Service[Service] - end - subgraph Node B - Server[Server] - end - Service ==>|traffic| Server -``` - -The results for "Pod-to-Pod" on Azure are as follows: - -![Network Pod2SVC Azure benchmark graph](../../_media/benchmark_net_p2svc_azure.png) - -The results for "Pod-to-Pod" on GCP are as follows: - -![Network Pod2SVC GCP benchmark graph](../../_media/benchmark_net_p2svc_gcp.png) - -In our recent comparison of Constellation on GCP with GKE, Constellation has 58% less TCP bandwidth. However, UDP bandwidth was slightly better with Constellation, thanks to its higher MTU. - -Similarly, when comparing Constellation on Azure with AKS using CVMs, Constellation achieved approximately 10% less TCP and 40% less UDP bandwidth. - -### Storage I/O - -Azure and GCP offer persistent storage for their Kubernetes services AKS and GKE via the Container Storage Interface (CSI). CSI storage in Kubernetes is available via `PersistentVolumes` (PV) and consumed via `PersistentVolumeClaims` (PVC). -Upon requesting persistent storage through a PVC, GKE and AKS will provision a PV as defined by a default [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). 
-Constellation provides persistent storage on Azure and GCP [that's encrypted on the CSI layer](../../architecture/encrypted-storage.md). -Similarly, upon a PVC request, Constellation will provision a PV via a default storage class. - -For Constellation on Azure and AKS, the benchmark ran with Azure Disk storage [Standard SSD](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) of 400 GiB size. -The [DC4as machine type](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dasv5-series) with four cores provides the following maximum performance: - -- 6400 (20000 burst) IOPS -- 144 MB/s (600 MB/s burst) throughput - -However, the performance is bound by the capabilities of the [512 GiB Standard SSD size](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) (the size class of 400 GiB volumes): - -- 500 (600 burst) IOPS -- 60 MB/s (150 MB/s burst) throughput - -For Constellation on GCP and GKE, the benchmark ran with Compute Engine Persistent Disk Storage [pd-balanced](https://cloud.google.com/compute/docs/disks) of 400 GiB size. -The N2D machine type with four cores and pd-balanced provides the following [maximum performance](https://cloud.google.com/compute/docs/disks/performance#n2d_vms): - -- 3,000 read IOPS -- 15,000 write IOPS -- 240 MB/s read throughput -- 240 MB/s write throughput - -However, the performance is bound by the capabilities of a [`Zonal balanced PD`](https://cloud.google.com/compute/docs/disks/performance#zonal-persistent-disks) with 400 GiB size: - -- 2400 read IOPS -- 2400 write IOPS -- 112 MB/s read throughput -- 112 MB/s write throughput - -The [`fio`](https://fio.readthedocs.io/en/latest/fio_doc.html) benchmark consists of several tests. -The benchmark used [`Kubestr`](https://github.com/kastenhq/kubestr) to run `fio` in Kubernetes. -The default test performs randomized access patterns that accurately depict worst-case I/O scenarios for most applications. 
- -The following `fio` settings were used: - -- No Cloud caching -- No OS caching -- Single CPU -- 60 seconds runtime -- 10 seconds ramp-up time -- 10 GiB file -- IOPS: 4 KB blocks and 128 iodepth -- Bandwidth: 1024 KB blocks and 128 iodepth - -For more details, see the [`fio` test configuration](https://github.com/edgelesssys/constellation/blob/main/.github/actions/e2e_benchmark/fio.ini). - -The results for IOPS on Azure are as follows: - -![I/O IOPS Azure benchmark graph](../../_media/benchmark_fio_azure_iops.png) - -The results for IOPS on GCP are as follows: - -![I/O IOPS GCP benchmark graph](../../_media/benchmark_fio_gcp_iops.png) - -The results for bandwidth on Azure are as follows: - -![I/O bandwidth Azure benchmark graph](../../_media/benchmark_fio_azure_bw.png) - -The results for bandwidth on GCP are as follows: - -![I/O bandwidth GCP benchmark graph](../../_media/benchmark_fio_gcp_bw.png) - -On GCP, the results exceed the maximum performance guarantees of the chosen disk type. There are two possible explanations for this. The first is that there may be cloud caching in place that isn't configurable. Alternatively, the underlying provisioned disk size may be larger than what was requested, resulting in higher performance boundaries. - -When comparing Constellation on GCP with GKE, Constellation has similar bandwidth but about 10% less IOPS performance. On Azure, Constellation has similar IOPS performance compared to AKS, where both likely hit the maximum storage performance. However, Constellation has approximately 15% less read and write bandwidth. - -## Conclusion - -Despite the added [security benefits](../security-benefits.md) that Constellation provides, it only incurs a slight performance overhead when compared to managed Kubernetes offerings such as AKS and GKE. In most compute benchmarks, Constellation is on par with it's alternatives. 
-While it may be slightly slower in certain I/O scenarios due to network and storage encryption, there is ongoing work to reduce this overhead to single digits.
-
-For instance, storage encryption only adds between 10% to 15% overhead in terms of bandwidth and IOPS.
-Meanwhile, the biggest performance impact that Constellation currently faces is network encryption, which can incur up to 58% overhead on a 10 Gbps network.
-However, the Cilium team has conducted [benchmarks with Cilium using WireGuard encryption](https://docs.cilium.io/en/latest/operations/performance/benchmark/#encryption-wireguard-ipsec) on a 100 Gbps network that yielded over 15 Gbps.
-We're confident that Constellation will provide a similar level of performance with an upcoming release.
-
-Overall, Constellation strikes a great balance between security and performance, and we're continuously working to improve its performance capabilities while maintaining its high level of security.
diff --git a/docs/versioned_docs/version-2.23/overview/performance/performance.md b/docs/versioned_docs/version-2.23/overview/performance/performance.md
deleted file mode 100644
index 59bf86602..000000000
--- a/docs/versioned_docs/version-2.23/overview/performance/performance.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Performance analysis of Constellation
-
-This section provides a comprehensive examination of the performance characteristics of Constellation.
-
-## Runtime encryption
-
-Runtime encryption affects compute performance. [Benchmarks by Azure and Google](compute.md) show that the performance degradation of Confidential VMs (CVMs) is small, ranging from 2% to 8% for compute-intensive workloads.
-
-## I/O performance benchmarks
-
-We evaluated the [I/O performance](io.md) of Constellation, utilizing a collection of synthetic benchmarks targeting networking and storage.
-We further compared this performance to native managed Kubernetes offerings from various cloud providers, to better understand how Constellation stands in relation to standard practices.
-
-## Application benchmarking
-
-To gauge Constellation's applicability to well-known applications, we performed a [benchmark of HashiCorp Vault](application.md) running on Constellation.
-The results were then compared to deployments on the managed Kubernetes offerings from different cloud providers, providing a tangible perspective on Constellation's performance in actual deployment scenarios.
diff --git a/docs/versioned_docs/version-2.23/overview/product.md b/docs/versioned_docs/version-2.23/overview/product.md
deleted file mode 100644
index 4b5d90706..000000000
--- a/docs/versioned_docs/version-2.23/overview/product.md
+++ /dev/null
@@ -1,12 +0,0 @@
-# Product features
-
-Constellation is a Kubernetes engine that aims to provide the best possible data security in combination with enterprise-grade scalability and reliability features---and a smooth user experience.
-
-From a security perspective, Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and corresponding security features, which shield your entire cluster from the underlying infrastructure.
-
-From an operational perspective, Constellation provides the following key features:
-
-* **Native support for different clouds**: Constellation works on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
-* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
-* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
-* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
diff --git a/docs/versioned_docs/version-2.23/overview/security-benefits.md b/docs/versioned_docs/version-2.23/overview/security-benefits.md
deleted file mode 100644
index 51a8b64f5..000000000
--- a/docs/versioned_docs/version-2.23/overview/security-benefits.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Security benefits and threat model
-
-Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and shields entire Kubernetes deployments from the infrastructure. More concretely, Constellation decreases the size of the trusted computing base (TCB) of a Kubernetes deployment. The TCB is the totality of elements in a computing environment that must be trusted not to be compromised. A smaller TCB results in a smaller attack surface. The following diagram shows how Constellation removes the *cloud & datacenter infrastructure* and the *physical hosts*, including the hypervisor, the host OS, and other components, from the TCB (red). Inside the confidential context (green), Kubernetes remains part of the TCB, but its integrity is attested and can be [verified](../workflows/verify-cluster.md).
-
-![TCB comparison](../_media/tcb.svg)
-
-Given this background, the following describes the concrete threat classes that Constellation addresses.
-
-## Insider access
-
-Employees and third-party contractors of cloud service providers (CSPs) have access to different layers of the cloud infrastructure.
-This opens up a large attack surface where workloads and data can be read, copied, or manipulated. With Constellation, Kubernetes deployments are shielded from the infrastructure and thus such accesses are prevented.
-
-## Infrastructure-based attacks
-
-Malicious cloud users ("hackers") may break out of their tenancy and access other tenants' data. Advanced attackers may even be able to establish a permanent foothold within the infrastructure and access data over a longer period. Analogously to the *insider access* scenario, Constellation also prevents access to a deployment's data in this scenario.
-
-## Supply chain attacks
-
-Supply chain security is receiving lots of attention recently due to an [increasing number of recorded attacks](https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks). For instance, a malicious actor could attempt to tamper Constellation node images (including Kubernetes and other software) before they're loaded in the confidential VMs of a cluster. Constellation uses [remote attestation](../architecture/attestation.md) in conjunction with public [transparency logs](../workflows/verify-cli.md) to prevent this.
-
-In the future, Constellation will extend this feature to customer workloads. This will enable cluster owners to create auditable policies that precisely define which containers can run in a given deployment.
diff --git a/docs/versioned_docs/version-2.23/reference/cli.md b/docs/versioned_docs/version-2.23/reference/cli.md
deleted file mode 100644
index 7cbc0be8d..000000000
--- a/docs/versioned_docs/version-2.23/reference/cli.md
+++ /dev/null
@@ -1,873 +0,0 @@ -# CLI reference - - - -Use the Constellation CLI to create and manage your clusters. - -Usage: - -``` -constellation [command] -``` -Commands: - -* [config](#constellation-config): Work with the Constellation configuration file - * [generate](#constellation-config-generate): Generate a default configuration and state file - * [fetch-measurements](#constellation-config-fetch-measurements): Fetch measurements for configured cloud provider and image - * [instance-types](#constellation-config-instance-types): Print the supported instance types for all cloud providers - * [kubernetes-versions](#constellation-config-kubernetes-versions): Print the Kubernetes versions supported by this CLI - * [migrate](#constellation-config-migrate): Migrate a configuration file to a new version -* [create](#constellation-create): Create instances on a cloud platform for your Constellation cluster -* [apply](#constellation-apply): Apply a configuration to a Constellation cluster -* [mini](#constellation-mini): Manage MiniConstellation clusters - * [up](#constellation-mini-up): Create and initialize a new MiniConstellation cluster - * [down](#constellation-mini-down): Destroy a MiniConstellation cluster -* [status](#constellation-status): Show status of a Constellation cluster -* [verify](#constellation-verify): Verify the confidential properties of a Constellation cluster -* [upgrade](#constellation-upgrade): Find and apply upgrades to your Constellation cluster - * [check](#constellation-upgrade-check): Check for possible upgrades - * [apply](#constellation-upgrade-apply): Apply an upgrade to a Constellation cluster -* [recover](#constellation-recover): Recover a completely stopped Constellation cluster -* [terminate](#constellation-terminate): Terminate a Constellation cluster -* [iam](#constellation-iam): Work with the IAM configuration on your cloud provider - * [create](#constellation-iam-create): Create IAM configuration on a cloud platform for your Constellation 
cluster - * [aws](#constellation-iam-create-aws): Create IAM configuration on AWS for your Constellation cluster - * [azure](#constellation-iam-create-azure): Create IAM configuration on Microsoft Azure for your Constellation cluster - * [gcp](#constellation-iam-create-gcp): Create IAM configuration on GCP for your Constellation cluster - * [destroy](#constellation-iam-destroy): Destroy an IAM configuration and delete local Terraform files - * [upgrade](#constellation-iam-upgrade): Find and apply upgrades to your IAM profile - * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile -* [version](#constellation-version): Display version of this CLI -* [init](#constellation-init): Initialize the Constellation cluster -* [ssh](#constellation-ssh): Generate a certificate for emergency SSH access - -## constellation config - -Work with the Constellation configuration file - -### Synopsis - -Work with the Constellation configuration file. - -### Options - -``` - -h, --help help for config -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config generate - -Generate a default configuration and state file - -### Synopsis - -Generate a default configuration and state file for your selected cloud provider. - -``` -constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags] -``` - -### Options - -``` - -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. 
If not specified, the default for the cloud provider is used - -h, --help help for generate - -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.30") - -t, --tags strings additional tags for created resources given a list of key=value -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config fetch-measurements - -Fetch measurements for configured cloud provider and image - -### Synopsis - -Fetch measurements for configured cloud provider and image. - -A config needs to be generated first. - -``` -constellation config fetch-measurements [flags] -``` - -### Options - -``` - -h, --help help for fetch-measurements - -s, --signature-url string alternative URL to fetch measurements' signature from - -u, --url string alternative URL to fetch measurements from -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config instance-types - -Print the supported instance types for all cloud providers - -### Synopsis - -Print the supported instance types for all cloud providers. 
- -``` -constellation config instance-types [flags] -``` - -### Options - -``` - -h, --help help for instance-types -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config kubernetes-versions - -Print the Kubernetes versions supported by this CLI - -### Synopsis - -Print the Kubernetes versions supported by this CLI. - -``` -constellation config kubernetes-versions [flags] -``` - -### Options - -``` - -h, --help help for kubernetes-versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation config migrate - -Migrate a configuration file to a new version - -### Synopsis - -Migrate a configuration file to a new version. - -``` -constellation config migrate [flags] -``` - -### Options - -``` - -h, --help help for migrate -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation create - -Create instances on a cloud platform for your Constellation cluster - -### Synopsis - -Create instances on a cloud platform for your Constellation cluster. 
- -``` -constellation create [flags] -``` - -### Options - -``` - -h, --help help for create - -y, --yes create the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation apply - -Apply a configuration to a Constellation cluster - -### Synopsis - -Apply a configuration to a Constellation cluster to initialize or upgrade the cluster. - -``` -constellation apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | init | attestationconfig | certsans | helm | image | k8s } - -y, --yes run command without further confirmation - WARNING: the command might delete or update existing resources without additional checks. Please read the docs. - -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini - -Manage MiniConstellation clusters - -### Synopsis - -Manage MiniConstellation clusters. 
- -### Options - -``` - -h, --help help for mini -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini up - -Create and initialize a new MiniConstellation cluster - -### Synopsis - -Create and initialize a new MiniConstellation cluster. - -A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM. - -``` -constellation mini up [flags] -``` - -### Options - -``` - -h, --help help for up - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true) -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation mini down - -Destroy a MiniConstellation cluster - -### Synopsis - -Destroy a MiniConstellation cluster. - -``` -constellation mini down [flags] -``` - -### Options - -``` - -h, --help help for down - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation status - -Show status of a Constellation cluster - -### Synopsis - -Show the status of a constellation cluster. - -Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades. 
- -``` -constellation status [flags] -``` - -### Options - -``` - -h, --help help for status -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation verify - -Verify the confidential properties of a Constellation cluster - -### Synopsis - -Verify the confidential properties of a Constellation cluster. -If arguments aren't specified, values are read from `constellation-state.yaml`. - -``` -constellation verify [flags] -``` - -### Options - -``` - --cluster-id string expected cluster identifier - -h, --help help for verify - -e, --node-endpoint string endpoint of the node to verify, passed as HOST[:PORT] - -o, --output string print the attestation document in the output format {json|raw} -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade - -Find and apply upgrades to your Constellation cluster - -### Synopsis - -Find and apply upgrades to your Constellation cluster. - -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade check - -Check for possible upgrades - -### Synopsis - -Check which upgrades can be applied to your Constellation Cluster. 
- -``` -constellation upgrade check [flags] -``` - -### Options - -``` - -h, --help help for check - --ref string the reference to use for querying new versions (default "-") - --stream string the stream to use for querying new versions (default "stable") - -u, --update-config update the specified config file with the suggested versions -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation upgrade apply - -Apply an upgrade to a Constellation cluster - -### Synopsis - -Apply an upgrade to a Constellation cluster by applying the chosen configuration. - -``` -constellation upgrade apply [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for apply - --skip-helm-wait install helm charts without waiting for deployments to be ready - --skip-phases strings comma-separated list of upgrade phases to skip - one or multiple of { infrastructure | helm | image | k8s } - -y, --yes run upgrades without further confirmation - WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs. - WARNING: might unintentionally overwrite measurements in the running cluster. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation recover - -Recover a completely stopped Constellation cluster - -### Synopsis - -Recover a Constellation cluster by sending a recovery key to an instance in the boot stage. 
- -This is only required if instances restart without other instances available for bootstrapping. - -``` -constellation recover [flags] -``` - -### Options - -``` - -e, --endpoint string endpoint of the instance, passed as HOST[:PORT] - -h, --help help for recover -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation terminate - -Terminate a Constellation cluster - -### Synopsis - -Terminate a Constellation cluster. - -The cluster can't be started again, and all persistent storage will be lost. - -``` -constellation terminate [flags] -``` - -### Options - -``` - -h, --help help for terminate - -y, --yes terminate the cluster without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam - -Work with the IAM configuration on your cloud provider - -### Synopsis - -Work with the IAM configuration on your cloud provider. - -### Options - -``` - -h, --help help for iam -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create - -Create IAM configuration on a cloud platform for your Constellation cluster - -### Synopsis - -Create IAM configuration on a cloud platform for your Constellation cluster. 
- -### Options - -``` - -h, --help help for create - --update-config update the config file with the specific IAM information - -y, --yes create the IAM configuration without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam create aws - -Create IAM configuration on AWS for your Constellation cluster - -### Synopsis - -Create IAM configuration on AWS for your Constellation cluster. - -``` -constellation iam create aws [flags] -``` - -### Options - -``` - -h, --help help for aws - --prefix string name prefix for all resources (required) - --zone string AWS availability zone the resources will be created in, e.g., us-east-2a (required) - See the Constellation docs for a list of currently supported regions. -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create azure - -Create IAM configuration on Microsoft Azure for your Constellation cluster - -### Synopsis - -Create IAM configuration on Microsoft Azure for your Constellation cluster. 
- -``` -constellation iam create azure [flags] -``` - -### Options - -``` - -h, --help help for azure - --region string region the resources will be created in, e.g., westus (required) - --resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required) - --servicePrincipal string name of the service principal that will be created (required) - --subscriptionID string subscription ID of the Azure account. Required if the 'ARM_SUBSCRIPTION_ID' environment variable is not set -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam create gcp - -Create IAM configuration on GCP for your Constellation cluster - -### Synopsis - -Create IAM configuration on GCP for your Constellation cluster. - -``` -constellation iam create gcp [flags] -``` - -### Options - -``` - -h, --help help for gcp - --prefix string Prefix for the service account ID and VM ID that will be created (required) - Must be letters, digits, or hyphens. 
- --projectID string ID of the GCP project the configuration will be created in (required) - Find it on the welcome screen of your project: https://console.cloud.google.com/welcome - --zone string GCP zone the cluster will be deployed in (required) - Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - --update-config update the config file with the specific IAM information - -C, --workspace string path to the Constellation workspace - -y, --yes create the IAM configuration without further confirmation -``` - -## constellation iam destroy - -Destroy an IAM configuration and delete local Terraform files - -### Synopsis - -Destroy an IAM configuration and delete local Terraform files. - -``` -constellation iam destroy [flags] -``` - -### Options - -``` - -h, --help help for destroy - -y, --yes destroy the IAM configuration without asking for confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade - -Find and apply upgrades to your IAM profile - -### Synopsis - -Find and apply upgrades to your IAM profile. 
- -### Options - -``` - -h, --help help for upgrade -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation iam upgrade apply - -Apply an upgrade to an IAM profile - -### Synopsis - -Apply an upgrade to an IAM profile. - -``` -constellation iam upgrade apply [flags] -``` - -### Options - -``` - -h, --help help for apply - -y, --yes run upgrades without further confirmation -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation version - -Display version of this CLI - -### Synopsis - -Display version of this CLI. - -``` -constellation version [flags] -``` - -### Options - -``` - -h, --help help for version -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation init - -Initialize the Constellation cluster - -### Synopsis - -Initialize the Constellation cluster. - -Start your confidential Kubernetes. 
- -``` -constellation init [flags] -``` - -### Options - -``` - --conformance enable conformance mode - -h, --help help for init - --merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config - --skip-helm-wait install helm charts without waiting for deployments to be ready -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - -## constellation ssh - -Generate a certificate for emergency SSH access - -### Synopsis - -Generate a certificate for emergency SSH access to your SSH-enabled constellation cluster. - -``` -constellation ssh [flags] -``` - -### Options - -``` - -h, --help help for ssh - --key string the path to an existing SSH public key -``` - -### Options inherited from parent commands - -``` - --debug enable debug logging - --force disable version compatibility checks - might result in corrupted clusters - --tf-log string Terraform log level (default "NONE") - -C, --workspace string path to the Constellation workspace -``` - diff --git a/docs/versioned_docs/version-2.23/reference/migration.md b/docs/versioned_docs/version-2.23/reference/migration.md deleted file mode 100644 index eb55d650b..000000000 --- a/docs/versioned_docs/version-2.23/reference/migration.md +++ /dev/null 
@@ -1,140 +0,0 @@ -# Migrations - -This document describes breaking changes and migrations between Constellation releases. -Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format. - -## Migrations to v2.23.0 - -### GCP - -GCP will require the additional permission `compute.forwardingRules.list`. Please update your IAM roles using `constellation iam upgrade apply`. - -## Migrations to v2.19.1 - -### Azure - -* During the upgrade, security rules are migrated and the old ones need to be cleaned up manually by the user. The below script shows how to delete them through the Azure CLI: - -```bash -#!/usr/bin/env bash -name="" # the name provided in the config -uid="" # the cluster id can be retrieved via `yq '.infrastructure.uid' constellation-state.yaml` -resource_group="" # the RG can be retrieved via `yq '.provider.azure.resourceGroup' constellation-conf.yaml` - -rules=( - "kubernetes" - "bootstrapper" - "verify" - "recovery" - "join" - "debugd" - "konnectivity" -) - -for rule in "${rules[@]}"; do - echo "Deleting rule: ${rule}" - az network nsg rule delete \ - --resource-group "${resource_group}" \ - --nsg-name "${name}-${uid}" \ - --name "${rule}" -done - -echo "All specified rules have been deleted." -``` - -## Migrating from CLI versions before 2.21.1 - -### AWS - -* AWS clusters that use `LoadBalancer` resources require more IAM permissions. Please upgrade your IAM roles using `constellation iam upgrade apply`. This will show necessary changes and apply them, if desired. - -## Migrating from CLI versions before 2.19.0 - -### Azure - -* To allow seamless upgrades on Azure when Kubernetes services of type `LoadBalancer` are deployed, the target - load balancer in which the `cloud-controller-manager` creates load balancing rules was changed. 
Instead of using the load balancer - created and maintained by the CLI's Terraform code, the `cloud-controller-manager` now creates its own load balancer in Azure. - If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them - afterward. - -## Migrating from CLI versions before 2.18.0 - -* The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed. -* To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`. -* Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-an-iam-configuration) and use the created UAMI. -* To migrate the authentication for an existing cluster on Azure to an UAMI with the necessary permissions: - 1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret. - 2. Set `useManagedIdentityExtension` to `true` and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`. - 3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods. - -## Migrating from CLI versions before 2.10 - -* AWS cluster upgrades require additional IAM permissions for the newly introduced `aws-load-balancer-controller`. Please upgrade your IAM roles using `iam upgrade apply`. This will show necessary changes and apply them, if desired. -* The global `nodeGroups` field was added. -* The fields `instanceType`, `stateDiskSizeGB`, and `stateDiskType` for each cloud provider are now part of the configuration of individual node groups. -* The `constellation create` command no longer uses the flags `--control-plane-count` and `--worker-count`. Instead, the initial node count is configured per node group in the `nodeGroups` field. 
- -## Migrating from CLI versions before 2.9 - -* The `provider.azure.appClientID` and `provider.azure.clientSecretValue` fields were removed to enforce migration to managed identity authentication - -## Migrating from CLI versions before 2.8 - -* The `measurements` field for each cloud service provider was replaced with a global `attestation` field. -* The `confidentialVM`, `idKeyDigest`, and `enforceIdKeyDigest` fields for the Azure cloud service provider were removed in favor of using the global `attestation` field. -* The optional global field `attestationVariant` was replaced by the now required `attestation` field. - -## Migrating from CLI versions before 2.3 - -* The `sshUsers` field was deprecated in v2.2 and has been removed from the configuration in v2.3. - As an alternative for SSH, check the workflow section [Connect to nodes](../workflows/troubleshooting.md#node-shell-access). -* The `image` field for each cloud service provider has been replaced with a global `image` field. Use the following mapping to migrate your configuration: -
- Show all - - | CSP | old image | new image | - | ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | - | AWS | `ami-06b8cbf4837a0a57c` | `v2.2.2` | - | AWS | `ami-02e96dc04a9e438cd` | `v2.2.2` | - | AWS | `ami-028ead928a9034b2f` | `v2.2.2` | - | AWS | `ami-032ac10dd8d8266e3` | `v2.2.1` | - | AWS | `ami-032e0d57cc4395088` | `v2.2.1` | - | AWS | `ami-053c3e49e19b96bdd` | `v2.2.1` | - | AWS | `ami-0e27ebcefc38f648b` | `v2.2.0` | - | AWS | `ami-098cd37f66523b7c3` | `v2.2.0` | - | AWS | `ami-04a87d302e2509aad` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.2` | `v2.2.2` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.1` | `v2.2.1` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.0` | `v2.2.0` | - | Azure | 
`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.1.0` | `v2.1.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.0.0` | `v2.0.0` | - | Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.0.0` | `v2.0.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-2` | `v2.2.2` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-1` | `v2.2.1` | - | GCP | `projects/constellation-images/global/images/constellation-v2-2-0` | `v2.2.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-1-0` | `v2.1.0` | - | GCP | `projects/constellation-images/global/images/constellation-v2-0-0` | `v2.0.0` | - -
-* The `enforcedMeasurements` field has been removed and merged with the `measurements` field. - * To migrate your config containing a new image (`v2.3` or greater), remove the old `measurements` and `enforcedMeasurements` entries from your config and run `constellation fetch-measurements` - * To migrate your config containing an image older than `v2.3`, remove the `enforcedMeasurements` entry and replace the entries in `measurements` as shown in the example below: - - ```diff - measurements: - - 0: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + 0: - + expected: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8= - + warnOnly: true - - 8: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + 8: - + expected: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= - + warnOnly: false - -enforcedMeasurements: - - - 8 - ``` diff --git a/docs/versioned_docs/version-2.23/reference/slsa.md b/docs/versioned_docs/version-2.23/reference/slsa.md deleted file mode 100644 index 21f4e713c..000000000 --- a/docs/versioned_docs/version-2.23/reference/slsa.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Supply chain levels for software artifacts (SLSA) adoption - -[Supply chain Levels for Software Artifacts, or SLSA (salsa)](https://slsa.dev/) is a framework for improving and grading a project's build system and engineering processes. SLSA focuses on security improvements for source code storage as well as build system definition, execution, and observation. SLSA is structured in [four levels](https://slsa.dev/spec/v0.1/levels). This page describes the adoption of SLSA for Constellation. - -:::info -SLSA is still in alpha status. The presented levels and their requirements might change in the future. We will adopt any changes into our engineering processes, as they get defined. -::: - -## Level 1 - Adopted - -**[Build - Scripted](https://slsa.dev/spec/v0.1/requirements#scripted-build)** - -All build steps are automated via [Bazel](https://github.com/edgelesssys/constellation/tree/main/bazel/ci) and [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Available](https://slsa.dev/spec/v0.1/requirements#available)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). - -## Level 2 - Adopted - -**[Source - Version Controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled)** - -Constellation is hosted on GitHub using git. - -**[Build - Build Service](https://slsa.dev/spec/v0.1/requirements#build-service)** - -All builds are carried out by [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Provenance - Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated)** - -Provenance for the CLI is signed using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). Learn [how to verify the CLI](../workflows/verify-cli.md) using the signed provenance, before using it for the first time. 
- -**[Provenance - Service Generated](https://slsa.dev/spec/v0.1/requirements#service-generated)** - -Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) in GitHub Actions. - -## Level 3 - Adopted - -**[Source - Verified History](https://slsa.dev/spec/v0.1/requirements#verified-history)** - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization [requires two-factor authentication](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) for all members. - -**[Source - Retained Indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely)** - -Since we use GitHub to host the repository, an external person can't modify or delete the history. Before a pull request can be merged, an explicit approval from an [Edgeless Systems](https://github.com/edgelesssys) team member is required. - -The same holds true for changes proposed by team members. Each change to `main` needs to be proposed via a pull request and requires at least one approval. - -The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization admins control these settings and are able to make changes to the repository's history should legal requirements necessitate it. These changes require two-party approval following the obliterate policy. - -**[Build - Build as Code](https://slsa.dev/spec/v0.1/requirements#build-as-code)** - -All build files for Constellation are stored in [the same repository](https://github.com/edgelesssys/constellation/tree/main/.github). - -**[Build - Ephemeral Environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment)** - -All GitHub Action workflows are executed on [GitHub-hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners). 
These runners are only available during workflow. - -We currently don't use [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). - -**[Build - Isolated](https://slsa.dev/spec/v0.1/requirements#isolated)** - -As outlined in the previous section, we use GitHub-hosted runners, which provide a new, isolated and ephemeral environment for each build. - -Additionally, the [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator#generation-of-provenance) itself is run in an isolated workflow with the artifact hash as defined inputs. - -**[Provenance - Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable)** - -As outlined by [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator) it already fulfills the non-falsifiable requirements for SLSA Level 3. The generated provenance is signed using [sigstore](https://sigstore.dev/) with an OIDC based proof of identity. - -## Level 4 - In Progress - -We strive to adopt certain aspect of SLSA Level 4 that support our engineering process. At the same time, SLSA is still in alpha status and the biggest changes to SLSA are expected to be around Level 4. diff --git a/docs/versioned_docs/version-2.23/reference/terraform.md b/docs/versioned_docs/version-2.23/reference/terraform.md deleted file mode 100644 index 9825a8bb8..000000000 --- a/docs/versioned_docs/version-2.23/reference/terraform.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Terraform usage - -[Terraform](https://www.terraform.io/) is an Infrastructure as Code (IaC) framework to manage cloud resources. This page explains how Constellation uses it internally and how advanced users may manually use it to have more control over the resource creation. - -:::info -Information on this page is intended for users who are familiar with Terraform. -It's not required for common usage of Constellation. -See the [Terraform documentation](https://developer.hashicorp.com/terraform/docs) if you want to learn more about it. -::: - -## Terraform state files - -Constellation keeps Terraform state files in subdirectories of the workspace together with the corresponding Terraform configuration files and metadata. -The subdirectories are created on the first Constellation CLI action that uses Terraform internally. - -Currently, these subdirectories are: - -* `constellation-terraform` - Terraform state files for the resources of the Constellation cluster -* `constellation-iam-terraform` - Terraform state files for IAM configuration - -As with all commands, commands that work with these files (e.g., `apply`, `terminate`, `iam`) have to be executed from the root of the cluster's [workspace directory](../architecture/orchestration.md#workspaces). You usually don't need and shouldn't manipulate or delete the subdirectories manually. - -## Interacting with Terraform manually - -Manual interaction with Terraform state created by Constellation (i.e., via the Terraform CLI) should only be performed by experienced users. It may lead to unrecoverable loss of cloud resources. For the majority of users and use cases, the interaction done by the [Constellation CLI](cli.md) is sufficient. - -## Terraform debugging - -To debug Terraform issues, the Constellation CLI offers the `tf-log` flag. 
You can set it to any of [Terraform's log levels](https://developer.hashicorp.com/terraform/internals/debugging): -* `JSON` (JSON-formatted logs at `TRACE` level) -* `TRACE` -* `DEBUG` -* `INFO` -* `WARN` -* `ERROR` - -The log output is written to the `terraform.log` file in the workspace directory. The output is appended to the file on each run. diff --git a/docs/versioned_docs/version-2.23/workflows/cert-manager.md b/docs/versioned_docs/version-2.23/workflows/cert-manager.md deleted file mode 100644 index 1d847e8bf..000000000 --- a/docs/versioned_docs/version-2.23/workflows/cert-manager.md +++ /dev/null @@ -1,13 +0,0 @@ -# Install cert-manager - -:::caution -If you want to use cert-manager with Constellation, pay attention to the following to avoid potential pitfalls. -::: - -Constellation ships with cert-manager preinstalled. -The default installation is part of the `kube-system` namespace, as all other Constellation-managed microservices. -You are free to install more instances of cert-manager into other namespaces. -However, be aware that any new installation needs to use the same version as the one installed with Constellation or rely on the same CRD versions. -Also remember to set the `installCRDs` value to `false` when installing new cert-manager instances. -It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs. -CRDs are cluster-wide resources and cert-manager depends on specific versions of those CRDs for each release. diff --git a/docs/versioned_docs/version-2.23/workflows/config.md b/docs/versioned_docs/version-2.23/workflows/config.md deleted file mode 100644 index 7868ff1be..000000000 --- a/docs/versioned_docs/version-2.23/workflows/config.md +++ /dev/null 
@@ -1,353 +0,0 @@ -# Configure your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Before you can create your cluster, you need to configure the identity and access management (IAM) for your cloud service provider (CSP) and choose machine types for the nodes. - -## Creating the configuration file - -You can generate a configuration file for your CSP by using the following CLI command: - - - - -```bash -constellation config generate aws -``` - - - - -```bash -constellation config generate azure -``` - - - - -```bash -constellation config generate gcp -``` - - - - -```bash -constellation config generate stackit -``` - - - - -This creates the file `constellation-conf.yaml` in the current directory. - -## Choosing a VM type - -Constellation supports the following VM types: - - - -By default, Constellation uses `m6a.xlarge` VMs (4 vCPUs, 16 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. -If you are using the default attestation variant `awsSEVSNP`, you can use the instance types described in [AWS's AMD SEV-SNP docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html). -Please mind the region restrictions mentioned in the [Getting started](../getting-started/first-steps.md#create-a-cluster) section. - -If you are using the attestation variant `awsNitroTPM`, you can choose any of the [nitroTPM-enabled instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -By default, Constellation uses `Standard_DC4as_v5` CVMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. 
For CVMs, any VM type with a minimum of 4 vCPUs from the [DCasv5 & DCadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series) or [ECasv5 & ECadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/ecasv5-ecadsv5-series) families is supported. - -You can also run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `n2d-standard-4` VMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. Supported are all machines with a minimum of 4 vCPUs from the [C2D](https://cloud.google.com/compute/docs/compute-optimized-machines#c2d_machine_types) or [N2D](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) family. You can run `constellation config instance-types` to get the list of all supported options. - - - - -By default, Constellation uses `m1a.4cd` VMs (4 vCPUs, 30 GB RAM) to create your cluster. -Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. - -The following instance types are known to be supported: - -| name | vCPUs | GB RAM | -|----------|-------|--------| -| m1a.4cd | 4 | 30 | -| m1a.8cd | 8 | 60 | -| m1a.16cd | 16 | 120 | -| m1a.30cd | 30 | 230 | - -You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html). - -The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. - - - - -Fill the desired VM type into the `instanceType` fields in the `constellation-conf.yml` file. - -## Creating additional node groups - -By default, Constellation creates the node groups `control_plane_default` and `worker_default` for control-plane nodes and workers, respectively. 
-If you require additional control-plane or worker groups with different instance types, zone placements, or disk sizes, you can add additional node groups to the `constellation-conf.yml` file. -Each node group can be scaled individually. - -Consider the following example for AWS: - -```yaml -nodeGroups: - control_plane_default: - role: control-plane - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 3 - worker_default: - role: worker - instanceType: c6a.xlarge - stateDiskSizeGB: 30 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 2 - high_cpu: - role: worker - instanceType: c6a.24xlarge - stateDiskSizeGB: 128 - stateDiskType: gp3 - zone: eu-west-1c - initialCount: 1 -``` - -This configuration creates an additional node group `high_cpu` with a larger instance type and disk. - -You can use the field `zone` to specify what availability zone nodes of the group are placed in. -On Azure, this field is empty by default and nodes are automatically spread across availability zones. -STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2`, and `eu01-3` zones. -Consult the documentation of your cloud provider for more information: - -* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) -* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones) -* [GCP](https://cloud.google.com/compute/docs/regions-zones) -* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html) - -## Choosing a Kubernetes version - -To learn which Kubernetes versions can be installed with your current CLI, you can run `constellation config kubernetes-versions`. -See also Constellation's [Kubernetes support policy](../architecture/versions.md#kubernetes-support-policy). - -## Creating an IAM configuration - -You can create an IAM configuration for your cluster automatically using the `constellation iam create` command. 
-If you already have a Constellation configuration file, you can add the `--update-config` flag to the command. This writes the needed IAM fields into your configuration. Furthermore, the flag updates the zone/region of the configuration if it hasn't been set yet. - - - - -You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create aws --zone=us-east-2a --prefix=constellTest -``` - -This command creates IAM configuration for the AWS zone `us-east-2a` using the prefix `constellTest` for all named resources being created. - -Constellation OS images are currently replicated to the following regions: - -* `eu-central-1` -* `eu-west-1` -* `eu-west-3` -* `us-east-2` -* `ap-south-1` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - -You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest -``` - -This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. 
- -CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - -* `germanywestcentral` -* `westus` -* `eastus` -* `northeurope` -* `westeurope` -* `southeastasia` - -If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). - -You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). - -```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --prefix=constell-test -``` - -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. - -Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. - -Paste the output into the corresponding fields of the `constellation-conf.yaml` file. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - - -
-Alternatively, you can manually create the IAM configuration on your CSP. - -The following describes the configuration fields and how you obtain the required information or create the required resources. - - - - -* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`. - - Constellation OS images are currently replicated to the following regions: - * `eu-central-1` - * `eu-west-1` - * `eu-west-3` - * `us-east-2` - * `ap-south-1` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x). - - You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). - -* **zone**: The name of your chosen AWS data center availability zone, e.g., `us-east-2a`. - - Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones). - -* **iamProfileControlPlane**: The name of an IAM instance profile attached to all control-plane nodes. - - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`. - -* **iamProfileWorkerNodes**: The name of an IAM instance profile attached to all worker nodes. 
- - You can create the resource with [Terraform](https://www.terraform.io/). For that, use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile_name`. - - Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`. - - - - -* **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`. - - You can view your subscription UUID via `az account show` and read the `id` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription). - -* **tenant**: The UUID of your Azure tenant, e.g., `3400e5a2-8fe2-492a-886c-38cb66170f25`. - - You can view your tenant UUID via `az account show` and read the `tenant` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant). - -* **location**: The Azure datacenter location you want to deploy your cluster in, e.g., `westus`. - - CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following: - - * `germanywestcentral` - * `westus` - * `eastus` - * `northeurope` - * `westeurope` - * `southeastasia` - - If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+Azure+image+region:+xx-xxxx-x). 
- - You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). - -* **resourceGroup**: [Create a new resource group in Azure](https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal) for your Constellation cluster. Set this configuration field to the name of the created resource group. - -* **userAssignedIdentity**: [Create a new managed identity in Azure](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination. - - Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor`, and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group. - - Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity. - - The user-assigned identity is used by instances of the cluster to access other cloud resources. - For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). - - - - -* **project**: The ID of your GCP project, e.g., `constellation-129857`. - - You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). 
- -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. - - You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. - - You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). - -* **serviceAccountKeyPath**: To configure this, you need to create a GCP [service account](https://cloud.google.com/iam/docs/service-accounts) with the following permissions: - - * `Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)` - * `Compute Network Admin (roles/compute.networkAdmin)` - * `Compute Security Admin (roles/compute.securityAdmin)` - * `Compute Storage Admin (roles/compute.storageAdmin)` - * `Service Account User (roles/iam.serviceAccountUser)` - - Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`. - - - - -STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. - - - -
-
-Now that you've configured your CSP, you can [create your cluster](./create.md).
-
-## Deleting an IAM configuration
-
-You can keep a created IAM configuration and reuse it for new clusters. Alternatively, you can also delete it if you don't want to use it anymore.
-
-Delete the IAM configuration by executing the following command in the same directory where you executed `constellation iam create` (the directory that contains [`constellation-iam-terraform`](../reference/terraform.md) as a subdirectory):
-
-```bash
-constellation iam destroy
-```
-
-:::caution
-For Azure, deleting the IAM configuration by executing `constellation iam destroy` will delete the whole resource group created by `constellation iam create`.
-This also includes any additional resources in the resource group that weren't created by Constellation.
-:::
diff --git a/docs/versioned_docs/version-2.23/workflows/create.md b/docs/versioned_docs/version-2.23/workflows/create.md
deleted file mode 100644
index 6074ebb16..000000000
--- a/docs/versioned_docs/version-2.23/workflows/create.md
+++ /dev/null
@@ -1,93 +0,0 @@ -# Create your cluster - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Creating your cluster happens through multiple phases. -The most significant ones are: - -1. Creating the necessary resources in your cloud environment -2. Bootstrapping the Constellation cluster and setting up a connection -3. Installing the necessary Kubernetes components - -`constellation apply` handles all this in a single command. -You can use the `--skip-phases` flag to skip specific phases of the process. -For example, if you created the infrastructure manually, you can skip the cloud resource creation phase. - -See the [architecture](../architecture/orchestration.md) section for details on the inner workings of this process. - -:::tip -If you don't have a cloud subscription, you can also set up a [local Constellation cluster using virtualization](../getting-started/first-steps-local.md) for testing. -::: - -Before you create the cluster, make sure to have a [valid configuration file](./config.md). - - - - -```bash -constellation apply -``` - -`apply` stores the state of your cluster's cloud resources in a [`constellation-terraform`](../architecture/orchestration.md#cluster-creation-process) directory in your workspace. - - - - -Self-managed infrastructure allows for more flexibility in the setup, by separating the infrastructure setup from the Constellation cluster management. -This provides flexibility in DevOps and can meet potential regulatory requirements. -It's recommended to use Terraform for infrastructure management, but you can use any tool of your choice. - -:::info - - When using Terraform, you can use the [Constellation Terraform provider](./terraform-provider.md) to manage the entire Constellation cluster lifecycle. 
- -::: - -You can refer to the Terraform files for the selected CSP from the [Constellation GitHub repository](https://github.com/edgelesssys/constellation/tree/main/terraform/infrastructure) for a minimum Constellation cluster configuration. From this base, you can now add, edit, or substitute resources per your own requirements with the infrastructure -management tooling of your choice. You need to keep the essential functionality of the base configuration in order for your cluster to function correctly. - - - -:::info - - On Azure, a manual update to the MAA provider's policy is necessary. - You can apply the update with the following command after creating the infrastructure, with `` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration). - - ```bash - constellation maa-patch - ``` - -::: - - - -Make sure all necessary resources are created, e.g., through checking your CSP's portal and retrieve the necessary values, aligned with the outputs (specified in `outputs.tf`) of the base configuration. - -Fill these outputs into the corresponding fields of the `Infrastructure` block inside the `constellation-state.yaml` file. For example, fill the IP or DNS name your cluster can be reached at into the `.Infrastructure.ClusterEndpoint` field. - -With the required cloud resources set up, continue with initializing your cluster. - -```bash -constellation apply --skip-phases=infrastructure -``` - - - - -Finally, configure `kubectl` for your cluster: - -```bash -export KUBECONFIG="$PWD/constellation-admin.conf" -``` - -🏁 That's it. You've successfully created a Constellation cluster. - -### Troubleshooting - -In case `apply` fails, the CLI collects logs from the bootstrapping instance and stores them inside `constellation-cluster.log`. 
diff --git a/docs/versioned_docs/version-2.23/workflows/lb.md b/docs/versioned_docs/version-2.23/workflows/lb.md
deleted file mode 100644
index 868e61076..000000000
--- a/docs/versioned_docs/version-2.23/workflows/lb.md
+++ /dev/null
@@ -1,28 +0,0 @@
-# Expose a service
-
-Constellation integrates the native load balancers of each CSP. Therefore, to expose a service simply [create a service of type `LoadBalancer`](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
-
-## Internet-facing LB service on AWS
-
-To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS.
-
-Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/).
-
-For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html).
-
-:::caution
-Before terminating the cluster, all LB backed services should be deleted, so that the controller can cleanup the related resources.
-:::
-
-## Ingress on AWS
-
-The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`.
-AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type).
-The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation.
-If a service can be exposed on a `NodePort`, the target type `instance` can be used.
-
-See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information.
-
-:::caution
-Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they shouldn't be handling sensitive traffic!
-:::
diff --git a/docs/versioned_docs/version-2.23/workflows/recovery.md b/docs/versioned_docs/version-2.23/workflows/recovery.md
deleted file mode 100644
index 592ae247b..000000000
--- a/docs/versioned_docs/version-2.23/workflows/recovery.md
+++ /dev/null
@@ -1,179 +0,0 @@ -# Recover your cluster - -Recovery of a Constellation cluster means getting it back into a healthy state after too many concurrent node failures in the control plane. -Reasons for an unhealthy cluster can vary from a power outage, or planned reboot, to migration of nodes and regions. -Recovery events are rare, because Constellation is built for high availability and automatically and securely replaces failed nodes. When a node is replaced, Constellation's control plane first verifies the new node before it sends the node the cryptographic keys required to decrypt its [state disk](../architecture/images.md#state-disk). - -Constellation provides a recovery mechanism for cases where the control plane has failed and is unable to replace nodes. -The `constellation recover` command securely connects to all nodes in need of recovery using [attested TLS](../architecture/attestation.md#attested-tls-atls) and provides them with the keys to decrypt their state disks and continue booting. - -## Identify unhealthy clusters - -The first step to recovery is identifying when a cluster becomes unhealthy. -Usually, this can be first observed when the Kubernetes API server becomes unresponsive. - -You can check the health status of the nodes via the cloud service provider (CSP). -Constellation provides logging information on the boot process and status via serial console output. -In the following, you'll find detailed descriptions for identifying clusters stuck in recovery for each CSP. - - - - -First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `--control-plane` and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -In the Azure portal, find the cluster's resource group. -Inside the resource group, open the control plane *Virtual machine scale set* `constellation-scale-set-controlplanes-`. -On the left, go to **Settings** > **Instances** and check that enough members are in a *Running* state. - -Second, check the boot logs of these *Instances*. -In the scale set's *Instances* view, open the details page of the desired instance. -On the left, go to **Support + troubleshooting** > **Serial console**. - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T09:56:41Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"azure"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["10.9.0.5:30090","10.9.0.6:30090"]} -{"level":"INFO","ts":"2022-09-08T09:56:43Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.5:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.5:30090: i/o timeout\"","endpoint":"10.9.0.5:30090"} -{"level":"INFO","ts":"2022-09-08T09:57:03Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"10.9.0.6:30090"} -{"level":"WARN","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 10.9.0.6:30090: i/o timeout\"","endpoint":"10.9.0.6:30090"} -{"level":"ERROR","ts":"2022-09-08T09:57:23Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, check that the control plane *Instance Group* has enough members in a *Ready* state. -In the GCP Console, go to **Instance Groups** and check the group for the cluster's control plane `-control-plane-`. - -Second, check the status of the *VM Instances*. -Go to **VM Instances** and open the details of the desired instance. 
-Check the serial console output of that instance by opening the **Logs** > **Serial port 1 (console)** page: - -![GCP portal serial console link](../_media/recovery-gcp-serial-console-link.png) - -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
-If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} -{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `--control-plane--` and check that enough members are in a *Running* state. - -Second, check the boot logs of these servers. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**. 
- -In the serial console output, search for `Waiting for decryption key`. -Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} -``` - -The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. -If this fails due to an unhealthy control plane, you will see log messages similar to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} -{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} -{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} 
-{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} -{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} -``` - -This means that you have to recover the node manually. - - - - -## Recover a cluster - -Recovering a cluster requires the following parameters: - -* The `constellation-state.yaml` file in your working directory or the cluster's endpoint -* The master secret of the cluster - -A cluster can be recovered like this: - -```bash -$ constellation recover -Pushed recovery key. -Pushed recovery key. -Pushed recovery key. -Recovered 3 control-plane nodes. -``` - -In the serial console output of the node you'll see a similar output to the following: - -```json -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:93","msg":"Received recover call"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer","caller":"recoveryserver/server.go:125","msg":"Received state disk key and measurement secret, shutting down server"} -{"level":"INFO","ts":"2022-09-08T10:26:59Z","logger":"recoveryServer.gRPC","caller":"zap/server_interceptors.go:61","msg":"finished streaming call with code OK","grpc.start_time":"2022-09-08T10:26:59Z","system":"grpc","span.kind":"server","grpc.service":"recoverproto.API","grpc.method":"Recover","peer.address":"192.0.2.3:41752","grpc.code":"OK","grpc.time_ms":15.701} -{"level":"INFO","ts":"2022-09-08T10:27:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:87","msg":"RejoinClient stopped"} -``` 
diff --git a/docs/versioned_docs/version-2.23/workflows/reproducible-builds.md b/docs/versioned_docs/version-2.23/workflows/reproducible-builds.md
deleted file mode 100644
index e3bc46095..000000000
--- a/docs/versioned_docs/version-2.23/workflows/reproducible-builds.md
+++ /dev/null
@@ -1,63 +0,0 @@ -# Reproduce released artifacts - -Constellation has first-class support for [reproducible builds](https://reproducible-builds.org). -Reproducing the released artifacts is an alternative to [signature verification](verify-cli.md) that doesn't require trusting Edgeless Systems' release process. -The following sections describe how to rebuild an artifact and how Constellation ensures that the rebuild reproduces the artifacts bit-by-bit. - -## Build environment prerequisites - -The build systems used by Constellation - [Bazel](https://bazel.build/) and [Nix](https://nixos.org) - are designed for deterministic, reproducible builds. -These two dependencies should be the only prerequisites for a successful build. -However, it can't be ruled out completely that peculiarities of the host affect the build result. -Thus, we recommend the following host setup for best results: - -1. A Linux operating system not older than v5.4. -2. The GNU C library not older than v2.31 (avoid `musl`). -3. GNU `coreutils` not older than v8.30 (avoid `busybox`). -4. An `ext4` filesystem for building. -5. AppArmor turned off. - -This is given, for example, on an Ubuntu 22.04 system, which is also used for reproducibility tests. - -:::note - -To avoid any backwards-compatibility issues, the host software versions should also not be much newer than the Constellation release. - -::: - -## Run the build - -The following instructions outline qualitatively how to reproduce a build. -Constellation implements these instructions in the [Reproducible Builds workflow](https://github.com/edgelesssys/constellation/actions/workflows/reproducible-builds.yml), which continuously tests for reproducibility. -The workflow is a good place to look up specific version numbers and build steps. - -1. Check out the Constellation repository at the tag corresponding to the release. 
- - ```bash - git clone https://github.com/edgelesssys/constellation.git - cd constellation - git checkout v2.20.0 - ``` - -2. [Install the Bazel release](https://bazel.build/install) specified in `.bazelversion`. -3. [Install Nix](https://nixos.org/download/) (any recent version should do). -4. Run the build with `bazel build $target` for one of the following targets of interest: - - ```data - //cli:cli_enterprise_darwin_amd64 - //cli:cli_enterprise_darwin_arm64 - //cli:cli_enterprise_linux_amd64 - //cli:cli_enterprise_linux_arm64 - //cli:cli_enterprise_windows_amd64 - ``` - -5. Compare the build result with the downloaded release artifact. - - - -## Feedback - -Reproduction failures often indicate a bug in the build system or in the build definitions. -Therefore, we're interested in any reproducibility issues you might encounter. -[Start a bug report](https://github.com/edgelesssys/constellation/issues/new/choose) and describe the details of your build environment. -Make sure to include your result binary or a [`diffoscope`](https://diffoscope.org/) report, if possible. diff --git a/docs/versioned_docs/version-2.23/workflows/s3proxy.md b/docs/versioned_docs/version-2.23/workflows/s3proxy.md deleted file mode 100644 index 121e8a461..000000000 --- a/docs/versioned_docs/version-2.23/workflows/s3proxy.md +++ /dev/null 
@@ -1,58 +0,0 @@ -# Install s3proxy - -Constellation includes a transparent client-side encryption proxy for [AWS S3](https://aws.amazon.com/de/s3/) and compatible stores. -s3proxy encrypts objects before sending them to S3 and automatically decrypts them on retrieval, without requiring changes to your application. -With s3proxy, you can use S3 for storage in a confidential way without having to trust the storage provider. - -## Limitations - -Currently, s3proxy has the following limitations: -- Only `PutObject` and `GetObject` requests are encrypted/decrypted by s3proxy. -By default, s3proxy will block requests that may expose unencrypted data to S3 (e.g. UploadPart). -The `allow-multipart` flag disables request blocking for evaluation purposes. -- Using the [Range](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html#API_GetObject_RequestSyntax) header on `GetObject` is currently not supported and will result in an error. - -These limitations will be removed with future iterations of s3proxy. -If you want to use s3proxy but these limitations stop you from doing so, consider [opening an issue](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&projects=&template=feature_request.yml). - -## Deployment - -You can add the s3proxy to your Constellation cluster as follows: -1. Add the Edgeless Systems chart repository: - ```bash - helm repo add edgeless https://helm.edgeless.systems/stable - helm repo update - ``` -2. Set ACCESS_KEY and ACCESS_SECRET to valid credentials you want s3proxy to use to interact with S3. -3. Deploy s3proxy: - ```bash - helm install s3proxy edgeless/s3proxy --set awsAccessKeyID="$ACCESS_KEY" --set awsSecretAccessKey="$ACCESS_SECRET" - ``` - -If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example. 
- - -## Technical details - -### Encryption - -s3proxy relies on Google's [Tink Cryptographic Library](https://developers.google.com/tink) to implement cryptographic operations securely. -The used cryptographic primitives are [NIST SP 800 38f](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf) for key wrapping and [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)-[GCM](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Galois/counter_(GCM)) with 256 bit keys for data encryption. - -s3proxy uses [envelope encryption](https://cloud.google.com/kms/docs/envelope-encryption) to encrypt objects. -This means s3proxy uses a key encryption key (KEK) issued by the [KeyService](../architecture/microservices.md#keyservice) to encrypt data encryption keys (DEKs). -Each S3 object is encrypted with its own DEK. -The encrypted DEK is then saved as metadata of the encrypted object. -This enables key rotation of the KEK without re-encrypting the data in S3. -The approach also allows access to objects from different locations, as long as each location has access to the KEK. - -### Traffic interception - -To use s3proxy, you have to redirect your outbound S3 traffic to s3proxy. -This can either be done by modifying your client application or by changing the deployment of your application. - -The necessary deployment modifications are to add DNS redirection and a trusted TLS certificate to the client's trust store. -DNS redirection can be defined for each pod, allowing you to use s3proxy for one application without changing other applications in the same cluster. -Adding a trusted TLS certificate is necessary as clients communicate with s3proxy via HTTPS. -To have your client application trust s3proxy's TLS certificate, the certificate has to be added to the client's certificate trust store. -The [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example shows how to do this. 
diff --git a/docs/versioned_docs/version-2.23/workflows/sbom.md b/docs/versioned_docs/version-2.23/workflows/sbom.md
deleted file mode 100644
index 6c1702dee..000000000
--- a/docs/versioned_docs/version-2.23/workflows/sbom.md
+++ /dev/null
@@ -1,93 +0,0 @@ -# Consume software bill of materials (SBOMs) - - - ---- - -Constellation builds produce a [software bill of materials (SBOM)](https://www.ntia.gov/SBOM) for each generated [artifact](../architecture/microservices.md). -You can use SBOMs to make informed decisions about dependencies and vulnerabilities in a given application. Enterprises rely on SBOMs to maintain an inventory of used applications, which allows them to take data-driven approaches to managing risks related to vulnerabilities. - -SBOMs for Constellation are generated using [Syft](https://github.com/anchore/syft), signed using [Cosign](https://github.com/sigstore/cosign), and stored with the produced artifact. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). - -Make sure the key is available in a file named `cosign.pub` to execute the following examples. -::: - -## Verify and download SBOMs - -The following sections detail how to work with each type of artifact to verify and extract the SBOM. - -### Constellation CLI - -The SBOM for Constellation CLI is made available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). The SBOM (`constellation.spdx.sbom`) and corresponding signature (`constellation.spdx.sbom.sig`) are valid for each Constellation CLI for a given version, regardless of architecture and operating system. 
- -```bash -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom -curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom.sig -cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig constellation.spdx.sbom -``` - -### Container Images - -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/cosign/signing/other_types/#sboms-software-bill-of-materials) and uploaded to the same registry. - -As a consumer, use cosign to download and verify the SBOM: - -```bash -# Verify and download the attestation statement -cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.att.json -# Extract SBOM from attestation statement -jq -r .payload verification-service.att.json | base64 -d > verification-service.cyclonedx.sbom -``` - -A successful verification should result in similar output: - -```shell-session -$ cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.sbom - -Verification for ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 -- -The following checks were performed on each of these signatures: - - The cosign claims were validated - - The signatures were verified against the specified public key -$ jq -r .payload verification-service.sbom | base64 -d > verification-service.cyclonedx.sbom -``` - -:::note - -This example considers only the `verification-service`. The same approach works for all containers in the [Constellation container registry](https://github.com/orgs/edgelesssys/packages?repo_name=constellation). - -::: - - - -## Vulnerability scanning - -You can use a plethora of tools to consume SBOMs. 
This section provides suggestions for tools that are popular and known to produce reliable results, but any tool that consumes [SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) files should work. - -Syft is able to [convert between the two formats](https://github.com/anchore/syft#format-conversion-experimental) in case you require a specific type. - -### Grype - -[Grype](https://github.com/anchore/grype) is a CLI tool that lends itself well for integration into CI/CD systems or local developer machines. It's also able to consume the signed attestation statement directly and does the verification in one go. - -```bash -grype att:verification-service.sbom --key cosign.pub --add-cpes-if-none -q -``` - -### Dependency Track - -[Dependency Track](https://dependencytrack.org/) is one of the oldest and most mature solutions when it comes to managing software inventory and vulnerabilities. Once imported, it continuously scans SBOMs for new vulnerabilities. It supports the CycloneDX format and provides direct guidance on how to comply with [U.S. Executive Order 14028](https://docs.dependencytrack.org/usage/executive-order-14028/). diff --git a/docs/versioned_docs/version-2.23/workflows/scale.md b/docs/versioned_docs/version-2.23/workflows/scale.md deleted file mode 100644 index 28f19e3f1..000000000 --- a/docs/versioned_docs/version-2.23/workflows/scale.md +++ /dev/null 
@@ -1,122 +0,0 @@ -# Scale your cluster - -Constellation provides all features of a Kubernetes cluster including scaling and autoscaling. - -## Worker node scaling - -### Autoscaling - -Constellation comes with autoscaling disabled by default. To enable autoscaling, find the scaling group of -worker nodes: - -```bash -kubectl get scalinggroups -o json | yq '.items | .[] | select(.spec.role == "Worker") | [{"name": .metadata.name, "nodeGoupName": .spec.nodeGroupName}]' -``` - -This will output a list of scaling groups with the corresponding cloud provider name (`name`) and the cloud provider agnostic name of the node group (`nodeGroupName`). - -Then, patch the `autoscaling` field of the scaling group resource with the desired `name` to `true`: - -```bash -# Replace with the name of the scaling group you want to enable autoscaling for -worker_group= -kubectl patch scalinggroups $worker_group --patch '{"spec":{"autoscaling": true}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler now automatically provisions additional worker nodes so that all pods have a place to run. -You can configure the minimum and maximum number of worker nodes in the scaling group by patching the `min` or -`max` fields of the scaling group resource: - -```bash -kubectl patch scalinggroups $worker_group --patch '{"spec":{"max": 5}}' --type='merge' -kubectl get scalinggroup $worker_group -o jsonpath='{.spec}' | yq -P -``` - -The cluster autoscaler will now never provision more than 5 worker nodes. - -If you want to see the autoscaling in action, try to add a deployment with a lot of replicas, like the -following Nginx deployment. The number of replicas needed to trigger the autoscaling depends on the size of -and count of your worker nodes. 
Wait for the rollout of the deployment to finish and compare the number of -worker nodes before and after the deployment: - -```bash -kubectl create deployment nginx --image=nginx --replicas 150 -kubectl -n kube-system get nodes -kubectl rollout status deployment nginx -kubectl -n kube-system get nodes -``` - -### Manual scaling - -Alternatively, you can manually scale your cluster up or down: - - - - -1. Go to Auto Scaling Groups and select the worker ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-workers`. -3. Go to **settings** and **scaling**. -4. Set the new **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **worker** instance group. -3. Set the new **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. - - - - -## Control-plane node scaling - -Control-plane nodes can **only be scaled manually and only scaled up**! - -To increase the number of control-plane nodes, follow these steps: - - - - -1. Go to Auto Scaling Groups and select the control-plane ASG to scale up. -2. Click **Edit** -3. Set the new (increased) **Desired capacity** and **Update**. - - - - -1. Find your Constellation resource group. -2. Select the `scale-set-controlplanes`. -3. Go to **settings** and **scaling**. -4. Set the new (increased) **instance count** and **save**. - - - - -1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/). -2. **Edit** the **control-plane** instance group. -3. Set the new (increased) **number of instances** and **save**. - - - - -Dynamic cluster scaling isn't yet supported for STACKIT. -Support will be introduced in one of the upcoming releases. 
- - - - -If you scale down the number of control-planes nodes, the removed nodes won't be able to exit the `etcd` cluster correctly. This will endanger the quorum that's required to run a stable Kubernetes control plane. diff --git a/docs/versioned_docs/version-2.23/workflows/storage.md b/docs/versioned_docs/version-2.23/workflows/storage.md deleted file mode 100644 index a5c52be90..000000000 --- a/docs/versioned_docs/version-2.23/workflows/storage.md +++ /dev/null 
@@ -1,281 +0,0 @@ -# Use persistent storage - -Persistent storage in Kubernetes requires cloud-specific configuration. -For abstraction of container storage, Kubernetes offers [volumes](https://kubernetes.io/docs/concepts/storage/volumes/), -allowing users to mount storage solutions directly into containers. -The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes. -Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage. - -## Confidential storage - -Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek). -Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT. -However, their encryption takes place in the storage backend and is managed by the CSP. -Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data. - -To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage. - -For more details see [encrypted persistent storage](../architecture/encrypted-storage.md). - -## CSI drivers - -Constellation supports the following drivers, which offer node-level encryption and optional integrity protection. - - - - -**Constellation CSI driver for AWS Elastic Block Store** -Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster. 
-Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information. - - - - -**Constellation CSI driver for Azure Disk**: -Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster. -See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information. -Since Azure Disks are mounted as `ReadWriteOnce`, they're only available to a single pod. - - - - -**Constellation CSI driver for GCP Persistent Disk**: -Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for more information. - - - - -**Constellation CSI driver for STACKIT / OpenStack Cinder** -Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information. - - - - -Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [AWS EFS](https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html), [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction), or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. 
Constellation is just not providing transparent encryption on the node level for these storage types yet. - -## Installation - -The Constellation CLI automatically installs Constellation's CSI driver for the selected CSP in your cluster. -If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file. - - - - -AWS comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -Azure comes with two storage classes by default. 
- -* `encrypted-rwo` - * Uses [Standard SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [Premium SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#premium-ssds) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -GCP comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [standard persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [performance (SSD) persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. 
-If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -STACKIT comes with two storage classes by default. - -* `encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk -* `integrity-encrypted-rwo` - * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) - * ext-4 filesystem - * Encryption of all data written to disk - * Integrity protection of data written to disk - -For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). - -:::info - -The default storage class is set to `encrypted-rwo` for performance reasons. -If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. - -Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. -Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. - -Note that volume expansion isn't supported for integrity-protected disks. - -::: - - - - -1. 
Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) - - A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. - It can refer to a storage class. - The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class: - - ```bash - cat < - ---- - -You can terminate your cluster using the CLI. For this, you need the Terraform state directory named [`constellation-terraform`](../reference/terraform.md) in the current directory. - -:::danger - -All ephemeral storage and state of your cluster will be lost. Make sure any data is safely stored in persistent storage. Constellation can recreate your cluster and the associated encryption keys, but won't backup your application data automatically. - -::: - - - -Terminate the cluster by running: - -```bash -constellation terminate -``` - -Or without confirmation (e.g., for automation purposes): - -```bash -constellation terminate --yes -``` - -This deletes all resources created by Constellation in your cloud environment. -All local files created by the `apply` command are deleted as well, except for `constellation-mastersecret.json` and the configuration file. - -:::caution - -Termination can fail if additional resources have been created that depend on the ones managed by Constellation. In this case, you need to delete these additional -resources manually. Just run the `terminate` command again afterward to continue the termination process of the cluster. - -::: - - - -Terminate the cluster by running: - -```bash -terraform destroy -``` - -Delete all files that are no longer needed: - -```bash -rm constellation-state.yaml constellation-admin.conf -``` - -Only the `constellation-mastersecret.json` and the configuration file remain. - - - 
diff --git a/docs/versioned_docs/version-2.23/workflows/terraform-provider.md b/docs/versioned_docs/version-2.23/workflows/terraform-provider.md
deleted file mode 100644
index c7a795d3f..000000000
--- a/docs/versioned_docs/version-2.23/workflows/terraform-provider.md
+++ /dev/null
@@ -1,140 +0,0 @@ -# Use the Terraform provider - -The Constellation Terraform provider allows to manage the full lifecycle of a Constellation cluster (namely creation, upgrades, and deletion) via Terraform. -The provider is available through the [Terraform registry](https://registry.terraform.io/providers/edgelesssys/constellation/latest) and is released in lock-step with Constellation releases. - -## Prerequisites - -- a Linux / Mac operating system (ARM64/AMD64) -- a Terraform installation of version `v1.4.4` or above - -## Quick setup - -This example shows how to set up a Constellation cluster with the reference IAM and infrastructure setup. This setup is also used when creating a Constellation cluster through the Constellation CLI. You can either consume the IAM / infrastructure modules through a remote source (recommended) or local files. The latter requires downloading the infrastructure and IAM modules for the corresponding CSP from `terraform-modules.zip` on the [Constellation release page](https://github.com/edgelesssys/constellation/releases/latest) and placing them in the Terraform workspace directory. - -1. Create a directory (workspace) for your Constellation cluster. - - ```bash - mkdir constellation-workspace - cd constellation-workspace - ``` - -2. Use one of the [example configurations for using the Constellation Terraform provider](https://github.com/edgelesssys/constellation/tree/main/terraform-provider-constellation/examples/full) or create a `main.tf` file and fill it with the resources you want to create. The [Constellation Terraform provider documentation](https://registry.terraform.io/providers/edgelesssys/constellation/latest) offers thorough documentation on the resources and their attributes. -3. Initialize and apply the Terraform configuration. - - - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -:::info -On SEV-SNP, you need to manually patch the policy of the MAA provider before creating the Constellation cluster, as this feature isn't available in Azure's Terraform provider yet. The Constellation CLI provides a utility for patching, but you can also do it manually. - - ```bash - terraform init - terraform apply -target module.azure_iam # adjust resource path if not using the example configuration - terraform apply -target module.azure_infrastructure # adjust resource path if not using the example configuration - constellation maa-patch $(terraform output -raw maa_url) # adjust output path / input if not using the example configuration or manually patch the resource - terraform apply -target constellation_cluster.azure_example # adjust resource path if not using the example configuration - ``` - - Use the following policy if manually performing the patch. - - ``` - version= 1.0; - authorizationrules - { - [type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny(); - [type=="x-ms-azurevm-debuggersdisabled", value==false] => deny(); - // The line below was edited to use the MAA provider within Constellation. Do not edit manually. - //[type=="secureboot", value==false] => deny(); - [type=="x-ms-azurevm-signingdisabled", value==false] => deny(); - [type=="x-ms-azurevm-dbvalidated", value==false] => deny(); - [type=="x-ms-azurevm-dbxvalidated", value==false] => deny(); - => permit(); - }; - issuancerules - { - }; - ``` - -::: - - Initialize the providers and apply the configuration. 
- - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - Initialize the providers and apply the configuration. - - ```bash - terraform init - terraform apply - ``` - - Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. - - - -4. Connect to the cluster. - - ```bash - terraform output -raw kubeconfig > constellation-admin.conf - export KUBECONFIG=$(realpath constellation-admin.conf) - ``` - -## Bringing your own infrastructure - -Instead of using the example infrastructure used in the [quick setup](#quick-setup), you can also provide your own infrastructure. -If you need a starting point for a custom infrastructure setup, you can download the infrastructure / IAM Terraform modules for the respective CSP from the Constellation [GitHub releases](https://github.com/edgelesssys/constellation/releases). You can modify and extend the modules per your requirements, while keeping the basic functionality intact. 
-The module contains: - -- `{csp}`: cloud resources the cluster runs on -- `iam/{csp}`: IAM resources used within the cluster - -When upgrading your cluster, make sure to check the Constellation release notes for potential breaking changes in the reference infrastructure / IAM modules that need to be considered. - -## Cluster upgrades - -:::tip -Also see the [general documentation on cluster upgrades](./upgrade.md). -::: - -The steps for applying the upgrade are as follows: - -1. Update the version constraint of the Constellation Terraform provider in the `required_providers` block in your Terraform configuration. -2. If you explicitly set any of the version attributes of the provider's resources and data sources (e.g. `image_version` or `constellation_microservice_version`), make sure to update them too. Refer to Constellation's [version support policy](https://github.com/edgelesssys/constellation/blob/main/dev-docs/workflows/versions-support.md) for more information on how each Constellation version and its dependencies are supported. -3. Update the IAM / infrastructure configuration. - - For [remote addresses as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#fetching-archives-over-http), update the version number inside the address of the `source` field of the infrastructure / IAM module to the target version. - - For [local paths as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#local-paths) or when [providing your own infrastructure](#bringing-your-own-infrastructure), see the changes made in the reference modules since the upgrade's origin version and adjust your infrastructure / IAM configuration accordingly. -4. Upgrade the Terraform module and provider dependencies and apply the targeted configuration. - -```bash - terraform init -upgrade - terraform apply -``` 
diff --git a/docs/versioned_docs/version-2.23/workflows/troubleshooting.md b/docs/versioned_docs/version-2.23/workflows/troubleshooting.md
deleted file mode 100644
index 903c829e0..000000000
--- a/docs/versioned_docs/version-2.23/workflows/troubleshooting.md
+++ /dev/null
@@ -1,200 +0,0 @@ -# Troubleshooting - -This section aids you in finding problems when working with Constellation. - -## Common issues - -### Issues with creating new clusters - -When you create a new cluster, you should always use the [latest release](https://github.com/edgelesssys/constellation/releases/latest). -If something doesn't work, check out the [known issues](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22). - -### Azure: Resource Providers can't be registered - -On Azure, you may receive the following error when running `apply` or `terminate` with limited IAM permissions: - -```shell-session -Error: Error ensuring Resource Providers are registered. - -Terraform automatically attempts to register the Resource Providers it supports to -ensure it's able to provision resources. - -If you don't have permission to register Resource Providers you may wish to use the -"skip_provider_registration" flag in the Provider block to disable this functionality. - -[...] -``` - -To continue, please ensure that the [required resource providers](../getting-started/install.md#required-permissions) have been registered in your subscription by your administrator. - -Afterward, set `ARM_SKIP_PROVIDER_REGISTRATION=true` as an environment variable and either run `apply` or `terminate` again. 
-For example: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation apply -``` - -Or alternatively, for `terminate`: - -```bash -ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate -``` - -### Azure: Can't update attestation policy - -On Azure, you may receive the following error when running `apply` from within an Azure environment, e.g., an Azure VM: - -```shell-session -An error occurred: patching policies: updating attestation policy: unexpected status code: 403 Forbidden -``` - -The problem occurs because the Azure SDK we use internally attempts to [authenticate towards the Azure API with the managed identity of your current environment instead of the Azure CLI token](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential). - -We decided not to deviate from this behavior and comply with the ordering of credentials. - -A solution is to add the [required permissions](../getting-started/install.md#required-permissions) to the managed identity of your environment. For example, the managed identity of your Azure VM, instead of the account that you've authenticated with in the Azure CLI. - -If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior. - - - -### Nodes fail to join with error `untrusted measurement value` - -This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice). -This may for example happen if the cloud provider updates the VM's firmware such that it influences the [runtime measurements](../architecture/attestation.md#runtime-measurements) in an unforeseen way. -A failed upgrade due to an erroneous attestation config can also cause this error. -You can change the expected measurements to resolve the failure. 
- -:::caution - -Attestation and trusted measurements are crucial for the security of your cluster. -Be extra careful when manually changing these settings. -When in doubt, check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -:::tip - -During an upgrade with modified attestation config, a backup of the current configuration is stored in the `join-config` config map in the `kube-system` namespace under the `attestationConfig_backup` key. To restore the old attestation config after a failed upgrade, replace the value of `attestationConfig` with the value from `attestationConfig_backup`: - -```bash -kubectl patch configmaps -n kube-system join-config -p "{\"data\":{\"attestationConfig\":\"$(kubectl get configmaps -n kube-system join-config -o "jsonpath={.data.attestationConfig_backup}")\"}}" -``` - -::: - -You can use the `apply` command to change measurements of a running cluster: - -1. Modify the `measurements` key in your local `constellation-conf.yaml` to the expected values. -2. Run `constellation apply`. - -Keep in mind that running `apply` also applies any version changes from your config to the cluster. - -You can run these commands to learn about the versions currently configured in the cluster: - -- Kubernetes API server version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.kubernetesClusterVersion` -- image version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.imageVersion` -- microservices versions: `helm list --filter 'constellation-services' -n kube-system` - -### Upgrading Kubernetes resources fails - -Constellation manages its Kubernetes resources using Helm. 
-When applying an upgrade, the charts that are about to be installed, and a values override file `overrides.yaml`, -are saved to disk in your current workspace under `constellation-upgrade/upgrade-/helm-charts/`. -If upgrading the charts using the Constellation CLI fails, you can review these charts and try to manually apply the upgrade. - -:::caution - -Changing and manually applying the charts may destroy cluster resources and can lead to broken Constellation deployments. -Proceed with caution and when in doubt, -check if the encountered [issue is known](https://github.com/edgelesssys/constellation/issues?q=is%3Aopen+is%3Aissue+label%3A%22known+issue%22) or [contact support](https://github.com/edgelesssys/constellation#support). - -::: - -## Diagnosing issues - -### Logs - -To get started on diagnosing issues with Constellation, it's often helpful to collect logs from nodes, pods, or other resources in the cluster. Most logs are available through Kubernetes' standard -[logging interfaces](https://kubernetes.io/docs/concepts/cluster-administration/logging/). - -To debug issues occurring at boot time of the nodes, you can use the serial console interface of the CSP while the machine boots to get a read-only view of the boot logs. - -Apart from that, Constellation also offers further [observability integrations](../architecture/observability.md). - -### Node shell access - -Debugging via a shell on a node is [directly supported by Kubernetes](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#node-shell-session). - -1. Figure out which node to connect to: - - ```bash - kubectl get nodes - # or to see more information, such as IPs: - kubectl get nodes -o wide - ``` - -2. Connect to the node: - - ```bash - kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox - ``` - - You will be presented with a prompt. - - The nodes file system is mounted at `/host`. - -3. 
Once finished, clean up the debug pod: - - ```bash - kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj - ``` - -### Emergency SSH access - -Emergency SSH access to nodes can be useful to diagnose issues or download important data even if the Kubernetes API isn't reachable anymore. - -1. Enter the `constellation-terraform` directory in your Constellation workspace and enable emergency SSH access to the cluster: - - ```bash - cd constellation-terraform - echo "emergency_ssh = true" >> ./terraform.tfvars - terraform apply - ``` - -2. Sign an existing SSH key with your master secret: - - ```bash - cd ../ # go back to your Constellation workspace - constellation ssh --key your_public_key.pub - ``` - - A certificate is written to `constellation_cert.pub`. - - The certificate is valid for 24 hours and enables you to access your Constellation nodes using - [certificate based authentication](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication). - -3. Now you can connect to any Constellation node using your certificate and your private key. - - ```bash - ssh -o CertificateFile=constellation_cert.pub -i root@ - ``` - - Normally, you don't have access to the Constellation nodes since they reside in a private network. - To access those nodes anyways, you can use your Constellation load balancer as a proxy jump host. - For this, use something along the following SSH client configuration: - - ```text - Host - ProxyJump none - - Host * - IdentityFile - PreferredAuthentications publickey - CertificateFile=constellation_cert.pub - User root - ProxyJump - ``` - - With this configuration you can connect to a Constellation node using `ssh -F `. - You can obtain the private node IP and the domain name of the load balancer using your CSP's web UI. diff --git a/docs/versioned_docs/version-2.23/workflows/trusted-launch.md b/docs/versioned_docs/version-2.23/workflows/trusted-launch.md deleted file mode 100644 index d6d01d8eb..000000000 
--- a/docs/versioned_docs/version-2.23/workflows/trusted-launch.md
+++ /dev/null
@@ -1,54 +0,0 @@ -# Use Azure trusted launch VMs - -Constellation also supports [trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch) on Microsoft Azure. Trusted launch VMs don't offer the same level of security as Confidential VMs, but are available in more regions and in larger quantities. The main difference between trusted launch VMs and normal VMs is that the former offer vTPM-based remote attestation. When used with trusted launch VMs, Constellation relies on vTPM-based remote attestation to verify nodes. - -:::caution - -Trusted launch VMs don't provide runtime encryption and don't keep the cloud service provider (CSP) out of your trusted computing base. - -::: - -Constellation supports trusted launch VMs with instance types `Standard_D*_v4` and `Standard_E*_v4`. Run `constellation config instance-types` for a list of all supported instance types. - -## VM images - -Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription. - -The latest image is available at `https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img`. Simply adjust the version number to download a newer version. - -After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image. -You can use a script to do this: - -```bash -wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh -chmod +x importAzure.sh -AZURE_IMAGE_VERSION=2.2.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./constellation.img ./importAzure.sh -``` - -The script creates the following resources: - -1. A new image gallery with the default name `constellation-import` -2. A new image definition with the default name `constellation` -3. 
The actual image with the provided version. In this case `2.2.0` - -Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`. - -Fetch the image measurements: - -```bash -IMAGE_VERSION=2.2.0 -URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//communitygalleries/constellationcvm-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/$IMAGE_VERSION/measurements.yaml -constellation config fetch-measurements -u$URL -s$URL.sig -``` - -:::info - -The [`constellation apply`](create.md) command will issue a warning because manually imported images aren't recognized as production grade images: - -```shell-session -Configured image doesn't look like a released production image. Double check image before deploying to production. -``` - -Please ignore this warning. - -::: diff --git a/docs/versioned_docs/version-2.23/workflows/upgrade.md b/docs/versioned_docs/version-2.23/workflows/upgrade.md deleted file mode 100644 index 3db2ecad6..000000000 --- a/docs/versioned_docs/version-2.23/workflows/upgrade.md +++ /dev/null 
@@ -1,110 +0,0 @@ -# Upgrade your cluster - -Constellation provides an easy way to upgrade all components of your cluster, without disrupting its availability. -Specifically, you can upgrade the Kubernetes version, the nodes' image, and the Constellation microservices. -You configure the desired versions in your local Constellation configuration and trigger upgrades with the `apply` command. -To learn about available versions you use the `upgrade check` command. -Which versions are available depends on the CLI version you are using. - -## Update the CLI - -Each CLI comes with a set of supported microservice and Kubernetes versions. -Most importantly, a given CLI version can only upgrade a cluster of the previous minor version, but not older ones. -This means that you have to upgrade your CLI and cluster one minor version at a time. - -For example, if you are currently on CLI version v2.6 and the latest version is v2.8, you should - -* upgrade the CLI to v2.7, -* upgrade the cluster to v2.7, -* and only then continue upgrading the CLI (and the cluster) to v2.8 after. - -Also note that if your current Kubernetes version isn't supported by the next CLI version, use your current CLI to upgrade to a newer Kubernetes version first. - -To learn which Kubernetes versions are supported by a particular CLI, run [constellation config kubernetes-versions](../reference/cli.md#constellation-config-kubernetes-versions). - -## Migrate the configuration - -The Constellation configuration file is located in the file `constellation-conf.yaml` in your workspace. -Refer to the [migration reference](../reference/migration.md) to check if you need to update fields in your configuration file. -Use [`constellation config migrate`](../reference/cli.md#constellation-config-migrate) to automatically update an old config file to a new format. 
- -## Check for upgrades - -To learn which versions the current CLI can upgrade to and what's installed in your cluster, run: - -```bash -# Show possible upgrades -constellation upgrade check - -# Show possible upgrades and write them to config file -constellation upgrade check --update-config -``` - -You can either enter the reported target versions into your config manually or run the above command with the `--update-config` flag. -When using this flag, the `kubernetesVersion`, `image`, `microserviceVersion`, and `attestation` fields are overwritten with the smallest available upgrade. - -## Apply the upgrade - -Once you updated your config with the desired versions, you can trigger the upgrade with this command: - -```bash -constellation apply -``` - -Microservice upgrades will be finished within a few minutes, depending on the cluster size. -If you are interested, you can monitor pods restarting in the `kube-system` namespace with your tool of choice. - -Image and Kubernetes upgrades take longer. -For each node in your cluster, a new node has to be created and joined. -The process usually takes up to ten minutes per node. - -When applying an upgrade, the Helm charts for the upgrade as well as backup files of Constellation-managed Custom Resource Definitions, Custom Resources, and Terraform state are created. -You can use the Terraform state backup to restore previous resources in case an upgrade misconfigured or erroneously deleted a resource. -You can use the Custom Resource (Definition) backup files to restore Custom Resources and Definitions manually (e.g., via `kubectl apply`) if the automatic migration of those resources fails. -You can use the Helm charts to manually apply upgrades to the Kubernetes resources, should an upgrade fail. - -:::note - -For advanced users: the upgrade consists of several phases that can be individually skipped through the `--skip-phases` flag. 
-The phases are `infrastracture` for the cloud resource management through Terraform, `helm` for the chart management of the microservices, `image` for OS image upgrades, and `k8s` for Kubernetes version upgrades. - -::: - -## Check the status - -Upgrades are asynchronous operations. -After you run `apply`, it will take a while until the upgrade has completed. -To understand if an upgrade is finished, you can run: - -```bash -constellation status -``` - -This command displays the following information: - -* The installed services and their versions -* The image and Kubernetes version the cluster is expecting on each node -* How many nodes are up to date - -Here's an example output: - -```shell-session -Target versions: - Image: v2.6.0 - Kubernetes: v1.25.8 -Service versions: - Cilium: v1.12.1 - cert-manager: v1.10.0 - constellation-operators: v2.6.0 - constellation-services: v2.6.0 -Cluster status: Some node versions are out of date - Image: 23/25 - Kubernetes: 25/25 -``` - -This output indicates that the cluster is running Kubernetes version `1.25.8`, and all nodes have the appropriate binaries installed. -23 out of 25 nodes have already upgraded to the targeted image version of `2.6.0`, while two are still in progress. - -## Apply further upgrades - -After the upgrade is finished, you can run `constellation upgrade check` again to see if there are more upgrades available. If so, repeat the process. diff --git a/docs/versioned_docs/version-2.23/workflows/verify-cli.md b/docs/versioned_docs/version-2.23/workflows/verify-cli.md deleted file mode 100644 index e33569d37..000000000 --- a/docs/versioned_docs/version-2.23/workflows/verify-cli.md +++ /dev/null 
@@ -1,129 +0,0 @@ -# Verify the CLI - -:::info -This recording presents the essence of this page. It's recommended to read it in full for the motivation and all details. -::: - - - ---- - -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/cosign/signing/overview/), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at `https://rekor.sigstore.dev`. - -:::note -The public key for Edgeless Systems' long-term code-signing key is: - -``` ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT -JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== ------END PUBLIC KEY----- -``` - -The public key is also available for download at [https://edgeless.systems/es.pub](https://edgeless.systems/es.pub) and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). -::: - -The Rekor transparency log is a public append-only ledger that verifies and records signatures and associated metadata. The Rekor transparency log enables everyone to observe the sequence of (software) signatures issued by Edgeless Systems and many other parties. The transparency log allows for the public identification of dubious or malicious signatures. - -You should always ensure that (1) your CLI executable was signed with the private key corresponding to the above public key and that (2) there is a corresponding entry in the Rekor transparency log. Both can be done as described in the following. - -:::info -You don't need to verify the Constellation node images. This is done automatically by your CLI and the rest of Constellation. 
-::: - -## Verify the signature - -:::info -This guide assumes Linux on an amd64 processor. The exact steps for other platforms differ slightly. -::: - -First, [install the Cosign CLI](https://docs.sigstore.dev/cosign/system_config/installation/). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: - -```shell-session -$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -Verified OK -``` - -The above performs an offline verification of the provided public key, signature, and executable. To also verify that a corresponding entry exists in the public Rekor transparency log, add the variable `COSIGN_EXPERIMENTAL=1`: - -```shell-session -$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 - -tlog entry verified with uuid: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 index: 3477047 -Verified OK -``` - -🏁 You now know that your CLI executable was officially released and signed by Edgeless Systems. - -### Optional: Manually inspect the transparency log - -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) 
- -```shell-session -$ rekor-cli search --artifact constellation-linux-amd64 - -Found matching entries (listed by UUID): -362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -``` - -With this UUID you can get the full entry from the transparency log: - -```shell-session -$ rekor-cli get --uuid=362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 - -LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d -Index: 3477047 -IntegratedTime: 2022-09-12T22:28:16Z -UUID: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 -Body: { - "HashedRekordObj": { - "data": { - "hash": { - "algorithm": "sha256", - "value": "40e137b9b9b8204d672642fd1e181c6d5ccb50cfc5cc7fcbb06a8c2c78f44aff" - } - }, - "signature": { - "content": "MEUCIQCSER3mGj+j5Pr2kOXTlCIHQC3gT30I7qkLr9Awt6eUUQIgcLUKRIlY50UN8JGwVeNgkBZyYD8HMxwC/LFRWoMn180=", - "publicKey": { - "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZjhGMWhwbXdFK1lDRlh6akd0YVFjckw2WFpWVApKbUVlNWlTTHZHMVN5UVNBZXc3V2RNS0Y2bzl0OGUyVEZ1Q2t6bE9oaGx3czJPSFdiaUZabkZXQ0Z3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" - } - } - } -} -``` - -The field `publicKey` should contain Edgeless Systems' public key in Base64 encoding. - -You can get an exhaustive list of artifact signatures issued by Edgeless Systems via the following command: - -```bash -rekor-cli search --public-key https://edgeless.systems/es.pub --pki-format x509 -``` - -Edgeless Systems monitors this list to detect potential unauthorized use of its private key. - -## Verify the provenance - -Provenance attests that a software artifact was produced by a specific repository and build system invocation. For more information on provenance visit [slsa.dev](https://slsa.dev/provenance/v0.2) and learn about the [adoption of SLSA for Constellation](../reference/slsa.md). 
- -Just as checking its signature proves that the CLI hasn't been manipulated, checking the provenance proves that the artifact was produced by the expected build process and hasn't been tampered with. - -To verify the provenance, first install the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Then make sure you have the provenance file (`constellation.intoto.jsonl`) and Constellation CLI downloaded. Both are available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). - -:::info -The same provenance file is valid for all Constellation CLI executables of a given version independent of the target platform. -::: - -Use the verifier to perform the check: - -```shell-session -$ slsa-verifier verify-artifact constellation-linux-amd64 \ - --provenance-path constellation.intoto.jsonl \ - --source-uri github.com/edgelesssys/constellation - -Verified signature against tlog entry index 7771317 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77af2c04c8b4ae0d5bc5... -Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2 at commit 18e9924b416323c37b9cdfd6cc728de8a947424a -PASSED: Verified SLSA provenance -``` diff --git a/docs/versioned_docs/version-2.23/workflows/verify-cluster.md b/docs/versioned_docs/version-2.23/workflows/verify-cluster.md deleted file mode 100644 index b6595ebf2..000000000 --- a/docs/versioned_docs/version-2.23/workflows/verify-cluster.md +++ /dev/null 
@@ -1,97 +0,0 @@ -# Verify your cluster - -Constellation's [attestation feature](../architecture/attestation.md) allows you, or a third party, to verify the integrity and confidentiality of your Constellation cluster. - -## Fetch measurements - -To verify the integrity of Constellation you need trusted measurements to verify against. For each node image released by Edgeless Systems, there are signed measurements, which you can download using the CLI: - -```bash -constellation config fetch-measurements -``` - -This command performs the following steps: - -1. Download the signed measurements for the configured image. By default, this will use Edgeless Systems' public measurement registry. -2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub). -3. Write measurements into configuration file. - -The configuration file then contains a list of `measurements` similar to the following: - -```yaml -# ... -measurements: - 0: - expected: "0f35c214608d93c7a6e68ae7359b4a8be5a0e99eea9107ece427c4dea4e439cf" - warnOnly: false - 4: - expected: "02c7a67c01ec70ffaf23d73a12f749ab150a8ac6dc529bda2fe1096a98bf42ea" - warnOnly: false - 5: - expected: "e6949026b72e5045706cd1318889b3874480f7a3f7c5c590912391a2d15e6975" - warnOnly: true - 8: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 9: - expected: "f0a6e8601b00e2fdc57195686cd4ef45eb43a556ac1209b8e25d993213d68384" - warnOnly: false - 11: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 12: - expected: "da99eb6cf7c7fbb692067c87fd5ca0b7117dc293578e4fea41f95d3d3d6af5e2" - warnOnly: false - 13: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - warnOnly: false - 14: - expected: "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" - warnOnly: true - 15: - expected: "0000000000000000000000000000000000000000000000000000000000000000" - 
warnOnly: false -# ... -``` - -Each entry specifies the expected value of the Constellation node, and whether the measurement should be enforced (`warnOnly: false`), or only a warning should be logged (`warnOnly: true`). -By default, the subset of the [available measurements](../architecture/attestation.md#runtime-measurements) that can be locally reproduced and verified is enforced. - -During attestation, the validating side (CLI or [join service](../architecture/microservices.md#joinservice)) compares each measurement reported by the issuing side (first node or joining node) individually. -For mismatching measurements that have set `warnOnly` to `true` only a warning is emitted. -For mismatching measurements that have set `warnOnly` to `false` an error is emitted and attestation fails. -If attestation fails for a new node, it isn't permitted to join the cluster. - -## The *verify* command - -:::note -The steps below are purely optional. They're automatically executed by `constellation apply` when you initialize your cluster. The `constellation verify` command mostly has an illustrative purpose. -::: - -The `verify` command obtains and verifies an attestation statement from a running Constellation cluster. - -```bash -constellation verify [--cluster-id ...] -``` - -From the attestation statement, the command verifies the following properties: - -* The cluster is using the correct Confidential VM (CVM) type. -* Inside the CVMs, the correct node images are running. The node images are identified through the measurements obtained in the previous step. -* The unique ID of the cluster matches the one from your `constellation-state.yaml` file or passed in via `--cluster-id`. - -Once the above properties are verified, you know that you are talking to the right Constellation cluster and it's in a good and trustworthy shape. - -### Custom arguments - -The `verify` command also allows you to verify any Constellation deployment that you have network access to. 
For this you need the following: - -* The IP address of a running Constellation cluster's [VerificationService](../architecture/microservices.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`. -* The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details. -* A `constellation-conf.yaml` file with the expected measurements of the cluster in your working directory. - -For example: - -```shell-session -constellation verify -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ= -``` diff --git a/docs/versioned_docs/version-2.3/getting-started/first-steps.md b/docs/versioned_docs/version-2.3/getting-started/first-steps.md index d1cd06cf6..02fbdb696 100644 --- a/docs/versioned_docs/version-2.3/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.3/getting-started/first-steps.md @@ -62,10 +62,10 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
diff --git a/docs/versioned_docs/version-2.3/workflows/config.md b/docs/versioned_docs/version-2.3/workflows/config.md index 20aa0dada..652e58a38 100644 --- a/docs/versioned_docs/version-2.3/workflows/config.md +++ b/docs/versioned_docs/version-2.3/workflows/config.md @@ -90,10 +90,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session. ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -183,11 +183,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.4/getting-started/first-steps.md b/docs/versioned_docs/version-2.4/getting-started/first-steps.md index 44e66ea95..d277b9e09 100644 --- a/docs/versioned_docs/version-2.4/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.4/getting-started/first-steps.md 
@@ -62,10 +62,10 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. diff --git a/docs/versioned_docs/version-2.4/workflows/config.md b/docs/versioned_docs/version-2.4/workflows/config.md index 20aa0dada..652e58a38 100644 --- a/docs/versioned_docs/version-2.4/workflows/config.md +++ b/docs/versioned_docs/version-2.4/workflows/config.md 
@@ -90,10 +90,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session. ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. @@ -183,11 +183,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). 
diff --git a/docs/versioned_docs/version-2.5/getting-started/first-steps.md b/docs/versioned_docs/version-2.5/getting-started/first-steps.md index 9ce1d6be2..02b60d45a 100644 --- a/docs/versioned_docs/version-2.5/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.5/getting-started/first-steps.md @@ -34,10 +34,10 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --generate-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --generate-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. diff --git a/docs/versioned_docs/version-2.5/workflows/config.md b/docs/versioned_docs/version-2.5/workflows/config.md index 71f2d019d..2edf3bdf6 100644 --- a/docs/versioned_docs/version-2.5/workflows/config.md +++ b/docs/versioned_docs/version-2.5/workflows/config.md 
@@ -96,10 +96,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session. ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. @@ -189,11 +189,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). 
diff --git a/docs/versioned_docs/version-2.6/getting-started/first-steps.md b/docs/versioned_docs/version-2.6/getting-started/first-steps.md index df489f52a..aba09f5c7 100644 --- a/docs/versioned_docs/version-2.6/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.6/getting-started/first-steps.md @@ -38,10 +38,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --generate-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --generate-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.6/workflows/config.md b/docs/versioned_docs/version-2.6/workflows/config.md index 56979ee13..5a1ba92d1 100644 --- a/docs/versioned_docs/version-2.6/workflows/config.md +++ b/docs/versioned_docs/version-2.6/workflows/config.md 
@@ -109,10 +109,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session. ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. @@ -202,11 +202,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). 
diff --git a/docs/versioned_docs/version-2.7/getting-started/first-steps.md b/docs/versioned_docs/version-2.7/getting-started/first-steps.md index c1c3a3fe0..eca497438 100644 --- a/docs/versioned_docs/version-2.7/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.7/getting-started/first-steps.md @@ -38,10 +38,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --generate-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --generate-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.7/workflows/config.md b/docs/versioned_docs/version-2.7/workflows/config.md index 032b22943..5640bfd7d 100644 --- a/docs/versioned_docs/version-2.7/workflows/config.md +++ b/docs/versioned_docs/version-2.7/workflows/config.md 
@@ -109,10 +109,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -204,11 +204,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.8/getting-started/first-steps.md b/docs/versioned_docs/version-2.8/getting-started/first-steps.md index 8d5cc5cbb..43ed0f923 100644 --- a/docs/versioned_docs/version-2.8/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.8/getting-started/first-steps.md 
@@ -39,10 +39,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --generate-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --generate-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also creates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.8/workflows/config.md b/docs/versioned_docs/version-2.8/workflows/config.md index f10ba14ec..3330abe8a 100644 --- a/docs/versioned_docs/version-2.8/workflows/config.md +++ b/docs/versioned_docs/version-2.8/workflows/config.md 
@@ -110,10 +110,10 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -206,11 +206,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_docs/version-2.9/getting-started/first-steps.md b/docs/versioned_docs/version-2.9/getting-started/first-steps.md index 6b0a06a06..a29ff276c 100644 --- a/docs/versioned_docs/version-2.9/getting-started/first-steps.md +++ b/docs/versioned_docs/version-2.9/getting-started/first-steps.md 
@@ -67,10 +67,10 @@ If you encounter any problem with the following steps, make sure to use the [lat ```bash - constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test --update-config + constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config ``` - This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. + This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`. diff --git a/docs/versioned_docs/version-2.9/workflows/config.md b/docs/versioned_docs/version-2.9/workflows/config.md index 22a2821d8..43313d88e 100644 --- a/docs/versioned_docs/version-2.9/workflows/config.md +++ b/docs/versioned_docs/version-2.9/workflows/config.md 
@@ -117,10 +117,10 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west3-a --serviceAccountID=constell-test +constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test ``` -This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west3-a` creating a new service account `constell-test`. +This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `N2D`. 
@@ -197,11 +197,11 @@ The following describes the configuration fields and how you obtain the required You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113). -* **region**: The GCP region you want to deploy your cluster in, e.g., `us-central1`. +* **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). -* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-central1-a`. +* **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`. You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available). diff --git a/docs/versioned_sidebars/version-2.20-sidebars.json b/docs/versioned_sidebars/version-2.20-sidebars.json deleted file mode 100644 index c9937ab4f..000000000 --- a/docs/versioned_sidebars/version-2.20-sidebars.json +++ /dev/null 
@@ -1,304 +0,0 @@ -{ - "docs": [ - { - "type": "doc", - "label": "Introduction", - "id": "intro" - }, - { - "type": "category", - "label": "Basics", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Confidential Kubernetes", - "id": "overview/confidential-kubernetes" - }, - { - "type": "doc", - "label": "Security benefits", - "id": "overview/security-benefits" - }, - { - "type": "doc", - "label": "Product features", - "id": "overview/product" - }, - { - "type": "doc", - "label": "Feature status of clouds", - "id": "overview/clouds" - }, - { - "type": "category", - "label": "Performance", - "link": { - "type": "doc", - "id": "overview/performance/performance" - }, - "items": [ - { - "type": "doc", - "label": "Compute benchmarks", - "id": "overview/performance/compute" - }, - { - "type": "doc", - "label": "I/O benchmarks", - "id": "overview/performance/io" - }, - { - "type": "doc", - "label": "Application benchmarks", - "id": "overview/performance/application" - } - ] - }, - { - "type": "doc", - "label": "License", - "id": "overview/license" - } - ] - }, - { - "type": "category", - "label": "Getting started", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Installation", - "id": "getting-started/install" - }, - { - "type": "doc", - "label": "First steps (cloud)", - "id": "getting-started/first-steps" - }, - { - "type": "doc", - "label": "First steps (local)", - "id": "getting-started/first-steps-local" - }, - { - "type": "doc", - "label": "Cloud Marketplaces", - "id": "getting-started/marketplaces" - }, - { - "type": "category", - "label": "Examples", - "link": { - "type": "doc", - "id": "getting-started/examples" - }, - "items": [ - { - "type": "doc", - "label": "Emojivoto", - "id": "getting-started/examples/emojivoto" - }, - { - "type": "doc", - "label": "Online Boutique", - "id": "getting-started/examples/online-boutique" - }, - { - "type": "doc", - "label": "Horizontal Pod 
Autoscaling", - "id": "getting-started/examples/horizontal-scaling" - }, - { - "type": "doc", - "label": "Filestash with s3proxy", - "id": "getting-started/examples/filestash-s3proxy" - } - ] - } - ] - }, - { - "type": "category", - "label": "Workflows", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Verify the CLI", - "id": "workflows/verify-cli" - }, - { - "type": "doc", - "label": "Configure your cluster", - "id": "workflows/config" - }, - { - "type": "doc", - "label": "Create your cluster", - "id": "workflows/create" - }, - { - "type": "doc", - "label": "Scale your cluster", - "id": "workflows/scale" - }, - { - "type": "doc", - "label": "Upgrade your cluster", - "id": "workflows/upgrade" - }, - { - "type": "doc", - "label": "Expose a service", - "id": "workflows/lb" - }, - { - "type": "doc", - "label": "Install cert-manager", - "id": "workflows/cert-manager" - }, - { - "type": "doc", - "label": "Install s3proxy", - "id": "workflows/s3proxy" - }, - { - "type": "doc", - "label": "Terminate your cluster", - "id": "workflows/terminate" - }, - { - "type": "doc", - "label": "Recover your cluster", - "id": "workflows/recovery" - }, - { - "type": "doc", - "label": "Verify your cluster", - "id": "workflows/verify-cluster" - }, - { - "type": "doc", - "label": "Use persistent storage", - "id": "workflows/storage" - }, - { - "type": "doc", - "label": "Use the Terraform provider", - "id": "workflows/terraform-provider" - }, - { - "type": "doc", - "label": "Consume SBOMs", - "id": "workflows/sbom" - }, - { - "type": "doc", - "label": "Reproduce release artifacts", - "id": "workflows/reproducible-builds" - }, - { - "type": "doc", - "label": "Troubleshooting", - "id": "workflows/troubleshooting" - } - ] - }, - { - "type": "category", - "label": "Architecture", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Overview", - "id": "architecture/overview" - }, - { - "type": "doc", - "label": 
"Cluster orchestration", - "id": "architecture/orchestration" - }, - { - "type": "doc", - "label": "Versions and support", - "id": "architecture/versions" - }, - { - "type": "doc", - "label": "Microservices", - "id": "architecture/microservices" - }, - { - "type": "doc", - "label": "Attestation", - "id": "architecture/attestation" - }, - { - "type": "doc", - "label": "Images", - "id": "architecture/images" - }, - { - "type": "doc", - "label": "Keys and cryptographic primitives", - "id": "architecture/keys" - }, - { - "type": "doc", - "label": "Encrypted persistent storage", - "id": "architecture/encrypted-storage" - }, - { - "type": "doc", - "label": "Networking", - "id": "architecture/networking" - }, - { - "type": "doc", - "label": "Observability", - "id": "architecture/observability" - } - ] - }, - { - "type": "category", - "label": "Reference", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "CLI", - "id": "reference/cli" - }, - { - "type": "doc", - "label": "Configuration migrations", - "id": "reference/migration" - }, - { - "type": "doc", - "label": "Terraform usage", - "id": "reference/terraform" - }, - { - "type": "doc", - "label": "SLSA adoption", - "id": "reference/slsa" - } - ] - } - ] -} diff --git a/docs/versioned_sidebars/version-2.21-sidebars.json b/docs/versioned_sidebars/version-2.21-sidebars.json deleted file mode 100644 index c9937ab4f..000000000 --- a/docs/versioned_sidebars/version-2.21-sidebars.json +++ /dev/null 
@@ -1,304 +0,0 @@ -{ - "docs": [ - { - "type": "doc", - "label": "Introduction", - "id": "intro" - }, - { - "type": "category", - "label": "Basics", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Confidential Kubernetes", - "id": "overview/confidential-kubernetes" - }, - { - "type": "doc", - "label": "Security benefits", - "id": "overview/security-benefits" - }, - { - "type": "doc", - "label": "Product features", - "id": "overview/product" - }, - { - "type": "doc", - "label": "Feature status of clouds", - "id": "overview/clouds" - }, - { - "type": "category", - "label": "Performance", - "link": { - "type": "doc", - "id": "overview/performance/performance" - }, - "items": [ - { - "type": "doc", - "label": "Compute benchmarks", - "id": "overview/performance/compute" - }, - { - "type": "doc", - "label": "I/O benchmarks", - "id": "overview/performance/io" - }, - { - "type": "doc", - "label": "Application benchmarks", - "id": "overview/performance/application" - } - ] - }, - { - "type": "doc", - "label": "License", - "id": "overview/license" - } - ] - }, - { - "type": "category", - "label": "Getting started", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Installation", - "id": "getting-started/install" - }, - { - "type": "doc", - "label": "First steps (cloud)", - "id": "getting-started/first-steps" - }, - { - "type": "doc", - "label": "First steps (local)", - "id": "getting-started/first-steps-local" - }, - { - "type": "doc", - "label": "Cloud Marketplaces", - "id": "getting-started/marketplaces" - }, - { - "type": "category", - "label": "Examples", - "link": { - "type": "doc", - "id": "getting-started/examples" - }, - "items": [ - { - "type": "doc", - "label": "Emojivoto", - "id": "getting-started/examples/emojivoto" - }, - { - "type": "doc", - "label": "Online Boutique", - "id": "getting-started/examples/online-boutique" - }, - { - "type": "doc", - "label": "Horizontal Pod 
Autoscaling", - "id": "getting-started/examples/horizontal-scaling" - }, - { - "type": "doc", - "label": "Filestash with s3proxy", - "id": "getting-started/examples/filestash-s3proxy" - } - ] - } - ] - }, - { - "type": "category", - "label": "Workflows", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Verify the CLI", - "id": "workflows/verify-cli" - }, - { - "type": "doc", - "label": "Configure your cluster", - "id": "workflows/config" - }, - { - "type": "doc", - "label": "Create your cluster", - "id": "workflows/create" - }, - { - "type": "doc", - "label": "Scale your cluster", - "id": "workflows/scale" - }, - { - "type": "doc", - "label": "Upgrade your cluster", - "id": "workflows/upgrade" - }, - { - "type": "doc", - "label": "Expose a service", - "id": "workflows/lb" - }, - { - "type": "doc", - "label": "Install cert-manager", - "id": "workflows/cert-manager" - }, - { - "type": "doc", - "label": "Install s3proxy", - "id": "workflows/s3proxy" - }, - { - "type": "doc", - "label": "Terminate your cluster", - "id": "workflows/terminate" - }, - { - "type": "doc", - "label": "Recover your cluster", - "id": "workflows/recovery" - }, - { - "type": "doc", - "label": "Verify your cluster", - "id": "workflows/verify-cluster" - }, - { - "type": "doc", - "label": "Use persistent storage", - "id": "workflows/storage" - }, - { - "type": "doc", - "label": "Use the Terraform provider", - "id": "workflows/terraform-provider" - }, - { - "type": "doc", - "label": "Consume SBOMs", - "id": "workflows/sbom" - }, - { - "type": "doc", - "label": "Reproduce release artifacts", - "id": "workflows/reproducible-builds" - }, - { - "type": "doc", - "label": "Troubleshooting", - "id": "workflows/troubleshooting" - } - ] - }, - { - "type": "category", - "label": "Architecture", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Overview", - "id": "architecture/overview" - }, - { - "type": "doc", - "label": 
"Cluster orchestration", - "id": "architecture/orchestration" - }, - { - "type": "doc", - "label": "Versions and support", - "id": "architecture/versions" - }, - { - "type": "doc", - "label": "Microservices", - "id": "architecture/microservices" - }, - { - "type": "doc", - "label": "Attestation", - "id": "architecture/attestation" - }, - { - "type": "doc", - "label": "Images", - "id": "architecture/images" - }, - { - "type": "doc", - "label": "Keys and cryptographic primitives", - "id": "architecture/keys" - }, - { - "type": "doc", - "label": "Encrypted persistent storage", - "id": "architecture/encrypted-storage" - }, - { - "type": "doc", - "label": "Networking", - "id": "architecture/networking" - }, - { - "type": "doc", - "label": "Observability", - "id": "architecture/observability" - } - ] - }, - { - "type": "category", - "label": "Reference", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "CLI", - "id": "reference/cli" - }, - { - "type": "doc", - "label": "Configuration migrations", - "id": "reference/migration" - }, - { - "type": "doc", - "label": "Terraform usage", - "id": "reference/terraform" - }, - { - "type": "doc", - "label": "SLSA adoption", - "id": "reference/slsa" - } - ] - } - ] -} diff --git a/docs/versioned_sidebars/version-2.22-sidebars.json b/docs/versioned_sidebars/version-2.22-sidebars.json deleted file mode 100644 index c9937ab4f..000000000 --- a/docs/versioned_sidebars/version-2.22-sidebars.json +++ /dev/null 
@@ -1,304 +0,0 @@ -{ - "docs": [ - { - "type": "doc", - "label": "Introduction", - "id": "intro" - }, - { - "type": "category", - "label": "Basics", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Confidential Kubernetes", - "id": "overview/confidential-kubernetes" - }, - { - "type": "doc", - "label": "Security benefits", - "id": "overview/security-benefits" - }, - { - "type": "doc", - "label": "Product features", - "id": "overview/product" - }, - { - "type": "doc", - "label": "Feature status of clouds", - "id": "overview/clouds" - }, - { - "type": "category", - "label": "Performance", - "link": { - "type": "doc", - "id": "overview/performance/performance" - }, - "items": [ - { - "type": "doc", - "label": "Compute benchmarks", - "id": "overview/performance/compute" - }, - { - "type": "doc", - "label": "I/O benchmarks", - "id": "overview/performance/io" - }, - { - "type": "doc", - "label": "Application benchmarks", - "id": "overview/performance/application" - } - ] - }, - { - "type": "doc", - "label": "License", - "id": "overview/license" - } - ] - }, - { - "type": "category", - "label": "Getting started", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Installation", - "id": "getting-started/install" - }, - { - "type": "doc", - "label": "First steps (cloud)", - "id": "getting-started/first-steps" - }, - { - "type": "doc", - "label": "First steps (local)", - "id": "getting-started/first-steps-local" - }, - { - "type": "doc", - "label": "Cloud Marketplaces", - "id": "getting-started/marketplaces" - }, - { - "type": "category", - "label": "Examples", - "link": { - "type": "doc", - "id": "getting-started/examples" - }, - "items": [ - { - "type": "doc", - "label": "Emojivoto", - "id": "getting-started/examples/emojivoto" - }, - { - "type": "doc", - "label": "Online Boutique", - "id": "getting-started/examples/online-boutique" - }, - { - "type": "doc", - "label": "Horizontal Pod 
Autoscaling", - "id": "getting-started/examples/horizontal-scaling" - }, - { - "type": "doc", - "label": "Filestash with s3proxy", - "id": "getting-started/examples/filestash-s3proxy" - } - ] - } - ] - }, - { - "type": "category", - "label": "Workflows", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Verify the CLI", - "id": "workflows/verify-cli" - }, - { - "type": "doc", - "label": "Configure your cluster", - "id": "workflows/config" - }, - { - "type": "doc", - "label": "Create your cluster", - "id": "workflows/create" - }, - { - "type": "doc", - "label": "Scale your cluster", - "id": "workflows/scale" - }, - { - "type": "doc", - "label": "Upgrade your cluster", - "id": "workflows/upgrade" - }, - { - "type": "doc", - "label": "Expose a service", - "id": "workflows/lb" - }, - { - "type": "doc", - "label": "Install cert-manager", - "id": "workflows/cert-manager" - }, - { - "type": "doc", - "label": "Install s3proxy", - "id": "workflows/s3proxy" - }, - { - "type": "doc", - "label": "Terminate your cluster", - "id": "workflows/terminate" - }, - { - "type": "doc", - "label": "Recover your cluster", - "id": "workflows/recovery" - }, - { - "type": "doc", - "label": "Verify your cluster", - "id": "workflows/verify-cluster" - }, - { - "type": "doc", - "label": "Use persistent storage", - "id": "workflows/storage" - }, - { - "type": "doc", - "label": "Use the Terraform provider", - "id": "workflows/terraform-provider" - }, - { - "type": "doc", - "label": "Consume SBOMs", - "id": "workflows/sbom" - }, - { - "type": "doc", - "label": "Reproduce release artifacts", - "id": "workflows/reproducible-builds" - }, - { - "type": "doc", - "label": "Troubleshooting", - "id": "workflows/troubleshooting" - } - ] - }, - { - "type": "category", - "label": "Architecture", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Overview", - "id": "architecture/overview" - }, - { - "type": "doc", - "label": 
"Cluster orchestration", - "id": "architecture/orchestration" - }, - { - "type": "doc", - "label": "Versions and support", - "id": "architecture/versions" - }, - { - "type": "doc", - "label": "Microservices", - "id": "architecture/microservices" - }, - { - "type": "doc", - "label": "Attestation", - "id": "architecture/attestation" - }, - { - "type": "doc", - "label": "Images", - "id": "architecture/images" - }, - { - "type": "doc", - "label": "Keys and cryptographic primitives", - "id": "architecture/keys" - }, - { - "type": "doc", - "label": "Encrypted persistent storage", - "id": "architecture/encrypted-storage" - }, - { - "type": "doc", - "label": "Networking", - "id": "architecture/networking" - }, - { - "type": "doc", - "label": "Observability", - "id": "architecture/observability" - } - ] - }, - { - "type": "category", - "label": "Reference", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "CLI", - "id": "reference/cli" - }, - { - "type": "doc", - "label": "Configuration migrations", - "id": "reference/migration" - }, - { - "type": "doc", - "label": "Terraform usage", - "id": "reference/terraform" - }, - { - "type": "doc", - "label": "SLSA adoption", - "id": "reference/slsa" - } - ] - } - ] -} diff --git a/docs/versioned_sidebars/version-2.23-sidebars.json b/docs/versioned_sidebars/version-2.23-sidebars.json deleted file mode 100644 index c9937ab4f..000000000 --- a/docs/versioned_sidebars/version-2.23-sidebars.json +++ /dev/null 
@@ -1,304 +0,0 @@ -{ - "docs": [ - { - "type": "doc", - "label": "Introduction", - "id": "intro" - }, - { - "type": "category", - "label": "Basics", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Confidential Kubernetes", - "id": "overview/confidential-kubernetes" - }, - { - "type": "doc", - "label": "Security benefits", - "id": "overview/security-benefits" - }, - { - "type": "doc", - "label": "Product features", - "id": "overview/product" - }, - { - "type": "doc", - "label": "Feature status of clouds", - "id": "overview/clouds" - }, - { - "type": "category", - "label": "Performance", - "link": { - "type": "doc", - "id": "overview/performance/performance" - }, - "items": [ - { - "type": "doc", - "label": "Compute benchmarks", - "id": "overview/performance/compute" - }, - { - "type": "doc", - "label": "I/O benchmarks", - "id": "overview/performance/io" - }, - { - "type": "doc", - "label": "Application benchmarks", - "id": "overview/performance/application" - } - ] - }, - { - "type": "doc", - "label": "License", - "id": "overview/license" - } - ] - }, - { - "type": "category", - "label": "Getting started", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Installation", - "id": "getting-started/install" - }, - { - "type": "doc", - "label": "First steps (cloud)", - "id": "getting-started/first-steps" - }, - { - "type": "doc", - "label": "First steps (local)", - "id": "getting-started/first-steps-local" - }, - { - "type": "doc", - "label": "Cloud Marketplaces", - "id": "getting-started/marketplaces" - }, - { - "type": "category", - "label": "Examples", - "link": { - "type": "doc", - "id": "getting-started/examples" - }, - "items": [ - { - "type": "doc", - "label": "Emojivoto", - "id": "getting-started/examples/emojivoto" - }, - { - "type": "doc", - "label": "Online Boutique", - "id": "getting-started/examples/online-boutique" - }, - { - "type": "doc", - "label": "Horizontal Pod 
Autoscaling", - "id": "getting-started/examples/horizontal-scaling" - }, - { - "type": "doc", - "label": "Filestash with s3proxy", - "id": "getting-started/examples/filestash-s3proxy" - } - ] - } - ] - }, - { - "type": "category", - "label": "Workflows", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Verify the CLI", - "id": "workflows/verify-cli" - }, - { - "type": "doc", - "label": "Configure your cluster", - "id": "workflows/config" - }, - { - "type": "doc", - "label": "Create your cluster", - "id": "workflows/create" - }, - { - "type": "doc", - "label": "Scale your cluster", - "id": "workflows/scale" - }, - { - "type": "doc", - "label": "Upgrade your cluster", - "id": "workflows/upgrade" - }, - { - "type": "doc", - "label": "Expose a service", - "id": "workflows/lb" - }, - { - "type": "doc", - "label": "Install cert-manager", - "id": "workflows/cert-manager" - }, - { - "type": "doc", - "label": "Install s3proxy", - "id": "workflows/s3proxy" - }, - { - "type": "doc", - "label": "Terminate your cluster", - "id": "workflows/terminate" - }, - { - "type": "doc", - "label": "Recover your cluster", - "id": "workflows/recovery" - }, - { - "type": "doc", - "label": "Verify your cluster", - "id": "workflows/verify-cluster" - }, - { - "type": "doc", - "label": "Use persistent storage", - "id": "workflows/storage" - }, - { - "type": "doc", - "label": "Use the Terraform provider", - "id": "workflows/terraform-provider" - }, - { - "type": "doc", - "label": "Consume SBOMs", - "id": "workflows/sbom" - }, - { - "type": "doc", - "label": "Reproduce release artifacts", - "id": "workflows/reproducible-builds" - }, - { - "type": "doc", - "label": "Troubleshooting", - "id": "workflows/troubleshooting" - } - ] - }, - { - "type": "category", - "label": "Architecture", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "Overview", - "id": "architecture/overview" - }, - { - "type": "doc", - "label": 
"Cluster orchestration", - "id": "architecture/orchestration" - }, - { - "type": "doc", - "label": "Versions and support", - "id": "architecture/versions" - }, - { - "type": "doc", - "label": "Microservices", - "id": "architecture/microservices" - }, - { - "type": "doc", - "label": "Attestation", - "id": "architecture/attestation" - }, - { - "type": "doc", - "label": "Images", - "id": "architecture/images" - }, - { - "type": "doc", - "label": "Keys and cryptographic primitives", - "id": "architecture/keys" - }, - { - "type": "doc", - "label": "Encrypted persistent storage", - "id": "architecture/encrypted-storage" - }, - { - "type": "doc", - "label": "Networking", - "id": "architecture/networking" - }, - { - "type": "doc", - "label": "Observability", - "id": "architecture/observability" - } - ] - }, - { - "type": "category", - "label": "Reference", - "link": { - "type": "generated-index" - }, - "items": [ - { - "type": "doc", - "label": "CLI", - "id": "reference/cli" - }, - { - "type": "doc", - "label": "Configuration migrations", - "id": "reference/migration" - }, - { - "type": "doc", - "label": "Terraform usage", - "id": "reference/terraform" - }, - { - "type": "doc", - "label": "SLSA adoption", - "id": "reference/slsa" - } - ] - } - ] -} diff --git a/docs/versions.json b/docs/versions.json index 8cc6150df..89f88399a 100644 --- a/docs/versions.json +++ b/docs/versions.json @@ -1,8 +1,4 @@ [ - "2.23", - "2.22", - "2.21", - "2.20", "2.19", "2.18", "2.17", diff --git a/e2e/e2e.go b/e2e/e2e.go index 4c23c394c..43a0044e7 100644 --- a/e2e/e2e.go +++ b/e2e/e2e.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // End-to-end tests which are executed from our GitHub action pipelines. diff --git a/e2e/internal/kubectl/kubectl.go b/e2e/internal/kubectl/kubectl.go index e44abd446..2fb191b30 100644 --- a/e2e/internal/kubectl/kubectl.go +++ b/e2e/internal/kubectl/kubectl.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Provides functionality to easily interact with the K8s API, which can be used diff --git a/e2e/internal/lb/lb.go b/e2e/internal/lb/lb.go index b38202079..2cd01237b 100644 --- a/e2e/internal/lb/lb.go +++ b/e2e/internal/lb/lb.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package lb tests that the cloud load balancer works as expected. diff --git a/e2e/internal/lb/lb_test.go b/e2e/internal/lb/lb_test.go index c8a3d2d16..94c8d2ff3 100644 --- a/e2e/internal/lb/lb_test.go +++ b/e2e/internal/lb/lb_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // End-to-end tests for our cloud load balancer functionality. @@ -12,6 +12,7 @@ package lb import ( "bufio" "bytes" + "context" "fmt" "io" "net/http" @@ -69,7 +70,7 @@ func TestLoadBalancer(t *testing.T) { t.Log("Change port of service to 8044") svc.Spec.Ports[0].Port = newPort - svc, err = k.CoreV1().Services(namespaceName).Update(t.Context(), svc, metaV1.UpdateOptions{}) + svc, err = k.CoreV1().Services(namespaceName).Update(context.Background(), svc, metaV1.UpdateOptions{}) require.NoError(err) assert.Equal(newPort, svc.Spec.Ports[0].Port) @@ -92,7 +93,7 @@ func gatherDebugInfo(t *testing.T, k *kubernetes.Clientset) { t.Log("Gathering additional debug information.") - pods, err := k.CoreV1().Pods(namespaceName).List(t.Context(), metaV1.ListOptions{ + pods, err := k.CoreV1().Pods(namespaceName).List(context.Background(), metaV1.ListOptions{ LabelSelector: "app=whoami", }) if err != nil { 
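Review bot: The `Update` call in `TestLoadBalancer` now runs under `context.Background()`, so the API request is no longer interrupted when the test is cancelled or reaches its deadline; the same applies to the `List`, `Stream` and `Get` calls and the two `http.NewRequestWithContext` calls in lb_test.go's `@@ -92` hunk ending on this line and its `@@ -105`, `@@ -154`, `@@ -182` and `@@ -211` hunks on the next physical line. Inside `assert.Eventually`/`require.Eventually` this matters most, because the polling timeout does not interrupt a blocked `http.DefaultClient.Do`, so a hanging endpoint stalls the test well beyond its configured wait. If `t.Context()` is unavailable on the targeted Go toolchain, create one test-scoped context at the top of `TestLoadBalancer`, `ctx, cancel := context.WithCancel(context.Background())` followed by `t.Cleanup(cancel)`, and thread it through to the helpers (or wrap individual requests in `context.WithTimeout`). `TestLoadBalancer` and `gatherDebugInfo` both start outside the hunks shown here.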
@@ -105,7 +106,7 @@ func gatherDebugInfo(t *testing.T, k *kubernetes.Clientset) { req := k.CoreV1().Pods(namespaceName).GetLogs(pod.Name, &coreV1.PodLogOptions{ LimitBytes: func() *int64 { i := int64(1024 * 1024); return &i }(), }) - logs, err := req.Stream(t.Context()) + logs, err := req.Stream(context.Background()) if err != nil { t.Logf("fetching logs: %v", err) return @@ -154,7 +155,7 @@ func testEventuallyStatusOK(t *testing.T, url string) { require := require.New(t) assert.Eventually(func() bool { - req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, url, http.NoBody) + req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody) require.NoError(err) resp, err := http.DefaultClient.Do(req) @@ -182,7 +183,7 @@ func testEventuallyExternalIPAvailable(t *testing.T, k *kubernetes.Clientset) *c require.Eventually(t, func() bool { var err error - svc, err = k.CoreV1().Services(namespaceName).Get(t.Context(), serviceName, metaV1.GetOptions{}) + svc, err = k.CoreV1().Services(namespaceName).Get(context.Background(), serviceName, metaV1.GetOptions{}) if err != nil { t.Log("Getting service failed: ", err.Error()) return false @@ -211,7 +212,7 @@ func testEndpointAvailable(t *testing.T, url string, allHostnames []string, reqI assert := assert.New(t) require := require.New(t) - req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, url, http.NoBody) + req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody) require.NoError(err) resp, err := http.DefaultClient.Do(req) diff --git a/e2e/internal/upgrade/BUILD.bazel b/e2e/internal/upgrade/BUILD.bazel index b97119e5f..8acfc7e94 100644 --- a/e2e/internal/upgrade/BUILD.bazel +++ b/e2e/internal/upgrade/BUILD.bazel 
@@ -20,7 +20,7 @@ go_library( "//internal/versions", "@com_github_spf13_afero//:afero", "@com_github_stretchr_testify//require", - "@io_bazel_rules_go//go/runfiles", + "@io_bazel_rules_go//go/runfiles:go_default_library", "@io_k8s_apimachinery//pkg/apis/meta/v1:meta", "@io_k8s_client_go//kubernetes", "@sh_helm_helm_v3//pkg/action", diff --git a/e2e/internal/upgrade/helm.go b/e2e/internal/upgrade/helm.go index 23b55d327..18b48a13c 100644 --- a/e2e/internal/upgrade/helm.go +++ b/e2e/internal/upgrade/helm.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package upgrade diff --git a/e2e/internal/upgrade/upgrade.go b/e2e/internal/upgrade/upgrade.go index 09452bf13..fd2483259 100644 --- a/e2e/internal/upgrade/upgrade.go +++ b/e2e/internal/upgrade/upgrade.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package upgrade tests that the CLI's apply command works as expected and @@ -90,7 +90,7 @@ func testStatusEventuallyWorks(t *testing.T, cli string, timeout time.Duration) // Show versions set in cluster. // The string after "Cluster status:" in the output might not be updated yet. // This is only updated after the operator finishes one reconcile loop. - cmd := exec.CommandContext(t.Context(), cli, "status") + cmd := exec.CommandContext(context.Background(), cli, "status") stdout, stderr, err := runCommandWithSeparateOutputs(cmd) if err != nil { log.Printf("Stdout: %s\nStderr: %s", string(stdout), string(stderr)) 
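Review bot: `exec.CommandContext(context.Background(), cli, "status")` in `testStatusEventuallyWorks` is equivalent to `exec.Command`: nothing ever cancels that context, so the CLI child process is not killed when the surrounding `Eventually` wait or the test deadline expires. The same pattern is introduced for the `fetch-measurements`, `upgrade check`, `--help` and `apply` invocations in upgrade_test.go (the `@@ -72`, `@@ -83`, `@@ -172` and `@@ -204` hunks on the following physical lines), where an orphaned `apply` may keep working on the cluster after the test has already given up. Since `*timeout` is already passed to `AssertUpgradeSuccessful`, derive one context from it in `TestUpgrade`, `ctx, cancel := context.WithTimeout(context.Background(), *timeout)` with `defer cancel()`, and keep the `ctx context.Context` parameter that `runUpgradeCheck` and `runUpgradeApply` previously had instead of removing it. This hunk adds no `context` import to upgrade.go; if the file did not already import it for another use, the change will not compile, which is worth confirming. `testStatusEventuallyWorks` starts outside the hunk.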
@@ -121,7 +121,7 @@ func testMicroservicesEventuallyHaveVersion(t *testing.T, wantMicroserviceVersio func testNodesEventuallyHaveVersion(t *testing.T, k *kubernetes.Clientset, targetVersions VersionContainer, totalNodeCount int, timeout time.Duration) { require.Eventually(t, func() bool { - nodes, err := k.CoreV1().Nodes().List(t.Context(), metaV1.ListOptions{}) + nodes, err := k.CoreV1().Nodes().List(context.Background(), metaV1.ListOptions{}) if err != nil { log.Println(err) return false diff --git a/e2e/internal/upgrade/upgrade_test.go b/e2e/internal/upgrade/upgrade_test.go index 6f1a7b517..be47bb197 100644 --- a/e2e/internal/upgrade/upgrade_test.go +++ b/e2e/internal/upgrade/upgrade_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package upgrade @@ -72,7 +72,7 @@ func TestUpgrade(t *testing.T) { targetVersions := WriteUpgradeConfig(require, *targetImage, *targetKubernetes, *targetMicroservices, constants.ConfigFilename) log.Println("Fetching measurements for new image.") - cmd := exec.CommandContext(t.Context(), cli, "config", "fetch-measurements", "--insecure", "--debug") + cmd := exec.CommandContext(context.Background(), cli, "config", "fetch-measurements", "--insecure", "--debug") stdout, stderr, err := runCommandWithSeparateOutputs(cmd) require.NoError(err, "Stdout: %s\nStderr: %s", string(stdout), string(stderr)) log.Println(string(stdout)) @@ -83,10 +83,10 @@ func TestUpgrade(t *testing.T) { log.Println("Checking upgrade.") assert := assert.New(t) // use assert because this part is more brittle and should not fail the entire test - runUpgradeCheck(t.Context(), assert, cli, *targetKubernetes) + runUpgradeCheck(assert, cli, *targetKubernetes) log.Println("Triggering upgrade.") - runUpgradeApply(t.Context(), require, cli) + runUpgradeApply(require, cli) AssertUpgradeSuccessful(t, cli, targetVersions, k, *wantControl, *wantWorker, *timeout) } 
@@ -96,7 +96,7 @@ func TestUpgrade(t *testing.T) { // 2) all pods have good status conditions. func testPodsEventuallyReady(t *testing.T, k *kubernetes.Clientset, namespace string) { require.Eventually(t, func() bool { - pods, err := k.CoreV1().Pods(namespace).List(t.Context(), metaV1.ListOptions{}) + pods, err := k.CoreV1().Pods(namespace).List(context.Background(), metaV1.ListOptions{}) if err != nil { log.Println(err) return false @@ -127,7 +127,7 @@ func testPodsEventuallyReady(t *testing.T, k *kubernetes.Clientset, namespace st // 2) the expected number of nodes have joined the cluster. func testNodesEventuallyAvailable(t *testing.T, k *kubernetes.Clientset, wantControlNodeCount, wantWorkerNodeCount int) { require.Eventually(t, func() bool { - nodes, err := k.CoreV1().Nodes().List(t.Context(), metaV1.ListOptions{}) + nodes, err := k.CoreV1().Nodes().List(context.Background(), metaV1.ListOptions{}) if err != nil { log.Println(err) return false @@ -172,8 +172,8 @@ func testNodesEventuallyAvailable(t *testing.T, k *kubernetes.Clientset, wantCon // runUpgradeCheck executes 'upgrade check' and does basic checks on the output. // We can not check images upgrades because we might use unpublished images. CLI uses public CDN to check for available images. -func runUpgradeCheck(ctx context.Context, assert *assert.Assertions, cli, targetKubernetes string) { - cmd := exec.CommandContext(ctx, cli, "upgrade", "check", "--debug") +func runUpgradeCheck(assert *assert.Assertions, cli, targetKubernetes string) { + cmd := exec.CommandContext(context.Background(), cli, "upgrade", "check", "--debug") stdout, stderr, err := runCommandWithSeparateOutputs(cmd) assert.NoError(err, "Stdout: %s\nStderr: %s", string(stdout), string(stderr)) 
@@ -204,16 +204,16 @@ func containsAny(text string, substrs []string) bool { return false } -func runUpgradeApply(ctx context.Context, require *require.Assertions, cli string) { +func runUpgradeApply(require *require.Assertions, cli string) { tfLogFlag := "" - cmd := exec.CommandContext(ctx, cli, "--help") + cmd := exec.CommandContext(context.Background(), cli, "--help") stdout, stderr, err := runCommandWithSeparateOutputs(cmd) require.NoError(err, "Stdout: %s\nStderr: %s", string(stdout), string(stderr)) if strings.Contains(string(stdout), "--tf-log") { tfLogFlag = "--tf-log=DEBUG" } - cmd = exec.CommandContext(ctx, cli, "apply", "--debug", "--yes", tfLogFlag) + cmd = exec.CommandContext(context.Background(), cli, "apply", "--debug", "--yes", tfLogFlag) stdout, stderr, err = runCommandWithSeparateOutputs(cmd) require.NoError(err, "Stdout: %s\nStderr: %s", string(stdout), string(stderr)) require.NoError(containsUnexepectedMsg(string(stdout))) diff --git a/e2e/malicious-join/malicious-join.go b/e2e/malicious-join/malicious-join.go index c32885af3..7e416242a 100644 --- a/e2e/malicious-join/malicious-join.go +++ b/e2e/malicious-join/malicious-join.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // End-to-end test that issues various types of malicious join requests to a cluster. diff --git a/e2e/miniconstellation/.terraform.lock.hcl b/e2e/miniconstellation/.terraform.lock.hcl index 87cddd3bb..d988c947c 100644 --- a/e2e/miniconstellation/.terraform.lock.hcl +++ b/e2e/miniconstellation/.terraform.lock.hcl 
@@ -2,91 +2,91 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.29.0" - constraints = "4.29.0" + version = "4.12.0" + constraints = "4.12.0" hashes = [ - "h1:Bde/KCh2xGVCBx/JnixC3I2fmoRTwHXgsapfQ5QG8eg=", - "h1:IyINmgNiLfWx3Istkt5Mz+IJrDhSMhj3/qQeJlC4qS4=", - "h1:KEJAt0mJAACyIKUB5mCk/wqtxKMhivdeW8w6byz5Ll4=", - "h1:Y4gTSs+ZE5YSJVXG2qmsbXmv9Daq5aGM8Ip/GE6nev8=", - "h1:YtcHvTVfVBKbMCp9esoj527R1UK/hU0Zmo3pyQb8YhQ=", - "h1:atJdgnuqk+w3v4Zzhw2B1FZeYYA4su9JfanwNsx+c8o=", - "h1:c9tmtEdVTb9siGa3hVxPrMVl9ij5zijnD02JMHcHjrE=", - "h1:eN0KhMGVepEPpSA+YN5Kaz/v9PFKCafbkqqBzpLJf+g=", - "h1:hNVKlXTx2duXnR6SNKtyQMx7zSIlrxBu66Z0gbyfv3c=", - "h1:jC2GJo4VzTKnKociUDLVv8/+u9Mz+4scZrqbEasV+Y0=", - "h1:m3xYvc9X0pec0Zd1dpn82ALQ+6vwz56RnF/3CbkI2Eg=", - "zh:16590eea68c7c8aedb7af19f690eb34ab6636ef417b3fa9e06ca038fdb4c44b8", - "zh:1c907dfe44d00a54aa63d443004add90188f9a53ef3e919aff8aba92f715f42b", - "zh:258a0ff4198d80cae33c89091cd556d84c1b522c4416458484f23719a0cdf4cc", - "zh:587f5e9b2b33e51b18fb0f372025c961c3f57f2958b388459dd8432412650bda", - "zh:6318ca03bd9dbac272a75bb193688c7d4c4b45c7460289820528f31bcd6c3fe9", - "zh:63e4e8128e26e4c3e0c3b6582ef527245eb35eb5c80ad278dc675ebdf71edeaf", - "zh:845c898a27a84a15ba26e95ee66ac9563f81bc672b5ca216af82d87fe09bd5f8", - "zh:8fa6434fa212d5501185f0adc985d3a3c1e0f449c78f040a4ca640cb1e809cac", - "zh:9b49c0d72ab19aab43b2b48d23c5dddbbe29afae1569a987e6f20ed4c80ddf4c", - "zh:b14cc1ee5e3acf52490de7dd9791cce7953c0ee4bcccf0306aafd256568bd69f", - "zh:cd444836b2579fa42bfca2ae6145d394c41b6438b1ae01078c060bfaf803bb4d", + "h1:2tHjSJI1VW6sUL042kwkTfmOF3rAjZmYzpFucBq0EjQ=", + "h1:3TmHdOUKadLf5mJfYqm2OpsA/jiuqmEvCmR1EnaluF0=", + "h1:81V4UGJgVTzRQgIhYYvDJ1N+WCsQbmBgyCQ0HL/i/ks=", + "h1:9ZTFblaxLkCzg8jvRBk/J7QKV2hjxrwNhVlk96IUr6U=", + "h1:DjLdwL6J0qqUTx02BOMQxfOLHUqlYH+ewRcwFWTiHjY=", + "h1:EDeJjlZGOezaIQ+kiCN8GXRj049Lo42b93rEGlbOscM=", + "h1:U/tpa2Accjlzco7ohA1CEeL3fT/65yqiTf2ydCHhzjE=", + 
"h1:VJfcRLECBhANa1S5yHF3hJtOAzJuqe969XTK8LPbp6U=", + "h1:W6fcPNvsD7ce81J0H3Ib5FBlt5VLq5MlLXQIw+zooPc=", + "h1:tI7FQgfIFIER3wMbZN5mIX24B0mWVNb4r7hi7mUmAw8=", + "h1:wofqhlcgsUPYq6ZrN5hoUE34PDn7jmvK6YlQ0BobjyQ=", + "zh:127709945923a0034ec302c41494b82f0748707ecba15feba9db3af03e2b4709", + "zh:16ce5040984456f332598e1515cfde12b1bba78eae37b7a4b08ec332bbb55d6c", + "zh:1901cf598a048a1f135ed1c723de5e3c501aa7d1399490b7722c44cb61cb566e", + "zh:1b4a1fa65f32de535481ff38bd5869f44582b14b64bd00cc4902439cf2728a8a", + "zh:72ff727353151bd1a41ea1d6b2ecf24157918658ccd02d56acd62a7c4d330a7b", + "zh:78c0e4d7e1701fc5b3227d098807b1ed1c6d80c1ee443c0db89c64aeb317a39f", + "zh:a9964f7d9142cdd6f84673e1e936491f14bf1a44dd51fd55525c42fb05208c83", + "zh:ada1ffdebe10a44fcfa330618376fbd5d5daf7a9faad833496162686a98016d0", + "zh:d02d4d5a1fc4b0cb7975311bf37596456ace782ab195281a48338eb2a0f478c1", + "zh:e0fb626158b0cb7d8c5662a518cee8924b00a87312feff9db40b30e26539aa0f", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa5f683582bc5b12587aa7a78152774f2eaae9cfac0fb61b6de81284abbbea5b", ] } provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.7" - constraints = "2.3.7" + version = "2.3.5" + constraints = "2.3.5" hashes = [ - "h1:/hny5kXmhcnuJDD1V+5XCrZOYDIqja2U47VM4DPEnBA=", - "h1:A9COAUjeBJ+fgYAI/PKtDs4Wzs50srFSY+KkfpSVGLw=", - "h1:Lt8lqrdNgZRlkOTwSXZTyuJkiVXnpwTsWAqHQPL6sIY=", - "h1:M9TpQxKAE/hyOwytdX9MUNZw30HoD/OXqYIug5fkqH8=", - "h1:coZHiZww6hWZoOoWw0p+6oeYb/tMh1uTvX1Y2ZzzXqE=", - "h1:dgBaiMxxU61piW30emM6251LMFW66TbKR+p5ylPZvqc=", - "h1:h1Pr6uNwq+iDEGrnQJEHzOTz+yVTW0AJgZrGXuoO4Qs=", - "h1:ht83gEvyri0BD3sata7BDhx31N/KbCECIozG7UM/kC8=", - "h1:iZ27qylcH/2bs685LJTKOKcQ+g7cF3VwN3kHMrzm4Ow=", - "h1:ll35IR++uaXwfwqZFFRWrvS0idO1mX43Y/embsaOe4k=", - "h1:rafNPmTutVTO2Horq45DG9Pjqrs+vx42oc7b/3aVGEc=", - "zh:06f1c54e919425c3139f8aeb8fcf9bceca7e560d48c9f0c1e3bb0a8ad9d9da1e", - "zh:0e1e4cf6fd98b019e764c28586a386dc136129fef50af8c7165a067e7e4a31d5", - 
"zh:1871f4337c7c57287d4d67396f633d224b8938708b772abfc664d1f80bd67edd", - "zh:2b9269d91b742a71b2248439d5e9824f0447e6d261bfb86a8a88528609b136d1", - "zh:3d8ae039af21426072c66d6a59a467d51f2d9189b8198616888c1b7fc42addc7", - "zh:3ef4e2db5bcf3e2d915921adced43929214e0946a6fb11793085d9a48995ae01", - "zh:42ae54381147437c83cbb8790cc68935d71b6357728a154109d3220b1beb4dc9", - "zh:4496b362605ae4cbc9ef7995d102351e2fe311897586ffc7a4a262ccca0c782a", - "zh:652a2401257a12706d32842f66dac05a735693abcb3e6517d6b5e2573729ba13", - "zh:7406c30806f5979eaed5f50c548eced2ea18ea121e01801d2f0d4d87a04f6a14", - "zh:7848429fd5a5bcf35f6fee8487df0fb64b09ec071330f3ff240c0343fe2a5224", + "h1:C//ncldNugV8TpMQaj9ygoPXRVYOqltIxNB8LKrpzgU=", + "h1:HCoabXm6NQwCivl1q24+l9VUufc2mFqNeulsQBA9iFg=", + "h1:NCYXIt7zhG0pRLV9UAlBrKi4Rty/jRhRRHIZFEigUm8=", + "h1:Sf1Lt21oTADbzsnlU38ylpkl8YXP0Beznjcy5F/Yx64=", + "h1:TUljFfEUFn6szDfglwv150tNRUKPgqa5YiCTdF9Tc6c=", + "h1:W+6XNutLOfQxlm8XWg4wKAYvyDt/eoE1roSeFkn/KA4=", + "h1:cKe6NmJzRHiK0n73R5Dzkw8nK5i0nC4SedZhanMbQD0=", + "h1:jPzwR4Um4NU8EE6o5AIx2SoeGZG5bW9aAeFpcbodjHQ=", + "h1:sfaNIqomGVkYy6gGHbaFS2ehzh5CqoeBwR4QYae+cBY=", + "h1:wbw64JlCobcQCAdlzHpxksQ1GabewTW1yxnACBVZh4A=", + "h1:y0qqdBKvRt2MMcga7AVMkUb/vmJSKVBaimHaIHKLucs=", + "zh:17c20574de8eb925b0091c9b6a4d859e9d6e399cd890b44cfbc028f4f312ac7a", + "zh:348664d9a900f7baf7b091cf94d657e4c968b240d31d9e162086724e6afc19d5", + "zh:5a876a468ffabff0299f8348e719cb704daf81a4867f8c6892f3c3c4add2c755", + "zh:6ef97ee4c8c6a69a3d36746ba5c857cf4f4d78f32aa3d0e1ce68f2ece6a5dba5", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8283e5a785e3c518a440f6ac6e7cc4fc07fe266bf34974246f4e2ef05762feda", + "zh:a44eb5077950168b571b7eb65491246c00f45409110f0f172cc3a7605f19dba9", + "zh:aa0806cbff72b49c1b389c0b8e6904586e5259c08dabb7cb5040418568146530", + "zh:bec4613c3beaad9a7be7ca99cdb2852073f782355b272892e6ee97a22856aec1", + "zh:d7fe368577b6c8d1ae44c751ed42246754c10305c7f001cc0109833e95aa107d", + 
"zh:df2409fc6a364b1f0a0f8a9cd8a86e61e80307996979ce3790243c4ce88f2915", + "zh:ed3c263396ff1f4d29639cc43339b655235acf4d06296a7c120a80e4e0fd6409", ] } provider "registry.terraform.io/hashicorp/tls" { - version = "4.1.0" - constraints = "4.1.0" + version = "4.0.6" + constraints = "4.0.6" hashes = [ - "h1:4gd/jiOS0zJxjTd5Q4o/gOp24RxcuwQ/TxwjTYQNPz4=", - "h1:C0J7AsrVHVqnDT9tICDNaKvA9iH6WTLS2EYzCEegpx0=", - "h1:Ka8mEwRFXBabR33iN/WTIEW6RP0z13vFsDlwn11Pf2I=", - "h1:ReNkTkCM64bktu54eGwQc29rhIejMLQsYA6kYNyBWno=", - "h1:UklaKJOCynnEJbpCVN0zJKIJ3SvO7RQJ00/6grBatnw=", - "h1:ZHcr1WIomuU6ZV+dzEwAG1+52JP0e0d/+l7bo3N5p88=", - "h1:eZa3vbx1pbiwnajuKvGWE7jWK+nHQ8lcLc/mO6Rhf4o=", - "h1:iSgnCUoLGMkt31RlflnL09NyjpAH0DX6bb9QBw5IE9Y=", - "h1:uDtqTpFJOseNUlPDx4TT/lXf6ie3CarsimL7sYCiVH4=", - "h1:y9cHrgcuaZt592In6xQzz1lx7k/B9EeWrAb8K7QqOgU=", - "h1:zEv9tY1KR5vaLSyp2lkrucNJ+Vq3c+sTFK9GyQGLtFs=", - "zh:14c35d89307988c835a7f8e26f1b83ce771e5f9b41e407f86a644c0152089ac2", - "zh:2fb9fe7a8b5afdbd3e903acb6776ef1be3f2e587fb236a8c60f11a9fa165faa8", - "zh:35808142ef850c0c60dd93dc06b95c747720ed2c40c89031781165f0c2baa2fc", - "zh:35b5dc95bc75f0b3b9c5ce54d4d7600c1ebc96fbb8dfca174536e8bf103c8cdc", - "zh:38aa27c6a6c98f1712aa5cc30011884dc4b128b4073a4a27883374bfa3ec9fac", - "zh:51fb247e3a2e88f0047cb97bb9df7c228254a3b3021c5534e4563b4007e6f882", - "zh:62b981ce491e38d892ba6364d1d0cdaadcee37cc218590e07b310b1dfa34be2d", - "zh:bc8e47efc611924a79f947ce072a9ad698f311d4a60d0b4dfff6758c912b7298", - "zh:c149508bd131765d1bc085c75a870abb314ff5a6d7f5ac1035a8892d686b6297", - "zh:d38d40783503d278b63858978d40e07ac48123a2925e1a6b47e62179c046f87a", + "h1:/GYlCthGsP6ooHpCFuMkjnuFoBX0xnvCNohf3suVw2A=", + "h1:/sSdjHoiykrPdyBP1JE03V/KDgLXnHZhHcSOYIdDH/A=", + "h1:17Y+vdYNKgphpe1/SU5PBnGuYKEJkJZ7MZCnmAwsAGQ=", + "h1:3hTE3Ifpfh4ogQN60xa3Dw2Cbk2QyK8rJ5Zi2f5cYTo=", + "h1:N7VxdRDiNZoRS9dnXJ+QuKWKn514ahS+U6f9K3cF44s=", + "h1:QAuzEStYipyCgx5On0Rym6EiFfqXnBQOrgUjBY7MIbU=", + "h1:W1r1GqxtFMYVCcqFpN7U8WGjbpvpA/YPcqjZbx5THG8=", + 
"h1:dYSb3V94K5dDMtrBRLPzBpkMTPn+3cXZ/kIJdtFL+2M=", + "h1:dr3jNQWLXzZ2IJ1XH2XIHScQd4HGKo+7ZoyoEP9hRpY=", + "h1:irxVvxMIETCpSsiJKpu4A3htA0v2ohIkpPNXVt++pio=", + "h1:n3M50qfWfRSpQV9Pwcvuse03pEizqrmYEryxKky4so4=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fb07f708e3316615f6d218cec198504984c0ce7000b9f1eebff7516e384f4b54", ] } diff --git a/e2e/miniconstellation/BUILD.bazel b/e2e/miniconstellation/BUILD.bazel index 47dd3b278..e8df73984 100644 --- a/e2e/miniconstellation/BUILD.bazel +++ b/e2e/miniconstellation/BUILD.bazel @@ -1,5 +1,4 @@ load("@com_github_ash2k_bazel_tools//multirun:def.bzl", "multirun") -load("@rules_shell//shell:sh_library.bzl", "sh_library") load("//bazel/sh:def.bzl", "sh_template") filegroup( diff --git a/e2e/miniconstellation/main.tf b/e2e/miniconstellation/main.tf index 2054a63a9..838008fa5 100644 --- a/e2e/miniconstellation/main.tf +++ b/e2e/miniconstellation/main.tf 
@@ -2,15 +2,15 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "4.29.0" + version = "4.12.0" } tls = { source = "hashicorp/tls" - version = "4.1.0" + version = "4.0.6" } cloudinit = { source = "hashicorp/cloudinit" - version = "2.3.7" + version = "2.3.5" } } } diff --git a/e2e/provider-upgrade/upgrade_test.go b/e2e/provider-upgrade/upgrade_test.go index 821158ac6..78bcd65b7 100644 --- a/e2e/provider-upgrade/upgrade_test.go +++ b/e2e/provider-upgrade/upgrade_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // End-to-end test that is used by the e2e Terraform provider test. diff --git a/flake.lock b/flake.lock index b424b9c4a..a633bfa33 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { 
@@ -18,13 +18,29 @@ "type": "github" } }, - "nixpkgs": { + "nixpkgsBazel": { "locked": { - "lastModified": 1743938762, - "narHash": "sha256-UgFYn8sGv9B8PoFpUfCa43CjMZBl1x/ShQhRDHBFQdI=", + "lastModified": 1717414489, + "narHash": "sha256-fhvJv8hkJwotkqxhoSQfvh6UfKG+sTYIQ3hchariEDk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "74a40410369a1c35ee09b8a1abee6f4acbedc059", + "rev": "c429fa2ffa21229eeadbe37c11a47aff35f53ce0", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c429fa2ffa21229eeadbe37c11a47aff35f53ce0", + "type": "github" + } + }, + "nixpkgsUnstable": { + "locked": { + "lastModified": 1725816686, + "narHash": "sha256-0Kq2MkQ/sQX1rhWJ/ySBBQlBJBUK8mPMDcuDhhdBkSU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "add0443ee587a0c44f22793b8c8649a0dbc3bb00", "type": "github" }, "original": { @@ -37,7 +53,9 @@ "root": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nixpkgsBazel": "nixpkgsBazel", + "nixpkgsUnstable": "nixpkgsUnstable", + "uplosi": "uplosi" } }, "systems": { @@ -54,6 +72,29 @@ "repo": "default", "type": "github" } + }, + "uplosi": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgsUnstable" + ] + }, + "locked": { + "lastModified": 1725522308, + "narHash": "sha256-AtsFZ92WkVkH8fd0Xa0D6/PR84/dtOH6gpM4mtn32Hk=", + "owner": "edgelesssys", + "repo": "uplosi", + "rev": "c8a482de299b5442f558d7381f0cbf898e0de0e1", + "type": "github" + }, + "original": { + "owner": "edgelesssys", + "repo": "uplosi", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 1e1304460..ddd1521c7 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,70 +2,48 @@ description = "Constellation"; inputs = { - nixpkgs = { + nixpkgsUnstable = { url = "github:NixOS/nixpkgs/nixpkgs-unstable"; }; + # TODO(msanft): Remove once https://github.com/NixOS/nixpkgs/commit/c429fa2ffa21229eeadbe37c11a47aff35f53ce0 + # lands in nixpkgs-unstable. + nixpkgsBazel = { + url = "github:NixOS/nixpkgs/c429fa2ffa21229eeadbe37c11a47aff35f53ce0"; + }; flake-utils = { url = "github:numtide/flake-utils"; }; + uplosi = { + url = "github:edgelesssys/uplosi"; + inputs.nixpkgs.follows = "nixpkgsUnstable"; + inputs.flake-utils.follows = "flake-utils"; + }; }; outputs = { self, - nixpkgs, + nixpkgsUnstable, + nixpkgsBazel, flake-utils, + uplosi, }: flake-utils.lib.eachDefaultSystem ( system: let - overlay = final: prev: { - rpm = prev.rpm.overrideAttrs (old: { - nativeBuildInputs = old.nativeBuildInputs ++ [ prev.makeWrapper ]; - postFixup = '' - wrapProgram $out/lib/rpm/sysusers.sh \ - --set PATH ${ - prev.lib.makeBinPath ( - with prev; - [ - coreutils - findutils - su.out - gnugrep - ] - ) - } - ''; - }); + pkgsUnstable = import nixpkgsUnstable { inherit system; }; - # dnf5 assumes a TTY with a very small width by default, truncating its output instead of line-wrapping - # it. Force it to use more VT columns to avoid this, and make debugging errors easier. 
- dnf5-stub = prev.writeScriptBin "dnf5" '' - #!/usr/bin/env bash - FORCE_COLUMNS=200 ${final.dnf5}/bin/dnf5 $@ - ''; - }; + bazelPkgsUnstable = import nixpkgsBazel { inherit system; }; - pkgs = import nixpkgs { - inherit system; - config.allowUnfree = true; - - overlays = [ - (_final: prev: (import ./nix/packages { inherit (prev) lib callPackage; })) - (_final: prev: { lib = prev.lib // (import ./nix/lib { inherit (prev) lib callPackage; }); }) - overlay - ]; - }; - - callPackage = pkgs.callPackage; + callPackage = pkgsUnstable.callPackage; mkosiDev = ( - pkgs.mkosi.override { - extraDeps = ( - with pkgs; - [ + pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec { + propagatedBuildInputs = + oldAttrs.propagatedBuildInputs + ++ (with pkgsUnstable; [ # package management - dnf5-stub + dnf5 rpm createrepo_c 
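Review bot: The `pkgsUnstable` import on the new side is a bare `import nixpkgsUnstable { inherit system; }`, without `config.allowUnfree` and without the `./nix/packages` and `./nix/lib` overlays, so every `callPackage` in this flake now resolves against unmodified nixpkgs; if any of the `./nix/cc/*.nix` or `./nix/container/*.nix` files rely on attributes those overlays provided, evaluation fails at the call sites in the next hunk rather than here, which is worth confirming before merging. The new `mkosiDev` also lists plain `dnf5`, while the removed comment documents that dnf5 truncates its output to a narrow terminal width; if that still reproduces, mkosi build logs will be truncated, so a comment on the `dnf5` entry such as `# dnf5 truncates output to a small default terminal width; unwrapped here, so expect cut-off log lines` would at least keep that knowledge next to the dependency. The `let` block begins in this hunk and the mkosi dependency list continues into the next one.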
@@ -83,54 +61,58 @@ # utils gnused # sed gnugrep # grep - ] - ); - } + ]); + }) ); + + uplosiDev = uplosi.outputs.packages."${system}".uplosi; + + openssl-static = pkgsUnstable.openssl.override { static = true; }; + + bazel_7 = bazelPkgsUnstable.callPackage ./nix/packages/bazel.nix { + pkgs = bazelPkgsUnstable; + nixpkgs = nixpkgsBazel; + }; + in { - # Use `legacyPackages` instead of `packages` for the reason explained here: - # https://github.com/NixOS/nixpkgs/blob/34def00657d7c45c51b0762eb5f5309689a909a5/flake.nix#L138-L156 - # Note that it's *not* a legacy attribute. - legacyPackages = { - generate = pkgs.callPackage ./nix/generate.nix { }; - } // pkgs; - packages.mkosi = mkosiDev; - packages.uplosi = pkgs.uplosi; + packages.uplosi = uplosiDev; - packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgs; }; + packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; }; packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix { - pkgs = pkgs; - pkgsLinux = import nixpkgs { system = "x86_64-linux"; }; + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; packages.libvirt = callPackage ./nix/cc/libvirt.nix { - pkgs = pkgs; - pkgsLinux = import nixpkgs { system = "x86_64-linux"; }; + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix { - pkgs = pkgs; - pkgsLinux = import nixpkgs { system = "x86_64-linux"; }; + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; packages.vpn = callPackage ./nix/container/vpn/vpn.nix { - pkgs = pkgs; - pkgsLinux = import nixpkgs { system = "x86_64-linux"; }; + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; - packages.awscli2 = pkgs.awscli2; + packages.awscli2 = pkgsUnstable.awscli2; - packages.createrepo_c = pkgs.createrepo_c; + packages.bazel_7 = bazel_7; - packages.dnf5 = 
pkgs.dnf5; + packages.createrepo_c = pkgsUnstable.createrepo_c; - devShells.default = callPackage ./nix/shells/default.nix { }; + packages.dnf5 = pkgsUnstable.dnf5; - formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt; + devShells.default = callPackage ./nix/shells/default.nix { inherit bazel_7; }; + + formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt; } ); } diff --git a/go.mod b/go.mod index b609d2d6c..27dae14d0 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/edgelesssys/constellation/v2 -go 1.24.4 +go 1.23.2 // TODO(daniel-weisse): revert after merging https://github.com/martinjungblut/go-cryptsetup/pull/16. replace github.com/martinjungblut/go-cryptsetup => github.com/daniel-weisse/go-cryptsetup v0.0.0-20230705150314-d8c07bd1723c 
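Review bot: `openssl-static` is bound in the `let` block but never referenced in the outputs: `packages.openssl` still comes from `callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; }`, so unless the binding is used in the mkosi dependency list between the two hunks it is dead code that Nix's lazy evaluation never builds or checks. Either drop the line or pass it where it was intended, for example `packages.openssl-static = openssl-static;` if a static build is meant to be exposed. `bazel_7` is the only package built from the pinned `nixpkgsBazel` commit while everything else comes from `pkgsUnstable`; given the TODO on the inputs, a comment at the binding, e.g. `# built from the pinned nixpkgsBazel input; see the TODO on the flake inputs`, would explain the split to the next reader.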
@@ -11,150 +11,150 @@ replace github.com/martinjungblut/go-cryptsetup => github.com/daniel-weisse/go-c // See this issue: https://github.com/kubernetes/kubernetes/issues/79384 // And this README: https://github.com/kubernetes/kubernetes/blob/master/staging/README.md replace ( - k8s.io/cloud-provider => k8s.io/cloud-provider v0.33.1 - k8s.io/controller-manager => k8s.io/controller-manager v0.33.1 - k8s.io/cri-client => k8s.io/cri-client v0.33.1 - k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.33.1 - k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.33.1 - k8s.io/endpointslice => k8s.io/endpointslice v0.33.1 - k8s.io/externaljwt => k8s.io/externaljwt v0.33.1 - k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.33.1 - k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.33.1 - k8s.io/kube-proxy => k8s.io/kube-proxy v0.33.1 - k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.33.1 - k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.13 - k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.33.1 - k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.33.1 + k8s.io/cloud-provider => k8s.io/cloud-provider v0.31.3 + k8s.io/controller-manager => k8s.io/controller-manager v0.31.3 + k8s.io/cri-client => k8s.io/cri-client v0.31.1 + k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.31.3 + k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.31.1 + k8s.io/endpointslice => k8s.io/endpointslice v0.31.1 + k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.31.3 + k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.31.3 + k8s.io/kube-proxy => k8s.io/kube-proxy v0.31.3 + k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.31.3 + k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.7 + k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.31.3 + k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.31.3 ) require ( - 
cloud.google.com/go/compute v1.38.0 - cloud.google.com/go/compute/metadata v0.7.0 - cloud.google.com/go/kms v1.22.0 - cloud.google.com/go/secretmanager v1.14.7 - cloud.google.com/go/storage v1.55.0 - dario.cat/mergo v1.0.2 + cloud.google.com/go/compute v1.29.0 + cloud.google.com/go/compute/metadata v0.5.2 + cloud.google.com/go/kms v1.20.1 + cloud.google.com/go/secretmanager v1.14.2 + cloud.google.com/go/storage v1.47.0 + dario.cat/mergo v1.0.1 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 - github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.4.0 - github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0 - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1 - github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1 - github.com/BurntSushi/toml v1.5.0 - github.com/aws/aws-sdk-go v1.55.7 - github.com/aws/aws-sdk-go-v2 v1.36.3 - github.com/aws/aws-sdk-go-v2/config v1.29.14 - github.com/aws/aws-sdk-go-v2/credentials v1.17.67 - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.77 - github.com/aws/aws-sdk-go-v2/service/autoscaling v1.53.0 - github.com/aws/aws-sdk-go-v2/service/cloudfront v1.46.1 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.224.0 - github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.45.2 - github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.26.3 - github.com/aws/aws-sdk-go-v2/service/s3 v1.80.0 - github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.4 - github.com/aws/smithy-go v1.22.3 - github.com/bazelbuild/buildtools v0.0.0-20250530102019-b02f80d9ea9c - github.com/bazelbuild/rules_go v0.54.0 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 + 
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0 + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.1.0 + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0 + github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0 + github.com/BurntSushi/toml v1.4.0 + github.com/aws/aws-sdk-go v1.55.5 + github.com/aws/aws-sdk-go-v2 v1.32.5 + github.com/aws/aws-sdk-go-v2/config v1.28.5 + github.com/aws/aws-sdk-go-v2/credentials v1.17.46 + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41 + github.com/aws/aws-sdk-go-v2/service/autoscaling v1.51.0 + github.com/aws/aws-sdk-go-v2/service/cloudfront v1.43.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.194.0 + github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.43.0 + github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.25.6 + github.com/aws/aws-sdk-go-v2/service/s3 v1.69.0 + github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.6 + github.com/aws/smithy-go v1.22.1 + github.com/bazelbuild/buildtools v0.0.0-20240918101019-be1c24cc9a44 + github.com/bazelbuild/rules_go v0.50.1 github.com/coreos/go-systemd/v22 v22.5.0 - github.com/docker/docker v28.2.2+incompatible - github.com/edgelesssys/go-azguestattestation v0.0.0-20250408071817-8c4457b235ff - github.com/edgelesssys/go-tdx-qpl v0.0.0-20250129202750-607ac61e2377 - github.com/foxboron/go-uefi v0.0.0-20250207204325-69fb7dba244f - github.com/fsnotify/fsnotify v1.9.0 + github.com/docker/docker v27.3.1+incompatible + github.com/edgelesssys/go-azguestattestation v0.0.0-20240513062303-05f8770a633d + github.com/edgelesssys/go-tdx-qpl v0.0.0-20240123150912-dcad3c41ec5f + github.com/foxboron/go-uefi v0.0.0-20241017190036-fab4fdf2f2f3 + github.com/fsnotify/fsnotify v1.8.0 github.com/go-playground/locales v0.14.1 github.com/go-playground/universal-translator v0.18.1 - github.com/go-playground/validator/v10 v10.26.0 - 
github.com/golang-jwt/jwt/v5 v5.2.2 - github.com/google/go-sev-guest v0.13.0 - github.com/google/go-tdx-guest v0.3.2-0.20250505161510-9efd53b4a100 - github.com/google/go-tpm v0.9.5 + github.com/go-playground/validator/v10 v10.23.0 + github.com/golang-jwt/jwt/v5 v5.2.1 + github.com/google/go-sev-guest v0.11.2-0.20241122204452-64cd695124b1 + github.com/google/go-tdx-guest v0.3.1 + github.com/google/go-tpm v0.9.1 github.com/google/go-tpm-tools v0.4.4 github.com/google/uuid v1.6.0 - github.com/googleapis/gax-go/v2 v2.14.2 - github.com/gophercloud/gophercloud/v2 v2.7.0 - github.com/gophercloud/utils/v2 v2.0.0-20250506092640-af27464b6166 - github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 - github.com/hashicorp/go-kms-wrapping/v2 v2.0.18 - github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.11 - github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.14 - github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.13 + github.com/googleapis/gax-go/v2 v2.14.0 + github.com/gophercloud/gophercloud/v2 v2.2.0 + github.com/gophercloud/utils/v2 v2.0.0-20241108144456-f4302a5ad8c6 + github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 + github.com/hashicorp/go-kms-wrapping/v2 v2.0.16 + github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9 + github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11 + github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12 github.com/hashicorp/go-version v1.7.0 - github.com/hashicorp/hc-install v0.9.2 + github.com/hashicorp/hc-install v0.9.0 github.com/hashicorp/hcl/v2 v2.23.0 - github.com/hashicorp/terraform-exec v0.23.0 - github.com/hashicorp/terraform-json v0.25.0 - github.com/hashicorp/terraform-plugin-framework v1.15.0 - github.com/hashicorp/terraform-plugin-framework-validators v0.18.0 - github.com/hashicorp/terraform-plugin-go v0.28.0 + github.com/hashicorp/terraform-exec v0.21.0 + github.com/hashicorp/terraform-json v0.23.0 + github.com/hashicorp/terraform-plugin-framework v1.13.0 
+ github.com/hashicorp/terraform-plugin-framework-validators v0.15.0 + github.com/hashicorp/terraform-plugin-go v0.25.0 github.com/hashicorp/terraform-plugin-log v0.9.0 - github.com/hashicorp/terraform-plugin-testing v1.13.1 + github.com/hashicorp/terraform-plugin-testing v1.11.0 github.com/hexops/gotextdiff v1.0.3 github.com/martinjungblut/go-cryptsetup v0.0.0-20220520180014-fd0874fd07a6 github.com/mattn/go-isatty v0.0.20 github.com/mitchellh/go-homedir v1.1.0 - github.com/onsi/ginkgo/v2 v2.23.4 - github.com/onsi/gomega v1.37.0 + github.com/onsi/ginkgo/v2 v2.22.0 + github.com/onsi/gomega v1.36.0 github.com/pkg/errors v0.9.1 - github.com/regclient/regclient v0.8.3 - github.com/rogpeppe/go-internal v1.14.1 - github.com/samber/slog-multi v1.4.0 - github.com/schollz/progressbar/v3 v3.18.0 - github.com/secure-systems-lab/go-securesystemslib v0.9.0 - github.com/siderolabs/talos/pkg/machinery v1.10.3 - github.com/sigstore/rekor v1.3.10 - github.com/sigstore/sigstore v1.9.4 - github.com/spf13/afero v1.14.0 - github.com/spf13/cobra v1.9.1 - github.com/spf13/pflag v1.0.6 + github.com/regclient/regclient v0.7.2 + github.com/rogpeppe/go-internal v1.13.1 + github.com/samber/slog-multi v1.2.4 + github.com/schollz/progressbar/v3 v3.17.1 + github.com/secure-systems-lab/go-securesystemslib v0.8.0 + github.com/siderolabs/talos/pkg/machinery v1.8.3 + github.com/sigstore/rekor v1.3.7 + github.com/sigstore/sigstore v1.8.10 + github.com/spf13/afero v1.11.0 + github.com/spf13/cobra v1.8.1 + github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.10.0 - github.com/tink-crypto/tink-go/v2 v2.4.0 + github.com/tink-crypto/tink-go/v2 v2.2.0 github.com/vincent-petithory/dataurl v1.0.0 - go.etcd.io/etcd/api/v3 v3.6.0 - go.etcd.io/etcd/client/pkg/v3 v3.6.0 - go.etcd.io/etcd/client/v3 v3.6.0 + go.etcd.io/etcd/api/v3 v3.5.17 + go.etcd.io/etcd/client/pkg/v3 v3.5.17 + go.etcd.io/etcd/client/v3 v3.5.17 go.uber.org/goleak v1.3.0 - golang.org/x/crypto v0.39.0 - golang.org/x/exp 
v0.0.0-20250531010427-b6e5de432a8b - golang.org/x/mod v0.25.0 - golang.org/x/sys v0.33.0 - golang.org/x/text v0.26.0 - golang.org/x/tools v0.33.0 - google.golang.org/api v0.235.0 - google.golang.org/grpc v1.72.2 - google.golang.org/protobuf v1.36.6 + golang.org/x/crypto v0.29.0 + golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f + golang.org/x/mod v0.22.0 + golang.org/x/sys v0.27.0 + golang.org/x/text v0.20.0 + golang.org/x/tools v0.27.0 + google.golang.org/api v0.209.0 + google.golang.org/grpc v1.68.0 + google.golang.org/protobuf v1.35.2 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.18.4 - k8s.io/api v0.33.2 - k8s.io/apiextensions-apiserver v0.33.2 - k8s.io/apimachinery v0.33.2 - k8s.io/apiserver v0.33.2 - k8s.io/client-go v0.33.2 - k8s.io/cluster-bootstrap v0.33.1 - k8s.io/kubelet v0.33.1 - k8s.io/kubernetes v1.33.2 - k8s.io/mount-utils v0.33.1 - k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 - libvirt.org/go/libvirt v1.11002.0 - sigs.k8s.io/controller-runtime v0.21.0 + helm.sh/helm/v3 v3.16.3 + k8s.io/api v0.31.3 + k8s.io/apiextensions-apiserver v0.31.3 + k8s.io/apimachinery v0.31.3 + k8s.io/apiserver v0.31.3 + k8s.io/client-go v0.31.3 + k8s.io/cluster-bootstrap v0.31.3 + k8s.io/kubelet v0.31.3 + k8s.io/kubernetes v1.31.3 + k8s.io/mount-utils v0.31.3 + k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078 + libvirt.org/go/libvirt v1.10009.0 + sigs.k8s.io/controller-runtime v0.19.2 sigs.k8s.io/yaml v1.4.0 ) require ( - cel.dev/expr v0.23.1 // indirect - cloud.google.com/go v0.121.1 // indirect - cloud.google.com/go/auth v0.16.1 // indirect - cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect - cloud.google.com/go/iam v1.5.2 // indirect - cloud.google.com/go/longrunning v0.6.7 // indirect - cloud.google.com/go/monitoring v1.24.2 // indirect - github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect + cel.dev/expr v0.16.2 // indirect + cloud.google.com/go v0.116.0 // indirect + cloud.google.com/go/auth v0.10.2 // indirect + 
cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect + cloud.google.com/go/iam v1.2.2 // indirect + cloud.google.com/go/longrunning v0.6.2 // indirect + cloud.google.com/go/monitoring v1.21.2 // indirect + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect - github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 // indirect + github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.29 // indirect github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect 
@@ -163,134 +163,137 @@ require ( github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect - github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect - github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 // indirect - github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.3.1 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.3.0 // indirect github.com/Masterminds/sprig/v3 v3.3.0 // indirect github.com/Masterminds/squirrel v1.5.4 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/ProtonMail/go-crypto v1.1.6 // indirect + github.com/ProtonMail/go-crypto v1.1.0-alpha.5.0.20240827111422-b5837fa4476e // indirect github.com/agext/levenshtein v1.2.2 // indirect github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect - github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 // indirect - 
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect + github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.24.6 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.33.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect github.com/blang/semver/v4 v4.0.0 // indirect + github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chai2010/gettext-go v1.0.2 // indirect - github.com/cloudflare/circl v1.6.1 // indirect - github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect - github.com/containerd/containerd v1.7.27 // indirect - github.com/containerd/errdefs v1.0.0 // indirect - github.com/containerd/errdefs/pkg v0.3.0 // indirect + 
github.com/cloudflare/circl v1.3.9 // indirect + github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect + github.com/containerd/containerd v1.7.23 // indirect + github.com/containerd/errdefs v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/coredns/caddy v1.1.1 // indirect - github.com/coredns/corefile-migration v1.0.25 // indirect + github.com/coredns/corefile-migration v1.0.23 // indirect github.com/coreos/go-semver v0.3.1 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect - github.com/cyphar/filepath-securejoin v0.4.1 // indirect - github.com/danieljoos/wincred v1.2.1 // indirect + github.com/cyphar/filepath-securejoin v0.3.4 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/distribution/reference v0.6.0 // indirect + github.com/docker/cli v27.1.1+incompatible // indirect + github.com/docker/distribution v2.8.3+incompatible // indirect + github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/docker/go-connections v0.5.0 // indirect + github.com/docker/go-metrics v0.0.1 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect - github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect - github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect - github.com/evanphx/json-patch v5.9.11+incompatible // indirect - github.com/evanphx/json-patch/v5 v5.9.11 // indirect - github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect - github.com/fatih/color v1.18.0 // indirect + github.com/envoyproxy/go-control-plane v0.13.0 // indirect + github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect + 
github.com/evanphx/json-patch v5.9.0+incompatible // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect + github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect + github.com/fatih/color v1.17.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect - github.com/gabriel-vasile/mimetype v1.4.8 // indirect + github.com/gabriel-vasile/mimetype v1.4.3 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-errors/errors v1.4.2 // indirect github.com/go-gorp/gorp/v3 v3.1.0 // indirect - github.com/go-jose/go-jose/v3 v3.0.4 // indirect - github.com/go-jose/go-jose/v4 v4.0.5 // indirect + github.com/go-jose/go-jose/v3 v3.0.3 // indirect + github.com/go-jose/go-jose/v4 v4.0.2 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/analysis v0.23.0 // indirect - github.com/go-openapi/errors v0.22.1 // indirect + github.com/go-openapi/errors v0.22.0 // indirect github.com/go-openapi/jsonpointer v0.21.0 // indirect github.com/go-openapi/jsonreference v0.21.0 // indirect github.com/go-openapi/loads v0.22.0 // indirect github.com/go-openapi/runtime v0.28.0 // indirect github.com/go-openapi/spec v0.21.0 // indirect github.com/go-openapi/strfmt v0.23.0 // indirect - github.com/go-openapi/swag v0.23.1 // indirect + github.com/go-openapi/swag v0.23.0 // indirect github.com/go-openapi/validate v0.24.0 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/godbus/dbus/v5 v5.1.0 // indirect - github.com/gofrs/uuid/v5 v5.3.2 // indirect + github.com/gofrs/uuid/v5 v5.3.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v4 v4.5.2 // indirect + github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect 
github.com/golang/protobuf v1.5.4 // indirect - github.com/google/btree v1.1.3 // indirect + github.com/google/btree v1.1.2 // indirect github.com/google/certificate-transparency-go v1.1.8 // indirect - github.com/google/gnostic-models v0.6.9 // indirect + github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-attestation v0.5.1 // indirect - github.com/google/go-cmp v0.7.0 // indirect - github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc // indirect - github.com/google/go-containerregistry v0.20.3 // indirect + github.com/google/go-cmp v0.6.0 // indirect + github.com/google/go-configfs-tsm v0.2.2 // indirect + github.com/google/go-containerregistry v0.20.2 // indirect github.com/google/go-tspi v0.3.0 // indirect + github.com/google/gofuzz v1.2.0 // indirect github.com/google/logger v1.1.1 // indirect - github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect - github.com/google/s2a-go v0.1.9 // indirect + github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect + github.com/google/s2a-go v0.1.8 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect - github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect + github.com/gorilla/mux v1.8.1 // indirect + github.com/gorilla/websocket v1.5.0 // indirect github.com/gosuri/uitable v0.0.4 // indirect - github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect + github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-checkpoint v0.5.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect - github.com/hashicorp/go-cty v1.5.0 // indirect + github.com/hashicorp/go-cty 
v1.4.1-0.20200414143053-d3edf31b6320 // indirect github.com/hashicorp/go-hclog v1.6.3 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect - github.com/hashicorp/go-plugin v1.6.3 // indirect + github.com/hashicorp/go-plugin v1.6.2 // indirect github.com/hashicorp/go-retryablehttp v0.7.7 // indirect github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 // indirect - github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9 // indirect - github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect - github.com/hashicorp/go-sockaddr v1.0.6 // indirect github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/hashicorp/logutils v1.0.0 // indirect - github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0 // indirect - github.com/hashicorp/terraform-registry-address v0.2.5 // indirect + github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0 // indirect + github.com/hashicorp/terraform-registry-address v0.2.3 // indirect github.com/hashicorp/terraform-svchost v0.1.1 // indirect github.com/hashicorp/yamux v0.1.1 // indirect github.com/huandu/xstrings v1.5.0 // indirect + github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.18.0 // indirect + github.com/klauspost/compress v1.17.11 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect 
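Review bot: Several security-sensitive modules are pinned backwards in this hunk without any visible check that the older releases are free of published advisories — `github.com/golang-jwt/jwt/v4` v4.5.2 → v4.5.0, `github.com/go-jose/go-jose/v3` v3.0.4 → v3.0.3 and `/v4` v4.0.5 → v4.0.2, `github.com/cyphar/filepath-securejoin` v0.4.1 → v0.3.4, `github.com/containerd/containerd` v1.7.27 → v1.7.23 — and token/JWS parsing and path-join libraries are exactly where patch releases tend to carry fixes. The same downgrade pattern continues in the @@ -298, @@ -321 and @@ -356 hunks (golang.org/x/net and x/oauth2, prometheus/client_golang, kustomize, structured-merge-diff/v4), so one check covers all of them. Before merging, run `govulncheck ./...` against the reverted go.mod and attach the result to the PR, or keep the revert of the k8s.io/helm.sh stack but re-pin the affected modules individually with `go get <module>@<version>` at the newest release that still resolves against k8s.io v0.31.x. If this is a deliberate rollback of a broken upgrade, stating that in the commit message would keep the downgrade from reading as an unintentional dependency regression.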
@@ -298,9 +301,8 @@ require (
 github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 github.com/lib/pq v1.10.9 // indirect
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
- github.com/lithammer/dedent v1.1.0 // indirect
- github.com/mailru/easyjson v0.9.0 // indirect
- github.com/mattn/go-colorable v0.1.14 // indirect
+ github.com/mailru/easyjson v0.7.7 // indirect
+ github.com/mattn/go-colorable v0.1.13 // indirect
 github.com/mattn/go-runewidth v0.0.16 // indirect
 github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 github.com/mitchellh/copystructure v1.2.0 // indirect
@@ -309,10 +311,10 @@ require (
 github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/mitchellh/reflectwalk v1.0.2 // indirect
 github.com/moby/docker-image-spec v1.3.1 // indirect
- github.com/moby/spdystream v0.5.0 // indirect
- github.com/moby/sys/atomicwriter v0.1.0 // indirect
- github.com/moby/sys/mountinfo v0.7.2 // indirect
- github.com/moby/term v0.5.2 // indirect
+ github.com/moby/locker v1.0.1 // indirect
+ github.com/moby/spdystream v0.4.0 // indirect
+ github.com/moby/sys/mountinfo v0.7.1 // indirect
+ github.com/moby/term v0.5.0 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
@@ -321,27 +323,26 @@ require (
 github.com/oklog/run v1.0.0 // indirect
 github.com/oklog/ulid v1.3.1 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
- github.com/opencontainers/image-spec v1.1.1 // indirect
+ github.com/opencontainers/image-spec v1.1.0 // indirect
+ github.com/opencontainers/runc v1.1.13 // indirect
+ github.com/opencontainers/runtime-spec v1.2.0 // indirect
 github.com/opentracing/opentracing-go v1.2.0 // indirect
 github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
- github.com/planetscale/vtprotobuf v0.6.1-0.20241121165744-79df5c4772f2 // indirect
+ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
- github.com/prometheus/client_golang v1.22.0 // indirect
+ github.com/prometheus/client_golang v1.20.5 // indirect
 github.com/prometheus/client_model v0.6.1 // indirect
- github.com/prometheus/common v0.62.0 // indirect
+ github.com/prometheus/common v0.55.0 // indirect
 github.com/prometheus/procfs v0.15.1 // indirect
 github.com/rivo/uniseg v0.4.7 // indirect
- github.com/rubenv/sql-migrate v1.8.0 // indirect
+ github.com/rubenv/sql-migrate v1.7.0 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
- github.com/ryanuber/go-glob v1.0.0 // indirect
- github.com/samber/lo v1.49.1 // indirect
+ github.com/samber/lo v1.47.0 // indirect
 github.com/sassoftware/relic v7.2.1+incompatible // indirect
 github.com/shopspring/decimal v1.4.0 // indirect
- github.com/sigstore/protobuf-specs v0.4.1 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect
 github.com/spf13/cast v1.7.0 // indirect
- github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
 github.com/stretchr/objx v0.5.2 // indirect
 github.com/theupdateframework/go-tuf v0.7.0 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
@@ -356,43 +357,42 @@ require (
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 github.com/xlab/treeprint v1.2.0 // indirect
- github.com/zclconf/go-cty v1.16.2 // indirect
- github.com/zeebo/errs v1.4.0 // indirect
+ github.com/zclconf/go-cty v1.15.0 // indirect
 go.mongodb.org/mongo-driver v1.14.0 // indirect
- go.opentelemetry.io/auto/sdk v1.1.0 // indirect
- go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
- go.opentelemetry.io/otel v1.36.0 // indirect
- go.opentelemetry.io/otel/metric v1.36.0 // indirect
- go.opentelemetry.io/otel/sdk v1.36.0 // indirect
- go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
- go.opentelemetry.io/otel/trace v1.36.0 // indirect
- go.uber.org/automaxprocs v1.6.0 // indirect
+ go.opencensus.io v0.24.0 // indirect
+ go.opentelemetry.io/contrib/detectors/gcp v1.29.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
+ go.opentelemetry.io/otel v1.29.0 // indirect
+ go.opentelemetry.io/otel/metric v1.29.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.29.0 // indirect
+ go.opentelemetry.io/otel/sdk/metric v1.29.0 // indirect
+ go.opentelemetry.io/otel/trace v1.29.0 // indirect
+ go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
- golang.org/x/net v0.40.0 // indirect
- golang.org/x/oauth2 v0.30.0 // indirect
- golang.org/x/sync v0.15.0 // indirect
- golang.org/x/term v0.32.0 // indirect
- golang.org/x/time v0.11.0 // indirect
+ golang.org/x/net v0.31.0 // indirect
+ golang.org/x/oauth2 v0.24.0 // indirect
+ golang.org/x/sync v0.9.0 // indirect
+ golang.org/x/term v0.26.0 // indirect
+ golang.org/x/time v0.8.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/appengine v1.6.8 // indirect
- google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20250512202823-5a2f75b736a9 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 // indirect
+ google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f // indirect
+ google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
- gotest.tools/v3 v3.4.0 // indirect
- k8s.io/cli-runtime v0.33.2 // indirect
- k8s.io/component-base v0.33.2 // indirect
+ gopkg.in/yaml.v2 v2.4.0 // indirect
+ k8s.io/cli-runtime v0.31.1 // indirect
+ k8s.io/component-base v0.31.3 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
- k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
- k8s.io/kubectl v0.33.2 // indirect
- oras.land/oras-go/v2 v2.6.0 // indirect
- sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
- sigs.k8s.io/kustomize/api v0.19.0 // indirect
- sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect
- sigs.k8s.io/randfill v1.0.0 // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
+ k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+ k8s.io/kubectl v0.31.1 // indirect
+ oras.land/oras-go v1.2.5 // indirect
+ sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+ sigs.k8s.io/kustomize/api v0.17.2 // indirect
+ sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
diff --git a/go.sum b/go.sum index 362f2af9d..081bdc46c 100644 --- a/go.sum +++ b/go.sum 
@@ -1,33 +1,34 @@ -cel.dev/expr v0.23.1 h1:K4KOtPCJQjVggkARsjG9RWXP6O4R73aHeJMa/dmCQQg= -cel.dev/expr v0.23.1/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw= -cloud.google.com/go v0.121.1 h1:S3kTQSydxmu1JfLRLpKtxRPA7rSrYPRPEUmL/PavVUw= -cloud.google.com/go v0.121.1/go.mod h1:nRFlrHq39MNVWu+zESP2PosMWA0ryJw8KUBZ2iZpxbw= -cloud.google.com/go/auth v0.16.1 h1:XrXauHMd30LhQYVRHLGvJiYeczweKQXZxsTbV9TiguU= -cloud.google.com/go/auth v0.16.1/go.mod h1:1howDHJ5IETh/LwYs3ZxvlkXF48aSqqJUM+5o02dNOI= -cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= -cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= -cloud.google.com/go/compute v1.38.0 h1:MilCLYQW2m7Dku8hRIIKo4r0oKastlD74sSu16riYKs= -cloud.google.com/go/compute v1.38.0/go.mod h1:oAFNIuXOmXbK/ssXm3z4nZB8ckPdjltJ7xhHCdbWFZM= -cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU= -cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo= -cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8= -cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE= -cloud.google.com/go/kms v1.22.0 h1:dBRIj7+GDeeEvatJeTB19oYZNV0aj6wEqSIT/7gLqtk= -cloud.google.com/go/kms v1.22.0/go.mod h1:U7mf8Sva5jpOb4bxYZdtw/9zsbIjrklYwPcvMk34AL8= -cloud.google.com/go/logging v1.13.0 h1:7j0HgAp0B94o1YRDqiqm26w4q1rDMH7XNRU34lJXHYc= -cloud.google.com/go/logging v1.13.0/go.mod h1:36CoKh6KA/M0PbhPKMq6/qety2DCAErbhXT62TuXALA= -cloud.google.com/go/longrunning v0.6.7 h1:IGtfDWHhQCgCjwQjV9iiLnUta9LBCo8R9QmAFsS/PrE= -cloud.google.com/go/longrunning v0.6.7/go.mod h1:EAFV3IZAKmM56TyiE6VAP3VoTzhZzySwI/YI1s/nRsY= -cloud.google.com/go/monitoring v1.24.2 h1:5OTsoJ1dXYIiMiuL+sYscLc9BumrL3CarVLL7dd7lHM= -cloud.google.com/go/monitoring v1.24.2/go.mod h1:x7yzPWcgDRnPEv3sI+jJGBkwl5qINf+6qY4eq0I9B4U= -cloud.google.com/go/secretmanager v1.14.7 
h1:VkscIRzj7GcmZyO4z9y1EH7Xf81PcoiAo7MtlD+0O80= -cloud.google.com/go/secretmanager v1.14.7/go.mod h1:uRuB4F6NTFbg0vLQ6HsT7PSsfbY7FqHbtJP1J94qxGc= -cloud.google.com/go/storage v1.55.0 h1:NESjdAToN9u1tmhVqhXCaCwYBuvEhZLLv0gBr+2znf0= -cloud.google.com/go/storage v1.55.0/go.mod h1:ztSmTTwzsdXe5syLVS0YsbFxXuvEmEyZj7v7zChEmuY= -cloud.google.com/go/trace v1.11.6 h1:2O2zjPzqPYAHrn3OKl029qlqG6W8ZdYaOWRyr8NgMT4= -cloud.google.com/go/trace v1.11.6/go.mod h1:GA855OeDEBiBMzcckLPE2kDunIpC72N+Pq8WFieFjnI= -dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= -dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= +cel.dev/expr v0.16.2 h1:RwRhoH17VhAu9U5CMvMhH1PDVgf0tuz9FT+24AfMLfU= +cel.dev/expr v0.16.2/go.mod h1:gXngZQMkWJoSbE8mOzehJlXQyubn/Vg0vR9/F3W7iw8= +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.116.0 h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE= +cloud.google.com/go v0.116.0/go.mod h1:cEPSRWPzZEswwdr9BxE6ChEn01dWlTaF05LiC2Xs70U= +cloud.google.com/go/auth v0.10.2 h1:oKF7rgBfSHdp/kuhXtqU/tNDr0mZqhYbEh+6SiqzkKo= +cloud.google.com/go/auth v0.10.2/go.mod h1:xxA5AqpDrvS+Gkmo9RqrGGRh6WSNKKOXhY3zNOr38tI= +cloud.google.com/go/auth/oauth2adapt v0.2.5 h1:2p29+dePqsCHPP1bqDJcKj4qxRyYCcbzKpFyKGt3MTk= +cloud.google.com/go/auth/oauth2adapt v0.2.5/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8= +cloud.google.com/go/compute v1.29.0 h1:Lph6d8oPi38NHkOr6S55Nus/Pbbcp37m/J0ohgKAefs= +cloud.google.com/go/compute v1.29.0/go.mod h1:HFlsDurE5DpQZClAGf/cYh+gxssMhBxBovZDYkEn/Og= +cloud.google.com/go/compute/metadata v0.5.2 h1:UxK4uu/Tn+I3p2dYWTfiX4wva7aYlKixAHn3fyqngqo= +cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k= +cloud.google.com/go/iam v1.2.2 h1:ozUSofHUGf/F4tCNy/mu9tHLTaxZFLOUiKzjcgWHGIA= +cloud.google.com/go/iam v1.2.2/go.mod h1:0Ys8ccaZHdI1dEUilwzqng/6ps2YB6vRsjIe00/+6JY= +cloud.google.com/go/kms v1.20.1 
h1:og29Wv59uf2FVaZlesaiDAqHFzHaoUyHI3HYp9VUHVg= +cloud.google.com/go/kms v1.20.1/go.mod h1:LywpNiVCvzYNJWS9JUcGJSVTNSwPwi0vBAotzDqn2nc= +cloud.google.com/go/logging v1.12.0 h1:ex1igYcGFd4S/RZWOCU51StlIEuey5bjqwH9ZYjHibk= +cloud.google.com/go/logging v1.12.0/go.mod h1:wwYBt5HlYP1InnrtYI0wtwttpVU1rifnMT7RejksUAM= +cloud.google.com/go/longrunning v0.6.2 h1:xjDfh1pQcWPEvnfjZmwjKQEcHnpz6lHjfy7Fo0MK+hc= +cloud.google.com/go/longrunning v0.6.2/go.mod h1:k/vIs83RN4bE3YCswdXC5PFfWVILjm3hpEUlSko4PiI= +cloud.google.com/go/monitoring v1.21.2 h1:FChwVtClH19E7pJ+e0xUhJPGksctZNVOk2UhMmblmdU= +cloud.google.com/go/monitoring v1.21.2/go.mod h1:hS3pXvaG8KgWTSz+dAdyzPrGUYmi2Q+WFX8g2hqVEZU= +cloud.google.com/go/secretmanager v1.14.2 h1:2XscWCfy//l/qF96YE18/oUaNJynAx749Jg3u0CjQr8= +cloud.google.com/go/secretmanager v1.14.2/go.mod h1:Q18wAPMM6RXLC/zVpWTlqq2IBSbbm7pKBlM3lCKsmjw= +cloud.google.com/go/storage v1.47.0 h1:ajqgt30fnOMmLfWfu1PWcb+V9Dxz6n+9WKjdNg5R4HM= +cloud.google.com/go/storage v1.47.0/go.mod h1:Ks0vP374w0PW6jOUameJbapbQKXqkjGd/OJRp2fb9IQ= +cloud.google.com/go/trace v1.11.2 h1:4ZmaBdL8Ng/ajrgKqY5jfvzqMXbrDcBsUGXOT9aqTtI= +cloud.google.com/go/trace v1.11.2/go.mod h1:bn7OwXd4pd5rFuAnTrzBuoZ4ax2XQeG3qNgYmfCy0Io= +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= 
@@ -36,36 +37,36 @@ github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjq github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d/go.mod h1:XNqJ7hv2kY++g8XEHREpi+JqZo3+0l+CH2egBVN4yqM= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 h1:j8BorDEigD8UFOSZQiSqAMOOleyQOOQPnUAwV+Ls1gA= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4= -github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= -github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 h1:FPKJS1T+clwv+OLGt13a8UjqeRuh0O4SJ3lUriThc+4= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1/go.mod h1:j2chePtV91HrC22tGoRX3sGY42uF13WzmmV80/OdVAA= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 h1:JZg6HRh6W6U4OLl6lk7BZ7BLisIzM9dG1R50zUk9C/M= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0/go.mod h1:YL1xnZ6QejvQHWJrX/AvhFl4WW4rqHVoKspWNVwFk0M= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 h1:B/dfvscEQtew9dVuoxqxrUKKv8Ih2f55PydknDamU+g= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0/go.mod h1:fiPSssYvltE08HJchL04dOy+RD4hgrjph0cwGGMntdI= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0 h1:+m0M/LFxN43KvULkDNfdXOgrjtg6UYJPFBJyuEcRCAw= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0/go.mod h1:PwOyop78lveYMRs6oCxjiVyBdyCgIYH6XHIVZO9/SFQ= 
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 h1:m/sWOGCREuSBqg2htVQTBY8nOZpyajYztF0vUvSZTuM= github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0/go.mod h1:Pu5Zksi2KrU7LPbZbNINx6fuVrUp/ffvpxdDj+i8LeE= github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw= github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.4.0 h1:z7Mqz6l0EFH549GvHEqfjKvi+cRScxLWbaoeLm9wxVQ= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.4.0/go.mod h1:v6gbfH+7DG7xH2kUNs+ZJ9tF6O3iNnR85wMtmr+F54o= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0 h1:zDeQI/PaWztI2tcrGO/9RIMey9NvqYbnyttf/0P3QWM= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0 h1:2qsIIvxVT+uE6yrNldntJKlLRgxGbZ85kgtz5SNBhMw= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0/go.mod h1:AW8VEadnhw9xox+VaVd9sP7NjzOAnaZBLRH6Tq3cJ38= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0 h1:HYGD75g0bQ3VO/Omedm54v4LrD3B1cGImuRF3AJ5wLo= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0/go.mod h1:ulHyBFJOI0ONiRL4vcJTmS7rx18jQQlEPmAgo80cRdM= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.1.0 h1:Fd+iaEa+JBwzYo6OTWYSNqyvlPSLciMGsmsnYCKcXM0= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.1.0/go.mod 
h1:ulHyBFJOI0ONiRL4vcJTmS7rx18jQQlEPmAgo80cRdM= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0 h1:LR0kAX9ykz8G4YgLCaRDVJ3+n43R8MneB5dTy2konZo= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0/go.mod h1:DWAciXemNf++PQJLeXUB4HHH5OpsAh12HZnu2wXE1jA= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1 h1:mrkDCdkMsD4l9wjFGhofFHFrV43Y3c53RSLKOCJ5+Ow= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1/go.mod h1:hPv41DbqMmnxcGralanA/kVlfdH5jv3T4LxGku2E1BY= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1/go.mod h1:Vih/3yc6yac2JzU4hzpaDupBJP0Flaia9rXXrU8xyww= -github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1 h1:lhZdRq7TIx0GJQvSyX2Si406vrYsov2FXGp/RnSEtcs= -github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1/go.mod h1:8cl44BDmi+effbARHMQjgOKA2AYvcohNm7KEt42mSV8= -github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= -github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.6.0 h1:PiSrjRPpkQNjrM8H0WwKMnZUdu1RGMtd/LdGKUrOo+c= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.6.0/go.mod h1:oDrbWx4ewMylP7xHivfgixbfGBT6APAwsSoHRKotnIc= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0 h1:WLUIpeyv04H0RCcQHaA4TNoyrQ39Ox7V+re+iaqzTe0= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets 
v1.3.0/go.mod h1:hd8hTTIY3VmUVPRHNH7GVCHO3SHgXkJKZHReby/bnUQ= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 h1:eXnN9kaS8TiDwXjoie3hMRLuwdUBUMW9KRgOqB3mCaw= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0/go.mod h1:XIpam8wumeZ5rVMuhdDQLMfIPDf1WO3IzrCRO3e3e3o= +github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0 h1:mlmW46Q0B79I+Aj4azKC6xDMFN9a9SyZWESlGWYXbFs= +github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0/go.mod h1:PXe2h+LKcWTX9afWdZoHyODqR4fBa5boUM/8uJfZ0Jo= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw= 
@@ -88,20 +89,21 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= -github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs= -github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= -github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= -github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= +github.com/AzureAD/microsoft-authentication-library-for-go v1.3.1 h1:gUDtaZk8heteyfdmv+pcfHvhR9llnh7c7GMwZ8RVG04= +github.com/AzureAD/microsoft-authentication-library-for-go v1.3.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0= +github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 h1:ErKg/3iS1AKcTkf3yixlZ54f9U1rljCkQyEXWUnIUxc= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0/go.mod h1:yAZHSGnqScoU556rBOVkwLze6WP5N+U11RHuWaGVxwY= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 h1:fYE9p3esPxA/C0rQ0AHhP0drtPXDRhaWiwg1DPqO7IU= 
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0/go.mod h1:BnBReJLvVYx2CS/UHOgVz2BXKXD9wsQPxZug20nZhd0= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.51.0 h1:OqVGm6Ei3x5+yZmSJG1Mh2NwHvpVmZ08CB5qJhT9Nuk= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.51.0/go.mod h1:SZiPHWGOOk3bl8tkevxkoiwPgsIl6CwrWcbwjfHZpdM= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 h1:6/0iUd0xrnX7qt+mLNRwg5c0PGv8wpE8K90ryANQwMI= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0/go.mod h1:otE2jQekW/PqXk1Awf5lmfokJx4uwuqcj1ab5SpGeW0= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 h1:pB2F2JKCj1Znmp2rwxxt1J0Fg0wezTMgWYk5Mpbi1kg= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1/go.mod h1:itPGVDKf9cC/ov4MdvJ2QZ0khw4bfoo9jzwTJlaxy2k= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 h1:UQ0AhxogsIRZDkElkblfnwjc3IaltCm2HUMvezQaL7s= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1/go.mod h1:jyqM3eLpJ3IbIFDTKVz2rF9T/xWGW0rIriGwnz8l9Tk= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.48.1 h1:oTX4vsorBZo/Zdum6OKPA4o7544hm6smoRv1QjpTwGo= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.48.1/go.mod h1:0wEl7vrAD8mehJyohS9HZy+WyEOaQO2mJx86Cvh93kM= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 h1:8nn+rsCvTq9axyEh382S0PFLBeaFwNsT43IrPWzctRU= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1/go.mod h1:viRWSEhtMZqz1rhwmOVKkWl6SwmVowfL9O2YR5gI2PE= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= 
github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= 
@@ -114,10 +116,16 @@ github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8 github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw= -github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= +github.com/Microsoft/hcsshim v0.11.7 h1:vl/nj3Bar/CvJSYo7gIQPyRWc9f3c6IeSNavBTSZNZQ= +github.com/Microsoft/hcsshim v0.11.7/go.mod h1:MV8xMfmECjl5HdO7U/3/hFVnkmSBjAjmA09d4bExKcU= +github.com/ProtonMail/go-crypto v1.1.0-alpha.5.0.20240827111422-b5837fa4476e h1:O1cSHAcGcbGEO66Qi2AIJeYmXO8iP4L/PNrbdN+RjJA= +github.com/ProtonMail/go-crypto v1.1.0-alpha.5.0.20240827111422-b5837fa4476e/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= +github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs= +github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE= github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= 
@@ -128,62 +136,64 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= -github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE= -github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= -github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM= -github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 h1:zAybnyUQXIZ5mok5Jqwlf58/TFE7uvd3IAsa1aF9cXs= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10/go.mod h1:qqvMj6gHLR/EXWZw4ZbqlPbQUyenf4h82UQUlKc+l14= -github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM= -github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g= -github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM= -github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.77 h1:xaRN9fags7iJznsMEjtcEuON1hGfCZ0y5MVfEMKtrx8= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.77/go.mod h1:lolsiGkT47AZ3DWqtxgEQM/wVMpayi7YWNjl3wHSRx8= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q= 
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 h1:ZNTqv4nIdE/DiBfUUfXcLZ/Spcuz+RjeziUtNJackkM= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34/go.mod h1:zf7Vcd1ViW7cPqYWEHLHJkS50X0JS2IKz9Cgaj6ugrs= -github.com/aws/aws-sdk-go-v2/service/autoscaling v1.53.0 h1:uYhWKm7FhOKF5chyd2QSVXWqchI+ikht+aIkDJUIg9U= -github.com/aws/aws-sdk-go-v2/service/autoscaling v1.53.0/go.mod h1:CDqMoc3KRdZJ8qziW96J35lKH01Wq3B2aihtHj2JbRs= -github.com/aws/aws-sdk-go-v2/service/cloudfront v1.46.1 h1:6xZNYtuVwzBs8k+TmraERt0vL68Ppg9aUi+aTQmPaVM= -github.com/aws/aws-sdk-go-v2/service/cloudfront v1.46.1/go.mod h1:FIBJ48TS+qJb+Ne4qJ+0NeIhtPTVXItXooTeNeVI4Po= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.224.0 h1:i7FB/N5pSvEzNOGHm7n6KQiBx2/X8UkrE/Ppb5Bh3QQ= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.224.0/go.mod h1:ouvGEfHbLaIlWwpDpOVWPWR+YwO0HDv3vm5tYLq8ImY= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.45.2 h1:vX70Z4lNSr7XsioU0uJq5yvxgI50sB66MvD+V/3buS4= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.45.2/go.mod h1:xnCC3vFBfOKpU6PcsCKL2ktgBTZfOwTGxj6V8/X3IS4= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.2 h1:BCG7DCXEXpNCcpwCxg1oi9pkJWH2+eZzTn9MY56MbVw= 
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.2/go.mod h1:iu6FSzgt+M2/x3Dk8zhycdIcHjEFb36IS8HVUVFoMg0= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 h1:moLQUoVq91LiqT1nbvzDukyqAlCv89ZmwaHw/ZFlFZg= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15/go.mod h1:ZH34PJUc8ApjBIfgQCFvkWcUDBtl/WTD+uiYHjd8igA= -github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.26.3 h1:P87jejqS8WvQvRWyXlHUylt99VXt0y/WUIFuU6gBU7A= -github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.26.3/go.mod h1:cgPfPTC/V3JqwCKed7Q6d0FrgarV7ltz4Bz6S4Q+Dqk= -github.com/aws/aws-sdk-go-v2/service/s3 v1.80.0 h1:fV4XIU5sn/x8gjRouoJpDVHj+ExJaUk4prYF+eb6qTs= -github.com/aws/aws-sdk-go-v2/service/s3 v1.80.0/go.mod h1:qbn305Je/IofWBJ4bJz/Q7pDEtnnoInw/dGt71v6rHE= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.4 h1:EKXYJ8kgz4fiqef8xApu7eH0eae2SrVG+oHCLFybMRI= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.4/go.mod h1:yGhDiLKguA3iFJYxbrQkQiNzuy+ddxesSZYWVeeEH5Q= -github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8= -github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4= -github.com/aws/smithy-go v1.22.3 h1:Z//5NuZCSW6R4PhQ93hShNbyBbn8BWCmCVCt+Q8Io5k= -github.com/aws/smithy-go 
v1.22.3/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= -github.com/bazelbuild/buildtools v0.0.0-20250530102019-b02f80d9ea9c h1:nrWEwyf4cOQNry6qdxHVRpdxNeslO37+wGnG0CUTKRo= -github.com/bazelbuild/buildtools v0.0.0-20250530102019-b02f80d9ea9c/go.mod h1:PLNUetjLa77TCCziPsz0EI8a6CUxgC+1jgmWv0H25tg= -github.com/bazelbuild/rules_go v0.54.0 h1:D9aCU7j5rdRxg2rXOZX5zHZ395XC0KbgC4rnyaQ3ofM= -github.com/bazelbuild/rules_go v0.54.0/go.mod h1:T90Gpyq4HDFlsrvtQa2CBdHNJ2P4rAu/uUTmQbanzf0= +github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU= +github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go-v2 v1.32.5 h1:U8vdWJuY7ruAkzaOdD7guwJjD06YSKmnKCJs7s3IkIo= +github.com/aws/aws-sdk-go-v2 v1.32.5/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 h1:lL7IfaFzngfx0ZwUGOZdsFFnQ5uLvR0hWqqhyE7Q9M8= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7/go.mod h1:QraP0UcVlQJsmHfioCrveWOC1nbiWUl3ej08h4mXWoc= +github.com/aws/aws-sdk-go-v2/config v1.28.5 h1:Za41twdCXbuyyWv9LndXxZZv3QhTG1DinqlFsSuvtI0= +github.com/aws/aws-sdk-go-v2/config v1.28.5/go.mod h1:4VsPbHP8JdcdUDmbTVgNL/8w9SqOkM5jyY8ljIxLO3o= +github.com/aws/aws-sdk-go-v2/credentials v1.17.46 h1:AU7RcriIo2lXjUfHFnFKYsLCwgbz1E7Mm95ieIRDNUg= +github.com/aws/aws-sdk-go-v2/credentials v1.17.46/go.mod h1:1FmYyLGL08KQXQ6mcTlifyFXfJVCNJTVGuQP4m0d/UA= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 h1:sDSXIrlsFSFJtWKLQS4PUWRvrT580rrnuLydJrCQ/yA= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20/go.mod h1:WZ/c+w0ofps+/OUqMwWgnfrgzZH1DZO1RIkktICsqnY= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41 h1:hqcxMc2g/MwwnRMod9n6Bd+t+9Nf7d5qRg7RaXKPd6o= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41/go.mod h1:d1eH0VrttvPmrCraU68LOyNdu26zFxQFjrVSb5vdhog= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 
h1:4usbeaes3yJnCFC7kfeyhkdkPtoRYPa/hTmCqMpKpLI= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24/go.mod h1:5CI1JemjVwde8m2WG3cz23qHKPOxbpkq0HaoreEgLIY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 h1:N1zsICrQglfzaBnrfM0Ys00860C+QFwu6u/5+LomP+o= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24/go.mod h1:dCn9HbJ8+K31i8IQ8EWmWj0EiIk0+vKiHNMxTTYveAg= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24 h1:JX70yGKLj25+lMC5Yyh8wBtvB01GDilyRuJvXJ4piD0= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24/go.mod h1:+Ln60j9SUTD0LEwnhEB0Xhg61DHqplBrbZpLgyjoEHg= +github.com/aws/aws-sdk-go-v2/service/autoscaling v1.51.0 h1:1KzQVZi7OTixxaVJ8fWaJAUBjme+iQ3zBOCZhE4RgxQ= +github.com/aws/aws-sdk-go-v2/service/autoscaling v1.51.0/go.mod h1:I1+/2m+IhnK5qEbhS3CrzjeiVloo9sItE/2K+so0fkU= +github.com/aws/aws-sdk-go-v2/service/cloudfront v1.43.0 h1:Ny0HHch5IyjWd3Hh/csFvAZFPDHvu7eeePFh7+BnbZ8= +github.com/aws/aws-sdk-go-v2/service/cloudfront v1.43.0/go.mod h1:KC7JSdRScZQpZJDJp4ze9elsg8QIWIoABjmCzDS4rtg= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.194.0 h1:56YXcRmryw9wiTrvdVeJEUwBCoN/+o33R52PA7CCi08= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.194.0/go.mod h1:mzj8EEjIHSN2oZRXiw1Dd+uB4HZTl7hC8nBzX9IZMWw= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.43.0 h1:fIAJ5VM/ANpYV81C1Jbf4ePbElMSzuWFljezD6weU9k= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.43.0/go.mod h1:pZP3I+Ts+XuhJJtZE49+ABVjfxm7u9/hxcNUYSpY3OE= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5 
h1:gvZOjQKPxFXy1ft3QnEyXmT+IqneM9QAUWlM3r0mfqw= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5/go.mod h1:DLWnfvIcm9IET/mmjdxeXbBKmTCm0ZB8p1za9BVteM8= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 h1:wtpJ4zcwrSbwhECWQoI/g6WM9zqCcSpHDJIWSbMLOu4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5/go.mod h1:qu/W9HXQbbQ4+1+JcZp0ZNPV31ym537ZJN+fiS7Ti8E= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5 h1:P1doBzv5VEg1ONxnJss1Kh5ZG/ewoIE4MQtKKc6Crgg= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5/go.mod h1:NOP+euMW7W3Ukt28tAxPuoWao4rhhqJD3QEBk7oCg7w= +github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.25.6 h1:I+a2rKx253mIClu5QtBkYWtko1k3nC+SvAtWTomengI= +github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.25.6/go.mod h1:hmJ9BhvEvDx0TrC16/p9UdoBRyCD2+k23ritPq5ctdM= +github.com/aws/aws-sdk-go-v2/service/s3 v1.69.0 h1:Q2ax8S21clKOnHhhr933xm3JxdJebql+R7aNo7p7GBQ= +github.com/aws/aws-sdk-go-v2/service/s3 v1.69.0/go.mod h1:ralv4XawHjEMaHOWnTFushl0WRqim/gQWesAMF6hTow= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.6 h1:1KDMKvOKNrpD667ORbZ/+4OgvUoaok1gg/MLzrHF9fw= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.6/go.mod h1:DmtyfCfONhOyVAJ6ZMTrDSFIeyCBlEO93Qkfhxwbxu0= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.6 h1:3zu537oLmsPfDMyjnUS2g+F2vITgy5pB74tHI+JBNoM= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.6/go.mod h1:WJSZH2ZvepM6t6jwu4w/Z45Eoi75lPN7DcydSRtJg6Y= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5 h1:K0OQAsDywb0ltlFrZm0JHPY3yZp/S9OaoLU33S7vPS8= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5/go.mod h1:ORITg+fyuMoeiQFiVGoqB3OydVTLkClw/ljbblMq6Cc= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.1 h1:6SZUVRQNvExYlMLbHdlKB48x0fLbc2iVROyaNEwBHbU= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.1/go.mod h1:GqWyYCwLXnlUB1lOAXQyNSPqPLQJvmo8J0DWBzp9mtg= +github.com/aws/smithy-go v1.22.1 
h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= +github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= +github.com/bazelbuild/buildtools v0.0.0-20240918101019-be1c24cc9a44 h1:FGzENZi+SX9I7h9xvMtRA3rel8hCEfyzSixteBgn7MU= +github.com/bazelbuild/buildtools v0.0.0-20240918101019-be1c24cc9a44/go.mod h1:PLNUetjLa77TCCziPsz0EI8a6CUxgC+1jgmWv0H25tg= +github.com/bazelbuild/rules_go v0.50.1 h1:/BUvuaB8MEiUA2oLPPCGtuw5V+doAYyiGTFyoSWlkrw= +github.com/bazelbuild/rules_go v0.50.1/go.mod h1:Dhcz716Kqg1RHNWos+N6MlXNkjNP2EwZQ0LukRKJfMs= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= 
@@ -194,63 +204,84 @@ github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuP github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/bufbuild/protocompile v0.6.0 h1:Uu7WiSQ6Yj9DbkdnOe7U4mNKp58y9WDMKDn28/ZlunY= github.com/bufbuild/protocompile v0.6.0/go.mod h1:YNP35qEYoYGme7QMtz5SBCoN4kL4g12jTtjuzRNdjpE= +github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZkEHchZRSq9OQbsSzIT/OrI8YFFmRIng= +github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= +github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembjv71DPz3uX/V/6MMlSyD9JBQ6kQ= +github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50= +github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o= +github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= +github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= github.com/chengxilo/virtualterm v1.0.4 
h1:Z6IpERbRVlfB8WkOmtbHiDbBANU7cimRIof7mk9/PwM= github.com/chengxilo/virtualterm v1.0.4/go.mod h1:DyxxBZz/x1iqJjFxTFcr6/x+jSpqN0iwWCOK1q10rlY= -github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0= -github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= -github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 h1:Om6kYQYDUk5wWbT0t0q6pvyM49i9XZAv9dDrkDA7gjk= -github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= -github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII= -github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0= -github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= -github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= -github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE= -github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cloudflare/circl v1.3.9 h1:QFrlgFYf2Qpi8bSpVPK1HBvWpx16v/1TZivyo7pGuBE= +github.com/cloudflare/circl v1.3.9/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod 
h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= +github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw= +github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ= +github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= +github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM= +github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= +github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= +github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= github.com/coredns/caddy v1.1.1 h1:2eYKZT7i6yxIfGP3qLJoJ7HAsDJqYB+X68g4NYjSrE0= github.com/coredns/caddy v1.1.1/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4= -github.com/coredns/corefile-migration v1.0.25 h1:/XexFhM8FFlFLTS/zKNEWgIZ8Gl5GaWrHsMarGj/PRQ= -github.com/coredns/corefile-migration v1.0.25/go.mod h1:56DPqONc3njpVPsdilEnfijCwNGC3/kTJLl7i7SPavY= +github.com/coredns/corefile-migration v1.0.23 h1:Fp4FETmk8sT/IRgnKX2xstC2dL7+QdcU+BL5AYIN3Jw= +github.com/coredns/corefile-migration v1.0.23/go.mod h1:8HyMhuyzx9RLZp8cRc9Uf3ECpEAafHOFxQWUPqktMQI= github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod 
h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0= -github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0= github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 h1:vU+EP9ZuFUCYE0NYLwTSob+3LNEJATzNfP/DC7SWGWI= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= -github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8= +github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM= github.com/daniel-weisse/go-cryptsetup v0.0.0-20230705150314-d8c07bd1723c h1:ToajP6trZoiqlZ3Z4uoG1P02/wtqSw1AcowOXOYjATk= github.com/daniel-weisse/go-cryptsetup v0.0.0-20230705150314-d8c07bd1723c/go.mod h1:gZoZ0+POlM1ge/VUxWpMmZVNPzzMJ7l436CgkQ5+qzU= -github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs= -github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps= +github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE= +github.com/danieljoos/wincred v1.2.0/go.mod 
h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= -github.com/distribution/distribution/v3 v3.0.0 h1:q4R8wemdRQDClzoNNStftB2ZAfqOiN6UX90KJc4HjyM= -github.com/distribution/distribution/v3 v3.0.0/go.mod h1:tRNuFoZsUdyRVegq8xGNeds4KLjwLCRin/tTo6i1DhU= +github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aBfCb7iqHmDEIp6fBvC/hQUddQfg+3qdYjwzaiP9Hnc= +github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/docker v28.2.2+incompatible h1:CjwRSksz8Yo4+RmQ339Dp/D2tGO5JxwYeqtMOEe0LDw= -github.com/docker/docker v28.2.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= -github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= +github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= +github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.8.3+incompatible 
h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= +github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI= +github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= +github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= 
@@ -261,63 +292,66 @@ github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4= github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE= -github.com/edgelesssys/go-azguestattestation v0.0.0-20250408071817-8c4457b235ff h1:V6A5kD0+c1Qg4X72Lg+zxhCZk+par436sQdgLvMCBBc= -github.com/edgelesssys/go-azguestattestation v0.0.0-20250408071817-8c4457b235ff/go.mod h1:Lz4QaomI4wU2YbatD4/W7vatW2Q35tnkoJezB1clscc= -github.com/edgelesssys/go-tdx-qpl v0.0.0-20250129202750-607ac61e2377 h1:5JMJiBhvOUUR7EZ0UyeSy7a1WrqB2eM+DX3odLSHAh4= -github.com/edgelesssys/go-tdx-qpl v0.0.0-20250129202750-607ac61e2377/go.mod h1:IC72qyykUIWl0ZmSk53L4xbLCFDBEGZVaujUmPQOEyw= +github.com/edgelesssys/go-azguestattestation v0.0.0-20240513062303-05f8770a633d h1:XcoMVhZve0RRkSxFDn9Bs/z4FpHqZ3eHgVNWNCNOkqc= +github.com/edgelesssys/go-azguestattestation v0.0.0-20240513062303-05f8770a633d/go.mod h1:Lz4QaomI4wU2YbatD4/W7vatW2Q35tnkoJezB1clscc= +github.com/edgelesssys/go-tdx-qpl v0.0.0-20240123150912-dcad3c41ec5f h1:TCGUmmH50cQBGXPJsn32APf93fmWQXcSMi7pMbDPtV0= +github.com/edgelesssys/go-tdx-qpl v0.0.0-20240123150912-dcad3c41ec5f/go.mod h1:IC72qyykUIWl0ZmSk53L4xbLCFDBEGZVaujUmPQOEyw= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= -github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M= -github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA= 
-github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A= -github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw= -github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI= -github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4= -github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8= -github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU= -github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8= -github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= -github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= -github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= -github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.13.0 h1:HzkeUz1Knt+3bK+8LG1bxOO/jzWZmdxpwC51i202les= +github.com/envoyproxy/go-control-plane v0.13.0/go.mod h1:GRaKG3dwvFoTg4nj7aXdZnvMg4d7nvT/wl9WgVXn3Q8= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/envoyproxy/protoc-gen-validate v1.1.0 
h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= +github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM= +github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= -github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= -github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= +github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= +github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= -github.com/foxboron/go-uefi v0.0.0-20250207204325-69fb7dba244f h1:SGo7y1xmmGWiQzp7QU3ueehmdMVkjj9Yyo1IDEuHbYw= -github.com/foxboron/go-uefi v0.0.0-20250207204325-69fb7dba244f/go.mod h1:q85c4IRlhhwdRJgGIUWrisDjU8dgcMj8dnXZCXo3hus= +github.com/foxboron/go-uefi v0.0.0-20241017190036-fab4fdf2f2f3 h1:K8ADp66ulnZ0NhjzwVwE4E3g6Id5KMWu86l0vURusA8= +github.com/foxboron/go-uefi v0.0.0-20241017190036-fab4fdf2f2f3/go.mod 
h1:ffg/fkDeOYicEQLoO2yFFGt00KUTYVXI+rfnc8il6vQ= github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= -github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= -github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= +github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M= +github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= -github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM= -github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8= +github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0= +github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= -github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM= 
-github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU= -github.com/go-git/go-git/v5 v5.14.0 h1:/MD3lCrGjCen5WfEAzKg00MJJffKhC8gzS80ycmCi60= -github.com/go-git/go-git/v5 v5.14.0/go.mod h1:Z5Xhoia5PcWA3NF8vRLURn9E5FRhSl7dGj9ItW3Wk5k= +github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU= +github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow= +github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZtys= +github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY= github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= -github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY= -github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= -github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE= -github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= +github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= +github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= +github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk= +github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod 
h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= @@ -327,8 +361,8 @@ github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU= github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo= -github.com/go-openapi/errors v0.22.1 h1:kslMRRnK7NCb/CvR1q1VWuEQCEIsBGn5GgKD9e+HYhU= -github.com/go-openapi/errors v0.22.1/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0= +github.com/go-openapi/errors v0.22.0 h1:c4xY/OLxUBSTiepAg3j/MHuAv5mJhnf53LLMWFB+u/w= +github.com/go-openapi/errors v0.22.0/go.mod h1:J3DmZScxCDufmIMsdOuDHxJbdOGC0xtUynjIx092vXE= github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= 
@@ -341,8 +375,8 @@ github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9Z github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk= github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c= github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4= -github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU= -github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58= github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s= 
@@ -351,12 +385,12 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= -github.com/go-playground/validator/v10 v10.26.0 h1:SP05Nqhjcvz81uJaRfEV0YBSSSGMc/iMaVtFbr3Sw2k= -github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo= +github.com/go-playground/validator/v10 v10.23.0 h1:/PwmTwZhS0dPkav3cdK9kV1FsAmrL8sThn8IHr/sO+o= +github.com/go-playground/validator/v10 v10.23.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= -github.com/go-sql-driver/mysql v1.9.1 h1:FrjNGn/BsJQjVRuSa8CBrM5BWA9BWoXXat3KrtSb/iI= -github.com/go-sql-driver/mysql v1.9.1/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= 
@@ -366,47 +400,68 @@ github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJA github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gofrs/uuid/v5 v5.3.2 h1:2jfO8j3XgSwlz/wHqemAEugfnTlikAYHhnqQ8Xh4fE0= -github.com/gofrs/uuid/v5 v5.3.2/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= +github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk= +github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI= -github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8= -github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= -github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ= -github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= 
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/btree 
v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= -github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/gomodule/redigo v1.8.2 h1:H5XSIre1MB5NbPYFp+i1NBbb5qN1W8Y8YAQoAYbkm8k= +github.com/gomodule/redigo v1.8.2/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0= +github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= +github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= github.com/google/certificate-transparency-go v1.1.8 h1:LGYKkgZF7satzgTak9R4yzfJXEeYVAjV6/EAEJOf1to= github.com/google/certificate-transparency-go v1.1.8/go.mod h1:bV/o8r0TBKRf1X//iiiSgWrvII4d7/8OiA+3vG26gI8= -github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= -github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-attestation v0.5.1 h1:jqtOrLk5MNdliTKjPbIPrAaRKJaKW+0LIU2n/brJYms= github.com/google/go-attestation v0.5.1/go.mod h1:KqGatdUhg5kPFkokyzSBDxwSCFyRgIgtRkMp6c3lOBQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp 
v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= -github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= -github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc h1:SG12DWUUM5igxm+//YX5Yq4vhdoRnOG9HkCodkOn+YU= -github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc/go.mod h1:EL1GTDFMb5PZQWDviGfZV9n87WeGTR/JUg13RfwkgRo= -github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI= -github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI= -github.com/google/go-sev-guest v0.13.0 h1:DJB6ACdykyweMU0HGOp/TQ7cjsnbV2ecbYunu2E0qy0= -github.com/google/go-sev-guest v0.13.0/go.mod h1:SK9vW+uyfuzYdVN0m8BShL3OQCtXZe/JPF7ZkpD3760= -github.com/google/go-tdx-guest v0.3.2-0.20250505161510-9efd53b4a100 h1:E5ArM6vmtaUbgTZM8W3G+bgseO3i5l8BpJCKuUH7WVc= -github.com/google/go-tdx-guest v0.3.2-0.20250505161510-9efd53b4a100/go.mod h1:uHy3VaNXNXhl0fiPxKqTxieeouqQmW6A0EfLcaeCYBk= -github.com/google/go-tpm v0.9.5 h1:ocUmnDebX54dnW+MQWGQRbdaAcJELsa6PqZhJ48KwVU= -github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-configfs-tsm v0.2.2 h1:YnJ9rXIOj5BYD7/0DNnzs8AOp7UcvjfTvt215EWcs98= +github.com/google/go-configfs-tsm v0.2.2/go.mod h1:EL1GTDFMb5PZQWDviGfZV9n87WeGTR/JUg13RfwkgRo= +github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= +github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= +github.com/google/go-sev-guest v0.11.2-0.20241122204452-64cd695124b1 
h1:K33T2ardZgY4LVxPakM85KSip9aag2jTwmOZs4i1dJg= +github.com/google/go-sev-guest v0.11.2-0.20241122204452-64cd695124b1/go.mod h1:8+UOtSaqVIZjJJ9DDmgRko3J/kNc6jI5KLHxoeao7cA= +github.com/google/go-tdx-guest v0.3.1 h1:gl0KvjdsD4RrJzyLefDOvFOUH3NAJri/3qvaL5m83Iw= +github.com/google/go-tdx-guest v0.3.1/go.mod h1:/rc3d7rnPykOPuY8U9saMyEps0PZDThLk/RygXm04nE= +github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM= +github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY= github.com/google/go-tpm-tools v0.4.4 h1:oiQfAIkc6xTy9Fl5NKTeTJkBTlXdHsxAofmQyxBKY98= github.com/google/go-tpm-tools v0.4.4/go.mod h1:T8jXkp2s+eltnCDIsXR84/MTcVU9Ja7bh3Mit0pa4AY= github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus= 
@@ -418,37 +473,39 @@ github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ= github.com/google/logger v1.1.1/go.mod h1:BkeJZ+1FhQ+/d087r4dzojEg1u2ZX+ZqG1jTUrLM+zQ= github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc= github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= -github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= -github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM= +github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4= -github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA= -github.com/googleapis/gax-go/v2 v2.14.2 
h1:eBLnkZ9635krYIPD+ag1USrOAI0Nr0QYF3+/3GqO0k0= -github.com/googleapis/gax-go/v2 v2.14.2/go.mod h1:ON64QhlJkhVtSqp4v1uaK92VyZ2gmvDQsweuyLV+8+w= -github.com/gophercloud/gophercloud/v2 v2.7.0 h1:o0m4kgVcPgHlcXiWAjoVxGd8QCmvM5VU+YM71pFbn0E= -github.com/gophercloud/gophercloud/v2 v2.7.0/go.mod h1:Ki/ILhYZr/5EPebrPL9Ej+tUg4lqx71/YH2JWVeU+Qk= -github.com/gophercloud/utils/v2 v2.0.0-20250506092640-af27464b6166 h1:U82pil2tMV/BkeWmy3eKT9mTmodSfwOw+Czl/s5eBrw= -github.com/gophercloud/utils/v2 v2.0.0-20250506092640-af27464b6166/go.mod h1:WypkO28BNmRXS8EPyW6I58L3qrBUy3w60schxwx7ZVc= -github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE= -github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= +github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw= +github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA= +github.com/googleapis/gax-go/v2 v2.14.0 h1:f+jMrjBPl+DL9nI4IQzLUxMq7XrAqFYB7hBPqMNIe8o= +github.com/googleapis/gax-go/v2 v2.14.0/go.mod h1:lhBCnjdLrWRaPvLWhmc8IS24m9mr07qSYnHncrgo+zk= +github.com/gophercloud/gophercloud/v2 v2.2.0 h1:STqqnSXuhcg1OPBOZ14z6JDm8fKIN13H2bJg6bBuHp8= +github.com/gophercloud/gophercloud/v2 v2.2.0/go.mod h1:f2hMRC7Kakbv5vM7wSGHrIPZh6JZR60GVHryJlF/K44= +github.com/gophercloud/utils/v2 v2.0.0-20241108144456-f4302a5ad8c6 h1:NPpHSXdkl9OWs9W46zmFBADEDIkY+r+W71vuiHo3se4= +github.com/gophercloud/utils/v2 v2.0.0-20241108144456-f4302a5ad8c6/go.mod h1:Uvv82D3uPdyOormmJ9fZbQyf7q7CHo6By55QIT+0l+0= +github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= +github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= -github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 
h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= -github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= +github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= +github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= -github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= -github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 h1:sGm2vDRFUrQJO/Veii4h4zG2vvqG6uWNkBHSTqXOZk0= -github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2/go.mod h1:wd1YpapPLivG6nQgbf7ZkG1hhSOXDhhn4MLTknx2aAc= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 h1:pRhl55Yx1eC7BZ1N+BBWwnKaMyD8uC+34TLdndZMAKk= +github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0/go.mod h1:XKMd7iuf/RGPSMJ/U4HP0zS2Z9Fh8Ps9a+6X26m/tmI= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= github.com/hashicorp/errwrap v1.0.0/go.mod 
h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -457,66 +514,58 @@ github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuD github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-cty v1.5.0 h1:EkQ/v+dDNUqnuVpmS5fPqyY71NXVgT5gf32+57xY8g0= -github.com/hashicorp/go-cty v1.5.0/go.mod h1:lFUCG5kd8exDobgSfyj4ONE/dc822kiYMguVKdHGMLM= +github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 h1:1/D3zfFHttUKaCaGKZ/dR2roBXv0vKbSCnssIldfQdI= +github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320/go.mod h1:EiZBMaudVLy8fmjf9Npq1dq9RalhveqZG5w/yz3mHWs= github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.18 h1:DLfC677GfKEpSAFpEWvl1vXsGpEcSHmbhBaPLrdDQHc= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.18/go.mod h1:t/eaR/mi2mw3klfl1WEAuiLKrlZ/Q8cosmsT+RIPLu0= -github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.11 h1:J9zGa9SlcOHT3SQTj0Vv3shHo0anWbs58weURGCgChI= -github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.11/go.mod h1:iAOCu7/lG5eugg8+k7NVvQt0IpWT8s2Q9wnMtC/guM4= -github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.14 h1:oK4OQ5EPbx/66dAvitksV+OdrQ86SZEj3B6VSZrbdEY= -github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.14/go.mod h1:fWxrv9YkAMqtsISde5mcutoMvuiH4kyg1AlDzzmqRh8= -github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.13 h1:NGBZnF+yPRZ3gjFl69Y2m58/U0iyB2oH9HaznL9tekA= -github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.13/go.mod h1:4Xb+6d8VPeDcUNuh4toPqJlDpkajeJyIQeg36TtWhKw= 
+github.com/hashicorp/go-kms-wrapping/v2 v2.0.16 h1:WZeXfD26QMWYC35at25KgE021SF9L3u9UMHK8fJAdV0= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.16/go.mod h1:ZiKZctjRTLEppuRwrttWkp71VYMbTTCkazK4xT7U/NQ= +github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9 h1:qdxeZvDMRGZ3YSE4Oz0Pp7WUSUn5S6cWZguEOkEVL50= +github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9/go.mod h1:DcXbvVpgNWbxGmxgmu3QN64bEydMu14Cpe34RRR30HY= +github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11 h1:/7SKkYIhA8cr3l8m1EKT6Q90bPoSVqqVBuQ6HgoMIkw= +github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11/go.mod h1:LepS5s6ESGE0qQMpYaui5lX+mQYeiYiy06VzwWRioO8= +github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12 h1:PCqWzT/Hii0KL07JsBZ3lJbv/wx02IAHYlhWQq8rxRY= +github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12/go.mod h1:HSaOaX/lv3ShCdilUYbOTPnSvmoZ9xtQhgw+8hYcZkg= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-plugin v1.6.3 h1:xgHB+ZUSYeuJi96WtxEjzi23uh7YQpznjGh0U0UUrwg= -github.com/hashicorp/go-plugin v1.6.3/go.mod h1:MRobyh+Wc/nYy1V4KAXUiYfzxoYhs7V1mlH1Z7iY2h0= +github.com/hashicorp/go-plugin v1.6.2 h1:zdGAEd0V1lCaU0u+MxWQhtSDQmahpkwOun8U8EiRVog= +github.com/hashicorp/go-plugin v1.6.2/go.mod h1:CkgLQ5CZqNmdL9U9JzM532t8ZiYQ35+pj3b1FD37R0Q= github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 h1:W9WN8p6moV1fjKLkeqEgkAMu5rauy9QeYDAmIaPuuiA= github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6/go.mod h1:MpCPSPGLDILGb4JMm94/mMi3YysIqsXzGCzkEZjcjXg= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9 h1:FW0YttEnUNDJ2WL9XcrrfteS1xW8u+sh4ggM8pN5isQ= 
-github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9/go.mod h1:Ll013mhdmsVDuoIXVfBtvgGJsXDYkTw1kooNcoCXuE0= -github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= -github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= -github.com/hashicorp/go-sockaddr v1.0.6 h1:RSG8rKU28VTUTvEKghe5gIhIQpv8evvNpnDEyqO4u9I= -github.com/hashicorp/go-sockaddr v1.0.6/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY= github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw= -github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU= -github.com/hashicorp/golang-lru/v2 v2.0.5 h1:wW7h1TG88eUIJ2i69gaE3uNVtEPIagzhGvHgwfx2Vm4= -github.com/hashicorp/golang-lru/v2 v2.0.5/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= -github.com/hashicorp/hc-install v0.9.2 h1:v80EtNX4fCVHqzL9Lg/2xkp62bbvQMnvPQ0G+OmtO24= -github.com/hashicorp/hc-install v0.9.2/go.mod h1:XUqBQNnuT4RsxoxiM9ZaUk0NX8hi2h+Lb6/c0OZnC/I= +github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= +github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hc-install v0.9.0 h1:2dIk8LcvANwtv3QZLckxcjyF5w8KVtiMxu6G6eLhghE= +github.com/hashicorp/hc-install v0.9.0/go.mod h1:+6vOP+mf3tuGgMApVYtmsnDoKWMDcFXeTxCACYZ8SFg= github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos= 
github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA= github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= -github.com/hashicorp/terraform-exec v0.23.0 h1:MUiBM1s0CNlRFsCLJuM5wXZrzA3MnPYEsiXmzATMW/I= -github.com/hashicorp/terraform-exec v0.23.0/go.mod h1:mA+qnx1R8eePycfwKkCRk3Wy65mwInvlpAeOwmA7vlY= -github.com/hashicorp/terraform-json v0.25.0 h1:rmNqc/CIfcWawGiwXmRuiXJKEiJu1ntGoxseG1hLhoQ= -github.com/hashicorp/terraform-json v0.25.0/go.mod h1:sMKS8fiRDX4rVlR6EJUMudg1WcanxCMoWwTLkgZP/vc= -github.com/hashicorp/terraform-plugin-framework v1.15.0 h1:LQ2rsOfmDLxcn5EeIwdXFtr03FVsNktbbBci8cOKdb4= -github.com/hashicorp/terraform-plugin-framework v1.15.0/go.mod h1:hxrNI/GY32KPISpWqlCoTLM9JZsGH3CyYlir09bD/fI= -github.com/hashicorp/terraform-plugin-framework-validators v0.18.0 h1:OQnlOt98ua//rCw+QhBbSqfW3QbwtVrcdWeQN5gI3Hw= -github.com/hashicorp/terraform-plugin-framework-validators v0.18.0/go.mod h1:lZvZvagw5hsJwuY7mAY6KUz45/U6fiDR0CzQAwWD0CA= -github.com/hashicorp/terraform-plugin-go v0.28.0 h1:zJmu2UDwhVN0J+J20RE5huiF3XXlTYVIleaevHZgKPA= -github.com/hashicorp/terraform-plugin-go v0.28.0/go.mod h1:FDa2Bb3uumkTGSkTFpWSOwWJDwA7bf3vdP3ltLDTH6o= +github.com/hashicorp/terraform-exec v0.21.0 h1:uNkLAe95ey5Uux6KJdua6+cv8asgILFVWkd/RG0D2XQ= +github.com/hashicorp/terraform-exec v0.21.0/go.mod h1:1PPeMYou+KDUSSeRE9szMZ/oHf4fYUmB923Wzbq1ICg= +github.com/hashicorp/terraform-json v0.23.0 h1:sniCkExU4iKtTADReHzACkk8fnpQXrdD2xoR+lppBkI= +github.com/hashicorp/terraform-json v0.23.0/go.mod h1:MHdXbBAbSg0GvzuWazEGKAn/cyNfIB7mN6y7KJN6y2c= +github.com/hashicorp/terraform-plugin-framework v1.13.0 h1:8OTG4+oZUfKgnfTdPTJwZ532Bh2BobF4H+yBiYJ/scw= +github.com/hashicorp/terraform-plugin-framework v1.13.0/go.mod h1:j64rwMGpgM3NYXTKuxrCnyubQb/4VKldEKlcG8cvmjU= +github.com/hashicorp/terraform-plugin-framework-validators v0.15.0 
h1:RXMmu7JgpFjnI1a5QjMCBb11usrW2OtAG+iOTIj5c9Y= +github.com/hashicorp/terraform-plugin-framework-validators v0.15.0/go.mod h1:Bh89/hNmqsEWug4/XWKYBwtnw3tbz5BAy1L1OgvbIaY= +github.com/hashicorp/terraform-plugin-go v0.25.0 h1:oi13cx7xXA6QciMcpcFi/rwA974rdTxjqEhXJjbAyks= +github.com/hashicorp/terraform-plugin-go v0.25.0/go.mod h1:+SYagMYadJP86Kvn+TGeV+ofr/R3g4/If0O5sO96MVw= github.com/hashicorp/terraform-plugin-log v0.9.0 h1:i7hOA+vdAItN1/7UrfBqBwvYPQ9TFvymaRGZED3FCV0= github.com/hashicorp/terraform-plugin-log v0.9.0/go.mod h1:rKL8egZQ/eXSyDqzLUuwUYLVdlYeamldAHSxjUFADow= -github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0 h1:NFPMacTrY/IdcIcnUB+7hsore1ZaRWU9cnB6jFoBnIM= -github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0/go.mod h1:QYmYnLfsosrxjCnGY1p9c7Zj6n9thnEE+7RObeYs3fA= -github.com/hashicorp/terraform-plugin-testing v1.13.1 h1:0nhSm8lngGTggqXptU4vunFI0S2XjLAhJg3RylC5aLw= -github.com/hashicorp/terraform-plugin-testing v1.13.1/go.mod h1:b/hl6YZLm9fjeud/3goqh/gdqhZXbRfbHMkEiY9dZwc= -github.com/hashicorp/terraform-registry-address v0.2.5 h1:2GTftHqmUhVOeuu9CW3kwDkRe4pcBDq0uuK5VJngU1M= -github.com/hashicorp/terraform-registry-address v0.2.5/go.mod h1:PpzXWINwB5kuVS5CA7m1+eO2f1jKb5ZDIxrOPfpnGkg= +github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0 h1:wyKCCtn6pBBL46c1uIIBNUOWlNfYXfXpVo16iDyLp8Y= +github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0/go.mod h1:B0Al8NyYVr8Mp/KLwssKXG1RqnTk7FySqSn4fRuLNgw= +github.com/hashicorp/terraform-plugin-testing v1.11.0 h1:MeDT5W3YHbONJt2aPQyaBsgQeAIckwPX41EUHXEn29A= +github.com/hashicorp/terraform-plugin-testing v1.11.0/go.mod h1:WNAHQ3DcgV/0J+B15WTE6hDvxcUdkPPpnB1FR3M910U= +github.com/hashicorp/terraform-registry-address v0.2.3 h1:2TAiKJ1A3MAkZlH1YI/aTVcLZRu7JseiXNRHbOAyoTI= +github.com/hashicorp/terraform-registry-address v0.2.3/go.mod h1:lFHA76T8jfQteVfT7caREqguFrW3c4MFSPhZB7HHgUM= github.com/hashicorp/terraform-svchost v0.1.1 h1:EZZimZ1GxdqFRinZ1tpJwVxxt49xc/S52uzrw4x0jKQ= github.com/hashicorp/terraform-svchost v0.1.1/go.mod 
h1:mNsjQfZyf/Jhz35v6/0LWcv26+X7JPS+buii2c9/ctc= github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE= @@ -527,6 +576,8 @@ github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= 
@@ -546,16 +597,21 @@ github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= -github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU= -github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k= +github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs= +github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= -github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= +github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= +github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= 
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 
@@ -580,25 +636,26 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhn github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffktY= github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc= -github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= -github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= -github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= -github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.20 
h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= -github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM= -github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4= github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY= github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ= 
@@ -617,19 +674,21 @@ github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zx github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= -github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU= -github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= -github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= -github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs= -github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= -github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= -github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= -github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko= -github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ= -github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc= +github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= +github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= +github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8= +github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= +github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g= +github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= +github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= +github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= +github.com/moby/term v0.5.0 
h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= +github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= 
@@ -638,110 +697,118 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/olareg/olareg v0.1.2 h1:75G8X6E9FUlzL/CSjgFcYfMgNzlc7CxULpUUNsZBIvI= -github.com/olareg/olareg v0.1.2/go.mod h1:TWs+N6pO1S4bdB6eerzUm/ITRQ6kw91mVf9ZYeGtw+Y= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= +github.com/olareg/olareg v0.1.1 h1:Ui7q93zjcoF+U9U71sgqgZWByDoZOpqHitUXEu2xV+g= +github.com/olareg/olareg v0.1.1/go.mod h1:w8NP4SWrHHtxsFaUiv1lnCnYPm4sN1seCd2h7FK/dc0= +github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg= +github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= +github.com/onsi/gomega v1.36.0 
h1:Pb12RlruUtj4XUuPUqeEWc6j5DkVVVA49Uf6YLfC95Y= +github.com/onsi/gomega v1.36.0/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= -github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/runc v1.1.13 h1:98S2srgG9vw0zWcDpFMn5TRrh8kLxa/5OFUstuUhmRs= +github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA= +github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk= +github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= -github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4= -github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A= +github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= +github.com/pjbgf/sha1cd v0.3.0/go.mod 
h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/planetscale/vtprotobuf v0.6.1-0.20241121165744-79df5c4772f2 h1:1sLMdKq4gNANTj0dUibycTLzpIEKVnLnbaEkxws78nw= -github.com/planetscale/vtprotobuf v0.6.1-0.20241121165744-79df5c4772f2/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY= github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg= -github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= -github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= -github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= -github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang 
v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= +github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= -github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io= -github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= -github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 
h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho= -github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5/go.mod h1:fyalQWdtzDBECAQFBJuQe5bzQ02jGd5Qcbgb97Flm7U= -github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb27yVE+gIAfeqp8LUCc= -github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= -github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI= -github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw= -github.com/regclient/regclient v0.8.3 h1:AFAPu/vmOYGyY22AIgzdBUKbzH+83lEpRioRYJ/reCs= -github.com/regclient/regclient v0.8.3/go.mod h1:gjQh5uBVZoo/CngchghtQh9Hx81HOMKRRDd5WPcPkbk= +github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E= +github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw= +github.com/regclient/regclient v0.7.2 h1:vcldDAwBMLtighYVMeb6qNt5+0hKg3AN2IkCc0JIJNM= +github.com/regclient/regclient v0.7.2/go.mod h1:QlA7W9/pvmbblOXM4d49JgfuOTwVXcUMKt3bFuOSVIQ= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= -github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= -github.com/rubenv/sql-migrate v1.8.0 h1:dXnYiJk9k3wetp7GfQbKJcPHjVJL6YK19tKj8t2Ns0o= -github.com/rubenv/sql-migrate v1.8.0/go.mod h1:F2bGFBwCU+pnmbtNYDeKvSuvL6lBVtXDXUUv5t+u1qw= +github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= +github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= 
+github.com/rubenv/sql-migrate v1.7.0 h1:HtQq1xyTN2ISmQDggnh0c9U3JlP8apWh8YO2jzlXpTI= +github.com/rubenv/sql-migrate v1.7.0/go.mod h1:S4wtDEG1CKn+0ShpTtzWhFpHHI5PvCUtiGI+C+Z2THE= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= -github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/samber/lo v1.49.1 h1:4BIFyVfuQSEpluc7Fua+j1NolZHiEHEpaSEKdsH0tew= -github.com/samber/lo v1.49.1/go.mod h1:dO6KHFzUKXgP8LDhU0oI8d2hekjXnGOu0DB8Jecxd6o= -github.com/samber/slog-multi v1.4.0 h1:pwlPMIE7PrbTHQyKWDU+RIoxP1+HKTNOujk3/kdkbdg= -github.com/samber/slog-multi v1.4.0/go.mod h1:FsQ4Uv2L+E/8TZt+/BVgYZ1LoDWCbfCU21wVIoMMrO8= +github.com/samber/lo v1.47.0 h1:z7RynLwP5nbyRscyvcD043DWYoOcYRv3mV8lBeqOCLc= +github.com/samber/lo v1.47.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU= +github.com/samber/slog-multi v1.2.4 h1:k9x3JAWKJFPKffx+oXZ8TasaNuorIW4tG+TXxkt6Ry4= +github.com/samber/slog-multi v1.2.4/go.mod h1:ACuZ5B6heK57TfMVkVknN2UZHoFfjCwRxR0Q2OXKHlo= github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A= github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk= github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4= github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k= -github.com/schollz/progressbar/v3 v3.18.0 h1:uXdoHABRFmNIjUfte/Ex7WtuyVslrw2wVPQmCN62HpA= -github.com/schollz/progressbar/v3 v3.18.0/go.mod h1:IsO3lpbaGuzh8zIMzgY3+J8l4C8GjO0Y9S69eFvNsec= -github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc= -github.com/secure-systems-lab/go-securesystemslib v0.9.0/go.mod 
h1:DVHKMcZ+V4/woA/peqr+L0joiRXbPpQ042GgJckkFgw= +github.com/schollz/progressbar/v3 v3.17.1 h1:bI1MTaoQO+v5kzklBjYNRQLoVpe0zbyRZNK6DFkVC5U= +github.com/schollz/progressbar/v3 v3.17.1/go.mod h1:RzqpnsPQNjUyIgdglUjRLgD7sVnxN1wpmBMV+UiEbL4= +github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA= +github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8= github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= -github.com/siderolabs/talos/pkg/machinery v1.10.3 h1:otoAMrxvQBdkdQDPREJH+pa6bebuA7HK3Vb0qgpeIgA= -github.com/siderolabs/talos/pkg/machinery v1.10.3/go.mod h1:gNv/CPK+2tRIhQvmd7h2bgoYGxzoHHWbaejXpNyZvDo= -github.com/sigstore/protobuf-specs v0.4.1 h1:5SsMqZbdkcO/DNHudaxuCUEjj6x29tS2Xby1BxGU7Zc= -github.com/sigstore/protobuf-specs v0.4.1/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= -github.com/sigstore/rekor v1.3.10 h1:/mSvRo4MZ/59ECIlARhyykAlQlkmeAQpvBPlmJtZOCU= -github.com/sigstore/rekor v1.3.10/go.mod h1:JvryKJ40O0XA48MdzYUPu0y4fyvqt0C4iSY7ri9iu3A= -github.com/sigstore/sigstore v1.9.4 h1:64+OGed80+A4mRlNzRd055vFcgBeDghjZw24rPLZgDU= -github.com/sigstore/sigstore v1.9.4/go.mod h1:Q7tGTC3gbtK7c3jcxEmGc2MmK4rRpIRzi3bxRFWKvEY= +github.com/siderolabs/talos/pkg/machinery v1.8.3 h1:raK1oLzSMpwpy/AqkeFyBYkJS+QuOnlRMznVl/rZ25k= +github.com/siderolabs/talos/pkg/machinery v1.8.3/go.mod h1:cNR2TELu2T9AzYOHAoNr/7ZS3ZVDLzM/KnuOr4XW4s4= +github.com/sigstore/rekor v1.3.7 h1:Z5UW5TmqbTZnyOFkMRfi32q/CWcxK6VuzIkx+33mbq8= +github.com/sigstore/rekor v1.3.7/go.mod h1:TihqJscZ6L6398x68EHY82t0AOnGYfrQ0siXe3WgbR4= 
+github.com/sigstore/sigstore v1.8.10 h1:r4t+TYzJlG9JdFxMy+um9GZhZ2N1hBTyTex0AHEZxFs= +github.com/sigstore/sigstore v1.8.10/go.mod h1:BekjqxS5ZtHNJC4u3Q3Stvfx2eyisbW/lUZzmPU2u4A= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8= -github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY= -github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA= -github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo= +github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A= +github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo= +github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= +github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= -github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= -github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= -github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= -github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE= -github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra 
v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= 
@@ -749,18 +816,18 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/tink-crypto/tink-go/v2 v2.4.0 h1:8VPZeZI4EeZ8P/vB6SIkhlStrJfivTJn+cQ4dtyHNh0=
-github.com/tink-crypto/tink-go/v2 v2.4.0/go.mod h1:l//evrF2Y3MjdbpNDNGnKgCpo5zSmvUvnQ4MU+yE2sw=
+github.com/tink-crypto/tink-go/v2 v2.2.0 h1:L2Da0F2Udh2agtKztdr69mV/KpnY3/lGTkMgLTVIXlA=
+github.com/tink-crypto/tink-go/v2 v2.2.0/go.mod h1:JJ6PomeNPF3cJpfWC0lgyTES6zpJILkAX0cJNwlS3xU=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= 
@@ -794,82 +861,63 @@ github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI=
+github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs=
+github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE=
+github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
+github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY=
+github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
 github.com/zalando/go-keyring v0.2.3 h1:v9CUu9phlABObO4LPWycf+zwMG7nlbb3t/B5wa97yms=
 github.com/zalando/go-keyring v0.2.3/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk=
-github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70=
-github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
+github.com/zclconf/go-cty v1.15.0 h1:tTCRWxsexYUmtt/wVxgDClUe+uQusuI443uL6e+5sXQ=
+github.com/zclconf/go-cty v1.15.0/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
-github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
-github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/etcd/api/v3 v3.6.0 h1:vdbkcUBGLf1vfopoGE/uS3Nv0KPyIpUV/HM6w9yx2kM=
-go.etcd.io/etcd/api/v3 v3.6.0/go.mod h1:Wt5yZqEmxgTNJGHob7mTVBJDZNXiHPtXTcPab37iFOw=
-go.etcd.io/etcd/client/pkg/v3 v3.6.0 h1:nchnPqpuxvv3UuGGHaz0DQKYi5EIW5wOYsgUNRc365k=
-go.etcd.io/etcd/client/pkg/v3 v3.6.0/go.mod h1:Jv5SFWMnGvIBn8o3OaBq/PnT0jjsX8iNokAUessNjoA=
-go.etcd.io/etcd/client/v3 v3.6.0 h1:/yjKzD+HW5v/3DVj9tpwFxzNbu8hjcKID183ug9duWk=
-go.etcd.io/etcd/client/v3 v3.6.0/go.mod h1:Jzk/Knqe06pkOZPHXsQ0+vNDvMQrgIqJ0W8DwPdMJMg=
+go.etcd.io/etcd/api/v3 v3.5.17 h1:cQB8eb8bxwuxOilBpMJAEo8fAONyrdXTHUNcMd8yT1w=
+go.etcd.io/etcd/api/v3 v3.5.17/go.mod h1:d1hvkRuXkts6PmaYk2Vrgqbv7H4ADfAKhyJqHNLJCB4=
+go.etcd.io/etcd/client/pkg/v3 v3.5.17 h1:XxnDXAWq2pnxqx76ljWwiQ9jylbpC4rvkAeRVOUKKVw=
+go.etcd.io/etcd/client/pkg/v3 v3.5.17/go.mod h1:4DqK1TKacp/86nJk4FLQqo6Mn2vvQFBmruW3pP14H/w=
+go.etcd.io/etcd/client/v3 v3.5.17 h1:o48sINNeWz5+pjy/Z0+HKpj/xSnBkuVhVvXkjEXbqZY=
+go.etcd.io/etcd/client/v3 v3.5.17/go.mod h1:j2d4eXTHWkT2ClBgnnEPm/Wuu7jsqku41v9DZ3OtjQo=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 h1:A/5uWzF44DlIgdm/PQFwfMkW0JX+cIcQi/SwLAmZP5M=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 h1:UW0+QyeyBVhn+COBec3nGhfnFe5lwB0ic1JBVjzhk0w=
-go.opentelemetry.io/contrib/bridges/prometheus v0.57.0/go.mod h1:ppciCHRLsyCio54qbzQv0E4Jyth/fLWDTJYfvWpcSVk=
-go.opentelemetry.io/contrib/detectors/gcp v1.36.0 h1:F7q2tNlCaHY9nMKHR6XH9/qkp8FktLnIcy6jJNyOCQw=
-go.opentelemetry.io/contrib/detectors/gcp v1.36.0/go.mod h1:IbBN8uAIIx734PTonTPxAxnjc2pQTxWNkwfstZ+6H2k=
-go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 h1:jmTVJ86dP60C01K3slFQa2NQ/Aoi7zA+wy7vMOKD9H4=
-go.opentelemetry.io/contrib/exporters/autoexport v0.57.0/go.mod h1:EJBheUMttD/lABFyLXhce47Wr6DPWYReCzaZiXadH7g=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ=
-go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
-go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 h1:WzNab7hOOLzdDF/EoWCt4glhrbMPVMOO5JYTmpz36Ls=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0/go.mod h1:hKvJwTzJdp90Vh7p6q/9PAOd55dI6WA6sWj62a/JvSs=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 h1:S+LdBGiQXtJdowoJoQPEtI52syEP/JYBUpjO49EQhV8=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0/go.mod h1:5KXybFvPGds3QinJWQT7pmXf+TN5YIa7CNYObWRkj50=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 h1:j7ZSD+5yn+lo3sGV69nW04rRR0jhYnBwjuX3r0HvnK0=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0/go.mod h1:WXbYJTUaZXAbYd8lbgGuvih0yuCfOFC5RJoYnoLcGz8=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 h1:t/Qur3vKSkUCcDVaSumWF2PKHt85pc7fRvFuoVT8qFU=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0/go.mod h1:Rl61tySSdcOJWoEgYZVtmnKdA0GeKrSqkHC1t+91CH8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 h1:5pojmb1U1AogINhN3SurB+zm/nIcusopeBNp42f45QM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0/go.mod h1:57gTHJSE5S1tqg+EKsLPlTWhpHMsWlVmer+LA926XiA=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 h1:wpMfgF8E1rkrT1Z6meFh1NDtownE9Ii3n3X2GJYjsaU=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0/go.mod h1:wAy0T/dUbs468uOlkT31xjvqQgEVXv58BRFWEgn5v/0=
-go.opentelemetry.io/otel/exporters/prometheus v0.54.0 h1:rFwzp68QMgtzu9PgP3jm9XaMICI6TsofWWPcBDKwlsU=
-go.opentelemetry.io/otel/exporters/prometheus v0.54.0/go.mod h1:QyjcV9qDP6VeK5qPyKETvNjmaaEc7+gqjh4SS0ZYzDU=
-go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 h1:CHXNXwfKWfzS65yrlB2PVds1IBZcdsX8Vepy9of0iRU=
-go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0/go.mod h1:zKU4zUgKiaRxrdovSS2amdM5gOc59slmo/zJwGX+YBg=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0 h1:rixTyDGXFxRy1xzhKrotaHy3/KXdPhlWARrCgK+eqUY=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0/go.mod h1:dowW6UsM9MKbJq5JTz2AMVp3/5iW5I/TStsk8S+CfHw=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 h1:cC2yDI3IQd0Udsux7Qmq8ToKAx1XCilTQECZ0KDZyTw=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0/go.mod h1:2PD5Ex6z8CFzDbTdOlwyNIUywRr1DN0ospafJM1wJ+s=
-go.opentelemetry.io/otel/log v0.8.0 h1:egZ8vV5atrUWUbnSsHn6vB8R21G2wrKqNiDt3iWertk=
-go.opentelemetry.io/otel/log v0.8.0/go.mod h1:M9qvDdUTRCopJcGRKg57+JSQ9LgLBrwwfC32epk5NX8=
-go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
-go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
-go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
-go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
-go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs=
-go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo=
-go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
-go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
-go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
-go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
-go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg=
-go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
+go.opentelemetry.io/contrib/detectors/gcp v1.29.0 h1:TiaiXB4DpGD3sdzNlYQxruQngn5Apwzi1X0DRhuGvDQ=
+go.opentelemetry.io/contrib/detectors/gcp v1.29.0/go.mod h1:GW2aWZNwR2ZxDLdv8OyC2G8zkRoQBuURgV7RPQgcPoU=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 h1:r6I7RJCN86bpD/FQwedZ0vSixDpwuWREjW9oRMsmqDc=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0/go.mod h1:B9yO6b04uB80CzjedvewuqDhxJxi11s7/GtiGa8bAjI=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
+go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
+go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I=
+go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
+go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
+go.opentelemetry.io/otel/sdk v1.29.0 h1:vkqKjk7gwhS8VaWb0POZKmIEDimRCMsopNYnriHyryo=
+go.opentelemetry.io/otel/sdk v1.29.0/go.mod h1:pM8Dx5WKnvxLCb+8lG1PRNIDxu9g9b9g59Qr7hfAAok=
+go.opentelemetry.io/otel/sdk/metric v1.29.0 h1:K2CfmJohnRgvZ9UAj2/FhIf/okdWcNdBwe1m8xFXiSY=
+go.opentelemetry.io/otel/sdk/metric v1.29.0/go.mod h1:6zZLdCl2fkauYoZIOn/soQIDSWFmNSRcICarHfuhNJQ=
+go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
+go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY=
+go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -877,48 +925,65 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
-golang.org/x/exp v0.0.0-20250531010427-b6e5de432a8b h1:QoALfVG9rhQ/M7vYDScfPdWjGL9dlsVVM5VGh7aKoAA=
-golang.org/x/exp v0.0.0-20250531010427-b6e5de432a8b/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f h1:XdNn9LlyWAhLVp6P/i8QYBW+hlyhrhei9uErw2B5GJo=
+golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:D5SMRVC3C2/4+F/DB1wZsLRnSNimn2Sp/NPsCrsv8ak=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
+golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -929,21 +994,24 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
-golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
+golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -951,42 +1019,66 @@ golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
+golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o=
+golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/api v0.235.0 h1:C3MkpQSRxS1Jy6AkzTGKKrpSCOd2WOGrezZ+icKSkKo=
-google.golang.org/api v0.235.0/go.mod h1:QpeJkemzkFKe5VCE/PMv7GsUfn9ZF+u+q1Q7w6ckxTg=
+google.golang.org/api v0.209.0 h1:Ja2OXNlyRlWCWu8o+GgI4yUn/wz9h/5ZfFbKz+dQX+w=
+google.golang.org/api v0.209.0/go.mod h1:I53S168Yr/PNDNMi5yPnDc0/LGRZO6o7PoEbl/HY3CM=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
-google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 h1:1tXaIXCracvtsRxSBsYDiSBN0cuJvM7QYW+MrpIRY78=
-google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:49MsLSx0oWMOZqcpB3uL8ZOkAh1+TndpJ8ONoCBWiZk=
-google.golang.org/genproto/googleapis/api v0.0.0-20250512202823-5a2f75b736a9 h1:WvBuA5rjZx9SNIzgcU53OohgZy6lKSus++uY4xLaWKc=
-google.golang.org/genproto/googleapis/api v0.0.0-20250512202823-5a2f75b736a9/go.mod h1:W3S/3np0/dPWsWLi1h/UymYctGXaGBM2StwzD0y140U=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 h1:IkAfh6J/yllPtpYFU0zZN1hUPYdT0ogkBT/9hMxHjvg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
-google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f h1:zDoHYmMzMacIdjNe+P2XiTmPsLawi/pCbSPfxt6lTfw=
+google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f/go.mod h1:Q5m6g8b5KaFFzsQFIGdJkSJDGeJiybVenoYFMMa3ohI=
+google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g=
+google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f h1:C1QccEa9kUwvMgEUORqQD9S17QesQijxjZ84sO82mfo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
+google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
+google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a h1:UIpYSuWdWHSzjwcAFRLjKcPXFZVVLXGEM23W+NWqipw=
+google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a/go.mod h1:9i1T9n4ZinTUZGgzENMi8MDDgbGC5mqTS75JAv6xN3A=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io=
+google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -998,6 +1090,7 @@ gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
@@ -1007,55 +1100,54 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= -helm.sh/helm/v3 v3.18.4 h1:pNhnHM3nAmDrxz6/UC+hfjDY4yeDATQCka2/87hkZXQ= -helm.sh/helm/v3 v3.18.4/go.mod h1:WVnwKARAw01iEdjpEkP7Ii1tT1pTPYfM1HsakFKM3LI= -k8s.io/api v0.33.2 h1:YgwIS5jKfA+BZg//OQhkJNIfie/kmRsO0BmNaVSimvY= -k8s.io/api v0.33.2/go.mod h1:fhrbphQJSM2cXzCWgqU29xLDuks4mu7ti9vveEnpSXs= -k8s.io/apiextensions-apiserver v0.33.2 h1:6gnkIbngnaUflR3XwE1mCefN3YS8yTD631JXQhsU6M8= -k8s.io/apiextensions-apiserver v0.33.2/go.mod h1:IvVanieYsEHJImTKXGP6XCOjTwv2LUMos0YWc9O+QP8= -k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY= -k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= -k8s.io/apiserver v0.33.2 h1:KGTRbxn2wJagJowo29kKBp4TchpO1DRO3g+dB/KOJN4= -k8s.io/apiserver v0.33.2/go.mod h1:9qday04wEAMLPWWo9AwqCZSiIn3OYSZacDyu/AcoM/M= -k8s.io/cli-runtime v0.33.2 h1:koNYQKSDdq5AExa/RDudXMhhtFasEg48KLS2KSAU74Y= -k8s.io/cli-runtime v0.33.2/go.mod h1:gnhsAWpovqf1Zj5YRRBBU7PFsRc6NkEkwYNQE+mXL88= -k8s.io/client-go v0.33.2 h1:z8CIcc0P581x/J1ZYf4CNzRKxRvQAwoAolYPbtQes+E= -k8s.io/client-go v0.33.2/go.mod h1:9mCgT4wROvL948w6f6ArJNb7yQd7QsvqavDeZHvNmHo= -k8s.io/cluster-bootstrap v0.33.1 h1:esGY+qXFJ78myppBzMVqqj37ReGLOJpQNslRiqmQGes= -k8s.io/cluster-bootstrap v0.33.1/go.mod h1:YA4FsgPShsVoP84DkBJEkCKDgsH4PpgTa0NzNBf6y4I= -k8s.io/component-base v0.33.2 h1:sCCsn9s/dG3ZrQTX/Us0/Sx2R0G5kwa0wbZFYoVp/+0= -k8s.io/component-base v0.33.2/go.mod h1:/41uw9wKzuelhN+u+/C59ixxf4tYQKW7p32ddkYNe2k= +helm.sh/helm/v3 v3.16.3 h1:kb8bSxMeRJ+knsK/ovvlaVPfdis0X3/ZhYCSFRP+YmY= +helm.sh/helm/v3 v3.16.3/go.mod h1:zeVWGDR4JJgiRbT3AnNsjYaX8OTJlIE9zC+Q7F7iUSU= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8= +k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE= +k8s.io/apiextensions-apiserver v0.31.3 h1:+GFGj2qFiU7rGCsA5o+p/rul1OQIq6oYpQw4+u+nciE= +k8s.io/apiextensions-apiserver v0.31.3/go.mod h1:2DSpFhUZZJmn/cr/RweH1cEVVbzFw9YBu4T+U3mf1e4= +k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4= +k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.3 h1:+1oHTtCB+OheqFEz375D0IlzHZ5VeQKX1KGXnx+TTuY= +k8s.io/apiserver v0.31.3/go.mod h1:PrxVbebxrxQPFhJk4powDISIROkNMKHibTg9lTRQ0Qg= +k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= +k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= +k8s.io/client-go v0.31.3 h1:CAlZuM+PH2cm+86LOBemaJI/lQ5linJ6UFxKX/SoG+4= +k8s.io/client-go v0.31.3/go.mod h1:2CgjPUTpv3fE5dNygAr2NcM8nhHzXvxB8KL5gYc3kJs= +k8s.io/cluster-bootstrap v0.31.3 h1:O1Yxk1bLaxZvmQCXLaJjj5iJD+lVMfJdRUuKgbUHPlA= +k8s.io/cluster-bootstrap v0.31.3/go.mod h1:TI6TCsQQB4FfcryWgNO3SLXSKWBqHjx4DfyqSFwixj8= +k8s.io/component-base v0.31.3 h1:DMCXXVx546Rfvhj+3cOm2EUxhS+EyztH423j+8sOwhQ= +k8s.io/component-base v0.31.3/go.mod h1:xME6BHfUOafRgT0rGVBGl7TuSg8Z9/deT7qq6w7qjIU= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= -k8s.io/kubectl v0.33.2 h1:7XKZ6DYCklu5MZQzJe+CkCjoGZwD1wWl7t/FxzhMz7Y= -k8s.io/kubectl v0.33.2/go.mod h1:8rC67FB8tVTYraovAGNi/idWIK90z2CHFNMmGJZJ3KI= -k8s.io/kubelet v0.33.1 
h1:x4LCw1/iZVWOKA4RoITnuB8gMHnw31HPB3S0EF0EexE= -k8s.io/kubelet v0.33.1/go.mod h1:8WpdC9M95VmsqIdGSQrajXooTfT5otEj8pGWOm+KKfQ= -k8s.io/kubernetes v1.33.2 h1:Vk3hsCaazyMQ6CXhu029AEPlBoYsEnD8oEIC0bP2pWQ= -k8s.io/kubernetes v1.33.2/go.mod h1:nrt8sldmckKz2fCZhgRX3SKfS2e+CzXATPv6ITNkU00= -k8s.io/mount-utils v0.33.1 h1:hodPhfyoK+gG0SgnYwx1iPrlnpaESZiJ9GFzF5V/imE= -k8s.io/mount-utils v0.33.1/go.mod h1:1JR4rKymg8B8bCPo618hpSAdrpO6XLh0Acqok/xVwPE= -k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 h1:jgJW5IePPXLGB8e/1wvd0Ich9QE97RvvF3a8J3fP/Lg= -k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -libvirt.org/go/libvirt v1.11002.0 h1:cb8KJG3D97pc/hxQ2n6P82hRX3rlgdzO7bih6W1AAQ8= -libvirt.org/go/libvirt v1.11002.0/go.mod h1:1WiFE8EjZfq+FCVog+rvr1yatKbKZ9FaFMZgEqxEJqQ= -oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= -oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o= -sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8= -sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM= -sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= -sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= -sigs.k8s.io/kustomize/api v0.19.0 h1:F+2HB2mU1MSiR9Hp1NEgoU2q9ItNOaBJl0I4Dlus5SQ= -sigs.k8s.io/kustomize/api v0.19.0/go.mod h1:/BbwnivGVcBh1r+8m3tH1VNxJmHSk1PzP5fkP6lbL1o= -sigs.k8s.io/kustomize/kyaml v0.19.0 h1:RFge5qsO1uHhwJsu3ipV7RNolC7Uozc0jUBC/61XSlA= -sigs.k8s.io/kustomize/kyaml v0.19.0/go.mod h1:FeKD5jEOH+FbZPpqUghBP8mrLjJ3+zD3/rf9NNu1cwY= -sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= -sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= 
-sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc= -sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= +k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24= +k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM= +k8s.io/kubelet v0.31.3 h1:DIXRAmvVGp42mV2vpA1GCLU6oO8who0/vp3Oq6kSpbI= +k8s.io/kubelet v0.31.3/go.mod h1:KSdbEfNy5VzqUlAHlytA/fH12s+sE1u8fb/8JY9sL/8= +k8s.io/kubernetes v1.31.3 h1:oqb7HdfnTelrGlZ6ziNugvQ/L/aJWR704114EAhUn9Q= +k8s.io/kubernetes v1.31.3/go.mod h1:9xmT2buyTYj8TRKwRae7FcuY8k5+xlxv7VivvO0KKfs= +k8s.io/mount-utils v0.31.3 h1:CANy3prUYvvDCc2X7ZKgpjpDhAidx4gjGh/WwDrCPq8= +k8s.io/mount-utils v0.31.3/go.mod h1:HV/VYBUGqYUj4vt82YltzpWvgv8FPg0G9ItyInT3NPU= +k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078 h1:jGnCPejIetjiy2gqaJ5V0NLwTpF4wbQ6cZIItJCSHno= +k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +libvirt.org/go/libvirt v1.10009.0 h1:Lf3jktPJwrOF/lIb6fZN/TNUPhNVyS70wAk8lI2dGj8= +libvirt.org/go/libvirt v1.10009.0/go.mod h1:1WiFE8EjZfq+FCVog+rvr1yatKbKZ9FaFMZgEqxEJqQ= +oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo= +oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo= +sigs.k8s.io/controller-runtime v0.19.2 h1:3sPrF58XQEPzbE8T81TN6selQIMGbtYwuaJ6eDssDF8= +sigs.k8s.io/controller-runtime v0.19.2/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/kustomize/api v0.17.2 
h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= +sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= +sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= +sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k= diff --git a/go.work b/go.work index 0d9909f84..0cf42a018 100644 --- a/go.work +++ b/go.work @@ -1,6 +1,6 @@ -go 1.24.4 +go 1.23.2 -toolchain go1.24.4 +toolchain go1.23.2 use ( . diff --git a/hack/bazel-deps-mirror/bazel-deps-mirror.go b/hack/bazel-deps-mirror/bazel-deps-mirror.go index b99f75e39..5e2d92617 100644 --- a/hack/bazel-deps-mirror/bazel-deps-mirror.go +++ b/hack/bazel-deps-mirror/bazel-deps-mirror.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // bazel-deps-mirror adds external dependencies to edgeless systems' mirror. diff --git a/hack/bazel-deps-mirror/check.go b/hack/bazel-deps-mirror/check.go index 30c65a131..465e46f7f 100644 --- a/hack/bazel-deps-mirror/check.go +++ b/hack/bazel-deps-mirror/check.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/hack/bazel-deps-mirror/fix.go b/hack/bazel-deps-mirror/fix.go index a6018dfe1..dd231cd06 100644 --- a/hack/bazel-deps-mirror/fix.go +++ b/hack/bazel-deps-mirror/fix.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/hack/bazel-deps-mirror/internal/bazelfiles/files.go b/hack/bazel-deps-mirror/internal/bazelfiles/files.go index a891deb49..c736f8533 100644 --- a/hack/bazel-deps-mirror/internal/bazelfiles/files.go +++ b/hack/bazel-deps-mirror/internal/bazelfiles/files.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // package bazelfiles is used to find and handle Bazel WORKSPACE and bzl files. diff --git a/hack/bazel-deps-mirror/internal/bazelfiles/files_test.go b/hack/bazel-deps-mirror/internal/bazelfiles/files_test.go index 889a490ec..92cb1a0ae 100644 --- a/hack/bazel-deps-mirror/internal/bazelfiles/files_test.go +++ b/hack/bazel-deps-mirror/internal/bazelfiles/files_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package bazelfiles diff --git a/hack/bazel-deps-mirror/internal/issues/issues.go b/hack/bazel-deps-mirror/internal/issues/issues.go index a1cac0e64..f01495ceb 100644 --- a/hack/bazel-deps-mirror/internal/issues/issues.go +++ b/hack/bazel-deps-mirror/internal/issues/issues.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // package issues can store and report issues found during the bazel-deps-mirror process. diff --git a/hack/bazel-deps-mirror/internal/issues/issues_test.go b/hack/bazel-deps-mirror/internal/issues/issues_test.go index 6e402f1bb..2df8baf16 100644 --- a/hack/bazel-deps-mirror/internal/issues/issues_test.go +++ b/hack/bazel-deps-mirror/internal/issues/issues_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package issues 
diff --git a/hack/bazel-deps-mirror/internal/mirror/mirror.go b/hack/bazel-deps-mirror/internal/mirror/mirror.go
index 947f565da..a9919adcc 100644
--- a/hack/bazel-deps-mirror/internal/mirror/mirror.go
+++ b/hack/bazel-deps-mirror/internal/mirror/mirror.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // package mirror is used upload and download Bazel dependencies to and from a mirror.
diff --git a/hack/bazel-deps-mirror/internal/mirror/mirror_test.go b/hack/bazel-deps-mirror/internal/mirror/mirror_test.go
index c94a84507..541c1fa52 100644
--- a/hack/bazel-deps-mirror/internal/mirror/mirror_test.go
+++ b/hack/bazel-deps-mirror/internal/mirror/mirror_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package mirror
@@ -137,7 +137,7 @@ func TestMirror(t *testing.T) {
 unauthenticated: tc.unauthenticated,
 log: logger.NewTest(t),
 }
- err := m.Mirror(t.Context(), tc.hash, []string{tc.upstreamURL})
+ err := m.Mirror(context.Background(), tc.hash, []string{tc.upstreamURL})
 if tc.wantErr {
 assert.Error(t, err)
 } else {
@@ -180,7 +180,7 @@ func TestLearn(t *testing.T) {
 },
 log: logger.NewTest(t),
 }
- gotHash, err := m.Learn(t.Context(), []string{"https://example.com/foo"})
+ gotHash, err := m.Learn(context.Background(), []string{"https://example.com/foo"})
 if tc.wantErr {
 assert.Error(err)
 return
@@ -274,7 +274,7 @@ func TestCheck(t *testing.T) {
 },
 log: logger.NewTest(t),
 }
- err := m.Check(t.Context(), tc.hash)
+ err := m.Check(context.Background(), tc.hash)
 if tc.wantErr {
 assert.Error(t, err)
 } else {
diff --git a/hack/bazel-deps-mirror/internal/rules/rules.go b/hack/bazel-deps-mirror/internal/rules/rules.go
index 5cb90ccaa..d8a5269f3 100644
--- a/hack/bazel-deps-mirror/internal/rules/rules.go
+++ b/hack/bazel-deps-mirror/internal/rules/rules.go
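Review bot: Swapping `t.Context()` for `context.Background()` in TestMirror, TestLearn and TestCheck removes the cancellation the old context carried, so a Mirror, Learn or Check call that blocks on the network is no longer cancelled when the test ends; it now outlives the test and can leak a goroutine into the rest of the package run. If the swap exists only because the workspace now targets a Go release without `testing.T.Context` (the go.work hunk above moves to go 1.23.2), the old behaviour is kept with `ctx, cancel := context.WithCancel(context.Background())` followed by `t.Cleanup(cancel)` and passing `ctx` to the call. The same replacement appears in the three server_test.go hunks (TestListSelf, TestListPeers, TestInitSecretHash) further down and deserves the same treatment. The enclosing test functions start and end outside these hunks.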
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // package rules is used find and modify Bazel rules in WORKSPACE and bzl files.
diff --git a/hack/bazel-deps-mirror/internal/rules/rules_test.go b/hack/bazel-deps-mirror/internal/rules/rules_test.go
index 4e494d0a3..b607b99b8 100644
--- a/hack/bazel-deps-mirror/internal/rules/rules_test.go
+++ b/hack/bazel-deps-mirror/internal/rules/rules_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package rules
diff --git a/hack/bazel-deps-mirror/upgrade.go b/hack/bazel-deps-mirror/upgrade.go
index e4ceca996..8729f0aea 100644
--- a/hack/bazel-deps-mirror/upgrade.go
+++ b/hack/bazel-deps-mirror/upgrade.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package main
diff --git a/hack/cli-k8s-compatibility/main.go b/hack/cli-k8s-compatibility/main.go
index e1cb7c611..5361fcdf4 100644
--- a/hack/cli-k8s-compatibility/main.go
+++ b/hack/cli-k8s-compatibility/main.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // cli-k8s-compatibility generates JSON output for a CLI version and its supported Kubernetes versions.
@@ -45,7 +45,7 @@ func main() {
 }
 cliInfo := versionsapi.CLIInfo{
- Ref: versionsapi.CanonicalizeRef(*refFlag),
+ Ref: *refFlag,
 Stream: *streamFlag,
 Version: *versionFlag,
 Kubernetes: []string{},
diff --git a/hack/clidocgen/main.go b/hack/clidocgen/main.go
index 599e30d22..b63b796cb 100644
--- a/hack/clidocgen/main.go
+++ b/hack/clidocgen/main.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Clidocgen generates a Markdown page describing all CLI commands.
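Review bot: `Ref: *refFlag` in hack/cli-k8s-compatibility/main.go now stores the command-line value verbatim, where the removed line passed it through `versionsapi.CanonicalizeRef`, so whatever normalisation that helper applied (its body is not visible here) no longer runs before the ref is written into the generated CLIInfo. If the versions API expects refs in canonical form, a ref given in a non-canonical spelling now flows into the published JSON unchanged and may be rejected or mis-keyed downstream. Either keep the canonicalisation, or validate the flag up front and fail with a clear error, and state in the flag's usage text that a canonical ref is required, e.g. `// ref must already be canonical; it is written to CLIInfo unchanged`. main() starts and ends outside the hunk.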
diff --git a/hack/gocoverage/main.go b/hack/gocoverage/main.go index c6b755cde..496bd97ce 100644 --- a/hack/gocoverage/main.go +++ b/hack/gocoverage/main.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/hack/gocoverage/main_test.go b/hack/gocoverage/main_test.go index 267aa1522..613e74dad 100644 --- a/hack/gocoverage/main_test.go +++ b/hack/gocoverage/main_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/hack/image-fetch/main.go b/hack/image-fetch/main.go index 4124a9f54..7a88801a8 100644 --- a/hack/image-fetch/main.go +++ b/hack/image-fetch/main.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/hack/image-fetch/main_test.go b/hack/image-fetch/main_test.go index 30fe94af4..fa73af23e 100644 --- a/hack/image-fetch/main_test.go +++ b/hack/image-fetch/main_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/hack/logcollector/cmd/root.go b/hack/logcollector/cmd/root.go index a6f8f1501..9af040c49 100644 --- a/hack/logcollector/cmd/root.go +++ b/hack/logcollector/cmd/root.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/hack/logcollector/cmd/template.go b/hack/logcollector/cmd/template.go index 1812981ae..8776a52df 100644 --- a/hack/logcollector/cmd/template.go +++ b/hack/logcollector/cmd/template.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd 
diff --git a/hack/logcollector/fields/fields.go b/hack/logcollector/fields/fields.go index 4443b3415..d905f2b66 100644 --- a/hack/logcollector/fields/fields.go +++ b/hack/logcollector/fields/fields.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package fields diff --git a/hack/logcollector/internal/filebeat.go b/hack/logcollector/internal/filebeat.go index d46812e37..bb7fd8493 100644 --- a/hack/logcollector/internal/filebeat.go +++ b/hack/logcollector/internal/filebeat.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package internal diff --git a/hack/logcollector/internal/logstash.go b/hack/logcollector/internal/logstash.go index 808ed4d32..ea03365e6 100644 --- a/hack/logcollector/internal/logstash.go +++ b/hack/logcollector/internal/logstash.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package internal diff --git a/hack/logcollector/internal/metricbeat.go b/hack/logcollector/internal/metricbeat.go index 0d71ea125..603f2dcd4 100644 --- a/hack/logcollector/internal/metricbeat.go +++ b/hack/logcollector/internal/metricbeat.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package internal diff --git a/hack/logcollector/internal/prepare.go b/hack/logcollector/internal/prepare.go index acfec0114..8f6408ac4 100644 --- a/hack/logcollector/internal/prepare.go +++ b/hack/logcollector/internal/prepare.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package internal diff --git a/hack/logcollector/main.go b/hack/logcollector/main.go index 3535e59dc..f4f6aaf96 100644 --- a/hack/logcollector/main.go +++ b/hack/logcollector/main.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/hack/oci-pin/codegen.go b/hack/oci-pin/codegen.go index b733c834b..774b794da 100644 --- a/hack/oci-pin/codegen.go +++ b/hack/oci-pin/codegen.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/hack/oci-pin/internal/extract/extract.go b/hack/oci-pin/internal/extract/extract.go index ae37c9501..5b76e954d 100644 --- a/hack/oci-pin/internal/extract/extract.go +++ b/hack/oci-pin/internal/extract/extract.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package extract diff --git a/hack/oci-pin/internal/extract/extract_test.go b/hack/oci-pin/internal/extract/extract_test.go index 893a0de20..cf3dddd93 100644 --- a/hack/oci-pin/internal/extract/extract_test.go +++ b/hack/oci-pin/internal/extract/extract_test.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package extract diff --git a/hack/oci-pin/internal/inject/inject.go b/hack/oci-pin/internal/inject/inject.go index 7175d7e9f..f70ef4952 100644 --- a/hack/oci-pin/internal/inject/inject.go +++ b/hack/oci-pin/internal/inject/inject.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // inject renders Go source files with injected pinning values. diff --git a/hack/oci-pin/internal/inject/inject_test.go b/hack/oci-pin/internal/inject/inject_test.go index e33cf1887..9d209be11 100644 --- a/hack/oci-pin/internal/inject/inject_test.go +++ b/hack/oci-pin/internal/inject/inject_test.go 
@@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package inject diff --git a/hack/oci-pin/internal/sums/sums.go b/hack/oci-pin/internal/sums/sums.go index b6acdd426..48545e9e3 100644 --- a/hack/oci-pin/internal/sums/sums.go +++ b/hack/oci-pin/internal/sums/sums.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // sums creates and combines sha256sums files. diff --git a/hack/oci-pin/internal/sums/sums_test.go b/hack/oci-pin/internal/sums/sums_test.go index 3bc61fe79..4796bd028 100644 --- a/hack/oci-pin/internal/sums/sums_test.go +++ b/hack/oci-pin/internal/sums/sums_test.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package sums diff --git a/hack/oci-pin/merge.go b/hack/oci-pin/merge.go index d13b84c3c..565d08a35 100644 --- a/hack/oci-pin/merge.go +++ b/hack/oci-pin/merge.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/hack/oci-pin/oci-pin.go b/hack/oci-pin/oci-pin.go index 1c68e42d3..5b3206c15 100644 --- a/hack/oci-pin/oci-pin.go +++ b/hack/oci-pin/oci-pin.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // oci-pin generates Go code and shasum files for OCI images. diff --git a/hack/oci-pin/sum.go b/hack/oci-pin/sum.go index ba77b727b..feacd8ca1 100644 --- a/hack/oci-pin/sum.go +++ b/hack/oci-pin/sum.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/hack/qemu-metadata-api/dhcp/dhcp.go b/hack/qemu-metadata-api/dhcp/dhcp.go index a6e3aa08a..6474b6666 100644 --- a/hack/qemu-metadata-api/dhcp/dhcp.go 
+++ b/hack/qemu-metadata-api/dhcp/dhcp.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package dhcp diff --git a/hack/qemu-metadata-api/dhcp/dnsmasq/dnsmasq.go b/hack/qemu-metadata-api/dhcp/dnsmasq/dnsmasq.go index 4374e074b..1e75e2abd 100644 --- a/hack/qemu-metadata-api/dhcp/dnsmasq/dnsmasq.go +++ b/hack/qemu-metadata-api/dhcp/dnsmasq/dnsmasq.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package dnsmasq diff --git a/hack/qemu-metadata-api/dhcp/dnsmasq/dnsmasq_test.go b/hack/qemu-metadata-api/dhcp/dnsmasq/dnsmasq_test.go index 2f079a471..66a4483cd 100644 --- a/hack/qemu-metadata-api/dhcp/dnsmasq/dnsmasq_test.go +++ b/hack/qemu-metadata-api/dhcp/dnsmasq/dnsmasq_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package dnsmasq diff --git a/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper.go b/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper.go index 7a31ff337..fa77b81de 100644 --- a/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper.go +++ b/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package virtwrapper diff --git a/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper_cgo.go b/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper_cgo.go index b74c65110..bacd3c81f 100644 --- a/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper_cgo.go +++ b/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper_cgo.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package virtwrapper 
diff --git a/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper_cross.go b/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper_cross.go index 0467ab907..58e12f0f7 100644 --- a/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper_cross.go +++ b/hack/qemu-metadata-api/dhcp/virtwrapper/virtwrapper_cross.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package virtwrapper diff --git a/hack/qemu-metadata-api/main.go b/hack/qemu-metadata-api/main.go index 0693b9cd4..5169200b3 100644 --- a/hack/qemu-metadata-api/main.go +++ b/hack/qemu-metadata-api/main.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/hack/qemu-metadata-api/main_cross.go b/hack/qemu-metadata-api/main_cross.go index 3398538fa..18ac575ba 100644 --- a/hack/qemu-metadata-api/main_cross.go +++ b/hack/qemu-metadata-api/main_cross.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/hack/qemu-metadata-api/server/server.go b/hack/qemu-metadata-api/server/server.go index 4394732b2..2b3817247 100644 --- a/hack/qemu-metadata-api/server/server.go +++ b/hack/qemu-metadata-api/server/server.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package server diff --git a/hack/qemu-metadata-api/server/server_test.go b/hack/qemu-metadata-api/server/server_test.go index ada18aaa3..363cb3ed2 100644 --- a/hack/qemu-metadata-api/server/server_test.go +++ b/hack/qemu-metadata-api/server/server_test.go @@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package server import ( + "context" "encoding/json" "io" "net/http" 
@@ -126,7 +127,7 @@ func TestListSelf(t *testing.T) {
 server := New(logger.NewTest(t), "test", "initSecretHash", tc.stubLeaseGetter)
- req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "http://192.0.0.1/self", nil)
+ req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://192.0.0.1/self", nil)
 require.NoError(err)
 req.RemoteAddr = tc.remoteAddr
@@ -186,7 +187,7 @@ func TestListPeers(t *testing.T) {
 server := New(logger.NewTest(t), "test", "initSecretHash", tc.stubNetworkGetter)
- req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "http://192.0.0.1/peers", nil)
+ req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://192.0.0.1/peers", nil)
 require.NoError(err)
 req.RemoteAddr = tc.remoteAddr
@@ -242,7 +243,7 @@ func TestInitSecretHash(t *testing.T) {
 server := New(logger.NewTest(t), "test", tc.wantHash, defaultConnect)
- req, err := http.NewRequestWithContext(t.Context(), tc.method, "http://192.0.0.1/initsecrethash", nil)
+ req, err := http.NewRequestWithContext(context.Background(), tc.method, "http://192.0.0.1/initsecrethash", nil)
 require.NoError(err)
 w := httptest.NewRecorder()
diff --git a/hack/tools/go.mod b/hack/tools/go.mod
index 211115cdb..5674da6b2 100644
--- a/hack/tools/go.mod
+++ b/hack/tools/go.mod
@@ -1,13 +1,13 @@
 module github.com/edgelesssys/constellation/v2/hack/tools
-go 1.24.4
+go 1.23.2
 require (
 github.com/google/go-licenses v1.6.0
- github.com/google/keep-sorted v0.6.1
- github.com/katexochen/sh/v3 v3.11.0
- golang.org/x/tools v0.33.0
- golang.org/x/vuln v1.1.4
+ github.com/google/keep-sorted v0.5.1
+ github.com/katexochen/sh/v3 v3.10.0
+ golang.org/x/tools v0.27.0
+ golang.org/x/vuln v1.1.3
 )
 require (
@@ -26,7 +26,7 @@ require ( github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/otiai10/copy v1.6.0 // indirect - github.com/rogpeppe/go-internal v1.14.1 // indirect + github.com/rogpeppe/go-internal v1.13.1 // indirect github.com/rs/zerolog v1.31.0 // indirect github.com/sergi/go-diff v1.3.1 // indirect github.com/spf13/cobra v1.8.0 // indirect @@ -35,14 +35,14 @@ require ( github.com/stretchr/testify v1.8.4 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect go.opencensus.io v0.24.0 // indirect - golang.org/x/crypto v0.38.0 // indirect - golang.org/x/mod v0.24.0 // indirect - golang.org/x/net v0.40.0 // indirect - golang.org/x/sync v0.14.0 // indirect - golang.org/x/sys v0.33.0 // indirect + golang.org/x/crypto v0.29.0 // indirect + golang.org/x/mod v0.22.0 // indirect + golang.org/x/net v0.31.0 // indirect + golang.org/x/sync v0.9.0 // indirect + golang.org/x/sys v0.27.0 // indirect golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect - golang.org/x/term v0.32.0 // indirect - golang.org/x/text v0.25.0 // indirect + golang.org/x/term v0.26.0 // indirect + golang.org/x/text v0.20.0 // indirect gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect gopkg.in/src-d/go-billy.v4 v4.3.2 // indirect gopkg.in/src-d/go-git.v4 v4.13.1 // indirect diff --git a/hack/tools/go.sum b/hack/tools/go.sum index c76480175..ca41d9dc5 100644 --- a/hack/tools/go.sum +++ b/hack/tools/go.sum 
@@ -174,14 +174,14 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= -github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-licenses v1.6.0 h1:MM+VCXf0slYkpWO0mECvdYDVCxZXIQNal5wqUIXEZ/A= github.com/google/go-licenses v1.6.0/go.mod h1:Z8jgz2isEhdenOqd/00pq7I4y4k1xVVQJv415otjclo= github.com/google/go-replayers/httpreplay v1.1.1 h1:H91sIMlt1NZzN7R+/ASswyouLJfW0WLW7fhyUFvDEkY= github.com/google/go-replayers/httpreplay v1.1.1/go.mod h1:gN9GeLIs7l6NUoVaSSnv2RiqK1NiwAmD0MrKeC9IIks= -github.com/google/keep-sorted v0.6.1 h1:LNEdDKYxoXOrn4ZXC+FdUfJCVbUjhb2QPIBs5XISXCI= -github.com/google/keep-sorted v0.6.1/go.mod h1:JYy9vljs7P8b3QdPOQkywA+4u36FUHwsNITZIpJyPkE= +github.com/google/keep-sorted v0.5.1 h1:rmIIsosfRa/5cG5nddWRC2Bc3mzZpOEozc9I8Zlnq4I= +github.com/google/keep-sorted v0.5.1/go.mod h1:JYy9vljs7P8b3QdPOQkywA+4u36FUHwsNITZIpJyPkE= github.com/google/licenseclassifier v0.0.0-20210722185704-3043a050f148 h1:TJsAqW6zLRMDTyGmc9TPosfn9OyVlHs8Hrn3pY6ONSY= github.com/google/licenseclassifier v0.0.0-20210722185704-3043a050f148/go.mod h1:rq9F0RSpNKlrefnf6ZYMHKUnEJBCNzf6AcCXMYBeYvE= github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= 
@@ -235,8 +235,8 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/katexochen/sh/v3 v3.11.0 h1:L71eTHDOVv7CKiCJVDm28EmIdIT/s8dXzKgddW9Uxok= -github.com/katexochen/sh/v3 v3.11.0/go.mod h1:Z6jje5FhaLunbZtZlnYi6qcaqMO+rdh8m0IJ2jWTbew= +github.com/katexochen/sh/v3 v3.10.0 h1:Ego1a6oSmdt9WypgalMnbZNmL9CVSxwiX12CFZM981I= +github.com/katexochen/sh/v3 v3.10.0/go.mod h1:edcqgocfPrMX4vdCLGZQgc4T+2Cr6zNN+Adg/w8PLxw= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= 
@@ -276,8 +276,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= -github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= +github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= +github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= github.com/rs/zerolog v1.31.0 h1:FcTR3NnLWW+NnTwwhFWiJSZr4ECLpqCm6QsEnyvbV4A= github.com/rs/zerolog v1.31.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss= 
@@ -341,8 +341,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= -golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= -golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= +golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= +golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -380,8 +380,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU= -golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= +golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= +golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -428,8 +428,8 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= -golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= -golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= +golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= +golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -466,8 +466,8 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= -golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= +golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -538,16 +538,16 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= +golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0= golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= -golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= -golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= +golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -559,8 +559,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= -golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= +golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= +golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -619,10 +619,10 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= -golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc= -golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= -golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I= -golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s= +golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o= +golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q= +golang.org/x/vuln v1.1.3 h1:NPGnvPOTgnjBc9HTaUx+nj+EaUYxl5SJOWqaDYGaFYw= +golang.org/x/vuln v1.1.3/go.mod h1:7Le6Fadm5FOqE9C926BCD0g12NWyhg7cxV4BwcPFuNY= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/hack/tools/tools.go b/hack/tools/tools.go index a7e28843b..da96d9ed6 100644 --- a/hack/tools/tools.go +++ b/hack/tools/tools.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // The tools module is used to keep tool dependencies separate from the main dependencies of the repo diff --git a/hack/versioninfogen/main.go b/hack/versioninfogen/main.go index c43e0488b..21183c131 100644 --- a/hack/versioninfogen/main.go +++ b/hack/versioninfogen/main.go 
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package main
diff --git a/image/BUILD.bazel b/image/BUILD.bazel
index 772801b0c..681c6f385 100644
--- a/image/BUILD.bazel
+++ b/image/BUILD.bazel
@@ -1,12 +1,16 @@
 load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_files", "strip_prefix")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_files", "strip_prefix")
+
+filegroup(
+    name = "sysroot_tree",
+    srcs = glob(["sysroot-tree/**"]),
+)
 
 pkg_files(
     name = "sysroot",
-    srcs = glob(["sysroot-tree/**"]),
-    attributes = pkg_attributes(mode = "0555"),
-    strip_prefix = strip_prefix.from_pkg("sysroot-tree"),
+    srcs = [":sysroot_tree"],
+    strip_prefix = strip_prefix.from_pkg() + "sysroot-tree",
     visibility = ["//visibility:public"],
 )
 
diff --git a/image/README.md b/image/README.md
index c0d8c1975..4316f6cfc 100644
--- a/image/README.md
+++ b/image/README.md
@@ -60,15 +60,3 @@ After building a Kernel rpm, we upload it to our CDN and use it in our image bui
 - `bazel build //image/system:IMAGE_NAME_HERE` (replace with an actual image name)
 - Let CI build new images and run e2e tests
 - Upgrade kernel spec under [edgelesssys/constellation-kernel](https://github.com/edgelesssys/constellation-kernel) to use new releasever
-
-## Adding new packages to the image
-
-- Find the package (i.e. it's _package name_) on [Koji](https://koji.fedoraproject.org/koji/)
-- Add the package to the corresponding section in `./base/mkosi.conf`
-  - If the package is required to be present in the initrd, add it to `./initrd/mkosi.conf`
-- Add the package to `./mirror/packages.txt`
-- Update the package mirror:
-  ```sh
-  bazel run //image/mirror:update_packages
-  ```
-- Build new images (e.g. via CI) and run e2e tests
diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
index 9e613d4fd..2928787f1 100644
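Review bot: The rewritten `sysroot` rule drops `attributes = pkg_attributes(mode = "0555")`, so everything packed from `sysroot-tree/**` now gets rules_pkg's default file mode (0644, as far as I recall) instead of the explicit read-only, executable mode the old side pinned; whether that changes what lands in the image depends on the tree's contents and on the consuming pkg_tar, both outside this hunk. If the tree holds anything that must be executable, or the 0555 was there to keep the sysroot immutable, the regression is silent and should either be reverted with `attributes = pkg_attributes(mode = "0555"),` on the `pkg_files` or explained with a comment such as `# default rules_pkg mode is sufficient: sysroot-tree holds no executables`. `strip_prefix.from_pkg() + "sysroot-tree"` also appears to depend on `from_pkg()` returning a path that ends in a separator; `strip_prefix.from_pkg("sysroot-tree")`, as on the old side, says the same thing without that assumption.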
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
@@ -1,6 +1,5 @@
 load("@aspect_bazel_lib//lib:copy_to_directory.bzl", "copy_to_directory")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_files", "strip_prefix")
 load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
 
 copy_to_directory(
@@ -34,7 +33,9 @@ copy_to_directory(
         "mkosi.finalize",
         "mkosi.postinst",
         "mkosi.prepare",
-    ],
+    ] + glob([
+        "mkosi.skeleton/**",
+    ]),
     outs = [
         kernel_variant,
         kernel_variant + ".tar",
@@ -45,7 +46,6 @@ copy_to_directory(
         kernel_variant + "-rpmdb.sqlite-wal",
     ],
     extra_trees = [
-        ":skeleton",
         "//image:sysroot_tar",
         "//image:cryptsetup_closure",
     ],
@@ -86,15 +86,3 @@ pkg_tar(
     tags = ["manual"],
     visibility = ["//visibility:public"],
 )
-
-pkg_files(
-    name = "skeleton_files",
-    srcs = glob(["mkosi.skeleton/**"]),
-    attributes = pkg_attributes(mode = "0555"),
-    strip_prefix = strip_prefix.from_pkg("mkosi.skeleton"),
-)
-
-pkg_tar(
-    name = "skeleton",
-    srcs = [":skeleton_files"],
-)
diff --git a/image/base/mkosi.conf b/image/base/mkosi.conf
index 9201a05ff..5deab82c8 100644
--- a/image/base/mkosi.conf
+++ b/image/base/mkosi.conf
@@ -41,7 +41,6 @@ Packages=containerd
 # Network
 Packages=iproute
          dbus
-         openssh-server
          systemd-networkd
          systemd-resolved
 
diff --git a/image/base/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service b/image/base/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service
index 30ca0acfe..cf93df780 100644
--- a/image/base/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service
+++ b/image/base/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service
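Review bot: Passing `glob(["mkosi.skeleton/**"])` straight into `srcs` replaces the `:skeleton` tar that normalized every skeleton file to mode 0555, so the permission bits of `mkosi.skeleton/**` in the built image are now whatever mkosi copies from the checkout, and git tracks only the executable bit. That is harmless for the unit file visible in this diff, but any script under the skeleton tree must now carry +x in git, and a contributor can no longer read the intended mode from BUILD.bazel. Consider a comment next to the glob, `# skeleton files are copied with their checkout permissions; executables must be +x in git`, or re-applying an explicit mode in the mkosi_image rule if it supports one. The mkosi_image call starts before this hunk.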
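Review bot: With `openssh-server` gone from the `# Network` package list there is no SSH daemon left in the base image, which is a welcome reduction of the listening surface, but nothing in the file records that this is deliberate. A one-line comment above the list, e.g. `# no openssh-server: nodes are not meant to be reachable interactively`, would stop someone from re-adding it, and the removal should be cross-checked against anything else that still assumes an sshd (host-key generation, firewall rules, documentation); the bootstrapper unit's `Requires=sshd-keygen.target` is already dropped in this diff.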
@@ -1,8 +1,7 @@
 [Unit]
 Description=Constellation Bootstrapper
 Wants=network-online.target
-Requires=sshd-keygen.target
-After=network-online.target configure-constel-csp.service sshd-keygen.target
+After=network-online.target configure-constel-csp.service
 After=export_constellation_debug.service
 
 [Service]
diff --git a/image/initrd/BUILD.bazel b/image/initrd/BUILD.bazel
index a959018ec..6301d6cb5 100644
--- a/image/initrd/BUILD.bazel
+++ b/image/initrd/BUILD.bazel
@@ -1,18 +1,17 @@
-load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_files", "strip_prefix")
 load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
 
 mkosi_image(
     name = "initrd",
     srcs = [
         "mkosi.postinst",
-    ],
+    ] + glob([
+        "mkosi.skeleton/**",
+    ]),
     outs = [
         "image",
         "image.cpio.zst",
     ],
     extra_trees = [
-        ":skeleton",
         "//image:sysroot_tar",
         "//image:cryptsetup_closure",
         "//disk-mapper/cmd:disk-mapper-package.tar",
@@ -25,15 +24,3 @@ mkosi_image(
     ],
     visibility = ["//visibility:public"],
 )
-
-pkg_files(
-    name = "skeleton_files",
-    srcs = glob(["mkosi.skeleton/**"]),
-    attributes = pkg_attributes(mode = "0555"),
-    strip_prefix = strip_prefix.from_pkg("mkosi.skeleton"),
-)
-
-pkg_tar(
-    name = "skeleton",
-    srcs = [":skeleton_files"],
-)
diff --git a/image/measured-boot/cmd/main.go b/image/measured-boot/cmd/main.go
index 1cf708ba3..01a544aae 100644
--- a/image/measured-boot/cmd/main.go
+++ b/image/measured-boot/cmd/main.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package main
diff --git a/image/measured-boot/extract/extract.go b/image/measured-boot/extract/extract.go
index cd544a7ae..ed29f942d 100644
--- a/image/measured-boot/extract/extract.go
+++ b/image/measured-boot/extract/extract.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package extract
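Review bot: The initrd's skeleton tree is now globbed into `srcs` instead of being packed through the deleted `pkg_files`/`pkg_tar` pair that forced mode 0555, so file modes inside the initrd follow the checkout rather than an explicit policy, the same concern as the equivalent change in image/base/BUILD.bazel. It matters at least as much here, since this is the early-boot environment that, judging by `//disk-mapper/cmd:disk-mapper-package.tar` remaining in `extra_trees`, carries the disk-mapper. Any executable under `mkosi.skeleton/**` needs its +x bit committed, and a short comment at the glob, `# copied with checkout permissions; keep executables +x in git`, would document the new contract. The mkosi_image rule continues past the end of the first hunk.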
diff --git a/image/measured-boot/extract/extract_test.go b/image/measured-boot/extract/extract_test.go index ec1b161aa..81d453ed3 100644 --- a/image/measured-boot/extract/extract_test.go +++ b/image/measured-boot/extract/extract_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package extract diff --git a/image/measured-boot/fixtures/fixtures.go b/image/measured-boot/fixtures/fixtures.go index 6e4662037..0e9372594 100644 --- a/image/measured-boot/fixtures/fixtures.go +++ b/image/measured-boot/fixtures/fixtures.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package fixtures diff --git a/image/measured-boot/measure/authentihash.go b/image/measured-boot/measure/authentihash.go index a6facd887..e7e28f65f 100644 --- a/image/measured-boot/measure/authentihash.go +++ b/image/measured-boot/measure/authentihash.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measure diff --git a/image/measured-boot/measure/authentihash_test.go b/image/measured-boot/measure/authentihash_test.go index 9032e6cbf..81cd27652 100644 --- a/image/measured-boot/measure/authentihash_test.go +++ b/image/measured-boot/measure/authentihash_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measure diff --git a/image/measured-boot/measure/measure_test.go b/image/measured-boot/measure/measure_test.go index 7c37fc864..a787d8846 100644 --- a/image/measured-boot/measure/measure_test.go +++ b/image/measured-boot/measure/measure_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measure 
diff --git a/image/measured-boot/measure/pcr.go b/image/measured-boot/measure/pcr.go index d44ea3271..f90ddeef2 100644 --- a/image/measured-boot/measure/pcr.go +++ b/image/measured-boot/measure/pcr.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measure diff --git a/image/measured-boot/measure/pcr04.go b/image/measured-boot/measure/pcr04.go index 5117860ee..6a343bee9 100644 --- a/image/measured-boot/measure/pcr04.go +++ b/image/measured-boot/measure/pcr04.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measure diff --git a/image/measured-boot/measure/pcr04_test.go b/image/measured-boot/measure/pcr04_test.go index 5b9e7f568..215fb5d8e 100644 --- a/image/measured-boot/measure/pcr04_test.go +++ b/image/measured-boot/measure/pcr04_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measure diff --git a/image/measured-boot/measure/pcr09.go b/image/measured-boot/measure/pcr09.go index 5a6f279e1..8013f3c39 100644 --- a/image/measured-boot/measure/pcr09.go +++ b/image/measured-boot/measure/pcr09.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measure diff --git a/image/measured-boot/measure/pcr09_test.go b/image/measured-boot/measure/pcr09_test.go index 759ad9e33..2462605e9 100644 --- a/image/measured-boot/measure/pcr09_test.go +++ b/image/measured-boot/measure/pcr09_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measure diff --git a/image/measured-boot/measure/pcr11.go b/image/measured-boot/measure/pcr11.go index 6f5d8d789..1fbc37887 100644 --- a/image/measured-boot/measure/pcr11.go 
+++ b/image/measured-boot/measure/pcr11.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measure diff --git a/image/measured-boot/measure/pcr11_test.go b/image/measured-boot/measure/pcr11_test.go index 5b73aec2e..ca94c16de 100644 --- a/image/measured-boot/measure/pcr11_test.go +++ b/image/measured-boot/measure/pcr11_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measure diff --git a/image/measured-boot/measure/pcr_test.go b/image/measured-boot/measure/pcr_test.go index 37487219f..d05f47b69 100644 --- a/image/measured-boot/measure/pcr_test.go +++ b/image/measured-boot/measure/pcr_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measure diff --git a/image/measured-boot/pesection/pesection.go b/image/measured-boot/pesection/pesection.go index 557851cf8..59b849e39 100644 --- a/image/measured-boot/pesection/pesection.go +++ b/image/measured-boot/pesection/pesection.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package pesection diff --git a/image/mirror/BUILD.bazel b/image/mirror/BUILD.bazel index 014001e9d..56b425add 100644 --- a/image/mirror/BUILD.bazel +++ b/image/mirror/BUILD.bazel @@ -1,5 +1,3 @@ -load("@rules_shell//shell:sh_binary.bzl", "sh_binary") - sh_binary( name = "update_packages", srcs = ["update_packages.sh"], diff --git a/image/mirror/SHA256SUMS b/image/mirror/SHA256SUMS index 796826902..ac3f22b4b 100644 --- a/image/mirror/SHA256SUMS +++ b/image/mirror/SHA256SUMS 
@@ -1,8 +1,8 @@ 37abef83e8927b4b48f69fcbdcc249d349c6029cc669401676d01f0ea326999e WALinuxAgent-udev-2.10.0.8-2.fc40.noarch.rpm -03b5889fecc19101fe5c5eb6105bded5705e16a7af957f92b6cc6a7a96e829a8 aardvark-dns-1.14.0-1.fc40.x86_64.rpm +eeca1e4f380330d602278b8069c03e0a712f9d7c1c9533c5869c66e5f5fce4a0 aardvark-dns-1.12.2-2.fc40.x86_64.rpm ac860c52abbc65af5835d1bd97400c531a5635d39bc1d68e36a1fe54863385ea alternatives-1.27-1.fc40.x86_64.rpm -b28e7d90ed3aeb6ca10ecb235b70534665011af35bd3677fb836b1e3cfa602a7 audit-libs-4.0.3-1.fc40.i686.rpm -accc1c623cc5345f983990416ad0f8d6028d63bc9f00bcb808688b2a3bb7caf9 audit-libs-4.0.3-1.fc40.x86_64.rpm +6d0cfcd0e97421b42af58a824c7e99a6cbcdd0e81980b4ea9e0d4051ef723db3 audit-libs-4.0.2-1.fc40.i686.rpm +f4ed40457780c13bebf84c1cf8981550da7e0e728e80250aed179eda8915bc7f audit-libs-4.0.2-1.fc40.x86_64.rpm e9fd8dd4c9068501c169edb684de7f6e38657548e9d4d1b838a4d6316e9f17cc authselect-1.5.0-6.fc40.x86_64.rpm db18a583ebde21d8b0b67f0306e25908b273bef9c532469ac0b7ab92578438f4 authselect-libs-1.5.0-6.fc40.x86_64.rpm 6404b1028262aeaf3e083f08959969abea1301f7f5e8610492cf900b3d13d5db basesystem-11-20.fc40.noarch.rpm 
@@ -10,24 +10,24 @@ db18a583ebde21d8b0b67f0306e25908b273bef9c532469ac0b7ab92578438f4 authselect-lib 208ddebcd5edbff3dca54020a8a180f5410ea9b2d82c733e106992a729b4b84e bzip2-libs-1.0.8-18.fc40.i686.rpm 68a43532d10187888788625d0b6c2224ba95804280eddf2636e5ef700607e7d0 bzip2-libs-1.0.8-18.fc40.x86_64.rpm 1afcf80d5e7b22ee512ec9f24b4f2b148888ef95af3486cf48f2204c3406b12d ca-certificates-2024.2.69_v8.0.401-1.0.fc40.noarch.rpm -a9af8b72483b4ad6489e6d2492161120809453373edaf24722cffb394bd1cd15 catatonit-0.2.1-1.fc40.x86_64.rpm +99d4976979c8b9d18c9d2d686de77882dc6a4e72ebfe358fb9a37a83f0ecdc90 catatonit-0.1.7-22.fc40.x86_64.rpm 588a2ab4dd93d58ca8b8d2c2d0b5e2c52007548c3fdd06f5ca1ab415ee236d86 composefs-1.0.6-1.fc40.x86_64.rpm 5935816e8d377d0385e5287ca12e4d3b43e3c3cdc9cc4deafa653a6dba78611a composefs-libs-1.0.6-1.fc40.x86_64.rpm db246f6445469b5a71e965a081685471768393cf04181e7250ce0ddcb8a9c3d4 conmon-2.1.12-2.fc40.x86_64.rpm adf4b75cdd9fae9d2d37fb71d9f0bf625a6705c0f0a7784569ab21463fe22152 conntrack-tools-1.4.7-7.fc40.x86_64.rpm -b84841f98b3c14d68da5a4021f10973eb5fa6566e63f4933e40a0c91aa134ce4 container-selinux-2.236.0-1.fc40.noarch.rpm +621302b0ea9cdd73d5eea4d30935cb415143df1649cd8e92424e967ea98fc34d container-selinux-2.234.2-1.fc40.noarch.rpm bbe29e0c7b4ca076d50b4ac3954eb383459230d96b13f353ee71ebd5de33b6d1 containerd-1.6.23-5.fc40.x86_64.rpm -46f035201c84f65f6b9fd549adbe1c4aeb5f5972e69bf6537c05e7cc20587a4a containernetworking-plugins-1.5.1-2.fc40.x86_64.rpm -8c6676fd3d9cb966e68da46dc8bc3a81ea6f2ccb697f75a284a9c9b868489789 containers-common-0.62.2-1.fc40.noarch.rpm -70956b80c95cd582f6d5410c555a1f7468b13c1f022bb25856a6a1a59f4279e3 containers-common-extra-0.62.2-1.fc40.noarch.rpm +0705251ea64b1558098016b2120f202c5aba77470093cb8f89ce6adb2a0b46b6 containernetworking-plugins-1.5.1-1.fc40.x86_64.rpm +3e35525e9224d3427f10343c98036b251fac34bf67c9007335561d846736d0d5 containers-common-0.61.0-1.fc40.noarch.rpm +b0740195d12d356e5637b83ece8650fc3f764f37e734678a07cb637fb14faf7d 
containers-common-extra-0.61.0-1.fc40.noarch.rpm 299d3e7e1cbc110d9ae8a47f6ca95142c3e3783cb1464bfbd6bc550c414b97ec coreutils-single-9.4-9.fc40.x86_64.rpm d941a78ffb6e2e0b4c24d0097d0351ced8796edde90208b4bddee459bce0a949 cpio-2.15-1.fc40.x86_64.rpm faa23cb6a7a612c0a6e874c788c5add967c5e193bd38c2e6093b82b38a162f81 cracklib-2.9.11-5.fc40.i686.rpm ea1f43ef9a4b02a9c66726ee386f090145696fb93dff80d593ac82126f8037ec cracklib-2.9.11-5.fc40.x86_64.rpm fe24641e69545c428890a4b094f015c03f65a6c30c3db7bb0de7672bab66bfd6 cracklib-dicts-2.9.11-5.fc40.x86_64.rpm -cb6318cb928c70696f1fc3a79469c0343905b4b69c5d9789e9932b10b4584357 criu-4.1-2.fc40.x86_64.rpm -05a1dbc9f2e3585df8f9930327a7e6f7f59b396359db92787086e1fdb73634b2 criu-libs-4.1-2.fc40.x86_64.rpm -0a8ee60884b6739bc0fffed6c47a94eae524e73cbd9c942420f6ffdfcd39086b crun-1.20-2.fc40.x86_64.rpm +f3f3e5f6a1c1bee67c0c6598a48143c36827f90a095897d649580a174468cdbc criu-4.0-1.fc40.x86_64.rpm +bbdb6014e2bd87db1bb2d4795a57cbb08bfdb03777c2b9730a3f45f7977fc4c9 criu-libs-4.0-1.fc40.x86_64.rpm +d388aa1a184a3ed04c68a39f81a9dcc39088b1f279d49d3631db608da6611937 crun-1.18.2-1.fc40.x86_64.rpm d7a62ff0193375607d28d8fe7eedf3ff5b6ddac154e1474d79787b9f32ae298d crypto-policies-20241011-1.git5930b9a.fc40.noarch.rpm 0f1d436f879fa30f18adca576a1f91bb1a8d1ac42cff5f35c1d15e6dffc506fa crypto-policies-scripts-20241011-1.git5930b9a.fc40.noarch.rpm 26aadc06a9f98c58ca6250d811e749ee5fa76059b37445ec28b50ee73d548174 cryptsetup-2.7.5-1.fc40.x86_64.rpm 
@@ -50,15 +50,15 @@ ac4f1b2eaf5d452512e7b6172c93880c2b501946b71a228adc02d50bb3fb56e0 e2fsprogs-1.47 2e2bf662f060ddd75195e9d3d5f08cdd5d9cc857df3a9bcc45608337ba314a25 ec2-utils-1.2-48.amzn2.noarch.rpm e6231ec4268b3efa928250eb4106311e0f33396422245b938bfed4ba2d79c573 efitools-1.9.2-9.fc38.x86_64.rpm 6ac676d78c2df896f9794a8dffb75ea69c58d202c68f4bcf084f0d264154a666 efivar-libs-39-2.fc40.x86_64.rpm -75a77fa962df4aabee266a1a48aeb4bf3a164dba31a597af23ab33c693a1c068 elfutils-debuginfod-client-0.192-9.fc40.i686.rpm -4b4b9b5c7e4ceaf65cb473089f87eef07cbdb7254425f60219c5b6412ea7da94 elfutils-debuginfod-client-0.192-9.fc40.x86_64.rpm -633b68d0b697c585727d07f4a3c5e4ba536841a8717eaadc552fc10e61d3b86a elfutils-default-yama-scope-0.192-9.fc40.noarch.rpm -fde3769dc677f0a76ce96058c3032f6553809f4809509842b9523a13e90913e2 elfutils-libelf-0.192-9.fc40.i686.rpm -f7778242b3242fab35a5e0c4f0919ca9823a47c7b296f274ff312cc2c49ba6e7 elfutils-libelf-0.192-9.fc40.x86_64.rpm -a322c6f44f82bc21558f3bb7afc694dbdc28a41340280d3a2c5da2656a339d2f elfutils-libs-0.192-9.fc40.i686.rpm -184235133a6873a42b72d2d88657f12dd4b4b603fd5058fbd02daa0a7308f69c elfutils-libs-0.192-9.fc40.x86_64.rpm -a09546cd7e26c630765f4acb93942a2c70524107a50e20761eb0898b8a80b6cb ethtool-6.14-2.fc40.x86_64.rpm -136ed00bff4d44ab7bd6d0926c4b80c2f5ee9160dc4f698be988ca3d37303b4d expat-2.7.1-1.fc40.x86_64.rpm +d4b391ee444de66794804962e441ccdba74e75630a2abbcc9a14b7fd2f7cb535 elfutils-debuginfod-client-0.192-6.fc40.i686.rpm +60befd76c16ce28b1f065fac31e88cdb74d5219421587fcdde2b46abace803c0 elfutils-debuginfod-client-0.192-6.fc40.x86_64.rpm +467cc1d14f1e6ca0a3b893c087ba5ecee2ec44c33b7455b6ad9cc9b2aa1f2f54 elfutils-default-yama-scope-0.192-6.fc40.noarch.rpm +5c4abd06417a9bed0a93adf00ef7a9195101069445fe7f2873408b3d4010a760 elfutils-libelf-0.192-6.fc40.i686.rpm +98d770d563c5898abd6847e728dd793f6ee985904020084c62c7568463614428 elfutils-libelf-0.192-6.fc40.x86_64.rpm +61f3912d147750749d3b4b5031d0f2ca95fa21615a36bd55ea4b4b9be0493e02 
elfutils-libs-0.192-6.fc40.i686.rpm +f215ebf2e586330f93c52b228c98912a0b42db9ceeff830b611817401a84252a elfutils-libs-0.192-6.fc40.x86_64.rpm +95cf8ee199b2e1b3471f920ebad57d3d8178f5e68d37ee35a8a94727473ec8d3 ethtool-6.11-1.fc40.x86_64.rpm +3a5ba168021a01107d6dd4dc7cffe8bb5553c64f236c436979b9fddfdc4cb59d expat-2.6.3-1.fc40.x86_64.rpm 849feb04544096f9bbe16bc78c2198708fe658bdafa08575c911e538a7d31c18 fedora-gpg-keys-40-2.noarch.rpm 8f0a56982aa10b607bd3b8009e91bac1a7d9b7ba40eb4435ff9bd9efe7e5e76e fedora-release-40-40.noarch.rpm dde6f4b5d4415ce20df40cf1cb9ff3015aa5b1896c5b5625e49aa686cdce1d1d fedora-release-common-40-40.noarch.rpm 
@@ -80,25 +80,25 @@ c4cc69bf3a2655b9ee9ac23492d377bac57811c5b4f81fbf43537520ee33c7af gawk-all-langp 40337d9167737abe23af9c6b586b883f33cc82028d69b29c1d68b524201d9248 gettext-envsubst-0.22.5-4.fc40.x86_64.rpm 554a68e692ccdd0cf71ea67a4c550bac910685465f17eee503732d48ccda9c90 gettext-libs-0.22.5-4.fc40.x86_64.rpm 046971e9f5f0c88737854e1c9e02cce8f5854633575984b235cf3f8b11ec7b91 gettext-runtime-0.22.5-4.fc40.x86_64.rpm -6afaddcff936e900b9d3ab379ddac5c8dd0aa323924b973bf2fa9fc819dc3638 glib2-2.80.5-1.fc40.x86_64.rpm -ee01787bf89f4f3b1ee7dc269844bae2fc672b1af4ac5e241e570391fbeeab3b glibc-2.39-38.fc40.i686.rpm -b64c709529bedb9d3e62c892fe79b67f186c499d54d1e7985713ddb5fded7a59 glibc-2.39-38.fc40.x86_64.rpm -5cdec5bdfe58752fca36279d5cd25e08a6b37a086020f2573937304a5b770dc6 glibc-common-2.39-38.fc40.x86_64.rpm -e8ab57f139980b93c17a9598a40cac5a81be37216526be8115235a57ce5a9df7 glibc-gconv-extra-2.39-38.fc40.i686.rpm -4deff99dffc791e504d9e1d9b5c19f3a053a14291d2168ffd33fdcd24180323b glibc-gconv-extra-2.39-38.fc40.x86_64.rpm -8556a19ce4e3a9977f2d1cdb2f1885eef6401140609264e2c50a8161874d22ac glibc-minimal-langpack-2.39-38.fc40.x86_64.rpm +0a32c6874ce180375c2c0b1e2f0c8fed38131a598e5c4ba3866cf3aee1f3f5fc glib2-2.80.3-1.fc40.x86_64.rpm +a2d94eb4028fad9789f0d5561b4c4a7a03020013af2a79be7aea3fb0390b8caf glibc-2.39-22.fc40.i686.rpm +726a1d707dfcf20d1f4c94f76bdba38d166eb574ecc2d83ec438bdc161f3ec27 glibc-2.39-22.fc40.x86_64.rpm +0b502c1140a1f6461dbd63d3daefedded6c705769476cec5e69466aab7693ea6 glibc-common-2.39-22.fc40.x86_64.rpm +c09983bc2c7fbc23e7e622739532b554357103d99161d458c4f0c5eabce5d8c5 glibc-gconv-extra-2.39-22.fc40.i686.rpm +c185634bd4f161c35292daa028823a607c78f1e71727b6c506d640771ddd88aa glibc-gconv-extra-2.39-22.fc40.x86_64.rpm +e99290c1fa76536f0bb0024dbe14527a6d5efcf00436493f705a75c6f76d3df3 glibc-minimal-langpack-2.39-22.fc40.x86_64.rpm b054d6a9ee3477e935686b327aa47379bd1909eac4ce06c4c45dff1a201ecb49 gmp-6.2.1-8.fc40.x86_64.rpm 
0a8b1b3fb625e4d1864ad6726f583e2db5db7f10d9f3564b5916ca7fed1b71cb gnupg2-2.4.4-1.fc40.x86_64.rpm 4425dbd35ab65f25b092d12ac56c4b565371a1c52ac882c8896dbeae7d52bbb1 gnupg2-smime-2.4.4-1.fc40.x86_64.rpm -74f185a772b22db0d41b69d63d1fa4a78840bc32359ce47729dbd54d297ffa77 gnutls-3.8.9-1.fc40.x86_64.rpm -9a463e49371c05bce6713fd4956ff3784db265485260e6151d3eba444ad41f42 gnutls-dane-3.8.9-1.fc40.x86_64.rpm +4289ccbb44e4a764ef6f58593a56f2598c6821feebac52be6fa04c771eebf029 gnutls-3.8.6-1.fc40.x86_64.rpm +0e5c3c13d4c34d83453667a8011eab1859d0db5ff7409fba0dce3fbd68604226 gnutls-dane-3.8.6-1.fc40.x86_64.rpm f8510eeec17b9258de9a68ce15af21f3ea135b5e767f3bc9047f851d81dbac6e google-compute-engine-guest-configs-udev-20240830.00-1.fc40.noarch.rpm 94e443590221fb17e0330f076ebac32baab17b8d9c22566db372899ae750ca64 gpgme-1.23.2-3.fc40.x86_64.rpm 6d54af0fc5ae216eb97720415acda4245ebc6c021420a2892b58620b5b25ca38 gpm-libs-1.20.7-46.fc40.x86_64.rpm 8e2310f6cde324576e537749cf1d4fee8028edfc0c8df3070f147ee162b423ce grep-3.11-7.fc40.x86_64.rpm -46bc4d8d62eeb1fa3275898d44a30643260f4dda2d3d2a3992f879e4c7df26c7 grub2-common-2.12-16.fc40.noarch.rpm -c508cb9605baa6a0751feda2d23e9a65a4d11538d6d108c295562eac65c63ab1 grub2-tools-2.12-16.fc40.x86_64.rpm -0c6bb04c6e81d368793c03bab2ec736c3ea63aaea9dbb64d4a94b12b35320bdb grub2-tools-minimal-2.12-16.fc40.x86_64.rpm +cfdba55bf65221d4cb6574e18586340f813ee948fb90f94088ab730a8cbd4400 grub2-common-2.06-123.fc40.noarch.rpm +a265c8c4acac4c2a3c5f63f98df89e689b87f6f6bcceac1c83882d9cdab90eab grub2-tools-2.06-123.fc40.x86_64.rpm +3ff26313487d9656195f2e121eb57ea6411deab71b0ec3ae57f11785ba86f330 grub2-tools-minimal-2.06-123.fc40.x86_64.rpm 6a146fa9b154e67eb67eeb258df37814a863997c87171fdc2bd771e5a46b1cc4 grubby-8.40-75.fc40.x86_64.rpm 6dcc2f8885135fc873c8ab94a6c7df05883060c5b25287956bebb3aa15a84e71 gzip-1.13-1.fc40.x86_64.rpm 7ea61bdaada7c1ab5b8567e054a73e2cb3ca6019e3db887049998fed7eea8514 iproute-6.7.0-2.fc40.x86_64.rpm 
@@ -119,8 +119,8 @@ c8e382e9de90e6946dd9bc2f706d6c307ea4ebba3eca91a283f1bb72b5b3ac9c kbd-2.6.4-3.fc 42994ac67877595861b55adafd75ab3ce02d397e2ccddac8fb40ec0fecb4436b kmod-libs-31-5.fc40.i686.rpm 53dd95341767a2ea40b68e4621a231883bd5b69426f0920ce1f1ca94e18765cb kmod-libs-31-5.fc40.x86_64.rpm 9a03b21936528f6d08700757cb460c48e9557a71efaaa5e93b01b3f7614320f3 kpartx-0.9.7-7.fc40.x86_64.rpm -cd3402d654af18c421c0ae866ef668094cff5c032bb3f769606261eca8dcf8fa krb5-libs-1.21.3-3.fc40.i686.rpm -878a5a48835ecfec5fa04c7c7a1f24bdae7bd8e9aeca7b3f9dd97f6a23b9b41e krb5-libs-1.21.3-3.fc40.x86_64.rpm +821a2a47fa5ff1f9450f82118c812bc105f8afd5eb6a8e00523665c2a14a651d krb5-libs-1.21.3-2.fc40.i686.rpm +2db3a289d5a710b5f8ebbd603228d67ee59281622f086e3530efe8f2545057d6 krb5-libs-1.21.3-2.fc40.x86_64.rpm 6f2f0a522f2f10f273a77a60fdb7e066c14059d0a3676c9f723162daa7110b42 libacl-2.3.2-1.fc40.i686.rpm b753174804f57c3c6bae7afeb6145005498f18ae5d1aa0d340f9df5b8d71312f libacl-2.3.2-1.fc40.x86_64.rpm 74d72760c1982830358d676794ee3972ab05550fe7235ae9756a40de8266091f libarchive-3.7.2-7.fc40.x86_64.rpm @@ -147,7 +147,7 @@ c890a19d2c4a3da836bae1db40b778fe0339cd0d26bddfbe584aaccb1a0f1485 libcom_err-1.4 e3dc770fc4c48bec2da9ac948bcd43e053608d0397ad0a57056409a7d427289d libcurl-minimal-8.6.0-10.fc40.x86_64.rpm 700d56839e1bc16c08f71c505a7e62f655e4c18f4bf71bf2f36f3854f829e6f5 libeconf-0.6.2-2.fc40.i686.rpm 2ef764049e121ee2a9fa5d0296e6e2dd0abc7541040b8e49d67960bd9bde74e4 libeconf-0.6.2-2.fc40.x86_64.rpm -7a91572e9639617937c13cd103ac5571075f37fa533d796be108aa8a4937432d libedit-3.1-54.20250104cvs.fc40.x86_64.rpm +b003de79beac86385d212fce137417439e8ec7cb863115d560e02834c84efd1e libedit-3.1-53.20240808cvs.fc40.x86_64.rpm c4adcee5dd9e22ea50d6c318ac4936a8df708121741958ce5aa8f038c46c61a9 libevent-2.1.12-12.fc40.x86_64.rpm a1ba3045c99ef1b266383f0801731a68f9e0cb069a6c808267ad33b759381907 libfdisk-2.40-0.9.rc1.fc40.i686.rpm 17f02ca51b90580887d739f52b995034e0929fc6bcd92be308554a2f5337bbe4 libfdisk-2.40-0.9.rc1.fc40.x86_64.rpm 
@@ -160,8 +160,8 @@ cd073c42cb4dfcd224e9b4619883f2c7923ab0b083d7c90b01e3052c89f6b814 libgcc-14.2.1- 10c4c12c6539ffea68974cd9b57013d471ac35fe3bef4833c0a22f6b29fbf489 libgcrypt-1.10.3-3.fc40.x86_64.rpm 03d5f4d139dec2e7c94714b1b9f59d37236dbda9f09271bdda99c71251f15f0e libgomp-14.2.1-3.fc40.x86_64.rpm 8d0a9840e06e72ccf756fa5a79c49f572dc827b0c75ea5a1f923235150d27ae2 libgpg-error-1.49-1.fc40.x86_64.rpm -4fdafe5a28dc18a892713cc2071a46cbcb6561c9c62e10f20f04b0e562187228 libidn2-2.3.8-1.fc40.i686.rpm -63a08c0cf18474582a3e62367b5b4275d079e883e40f4cf32cab7afc316ec2dc libidn2-2.3.8-1.fc40.x86_64.rpm +677a67726c759c94faa94475185e46d028f171c9215390ac601ccd914188afb2 libidn2-2.3.7-1.fc40.i686.rpm +2fd2038b4a94eeede34e46ed0e035e619f77d0e412c70cf4e9bb836957e8f31b libidn2-2.3.7-1.fc40.x86_64.rpm 98b0d9d25bd93c7061ce50480e214944a02d7de725e1d31f4461604380ffb74a libkcapi-1.5.0-4.fc40.x86_64.rpm 84977f5f157172dc7642a3f6602692bb6323b4b106c69f7081882e6c6a81a346 libkcapi-hasher-1.5.0-4.fc40.x86_64.rpm 906bb224af7b2e1ea64c258c6978a610b899b0af5be572ce1c09e36ec58b8a79 libkcapi-hmaccalc-1.5.0-4.fc40.x86_64.rpm @@ -189,7 +189,7 @@ bb9ceaba0d3283777777524e8c99b8eaa2155e9000d8e3ef5d0ece336f8c1392 libpsl-0.21.5- 210e797a265da7111c1a59eca95f9e301ad05c5c8772aed54af9363e5684950b libpwquality-1.4.5-9.fc40.x86_64.rpm 571fad7baa286ca36a2b2cdb171d22142ba82b99663ec0408b5db99514773956 libseccomp-2.5.5-1.fc40.i686.rpm 91668f5d08a663948c7d888d7cdef3248285c5d9fbe369ae031d7ca31c6e398c libseccomp-2.5.5-1.fc40.x86_64.rpm -e4d4e12303eeee24bd19b7c1010abf5a275577f5c6aa59ccbd15887e0f5f09ee libsecret-0.21.7-2.fc40.x86_64.rpm +280edce0c5cda3a725edaca0db10a16d1c4b24b849a8ddfeac066ddb84057e6e libsecret-0.21.4-2.fc40.x86_64.rpm 69161fabb22dd4c5c8aeab0b6465dafe06117ce5173aaf4dce425a10cb11c434 libselinux-3.7-5.fc40.i686.rpm 2070bdf786c926400739254f08568ccf564ce613ddacacb36b6a9a499345aa5e libselinux-3.7-5.fc40.x86_64.rpm aca271d814ee3be14c09963985011c201315a186d3e3b634af8d59cd5eb01208 libselinux-utils-3.7-5.fc40.x86_64.rpm 
@@ -202,13 +202,13 @@ e9c3e9e3458af7a2f9b5cd6bc45020bb7f2c6cfbd0429b0b1853928bd3e02004 libsmartcols-2 45d032fb4d59ee0f6a921dd1f0addfcdd38fc46917243fdd6248194ffddb9067 libsodium-1.0.20-1.fc40.x86_64.rpm c8bbfa2762cc601f8a97d8d5a39a658f0e91ba477ebebd798b30f7fc8ffdd457 libss-1.47.0-5.fc40.x86_64.rpm 89e7282e0a94d641871dfed423ba2ce6f8b088eaf9aabdea1805708bcafa6a01 libstdc++-14.2.1-3.fc40.x86_64.rpm -3d6ff1e90b4b19de401ab45df9c5bb6e171c34a5b415a7e10e3282332a4cda95 libtasn1-4.20.0-1.fc40.x86_64.rpm +d92173d6fbfb7e2af3b35a8554229e247666e15dc5b36cba43b7bbfc4144b781 libtasn1-4.19.0-6.fc40.x86_64.rpm 9ca680998686ee852fa8e1667cd6e7c436bfd5fe7da898bd314d808303d447f8 libtextstyle-0.22.5-4.fc40.x86_64.rpm -189e8f25a80a67db1722cb42f2800235df3eadd9cb93d3bcd13853bf09122d5f libtirpc-1.3.6-1.rc3.fc40.x86_64.rpm +a660c40fc2af9578a7cf283bd18df6ae00d68f25b7d102f4e4f49a3805f6c575 libtirpc-1.3.6-1.fc40.x86_64.rpm e5d150d23f95e4a23288b84145af442607a88bf457c0e04b325b1d1e8e708c2b libtool-ltdl-2.4.7-10.fc40.x86_64.rpm e541a1c8397dccf159b3602eb6bbb381ba21c544db337a3b3bfc49ccc2ef5c21 libunistring-1.1-7.fc40.i686.rpm 58719c2f205b23598e31b72144ab55215947ad8fca96af46a641288692c159d2 libunistring-1.1-7.fc40.x86_64.rpm -0fa1b7d1f6f5bcd1c2f2785e6571a7c3e63662efd50ba32fd1996dac9dbb4de9 libusb1-1.0.28-2.fc40.x86_64.rpm +bc60959e98e5f690bc3df03bfa8afee2d0cf28e794c4e3c52f19769885771321 libusb1-1.0.27-4.fc40.x86_64.rpm 896d671852ed3f28e8c778dca361c5b5c57a89855df11755e6be1d088f64d43a libutempter-1.2.1-13.fc40.i686.rpm 0093a8d3f490fbbbc71b01e0c8f9b083040dbf7513be31a91a0769d846198c1b libutempter-1.2.1-13.fc40.x86_64.rpm 5aaa12bba361ae29b2a6b35c4b21da935423bc2ad763eaa8267008c7a533cb3c libuuid-2.40-0.9.rc1.fc40.i686.rpm 
@@ -217,14 +217,14 @@ e541a1c8397dccf159b3602eb6bbb381ba21c544db337a3b3bfc49ccc2ef5c21 libunistring-1 b6db3e72ae6575127216145c1f65414ea94acd9db26d08c5081cb5d786101c1f libuuid-2.40.2-1.fc40.x86_64.rpm bea578631618692ba5e302beadfdf6d5894e23e5bddaea4b4fca2f377dd1aaac libverto-0.3.2-8.fc40.i686.rpm fadf7dd93c5eee57ba78e0628bf041dbd2ea037ace52f0a5cbac55b363234d27 libverto-0.3.2-8.fc40.x86_64.rpm -c87a32fd07fd5be227320177ddf61b89c9f14f06d0895e9ecb9a9977b8f6495b libxcrypt-4.4.38-7.fc40.i686.rpm -27f89188ec9f4b1e1e96275f7d2760c342b4cf0a28e7cbccd893d98418d1d060 libxcrypt-4.4.38-7.fc40.x86_64.rpm +a0036606133ba74df47cba7f5349a024bcb6367150a5450ac414508c67d852a9 libxcrypt-4.4.36-10.fc40.i686.rpm +0d93dd9ea48dcfe8f9ecdfc3ec8ac736635334e23fc1cf8ba04e562e0637de17 libxcrypt-4.4.36-10.fc40.x86_64.rpm a17f9a8894a00ee97a42219b3b21d64bfb850d74059d89ae299210bc477e8967 libxkbcommon-1.6.0-2.fc40.i686.rpm 1f1d0c1e1132016735acc6fc3390102b35f9eb257244547c7b61c32a9c2314cc libxkbcommon-1.6.0-2.fc40.x86_64.rpm -12fa7bdef4a5d95b78a38152a0c90b42c0cfc1a1b7c80fa25f4ccdb7c13cf849 libxml2-2.12.10-1.fc40.i686.rpm -a8ee5e5e972ac86d383bf2798db45f41a22b23d76a0fdef698ddd92076589ff5 libxml2-2.12.10-1.fc40.x86_64.rpm -9007aa6bc776262992172e3f24ea2528cd4f65fb82f2c2d01e27f53f79c5c6f7 libzstd-1.5.7-1.fc40.i686.rpm -ec5650e3822d102bfe6bbebc7468a711128ef695f4bd06748ce242b8378d8b7b libzstd-1.5.7-1.fc40.x86_64.rpm +302104acbc7b094958be4f764c14f738462fdb381fc38aac63e0e7eaedaa82a7 libxml2-2.12.8-1.fc40.i686.rpm +ed8d18570524445954dae5aff6239d9cc987cf8b3313fcd48c42f1b79b8eb247 libxml2-2.12.8-1.fc40.x86_64.rpm +cd866911efd52e3a70655df3da9d71ad2f4a326463aeaa381493a7547e14871d libzstd-1.5.6-1.fc40.i686.rpm +bed3075b9ff919eded25cb45e9e03b8a7c63bcc8e893ec28c999aecaa68c51d3 libzstd-1.5.6-1.fc40.x86_64.rpm 81409455da42a5ffdcf5b8cc711632ce037fec25d5ae00cbfda5010c9db04157 lua-libs-5.4.6-5.fc40.x86_64.rpm 2d1da8faf26c647a7299f840cfa199f20415ceb99a4f694ac3cd07f645f02cf5 lz4-libs-1.9.4-6.fc40.i686.rpm 
f5f022440c4340b5e7fb1c1dbc382e6b0fd57030b3ff056940f2bb3d254408ec lz4-libs-1.9.4-6.fc40.x86_64.rpm 
@@ -233,31 +233,29 @@ f5f022440c4340b5e7fb1c1dbc382e6b0fd57030b3ff056940f2bb3d254408ec lz4-libs-1.9.4 03fbefea8c8d8465cf1caf66870fb935292ee18b4ca341853b5576ca9c7801eb mokutil-0.7.1-1.fc40.x86_64.rpm 0a3a3fc2471d2d64cbc85f4b23c93620df6eeee814851a2b69fc5ddf75406b56 mpdecimal-2.5.1-9.fc40.x86_64.rpm bc873693a8b8423d7f82e329abe207c9160a4c746fea9a32ef2a6ae8c912f227 mpfr-4.2.1-4.fc40.x86_64.rpm -8a7312e49b3ddec619dee7d1067b72f9105f34d9ff988be0e8b8a76091a8b8fa mtools-4.0.48-1.fc40.x86_64.rpm +9dda076af2bb08f06df9f73ce682b8e417deb7bfb900581d519eeda247a442e9 mtools-4.0.46-1.fc40.x86_64.rpm 7dfae7d898dfc40f3fe1fc66104cf31e434e866fec4d4944b55952d7f2f16657 nano-7.2-7.fc40.x86_64.rpm b404c27af03bb1e43fb0dc472d5a1fa152e0563fa2e4eefa29199c47578a829b nano-default-editor-7.2-7.fc40.noarch.rpm 8a93376ce7423bd1a649a13f4b5105f270b4603f5cf3b3e230bdbda7f25dd788 ncurses-base-6.4-12.20240127.fc40.noarch.rpm 39bba59320e6276a3b7b07bc94d319511bdd7d32ba098fd49723f4d542794d41 ncurses-libs-6.4-12.20240127.fc40.i686.rpm a18edf32e89aefd453998d5d0ec3aa1ea193dac43f80b99db195abd7e8cf1a04 ncurses-libs-6.4-12.20240127.fc40.x86_64.rpm -60d1e0058d38ab2ea6b08f59341e7db34c8bec37a387ad5c0565bbc38d5170fd netavark-1.14.1-1.fc40.x86_64.rpm +f1e77a65e098b105ce6a47e386de84937217ed72a0c47f2568ae11da0ea7d75d netavark-1.12.2-1.fc40.x86_64.rpm 16172412cfd45453292e18f84fc57e42a3ce92aca72b47ef7e15b44554049cfe nettle-3.9.1-6.fc40.x86_64.rpm 188ce5004e6ed764b4a619b64a4a0f36f1cc4fa919fe0a300599ff1171844144 nftables-1.0.9-3.fc40.x86_64.rpm 784e0fbc9ccb7087c10f4c41edbed13904f94244ff658f308614abe48cdf0d42 npth-1.7-1.fc40.x86_64.rpm f814bc09b50daaab468715088ec056373dbc209a5075306e4ce76f5c55eb2b42 nvme-cli-2.8-1.fc40.x86_64.rpm -a0eecb082db491d57bfab6047b2611a10150d47a8f50fd05f98ad2f01b0dee54 openldap-2.6.9-1.fc40.x86_64.rpm -49e3e1c7d82ab28b1ab79bb2655a95cadeae2295f5543db8a07d74e090bcb90d openssh-9.6p1-2.fc40.x86_64.rpm -369b4d6e159a53afe9d2803d927f0523ceeae0822353aa8f0d81d0e3211b0788 openssh-server-9.6p1-2.fc40.x86_64.rpm 
-bffa85f8feadf0bf5f7a8cea9ff9f5e49266959df6ae4d61cf929054c09ec2f8 openssl-libs-3.2.4-1.fc40.i686.rpm -a1b67803e7afb5e16d977e49b8e63c50537bbaa6b261ab10348d55a54b1562dd openssl-libs-3.2.4-1.fc40.x86_64.rpm +b09089231ec94ee1b2dc26e34d8d7f19586d411bc40df7d0e495e559ac2d871a openldap-2.6.7-1.fc40.x86_64.rpm +5df04d37e492e5f107cc21e547240f9f98b0b7613320467bc0b08f6aa1b0fb88 openssl-libs-3.2.2-3.fc40.i686.rpm +e9fca52d76eb6277b9fec3238226faafc0938806318fad1143a527fdd28a16cf openssl-libs-3.2.2-3.fc40.x86_64.rpm 9f0336deb6f1b1524ec48d837622e7e2291995369b0356d7ad1e1d427f3b659a os-prober-1.81-6.fc40.x86_64.rpm 70fba929aab38a9d69a457cef1b01962161a1df2b78dc5a4e86ff4b994b51079 p11-kit-0.25.5-1.fc40.x86_64.rpm c728dbd90872b7597a8ace70a70555bff576231bb6dbde14b75626d601706af8 p11-kit-trust-0.25.5-1.fc40.x86_64.rpm -b3b261e448a25c6550f050ca1813509dd6edbb10f22c02a535548332435b6bc4 pam-1.6.1-5.fc40.x86_64.rpm -753d7b5a6531eec7689414dc1a4ce76ba4d327b8ad0363a9298ee67b565c1d95 pam-libs-1.6.1-5.fc40.i686.rpm -6ca8efd0b2a26cc51917c1c81260d919ef7760f0e0770dc872a78b1b829299cd pam-libs-1.6.1-5.fc40.x86_64.rpm +374bd91b0fb10dd09d543a1aab6328d3801bd9a0bdfbfbf0b594ce79ab3423ce pam-1.6.1-4.fc40.x86_64.rpm +b6251990de342b9f4de8ab7360de435751c0b3e524ea6e1ad78a294d7d541483 pam-libs-1.6.1-4.fc40.i686.rpm +227f1d93b7125b5a71def58146ddaa0853bd489da6707f0564482e290e77930c pam-libs-1.6.1-4.fc40.x86_64.rpm 9bbce784622e02af0371ced8e9a7d26adba7eabd66ecfcb8bbe2d24cf616e3c1 parted-3.6-4.fc40.x86_64.rpm -fa10fa559403d57df8c8dabd9cfd765f020216ca03d2116c861aa7cf7a97b27a passt-0^20250415.g2340bbf-1.fc40.x86_64.rpm -b8892365092573b21fc84ebd084b20f6f62e848ac19720ea8a9e0c2fd64176c4 passt-selinux-0^20250415.g2340bbf-1.fc40.noarch.rpm +02c01edaee6fe2af5174562387d530b73ee40e39dbe108ab4553de82228f6621 passt-0^20241030.gee7d0b6-1.fc40.x86_64.rpm +7909af3b8d248c344693b4f7893172d465fde6d1fb8d719f1179f8c971cb786b passt-selinux-0^20241030.gee7d0b6-1.fc40.noarch.rpm 
a0fb808d6b7ff8cd9cfdc1a60f213851cecdcace334d6e5aa1e0e54b81d79a25 pcre2-10.44-1.fc40.i686.rpm 73e50df09266fcffda9c24a3738f579dd365c2c187c294da054ef9915edc3851 pcre2-10.44-1.fc40.x86_64.rpm dbec699e88d42fc6fb1df0a8c0b9023941ed1b1b7625694253a612eaf9f2691d pcre2-syntax-10.44-1.fc40.noarch.rpm @@ -267,8 +265,8 @@ f796a31cad58f4ebea8787020868581d9a721297ee0ef6a7c63a7f8444f60c17 pcsc-lite-libs 5443db8875acc0c1c436dbe1ed62b776543e049b8d9c7e33198379d367814093 pigz-2.8-4.fc40.x86_64.rpm cb7c5036f1d25c696de23a6670cb64caec9945116fb0c9a93555414746ecf253 pinentry-1.3.0-2.fc40.x86_64.rpm bbb4abafa9f7664e21350b56d49af2c928288e6d4dd68c304c4ab5d45b2c8ad7 pkcs11-provider-0.3-2.fc40.x86_64.rpm -ecdf5f33e98a3c94426efc2176d382899d08d632e05dafc2e7fd18549337ef75 podman-5.4.2-1.fc40.x86_64.rpm -f6291fc1fd3ececcd23c9e693ae0d309d66d57cc2de5d3d389235604804c1c2a policycoreutils-3.7-7.fc40.x86_64.rpm +f2401414fa396e3b86471c311008383bcf51755aa30697c72147892a50de8894 podman-5.3.1-1.fc40.x86_64.rpm +8a0ee0be826338862ecd65d04032b43122cda333ba6bb6891b2ae6aed5208832 policycoreutils-3.7-3.fc40.x86_64.rpm 30a4f9d3631aaa1280c93ce4305847a9773973aa312e1802d1cd676cb2421689 polkit-124-2.fc40.x86_64.rpm f47bc65177a8b160916c00df9c84442afa1dd353880b3c0503d5a0b052d4956c polkit-libs-124-2.fc40.x86_64.rpm b7decdd8a6fcb175fea2bb39bb1dbecad1ba820c365bab5a273a7b3982e55157 polkit-pkla-compat-0.1-28.fc40.x86_64.rpm 
@@ -276,31 +274,31 @@ c03ba1c46e0e2dda36e654941f307aaa0d6574ee5143d6fec6e9af2bdf3252a2 popt-1.19-6.fc 8a414572157d7e450eddcdc909521e09373289cc7a48ebc15f7b0c9922c17262 procps-ng-4.0.4-3.fc40.x86_64.rpm af85755cda79959a19161ebc26a45e507003298bd97b472b9ab0d512afa5e46a protobuf-c-1.5.0-3.fc40.x86_64.rpm 45ff2e9814aa059f323b23710c73309d41d36306667a3004f5fbb86b0cab4484 psmisc-23.6-6.fc40.x86_64.rpm -c000cbb0a7df2c0c61559ab3f3732eacd163b171673298f4ec043cb6d223f364 publicsuffix-list-dafsa-20250116-1.fc40.noarch.rpm +cca50802d4f75306bc37126feb92db79fed44dcdabf76c1556853334995b9d3b publicsuffix-list-dafsa-20240107-3.fc40.noarch.rpm 7c703b431508f44c5184b5c1df052ed0f49b7439d68aa3597a9a57a5b26bd648 python-pip-wheel-23.3.2-2.fc40.noarch.rpm -bc9b15b36777510ccc9ddc3da363a3100990a235e998f3a50743cdfa50e92f5e python-unversioned-command-3.12.10-2.fc40.noarch.rpm -b0eced6eca5856ed3ddd031e8010e91975149cecf4b337fd3a8c82759a2344c9 python3-3.12.10-2.fc40.x86_64.rpm -c59ab2ff672f5e2d1be59dd22ebbe3fc86c88aca95247b1f84c9bf3d5b6c7026 python3-libs-3.12.10-2.fc40.x86_64.rpm -b593f10e736995a0a898d37a1e595ad04bf162e7f0e7c9994e3032a9d9bc8799 qemu-user-static-8.2.9-1.fc40.x86_64.rpm -72b6185e59a7b359df273e9fe27dc014c0856341abcd1c907c7810a77cc6980e qemu-user-static-aarch64-8.2.9-1.fc40.x86_64.rpm -7eace5bc3e601266452b8356207604012542a8cd019b576e6d2ab9306c6a8e4c qemu-user-static-alpha-8.2.9-1.fc40.x86_64.rpm -6baadf76d6111fabe0c40d9ef8956396ffd23175dadceff940356e1d447c9f0b qemu-user-static-arm-8.2.9-1.fc40.x86_64.rpm -284850c3af8faa4b7ae51b5d2c1c597e783945a20b950b7bc0a925d02538ced3 qemu-user-static-cris-8.2.9-1.fc40.x86_64.rpm -8b5d75d2839682691d130409ebf7142f3fafdb970348f3b5336876d38d4ab0b7 qemu-user-static-hexagon-8.2.9-1.fc40.x86_64.rpm -fef5e7fef2df6f85092383de73373e5d9c9eb241232281bb94c068564c7306de qemu-user-static-hppa-8.2.9-1.fc40.x86_64.rpm -742c694b0e8cbe8bafe2b0602bb38f17c31b80c04f7eb6ee7f104e97d60a1e48 qemu-user-static-loongarch64-8.2.9-1.fc40.x86_64.rpm 
-872255f64d77ccc3a5388ace420e1434c504e79e31442f58a1516ff752697641 qemu-user-static-m68k-8.2.9-1.fc40.x86_64.rpm -314453265e4fe55fd7b02e01d17c14c4f68ff23bf652ca251915d65ff9006cc4 qemu-user-static-microblaze-8.2.9-1.fc40.x86_64.rpm -decbbd27625256fe9930c908eaf18e6c852f15e47913b7ca071bea091737d5c8 qemu-user-static-mips-8.2.9-1.fc40.x86_64.rpm -f7d088b6b21089c66c24317de994bc65c5ed0f7be484518e72aefe0f74aaf959 qemu-user-static-nios2-8.2.9-1.fc40.x86_64.rpm -58129a9a88a231446ec2fba60c378438d0020e3c7d72186f40d65d06be12eb93 qemu-user-static-or1k-8.2.9-1.fc40.x86_64.rpm -e1c1dc5e5b1d39b52b57c2ebfbbbaa4ece91d986ee8065547bcfb2f6b4707b92 qemu-user-static-ppc-8.2.9-1.fc40.x86_64.rpm -8863c1d75d185ed71bcba9496d353467d064669a3825ab5fda7b4f964bd1a76f qemu-user-static-riscv-8.2.9-1.fc40.x86_64.rpm -d8e5cbc0354aef6bca8600aeeb5f64b4833bb3f90466e64c37695fd7822c5f4b qemu-user-static-s390x-8.2.9-1.fc40.x86_64.rpm -71663f59440aae47599d857f89fb2149952ec4f1bb1afbd83f7d6ea00ccc393f qemu-user-static-sh4-8.2.9-1.fc40.x86_64.rpm -bfef80139dc556e1834b424a346a69fbdc2c706e0158402d8ea6c42e04123bb3 qemu-user-static-sparc-8.2.9-1.fc40.x86_64.rpm -9a0f90c77539963e1657148b3fda7b91285abfbfba52893735b36971df338b6c qemu-user-static-x86-8.2.9-1.fc40.x86_64.rpm -ccf7dd55fc0101233b3384077b544b8fcf658b3febd0e062a687a7537dd9618c qemu-user-static-xtensa-8.2.9-1.fc40.x86_64.rpm +bcac955e69958e064669ed6e0a394bd9dd2c76e63f558a205ced18a9755012ab python-unversioned-command-3.12.7-1.fc40.noarch.rpm +6d8342314daafde5c5ec4ec2935e74edb9bea107dc8cd72642e322444f264c7d python3-3.12.7-1.fc40.x86_64.rpm +839d6dd1d8ac9b55f14b504eca5ac5e66b8330341608f7c9132cb29816116ecb python3-libs-3.12.7-1.fc40.x86_64.rpm +b406d07cf1eeac69446b2ac98da03a007d7becded2d27fc0dafb83a81de5f708 qemu-user-static-8.2.8-1.fc40.x86_64.rpm +3626a5964fd4640046d86d6a1519c63fec6108a766130745393b7132744c640a qemu-user-static-aarch64-8.2.8-1.fc40.x86_64.rpm +40cb646b14309ec33db43e68436b40b790a22740bd15c3837c5dbe6fe9ae218f 
qemu-user-static-alpha-8.2.8-1.fc40.x86_64.rpm +023e34e9d3b7d78a9c689a0c2d181be00437a3baeff9a0d2bc675f580093306b qemu-user-static-arm-8.2.8-1.fc40.x86_64.rpm +6d11781749da9f75554137063fa26a349887f8eca7a8cbe00c0723ea181a3feb qemu-user-static-cris-8.2.8-1.fc40.x86_64.rpm +850606227a7a7ecd6d507d2ebeef8bf1e26d324385e4dfe7abe7bd490249caa9 qemu-user-static-hexagon-8.2.8-1.fc40.x86_64.rpm +ceefcc4775d9af7c09c5f287615cee466bf826b77d601201a31ef2554b44d4e4 qemu-user-static-hppa-8.2.8-1.fc40.x86_64.rpm +588471c327509035b27d30949513feaa4ada0d1e1a32ee7f7abff598b8aa2821 qemu-user-static-loongarch64-8.2.8-1.fc40.x86_64.rpm +59b567426e86b0e09a21a5030e6e6dd94cea8cf241c61fade47bc18f5faa1eaf qemu-user-static-m68k-8.2.8-1.fc40.x86_64.rpm +59f1087535ef91ad95e76107fe4239d59542832b8e22c6e43ba9f3fe47d138d1 qemu-user-static-microblaze-8.2.8-1.fc40.x86_64.rpm +03a8264b957d3f37f976f1196dbd97f8adbe891f958090475a615cf871107ac9 qemu-user-static-mips-8.2.8-1.fc40.x86_64.rpm +52d96f0f549e0a0f8928cb3e4d774b3827a8008658eafbea38729f9da3f07f4f qemu-user-static-nios2-8.2.8-1.fc40.x86_64.rpm +7bf21f0df8c3f33b7b2c07692cb29d438549b3d508cd826f6d188e720796a656 qemu-user-static-or1k-8.2.8-1.fc40.x86_64.rpm +33c4b842c85431f142152208047f16c6146f9c4e2eff9888ab0b03133e2051cb qemu-user-static-ppc-8.2.8-1.fc40.x86_64.rpm +3825550e5282568d8faa59cae6d0952460b1c3092ed2b840adb0b4b21e32ae9f qemu-user-static-riscv-8.2.8-1.fc40.x86_64.rpm +b7eab37c189f8cbd42319a5400d81bc90ddb2af8e7d3872e2022918df52f59ae qemu-user-static-s390x-8.2.8-1.fc40.x86_64.rpm +be6e3bca2adc321a1c5c8cb82a05e78a49efc682e83fc564ddb8f8153ed35a48 qemu-user-static-sh4-8.2.8-1.fc40.x86_64.rpm +b46f72d356969cb61dc4f896bf8994bb1c757ec07de34df2929a541c5a46f421 qemu-user-static-sparc-8.2.8-1.fc40.x86_64.rpm +df2448a3cb41a5942f634ae04a8ff830f5250f5ed88a406d48d872bd10a8e0f1 qemu-user-static-x86-8.2.8-1.fc40.x86_64.rpm +c24272c85d0708d2828f763c8e699c1ea8585cbb19398938552267737c33b9ed qemu-user-static-xtensa-8.2.8-1.fc40.x86_64.rpm 
8d50fba416f81e4091b144748fff22665ee88699fdc4a372b905d999d05fd3e8 qrencode-libs-4.1.1-7.fc40.i686.rpm 93781052576cc40a2c203bbc1bf865189a11b2c82436e614da9811baedc082fc qrencode-libs-4.1.1-7.fc40.x86_64.rpm 3527582fddcb54892228658b3929ffbb89766941a9794e726216e0800ac05721 readline-8.2-8.fc40.i686.rpm 
@@ -309,52 +307,52 @@ dacd59edbe4744fd9f6823d672e01eff89f871e88537554f16c0a275a17d04e9 readline-8.2-8 c48c149f4aebfe44d649eea6f7a8eaa229dc8db71ff70b66c7403aa9bd072820 rpm-libs-4.19.1.1-1.fc40.x86_64.rpm 7bebda41ea91faf8cf8911a403c051eb59d444e60f8091d14d10987b713f39ff rpm-plugin-audit-4.19.1.1-1.fc40.x86_64.rpm d400a4e4440bea56566fb1e9582d86d1ac2e07745d37fa6e71f43a8fea05217c rpm-plugin-selinux-4.19.1.1-1.fc40.x86_64.rpm -ce3b3148bb617e132c2ae9a28cc9f1990f806bc45722489f4c09f4d90821b6cd rpm-sequoia-1.7.0-5.fc40.x86_64.rpm -216aedc28a4144469041eade68f57149e2a7ab91c5f4f46eba18b6fc6effcb73 runc-1.3.0-1.fc40.x86_64.rpm +9015e31297a54b708071d347b7877d885a2a97c3b18a89fa31f1481b6406eb06 rpm-sequoia-1.7.0-1.fc40.x86_64.rpm +d87be787717e442016af16c2e58d10f6cadf533cfb2a6e817e7cecf7bedfc1d8 runc-1.2.2-1.fc40.x86_64.rpm 5dbd069183076ed8048c839c31f713c0f6080fb9ebfdda92ac550030688e811b sbsigntools-0.9.5-6.fc40.x86_64.rpm 6a21b2c132a54fd6d9acb846d0a96289ab739b745cdc4c2b31bdbf6b2434a1a7 sed-4.9-1.fc40.x86_64.rpm -4ea87bc61621f2465a6db2bf14144acd37230132fc84a2d3af485067646e37e1 selinux-policy-40.30-1.fc40.noarch.rpm -428f1d37fc81965af5962d65b7232b6425db2ff3b3778475756e690acb04a51d selinux-policy-targeted-40.30-1.fc40.noarch.rpm +b4e188db51c7ec2d5f0cba79783eb2df7c14a92c2c6e55a9eb490d28d17d123d selinux-policy-40.29-2.fc40.noarch.rpm +05fb13cf2c4d20425e8aa8d2035a8e10e33ca1a28db2ce209db44d755d380eaf selinux-policy-targeted-40.29-2.fc40.noarch.rpm 89862f646cd64e81497f01a8b69ab30ac8968c47afef92a2c333608fdb90ccc1 setup-2.14.5-2.fc40.noarch.rpm cfde0d25ecac7e689ee083b330b78df51d346c2b7557c83a189d5df95c4e2c8d shadow-utils-4.15.1-4.fc40.x86_64.rpm 6e9b6b6196f1782419e447ac806c762d002c6930fe39b18999d9b32c24a0ecfc shadow-utils-subid-4.15.1-4.fc40.x86_64.rpm 67eede27af5b4773eb2f7ac794df694be030310d40bce462864c05b8f65c87c3 socat-1.8.0.0-2.fc40.x86_64.rpm -9fe46c08d942a5eaa66d997368f372557a81383fe9831ddeb801bccdde64f28b sqlite-libs-3.45.1-3.fc40.x86_64.rpm 
-08c40fb895e75add08d2c239d7bd24a0633ffaafed430f7ad5b464d1eea2a8b6 systemd-255.18-1.fc40.i686.rpm -51cd1eaa48613b981940d81ae76ea610c28265104e289a434a845ebf9e8f85a4 systemd-255.18-1.fc40.x86_64.rpm -d3c0e2fcfce8b412667f58d63f927076b01f51e0f36f5a7d4b4038efbebc95a0 systemd-boot-unsigned-255.18-1.fc40.x86_64.rpm -1fa7a7e4fcfa4f78c9bb0b5f95e100d3c9f36841368189339449612e7edb2a3c systemd-libs-255.18-1.fc40.i686.rpm -aceabc4c1848f8154afba961b3dfac1c95ec6c72cdf9238ceca384b699af3cef systemd-libs-255.18-1.fc40.x86_64.rpm -c8f5b5c50202965f86dc9139de3082a972e2a0222a1a426ce76a30d47cba5f32 systemd-networkd-255.18-1.fc40.x86_64.rpm -746e0db539b7c9a8bba425957304ca311878b198a2f6d63e60c42c266688c1dc systemd-pam-255.18-1.fc40.i686.rpm -71e42c637702d75b5a66058cb087c4ef7d0475da635ccfd0f40f71372d0e7de7 systemd-pam-255.18-1.fc40.x86_64.rpm -07082ff756a9db4851f996eb03e75f2d499a26bd42211a984788af5a1eeed300 systemd-resolved-255.18-1.fc40.x86_64.rpm -5dc7bdcbb590edf79d8ae90bf99a94d535b055816864ffdb2546acafc97d2736 systemd-udev-255.18-1.fc40.x86_64.rpm +a1e23ae521e93ab19d3df77889a6a418c3432025e4880cfd893e40f7165876a7 sqlite-libs-3.45.1-2.fc40.x86_64.rpm +cf80eb17778b4be0c8d31d2ed6478aaf1135da4e283c034573b4e79c3c5c350f systemd-255.14-1.fc40.i686.rpm +bb602e98503df8b961e7ae391805eed444baf44162b8408f6b86b9447e936e3c systemd-255.14-1.fc40.x86_64.rpm +5e5055ac6c18707f58c07dc25033dfc16a3bc0dfb50820165d169a93a6d89e15 systemd-boot-unsigned-255.14-1.fc40.x86_64.rpm +c5e5f2e6789aeb6945e56a31c010e62242dda7a0e8394ac8b4c20c8e5cbdba9f systemd-libs-255.14-1.fc40.i686.rpm +38aca012b5b875240bda5b67e60d698cdd826c4afa0e2fc584452d2c2b68a951 systemd-libs-255.14-1.fc40.x86_64.rpm +191f7622473d6899998c024c7630ff55daa3a04b0b12a0ce82204d8279095fce systemd-networkd-255.14-1.fc40.x86_64.rpm +c651dfc9bc27fc10814bb8d6f06f08df67641fe9a979e10635f968f3e7c07b5d systemd-pam-255.14-1.fc40.i686.rpm +225af60cab0699bac889f02b26e4be38b080266e79f7c9ac89ce4dc93a8545d2 systemd-pam-255.14-1.fc40.x86_64.rpm 
+59c9c90d52653cab601677b6e867bc73804a5121bd22dc5b8a0c350f23a097e5 systemd-resolved-255.14-1.fc40.x86_64.rpm +62f74c06c1a2fb04dcfa6722b5b91e4eeb31f12da5e529eedaeae881a77c8ce2 systemd-udev-255.14-1.fc40.x86_64.rpm 65819c502727dc293a71a74b9a5f6b0ba781f12a99c5d5535085f168e5eac56e tar-1.35-3.fc40.x86_64.rpm 0478e12152cc3432a31dfca5ddbc80966800af437c6d7c0b26be307d5e1272e7 tpm2-tools-5.7-1.fc40.x86_64.rpm c3be8a6d0ea23b1d0bf466b19857b97f7ffde811ad7adec0599161059d84cc74 tpm2-tss-4.1.3-1.fc40.x86_64.rpm 5df98756883badf7743cdd75f5689b62606bff0b74494b20241cb9d78335c251 tpm2-tss-fapi-4.1.3-1.fc40.x86_64.rpm -d35ca6852dfea66d10046dd8b38a77e89443ce2006bc31782abfead826dba029 tzdata-2025b-1.fc40.noarch.rpm -e1d443f7dcaec55eedc34bb66dd798ba9901dba69a169cff46f6c45671a3b3fa unbound-anchor-1.21.1-11.fc40.x86_64.rpm -8eb278cecd9f28fa4131dc402a31c74c427626aae53b2231bb452e745a9e9346 unbound-libs-1.21.1-11.fc40.x86_64.rpm +0bd358e7dfb2bd730b62c7375c8d8f8d9e2470f085ca8dc4ec626dc0332d5687 tzdata-2024a-5.fc40.noarch.rpm +9fc3b3f602c81bdb5e1daa4a7f9a254d35481bd1186ac0b01fbb0c3243440ca8 unbound-anchor-1.21.1-3.fc40.x86_64.rpm +1432f6a67a9400d10b09b5eee96c6fbf89b8bef99cc7e1abc6d885cf69a61fb2 unbound-libs-1.21.1-3.fc40.x86_64.rpm 36ffa617a0dfe523424a28290241a81cd51f7d82e776e58131f16d092d49797b util-linux-2.40-0.9.rc1.fc40.i686.rpm 945aa536bc30050abc1870cef167cb944cf78d6628923476db43201a0054574b util-linux-2.40.2-1.fc40.x86_64.rpm 7ec1b5df780c5a30f8e901179480125a6ea87f1f7bad3b69da7f4b351b88c3dd util-linux-core-2.40-0.9.rc1.fc40.x86_64.rpm b1aa4e816c01c08c18924865640f214f717cdfc66837e53a24b8edfb80a86f9d util-linux-core-2.40.2-1.fc40.x86_64.rpm -673532a506dff0ca46cd4bb5fbf772d2039e4c11e648eafa221f207139ebb798 vim-common-9.1.1275-1.fc40.x86_64.rpm -d32e2c404e54d75fb7c7c4cd3dece12123418f1798a964047fe5ca70221db002 vim-data-9.1.1275-1.fc40.noarch.rpm -968283f6290df2cbf2dd699411b1cca450769b30f28b8b8a9a9f4a4916d5ae4f vim-enhanced-9.1.1275-1.fc40.x86_64.rpm 
-80194d554770c211bd7c3fa368b3fbb94f7021504d4c87ddae4544a6eb183342 vim-filesystem-9.1.1275-1.fc40.noarch.rpm -69fd53fe41a8811e904b5429b1934a413d88978ec54d5c9e64370be32cbfc2ef wget2-2.2.0-2.fc40.x86_64.rpm -a00cc0a87c60ffbf5495a9796ac7074e6a47e0bebbb8c137d902014cd7ff5a30 wget2-libs-2.2.0-2.fc40.x86_64.rpm -09822d8d386dc81619639415a211b34592b0c5d43f7be288691cc4d933a0542c wget2-wget-2.2.0-2.fc40.x86_64.rpm +50879411e244c6531e09376ef87c9f081d1988a88e462404a24835d515211a9a vim-common-9.1.866-1.fc40.x86_64.rpm +3f39232a1cd7fffbdfbb1cd0b64f5107f33c83f3ed335180655f30763c292988 vim-data-9.1.866-1.fc40.noarch.rpm +c99d7857daa246ccd36db2ddedd6a723097d9e3d090464d6fcd3476f572ffee7 vim-enhanced-9.1.866-1.fc40.x86_64.rpm +ec8ea126510e9ba2950bd1f72d78dee97dbbc440d15bf1e5542a9029443d53d6 vim-filesystem-9.1.866-1.fc40.noarch.rpm +c5682a1b02bb02578e9997ae221a7f6c6db711084129824e207fe1febdc55b9d wget2-2.1.0-11.fc40.x86_64.rpm +38aaee4829df7e1a4719991c4fc6d65a1265b6a556b182ecac3145c287c320f4 wget2-libs-2.1.0-11.fc40.x86_64.rpm +a12b44ee7cc5a0e916bcf72e80c4d618abb7406254578e947f3ba9dd0d445d25 wget2-wget-2.1.0-11.fc40.x86_64.rpm cf0306ceed1c6b3be39060d85f16b1953b464d3a625488b170d3b7aadf600645 which-2.21-41.fc40.x86_64.rpm 4ede95a2fa3bc0ae617c8bf3a375b800163d58733b4829b15d9f038505d79fee whois-nls-5.5.20-3.fc40.noarch.rpm e2195010e857f56b19246f8b821f9391922880b7691b3728a413f540edc890a6 xkeyboard-config-2.41-1.fc40.noarch.rpm -69b64249d3c26a5efbd0ffa5802aa08033822c2d4378a4f44261618de6d38e4d xxd-9.1.1275-1.fc40.x86_64.rpm -9a0f6eb8d2784d7e3ee062c5deb3b9af41e7e6c6d115b6da8420bde453e41744 xz-5.8.1-2.fc40.x86_64.rpm -c6d64a788bfbbedc6eeab2347274864cade272c4ad69d77cb30d8b602e25e7f0 xz-libs-5.8.1-2.fc40.i686.rpm -cbad4c25b1acbf152273c2fae29e42ddffa03414938a7c755b5afa5f2ba45a26 xz-libs-5.8.1-2.fc40.x86_64.rpm +627c89d516a12ab0686eabecfab5f8e952f431a1aedc445aa43a2721c3740f8b xxd-9.1.866-1.fc40.x86_64.rpm +ee599a1c4d7ee635e54ec137af4dded83f433b9c8a5976f75ecdcd000b5246e3 xz-5.4.6-3.fc40.x86_64.rpm 
+b92ef78d8ab424c22130e457d0ef691d8197bff61c3b8852205d1b02baba3819 xz-libs-5.4.6-3.fc40.i686.rpm
+b6ee44b3d7e494b0364f26b7d0b169a8092180af787423cd5e8a47dc0f738a66 xz-libs-5.4.6-3.fc40.x86_64.rpm
 9e263e0a9b656178519de20733f3e0950fef494aa056daaa2004b522ba50b952 yajl-2.1.0-23.fc40.x86_64.rpm
 ffab1c8720480b498f65d0d480825ccd890e4f797c3850712879eb04a4739690 zlib-ng-compat-2.1.7-2.fc40.i686.rpm
 e50b69054de16d757f5667e3acf2e7439302c91a9c418243467f288dfb79f6ea zlib-ng-compat-2.1.7-2.fc40.x86_64.rpm
diff --git a/image/mirror/packages.txt b/image/mirror/packages.txt
index 9d6240a2e..fd79a427a 100644
--- a/image/mirror/packages.txt
+++ b/image/mirror/packages.txt
@@ -19,7 +19,6 @@ mokutil
 nano
 nano-default-editor
 nvme-cli
-openssh-server
 passt-selinux
 passwd
 podman
diff --git a/image/sysroot-tree/etc/ssh/sshd_config b/image/sysroot-tree/etc/ssh/sshd_config
deleted file mode 100644
index 39016f323..000000000
--- a/image/sysroot-tree/etc/ssh/sshd_config
+++ /dev/null
@@ -1,5 +0,0 @@
-HostKey /var/run/state/ssh/ssh_host_ed25519_key
-HostCertificate /var/run/state/ssh/ssh_host_cert.pub
-TrustedUserCAKeys /var/run/state/ssh/ssh_ca.pub
-PasswordAuthentication no
-ChallengeResponseAuthentication no
diff --git a/image/sysroot-tree/etc/systemd/system/sshd-keygen@.service.d/override.conf b/image/sysroot-tree/etc/systemd/system/sshd-keygen@.service.d/override.conf
deleted file mode 100644
index 1e956c08b..000000000
--- a/image/sysroot-tree/etc/systemd/system/sshd-keygen@.service.d/override.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Unit]
-ConditionFileNotEmpty=|!/var/run/state/ssh/ssh_host_%i_key
-Before=constellation-bootstrapper.service
diff --git a/image/sysroot-tree/usr/lib/systemd/system/sshd-keygen.target b/image/sysroot-tree/usr/lib/systemd/system/sshd-keygen.target
deleted file mode 100644
index 3c4dd2b1c..000000000
--- a/image/sysroot-tree/usr/lib/systemd/system/sshd-keygen.target
+++ /dev/null
@@ -1,3 +0,0 @@
-[Unit]
-Wants=sshd-keygen@ed25519.service
-PartOf=sshd.service
diff --git a/image/sysroot-tree/usr/libexec/openssh/sshd-keygen b/image/sysroot-tree/usr/libexec/openssh/sshd-keygen
deleted file mode 100644
index c366b0d0a..000000000
--- a/image/sysroot-tree/usr/libexec/openssh/sshd-keygen
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/bash
-# Taken from the original openssh-server package and slightly modified
-
-set -x
-
-# Create the host keys for the OpenSSH server.
-KEYTYPE=$1
-case $KEYTYPE in
-"dsa") ;& # disabled in FIPS
-"ed25519")
- FIPS=/proc/sys/crypto/fips_enabled
- if [[ -r $FIPS && $(cat $FIPS) == "1" ]]; then
- exit 0
- fi
- ;;
-"rsa") ;; # always ok
-"ecdsa") ;;
-*) # wrong argument
- exit 12 ;;
-esac
-mkdir -p /var/run/state/ssh
-KEY=/var/run/state/ssh/ssh_host_${KEYTYPE}_key
-
-KEYGEN=/usr/bin/ssh-keygen
-if [[ ! -x $KEYGEN ]]; then
- exit 13
-fi
-
-# remove old keys
-rm -f "$KEY"{,.pub}
-
-# create new keys
-if ! $KEYGEN -q -t "$KEYTYPE" -f "$KEY" -C '' -N '' >&/dev/null; then
- exit 1
-fi
-
-# sanitize permissions
-/usr/bin/chmod 600 "$KEY"
-/usr/bin/chmod 644 "$KEY".pub
-if [[ -x /usr/sbin/restorecon ]]; then
- /usr/sbin/restorecon "$KEY"{,.pub}
-fi
-
-exit 0
diff --git a/image/upload/internal/cmd/api.go b/image/upload/internal/cmd/api.go
index 5cf4e0b95..5f6865998 100644
--- a/image/upload/internal/cmd/api.go
+++ b/image/upload/internal/cmd/api.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/image/upload/internal/cmd/flags.go b/image/upload/internal/cmd/flags.go
index de38c2701..26b159b44 100644
--- a/image/upload/internal/cmd/flags.go
+++ b/image/upload/internal/cmd/flags.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/image/upload/internal/cmd/info.go b/image/upload/internal/cmd/info.go
index d104d1dc2..b68db4929 100644
--- a/image/upload/internal/cmd/info.go
+++ b/image/upload/internal/cmd/info.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/image/upload/internal/cmd/measurements.go b/image/upload/internal/cmd/measurements.go
index a61c14c0d..e117b88d9 100644
--- a/image/upload/internal/cmd/measurements.go
+++ b/image/upload/internal/cmd/measurements.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/image/upload/internal/cmd/measurementsenvelope.go b/image/upload/internal/cmd/measurementsenvelope.go
index 082e82ea7..70c16a24e 100644
--- a/image/upload/internal/cmd/measurementsenvelope.go
+++ b/image/upload/internal/cmd/measurementsenvelope.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/image/upload/internal/cmd/measurementsmerge.go b/image/upload/internal/cmd/measurementsmerge.go
index 4a74e20b2..78b283850 100644
--- a/image/upload/internal/cmd/measurementsmerge.go
+++ b/image/upload/internal/cmd/measurementsmerge.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/image/upload/internal/cmd/measurementsupload.go b/image/upload/internal/cmd/measurementsupload.go
index bca15e121..c16137d05 100644
--- a/image/upload/internal/cmd/measurementsupload.go
+++ b/image/upload/internal/cmd/measurementsupload.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
diff --git a/image/upload/internal/cmd/must.go b/image/upload/internal/cmd/must.go
index 2f3d8d896..fb26f2df0 100644
--- a/image/upload/internal/cmd/must.go
+++ b/image/upload/internal/cmd/must.go
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/image/upload/internal/cmd/upload.go b/image/upload/internal/cmd/upload.go index 680b26586..22c8fa98e 100644 --- a/image/upload/internal/cmd/upload.go +++ b/image/upload/internal/cmd/upload.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/image/upload/internal/cmd/uplosi.go b/image/upload/internal/cmd/uplosi.go index 7e6214837..ddfec8d70 100644 --- a/image/upload/internal/cmd/uplosi.go +++ b/image/upload/internal/cmd/uplosi.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cmd diff --git a/image/upload/upload.go b/image/upload/upload.go index 2a2ab1423..7f4886a2d 100644 --- a/image/upload/upload.go +++ b/image/upload/upload.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // upload uploads os images. diff --git a/internal/api/attestationconfigapi/attestationconfigapi.go b/internal/api/attestationconfigapi/attestationconfigapi.go index d0ff50872..a0d84d786 100644 --- a/internal/api/attestationconfigapi/attestationconfigapi.go +++ b/internal/api/attestationconfigapi/attestationconfigapi.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/api/attestationconfigapi/cli/client/client.go b/internal/api/attestationconfigapi/cli/client/client.go index ea867dd1c..53c79285e 100644 --- a/internal/api/attestationconfigapi/cli/client/client.go +++ b/internal/api/attestationconfigapi/cli/client/client.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/api/attestationconfigapi/cli/client/client_test.go b/internal/api/attestationconfigapi/cli/client/client_test.go index f46c872d8..008414f59 100644 --- a/internal/api/attestationconfigapi/cli/client/client_test.go +++ b/internal/api/attestationconfigapi/cli/client/client_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/internal/api/attestationconfigapi/cli/client/reporter.go b/internal/api/attestationconfigapi/cli/client/reporter.go index ff215ca55..295c7b2b7 100644 --- a/internal/api/attestationconfigapi/cli/client/reporter.go +++ b/internal/api/attestationconfigapi/cli/client/reporter.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/internal/api/attestationconfigapi/cli/client/reporter_test.go b/internal/api/attestationconfigapi/cli/client/reporter_test.go index ded25b020..9d786f33d 100644 --- a/internal/api/attestationconfigapi/cli/client/reporter_test.go +++ b/internal/api/attestationconfigapi/cli/client/reporter_test.go @@ -1,6 +1,6 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/internal/api/attestationconfigapi/cli/compare.go b/internal/api/attestationconfigapi/cli/compare.go index 36113c689..9921ab76e 100644 --- a/internal/api/attestationconfigapi/cli/compare.go +++ b/internal/api/attestationconfigapi/cli/compare.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main 
diff --git a/internal/api/attestationconfigapi/cli/delete.go b/internal/api/attestationconfigapi/cli/delete.go index 6c4b6ca81..a800f7e80 100644 --- a/internal/api/attestationconfigapi/cli/delete.go +++ b/internal/api/attestationconfigapi/cli/delete.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/internal/api/attestationconfigapi/cli/main.go b/internal/api/attestationconfigapi/cli/main.go index 76a0e6aef..ee1b0c354 100644 --- a/internal/api/attestationconfigapi/cli/main.go +++ b/internal/api/attestationconfigapi/cli/main.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/api/attestationconfigapi/cli/upload.go b/internal/api/attestationconfigapi/cli/upload.go index dbfba690c..4032f4626 100644 --- a/internal/api/attestationconfigapi/cli/upload.go +++ b/internal/api/attestationconfigapi/cli/upload.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/internal/api/attestationconfigapi/cli/validargs.go b/internal/api/attestationconfigapi/cli/validargs.go index 85a7f72dd..b5366b0f9 100644 --- a/internal/api/attestationconfigapi/cli/validargs.go +++ b/internal/api/attestationconfigapi/cli/validargs.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/internal/api/attestationconfigapi/fetcher.go b/internal/api/attestationconfigapi/fetcher.go index e7476f1e5..ca30bb554 100644 --- a/internal/api/attestationconfigapi/fetcher.go +++ b/internal/api/attestationconfigapi/fetcher.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package attestationconfigapi 
diff --git a/internal/api/attestationconfigapi/fetcher_test.go b/internal/api/attestationconfigapi/fetcher_test.go index 18c3a203e..b3d737f54 100644 --- a/internal/api/attestationconfigapi/fetcher_test.go +++ b/internal/api/attestationconfigapi/fetcher_test.go @@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package attestationconfigapi import ( "bytes" + "context" "encoding/json" "errors" "fmt" @@ -102,7 +103,7 @@ func TestFetchLatestSEVSNPVersion(t *testing.T) { }, } fetcher := newFetcherWithClientAndVerifier(client, stubVerifier{}, constants.CDNRepositoryURL) - res, err := fetcher.FetchLatestVersion(t.Context(), tc.attestation) + res, err := fetcher.FetchLatestVersion(context.Background(), tc.attestation) assert := assert.New(t) if tc.wantErr { assert.Error(err) diff --git a/internal/api/attestationconfigapi/version.go b/internal/api/attestationconfigapi/version.go index 82d218872..8fad7f2ab 100644 --- a/internal/api/attestationconfigapi/version.go +++ b/internal/api/attestationconfigapi/version.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package attestationconfigapi diff --git a/internal/api/attestationconfigapi/version_test.go b/internal/api/attestationconfigapi/version_test.go index 57d80b5fa..1e5c51441 100644 --- a/internal/api/attestationconfigapi/version_test.go +++ b/internal/api/attestationconfigapi/version_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package attestationconfigapi diff --git a/internal/api/client/client.go b/internal/api/client/client.go index 71a05794c..d3c0a6b75 100644 --- a/internal/api/client/client.go +++ b/internal/api/client/client.go 
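Review bot: `context.Background()` on the new side of the `FetchLatestVersion` call carries no deadline, so a stub client that blocks would hang the test until the package timeout instead of failing fast; if `t.Context()` is unavailable on the toolchain this targets, `ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)` followed by `defer cancel()` keeps the test bounded (assuming `time` is importable here). The same substitution appears in the versionsapi fetcher_test.go, atls_test.go, nitrotpm issuer_test.go and validator_test.go hunks further down. TestFetchLatestSEVSNPVersion starts and ends outside the hunk.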
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/api/fetcher/fetcher.go b/internal/api/fetcher/fetcher.go index d5b407467..52135aa1f 100644 --- a/internal/api/fetcher/fetcher.go +++ b/internal/api/fetcher/fetcher.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/api/versionsapi/apiconstants.go b/internal/api/versionsapi/apiconstants.go index 832d48ec4..bca2b2b4c 100644 --- a/internal/api/versionsapi/apiconstants.go +++ b/internal/api/versionsapi/apiconstants.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package versionsapi diff --git a/internal/api/versionsapi/cli/add.go b/internal/api/versionsapi/cli/add.go index 8d7782e3d..f1a6fc4fd 100644 --- a/internal/api/versionsapi/cli/add.go +++ b/internal/api/versionsapi/cli/add.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main @@ -16,6 +16,7 @@ import ( "github.com/edgelesssys/constellation/v2/internal/api/versionsapi" "github.com/edgelesssys/constellation/v2/internal/logger" "github.com/spf13/cobra" + "golang.org/x/mod/semver" ) func newAddCmd() *cobra.Command { 
@@ -52,8 +53,19 @@ func runAdd(cmd *cobra.Command, _ []string) (retErr error) {
 return err
 }
 log := logger.NewTextLogger(flags.logLevel)
- log.Debug("Using flags", "dryRun", flags.dryRun, "kind", flags.version.Kind(), "latest", flags.latest, "ref", flags.version.Ref(),
- "stream", flags.version.Stream(), "version", flags.version.Version())
+ log.Debug("Using flags", "dryRun", flags.dryRun, "kind", flags.kind, "latest", flags.latest, "ref", flags.ref,
+ "release", flags.release, "stream", flags.stream, "version", flags.version)
+
+ log.Debug("Validating flags")
+ if err := flags.validate(log); err != nil {
+ return err
+ }
+
+ log.Debug("Creating version struct")
+ ver, err := versionsapi.NewVersion(flags.ref, flags.stream, flags.version, flags.kind)
+ if err != nil {
+ return fmt.Errorf("creating version: %w", err)
+ }
 
 log.Debug("Creating versions API client")
 client, clientClose, err := versionsapi.NewClient(cmd.Context(), flags.region, flags.bucket, flags.distributionID, flags.dryRun, log)
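Review bot: The `Using flags` debug line logs `latest` and `ref` before `flags.validate(log)` rewrites them, so for a non-release add the log shows `latest=false` while the run then sets latest, and for `--release` it shows whatever `--ref` was given rather than the release ref that is actually used. Moving the `log.Debug("Using flags", ...)` call below the validate block (or logging `flags.latest` and `flags.ref` again after it) makes the log match the Version that `versionsapi.NewVersion` builds from those fields. runAdd starts and ends outside this hunk.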
@@ -68,27 +80,27 @@ func runAdd(cmd *cobra.Command, _ []string) (retErr error) {
 }()
 
 log.Info("Adding version")
- if err := ensureVersion(cmd.Context(), client, flags.version, versionsapi.GranularityMajor, log); err != nil {
+ if err := ensureVersion(cmd.Context(), client, flags.kind, ver, versionsapi.GranularityMajor, log); err != nil {
 return err
 }
- if err := ensureVersion(cmd.Context(), client, flags.version, versionsapi.GranularityMinor, log); err != nil {
+ if err := ensureVersion(cmd.Context(), client, flags.kind, ver, versionsapi.GranularityMinor, log); err != nil {
 return err
 }
 if flags.latest {
- if err := updateLatest(cmd.Context(), client, flags.version, log); err != nil {
+ if err := updateLatest(cmd.Context(), client, flags.kind, ver, log); err != nil {
 return fmt.Errorf("setting latest version: %w", err)
 }
 }
 
- log.Info(fmt.Sprintf("List major->minor URL: %s", flags.version.ListURL(versionsapi.GranularityMajor)))
- log.Info(fmt.Sprintf("List minor->patch URL: %s", flags.version.ListURL(versionsapi.GranularityMinor)))
+ log.Info(fmt.Sprintf("List major->minor URL: %s", ver.ListURL(versionsapi.GranularityMajor)))
+ log.Info(fmt.Sprintf("List minor->patch URL: %s", ver.ListURL(versionsapi.GranularityMinor)))
 
 return nil
 }
 
-func ensureVersion(ctx context.Context, client *versionsapi.Client, ver versionsapi.Version, gran versionsapi.Granularity,
+func ensureVersion(ctx context.Context, client *versionsapi.Client, kind versionsapi.VersionKind, ver versionsapi.Version, gran versionsapi.Granularity,
 log *slog.Logger,
 ) error {
 verListReq := versionsapi.List{
@@ -96,7 +108,7 @@ func ensureVersion(ctx context.Context, client *versionsapi.Client, ver versions
 Stream: ver.Stream(),
 Granularity: gran,
 Base: ver.WithGranularity(gran),
- Kind: ver.Kind(),
+ Kind: kind,
 }
 verList, err := client.FetchVersionList(ctx, verListReq)
 var notFoundErr *apiclient.NotFoundError
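Review bot: `ensureVersion` now takes `kind` separately from `ver`, but `ver` is built from `flags.kind` in runAdd, so nothing in the signature stops a caller from passing a kind that differs from the one the Version was created with; the same applies to `updateLatest` in the next hunk. A short doc comment makes the contract explicit: `// ensureVersion adds ver to the major and minor version lists of kind. kind must be the VersionKind ver was created with; it is not derived from ver.` The new signature line is also far longer than the surrounding code wraps at; breaking it after `client *versionsapi.Client,` like the existing `log *slog.Logger,` continuation keeps the style consistent. ensureVersion's body continues past the hunk.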
@@ -128,11 +140,11 @@ func ensureVersion(ctx context.Context, client *versionsapi.Client, ver versions
 return nil
 }
 
-func updateLatest(ctx context.Context, client *versionsapi.Client, ver versionsapi.Version, log *slog.Logger) error {
+func updateLatest(ctx context.Context, client *versionsapi.Client, kind versionsapi.VersionKind, ver versionsapi.Version, log *slog.Logger) error {
 latest := versionsapi.Latest{
 Ref: ver.Ref(),
 Stream: ver.Stream(),
- Kind: ver.Kind(),
+ Kind: kind,
 }
 latest, err := client.FetchVersionLatest(ctx, latest)
 var notFoundErr *apiclient.NotFoundError
@@ -152,7 +164,7 @@ func updateLatest(ctx context.Context, client *versionsapi.Client, ver versionsa
 Ref: ver.Ref(),
 Stream: ver.Stream(),
 Version: ver.Version(),
- Kind: ver.Kind(),
+ Kind: kind,
 }
 if err := client.UpdateVersionLatest(ctx, latest); err != nil {
 return fmt.Errorf("updating latest version: %w", err)
@@ -162,20 +174,60 @@ func updateLatest(ctx context.Context, client *versionsapi.Client, ver versionsa
 }
 
 type addFlags struct {
- version versionsapi.Version
+ version string
+ stream string
+ ref string
+ release bool
 latest bool
 dryRun bool
 region string
 bucket string
 distributionID string
+ kind versionsapi.VersionKind
 logLevel slog.Level
 }
 
+func (f *addFlags) validate(log *slog.Logger) error {
+ if !semver.IsValid(f.version) {
+ return fmt.Errorf("version %q is not a valid semantic version", f.version)
+ }
+ if semver.Canonical(f.version) != f.version {
+ return fmt.Errorf("version %q is not a canonical semantic version", f.version)
+ }
+
+ if f.ref == "" && !f.release {
+ return fmt.Errorf("either --ref or --release must be set")
+ }
+
+ if f.kind == versionsapi.VersionKindUnknown {
+ return fmt.Errorf("unknown version kind %q", f.kind)
+ }
+
+ if f.release {
+ log.Debug(fmt.Sprintf("Setting ref to %q, as release flag is set", versionsapi.ReleaseRef))
+ f.ref = versionsapi.ReleaseRef
+ } else {
+ log.Debug("Setting latest to true, as release flag is not set")
+ f.latest = true // always set latest for non-release versions
+ }
+
+ if err := versionsapi.ValidateRef(f.ref); err != nil {
+ return fmt.Errorf("invalid ref %w", err)
+ }
+
+ if err := versionsapi.ValidateStream(f.ref, f.stream); err != nil {
+ return fmt.Errorf("invalid stream %w", err)
+ }
+
+ return nil
+}
+
 func parseAddFlags(cmd *cobra.Command) (addFlags, error) {
 ref, err := cmd.Flags().GetString("ref")
 if err != nil {
 return addFlags{}, err
 }
+ ref = versionsapi.CanonicalizeRef(ref)
 stream, err := cmd.Flags().GetString("stream")
 if err != nil {
 return addFlags{}, err
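Review bot: `validate` is not a pure check: it overwrites `f.ref` with `versionsapi.ReleaseRef` when `--release` is set (silently discarding any `--ref` passed alongside it) and forces `f.latest = true` otherwise, and nothing documents that, so a doc comment is needed, e.g. `// validate checks the parsed flags and normalizes them: with --release, ref is replaced by ReleaseRef regardless of --ref; otherwise latest is forced to true.` The `f.ref == "" && !f.release` branch also fires when the given ref canonicalized to the empty string (CanonicalizeRef returns "" for a ref equal to ReleaseRef, see the version.go hunk below), so `either --ref or --release must be set` is misleading for that input; including the original flag value in the message would help. The two wrap messages lack the conventional separator: `return fmt.Errorf("invalid ref: %w", err)` and `return fmt.Errorf("invalid stream: %w", err)`. parseAddFlags continues outside the hunk.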
@@ -222,24 +274,17 @@ func parseAddFlags(cmd *cobra.Command) (addFlags, error) {
 return addFlags{}, err
 }
 
- if release {
- ref = versionsapi.ReleaseRef
- } else {
- latest = true // always set latest for non-release versions
- }
-
- ver, err := versionsapi.NewVersion(ref, stream, version, kind)
- if err != nil {
- return addFlags{}, fmt.Errorf("creating version: %w", err)
- }
-
 return addFlags{
- version: ver,
+ version: version,
+ stream: stream,
+ ref: versionsapi.CanonicalizeRef(ref),
+ release: release,
 latest: latest,
 dryRun: dryRun,
 region: region,
 bucket: bucket,
 distributionID: distributionID,
 logLevel: logLevel,
+ kind: kind,
 }, nil
 }
diff --git a/internal/api/versionsapi/cli/latest.go b/internal/api/versionsapi/cli/latest.go
index ca379c43f..6b3c3983f 100644
--- a/internal/api/versionsapi/cli/latest.go
+++ b/internal/api/versionsapi/cli/latest.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package main
diff --git a/internal/api/versionsapi/cli/list.go b/internal/api/versionsapi/cli/list.go
index 52cfc873b..1aa6d88c6 100644
--- a/internal/api/versionsapi/cli/list.go
+++ b/internal/api/versionsapi/cli/list.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package main
diff --git a/internal/api/versionsapi/cli/main.go b/internal/api/versionsapi/cli/main.go
index 2c173da1b..0410f8064 100644
--- a/internal/api/versionsapi/cli/main.go
+++ b/internal/api/versionsapi/cli/main.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 /*
diff --git a/internal/api/versionsapi/cli/rm.go b/internal/api/versionsapi/cli/rm.go
index 06757f441..d25ff59a1 100644
--- a/internal/api/versionsapi/cli/rm.go
+++ b/internal/api/versionsapi/cli/rm.go
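Review bot: `ref: versionsapi.CanonicalizeRef(ref)` in the returned struct re-canonicalizes a value that the previous hunk already canonicalized right after `GetString("ref")`; CanonicalizeRef is a regex replacement (visible in the version.go hunk below), so the double call is harmless today, but one of the two sites should go, e.g. `ref: ref,` here. Keeping the normalization in one place avoids the two drifting apart if CanonicalizeRef ever stops being idempotent.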
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/internal/api/versionsapi/client.go b/internal/api/versionsapi/client.go index 295223d26..496557102 100644 --- a/internal/api/versionsapi/client.go +++ b/internal/api/versionsapi/client.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package versionsapi diff --git a/internal/api/versionsapi/cliinfo.go b/internal/api/versionsapi/cliinfo.go index 1ec6ac3d0..ac7c18337 100644 --- a/internal/api/versionsapi/cliinfo.go +++ b/internal/api/versionsapi/cliinfo.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package versionsapi diff --git a/internal/api/versionsapi/cliinfo_test.go b/internal/api/versionsapi/cliinfo_test.go index 2b85852b0..f1f759f1b 100644 --- a/internal/api/versionsapi/cliinfo_test.go +++ b/internal/api/versionsapi/cliinfo_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package versionsapi diff --git a/internal/api/versionsapi/fetcher.go b/internal/api/versionsapi/fetcher.go index 407fe1a70..e17d7a376 100644 --- a/internal/api/versionsapi/fetcher.go +++ b/internal/api/versionsapi/fetcher.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package versionsapi diff --git a/internal/api/versionsapi/fetcher_test.go b/internal/api/versionsapi/fetcher_test.go index 87245a9f8..ff00ebdb6 100644 --- a/internal/api/versionsapi/fetcher_test.go +++ b/internal/api/versionsapi/fetcher_test.go 
@@ -1,13 +1,14 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package versionsapi import ( "bytes" + "context" "encoding/json" "io" "net/http" @@ -191,7 +192,7 @@ func TestFetchVersionList(t *testing.T) { fetcher := Fetcher{client, constants.CDNRepositoryURL} - list, err := fetcher.FetchVersionList(t.Context(), tc.list) + list, err := fetcher.FetchVersionList(context.Background(), tc.list) if tc.wantErr { assert.Error(err) diff --git a/internal/api/versionsapi/imageinfo.go b/internal/api/versionsapi/imageinfo.go index 77a14f666..59d01c1f2 100644 --- a/internal/api/versionsapi/imageinfo.go +++ b/internal/api/versionsapi/imageinfo.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package versionsapi diff --git a/internal/api/versionsapi/imageinfo_test.go b/internal/api/versionsapi/imageinfo_test.go index 04a72e941..f239b42a2 100644 --- a/internal/api/versionsapi/imageinfo_test.go +++ b/internal/api/versionsapi/imageinfo_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package versionsapi diff --git a/internal/api/versionsapi/latest.go b/internal/api/versionsapi/latest.go index e360822fb..2c9f2a20b 100644 --- a/internal/api/versionsapi/latest.go +++ b/internal/api/versionsapi/latest.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package versionsapi diff --git a/internal/api/versionsapi/latest_test.go b/internal/api/versionsapi/latest_test.go index 562b5b4a3..a1b868d7b 100644 --- a/internal/api/versionsapi/latest_test.go +++ b/internal/api/versionsapi/latest_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package versionsapi 
diff --git a/internal/api/versionsapi/list.go b/internal/api/versionsapi/list.go
index 262007371..9cef3ebaa 100644
--- a/internal/api/versionsapi/list.go
+++ b/internal/api/versionsapi/list.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package versionsapi
diff --git a/internal/api/versionsapi/list_test.go b/internal/api/versionsapi/list_test.go
index b936de898..20aac9ab0 100644
--- a/internal/api/versionsapi/list_test.go
+++ b/internal/api/versionsapi/list_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package versionsapi
diff --git a/internal/api/versionsapi/version.go b/internal/api/versionsapi/version.go
index 0c969e0f6..12d1e8100 100644
--- a/internal/api/versionsapi/version.go
+++ b/internal/api/versionsapi/version.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package versionsapi
@@ -41,7 +41,7 @@ type Version struct {
 // NewVersion creates a new Version object and validates it.
 func NewVersion(ref, stream, version string, kind VersionKind) (Version, error) {
 ver := Version{
- ref: CanonicalizeRef(ref),
+ ref: ref,
 stream: stream,
 version: version,
 kind: kind,
@@ -62,7 +62,7 @@ func NewVersionFromShortPath(shortPath string, kind VersionKind) (Version, error
 }
 
 ver := Version{
- ref: ref, // Canonicalized by parseShortPath.
+ ref: ref,
 stream: stream,
 version: version,
 kind: kind,
@@ -331,7 +331,7 @@ func CanonicalizeRef(ref string) string {
 canRef := notAZ09Regexp.ReplaceAllString(ref, "-")
 
 if canRef == ReleaseRef {
- return "" // No ref should be canonicalized to the release ref.
+ return "" // No ref should be cannonicalized to the release ref.
 }
 
 return canRef
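Review bot: `NewVersion` now stores `ref` verbatim while its doc comment still only says it "creates a new Version object and validates it"; a caller that relied on it to normalize the ref now gets either a validation error or a non-canonical ref stored, and which of the two depends on the validation code outside this hunk. The comment should state the new precondition: `// NewVersion creates a new Version object and validates it. ref is stored as given and must already be canonical (see CanonicalizeRef).` The rewritten comment in CanonicalizeRef introduces a typo on the new side; it should read `return "" // No ref should be canonicalized to the release ref.` The `TestNewVersion` cases removed further down covered exactly this path, so a case asserting how a non-canonical ref is handled now would keep it tested.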
@@ -401,7 +401,7 @@ func MeasurementURL(version Version) (measurementURL, signatureURL *url.URL, err
 }
 
 var (
- shortPathRegex = regexp.MustCompile(`^ref/([^/]+)/stream/([a-zA-Z0-9-]+)/([a-zA-Z0-9.-]+)$`)
+ shortPathRegex = regexp.MustCompile(`^ref/([a-zA-Z0-9-]+)/stream/([a-zA-Z0-9-]+)/([a-zA-Z0-9.-]+)$`)
 shortPathReleaseRegex = regexp.MustCompile(`^stream/([a-zA-Z0-9-]+)/([a-zA-Z0-9.-]+)$`)
 )
 
@@ -422,7 +422,6 @@ func parseShortPath(shortPath string) (ref, stream, version string, err error) {
 if shortPathRegex.MatchString(shortPath) {
 matches := shortPathRegex.FindStringSubmatch(shortPath)
 ref := matches[1]
- ref = CanonicalizeRef(ref)
 if err := ValidateRef(ref); err != nil {
 return "", "", "", err
 }
diff --git a/internal/api/versionsapi/version_test.go b/internal/api/versionsapi/version_test.go
index c3631c90c..25f0f8ce0 100644
--- a/internal/api/versionsapi/version_test.go
+++ b/internal/api/versionsapi/version_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package versionsapi
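Review bot: Dropping `ref = CanonicalizeRef(ref)` in parseShortPath changes which refs are rejected, not only how they are spelled: with the tightened `[a-zA-Z0-9-]+` group the character replacement is redundant, but CanonicalizeRef also mapped a ref equal to ReleaseRef to "" (previous hunk), which ValidateRef then rejected, whereas now `ref/<ReleaseRef>/stream/<stream>/<version>` reaches ValidateRef unchanged and whether it is still rejected depends on ValidateRef, which is outside this hunk. A comment on the regex line would make the intent explicit: `// ref is validated but not canonicalized here; the group admits only characters CanonicalizeRef would keep.` A test case with the release ref in the `ref/` position would pin the expected behaviour either way. parseShortPath continues past the hunk.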
@@ -16,111 +16,6 @@ import ( "github.com/edgelesssys/constellation/v2/internal/constants" ) -func TestNewVersion(t *testing.T) { - testCases := map[string]struct { - ref string - stream string - version string - kind VersionKind - wantVer Version - wantErr bool - }{ - "stable release image": { - ref: ReleaseRef, - stream: "stable", - version: "v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: ReleaseRef, - stream: "stable", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, - "release debug image": { - ref: ReleaseRef, - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: ReleaseRef, - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, - "stable release cli": { - ref: ReleaseRef, - stream: "stable", - version: "v9.9.9", - kind: VersionKindCLI, - wantVer: Version{ - ref: ReleaseRef, - stream: "stable", - version: "v9.9.9", - kind: VersionKindCLI, - }, - }, - "release debug cli": { - ref: ReleaseRef, - stream: "debug", - version: "v9.9.9", - kind: VersionKindCLI, - wantVer: Version{ - ref: ReleaseRef, - stream: "debug", - version: "v9.9.9", - kind: VersionKindCLI, - }, - }, - "unknown kind": { - ref: ReleaseRef, - stream: "debug", - version: "v9.9.9", - kind: VersionKindUnknown, - wantErr: true, - }, - "non-release ref as input": { - ref: "working-branch", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: "working-branch", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, - "non-canonical ref as input": { - ref: "testing-1.23", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: "testing-1-23", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, - } - - for name, tc := range testCases { - t.Run(name, func(t *testing.T) { - assert := assert.New(t) - - ver, err := NewVersion(tc.ref, tc.stream, tc.version, tc.kind) - if tc.wantErr { - assert.Error(err) - 
return - } - assert.NoError(err) - assert.Equal(tc.wantVer, ver) - }) - } -} - func TestNewVersionFromShortPath(t *testing.T) { testCases := map[string]struct { path string @@ -183,26 +78,6 @@ func TestNewVersionFromShortPath(t *testing.T) { kind: VersionKindCLI, wantErr: true, }, - "non-release ref as input": { - path: "ref/working-branch/stream/debug/v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: "working-branch", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, - "non-canonical ref as input": { - path: "ref/testing-1.23/stream/debug/v9.9.9", - kind: VersionKindImage, - wantVer: Version{ - ref: "testing-1-23", - stream: "debug", - version: "v9.9.9", - kind: VersionKindImage, - }, - }, } for name, tc := range testCases { diff --git a/internal/api/versionsapi/versionsapi.go b/internal/api/versionsapi/versionsapi.go index b89cd7577..54fa65123 100644 --- a/internal/api/versionsapi/versionsapi.go +++ b/internal/api/versionsapi/versionsapi.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/atls/atls.go b/internal/atls/atls.go index 9f42fb9c9..34a80bbff 100644 --- a/internal/atls/atls.go +++ b/internal/atls/atls.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // aTLS provides config generation functions to bootstrap attested TLS connections. diff --git a/internal/atls/atls_test.go b/internal/atls/atls_test.go index 03f1660c6..db315b3a1 100644 --- a/internal/atls/atls_test.go +++ b/internal/atls/atls_test.go @@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package atls import ( + "context" "encoding/asn1" "errors" "io" 
@@ -161,7 +162,7 @@ func TestTLSConfig(t *testing.T) { server.StartTLS() defer server.Close() - req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, server.URL, http.NoBody) + req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, server.URL, http.NoBody) require.NoError(err) resp, err := client.Do(req) if tc.wantErr { @@ -220,7 +221,7 @@ func TestClientConnectionConcurrency(t *testing.T) { var reqs []*http.Request for _, url := range urls { - req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, url, http.NoBody) + req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody) require.NoError(err) reqs = append(reqs, req) } @@ -294,7 +295,7 @@ func TestServerConnectionConcurrency(t *testing.T) { var reqs []*http.Request for _, url := range urls { - req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, url, http.NoBody) + req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody) require.NoError(err) reqs = append(reqs, req) } diff --git a/internal/attestation/attestation.go b/internal/attestation/attestation.go index 21b918925..d5e458012 100644 --- a/internal/attestation/attestation.go +++ b/internal/attestation/attestation.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/attestation_test.go b/internal/attestation/attestation_test.go index 482089dee..3615859c0 100644 --- a/internal/attestation/attestation_test.go +++ b/internal/attestation/attestation_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package attestation diff --git a/internal/attestation/aws/aws.go b/internal/attestation/aws/aws.go index 5edaaea50..80806eccd 100644 --- a/internal/attestation/aws/aws.go +++ b/internal/attestation/aws/aws.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/aws/nitrotpm/issuer.go b/internal/attestation/aws/nitrotpm/issuer.go index 5365eed82..e95b72d06 100644 --- a/internal/attestation/aws/nitrotpm/issuer.go +++ b/internal/attestation/aws/nitrotpm/issuer.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package nitrotpm diff --git a/internal/attestation/aws/nitrotpm/issuer_test.go b/internal/attestation/aws/nitrotpm/issuer_test.go index eb2733775..59b5b7e47 100644 --- a/internal/attestation/aws/nitrotpm/issuer_test.go +++ b/internal/attestation/aws/nitrotpm/issuer_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package nitrotpm @@ -100,7 +100,7 @@ func TestGetInstanceInfo(t *testing.T) { instanceInfoFunc := getInstanceInfo(&tc.client) assert.NotNil(instanceInfoFunc) - info, err := instanceInfoFunc(t.Context(), tpm, nil) + info, err := instanceInfoFunc(context.Background(), tpm, nil) if tc.wantErr { assert.Error(err) assert.Nil(info) diff --git a/internal/attestation/aws/nitrotpm/nitrotpm.go b/internal/attestation/aws/nitrotpm/nitrotpm.go index a86c417fe..47c59db9b 100644 --- a/internal/attestation/aws/nitrotpm/nitrotpm.go +++ b/internal/attestation/aws/nitrotpm/nitrotpm.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/aws/nitrotpm/validator.go b/internal/attestation/aws/nitrotpm/validator.go index ea60e1685..54d853c5d 100644 --- a/internal/attestation/aws/nitrotpm/validator.go +++ b/internal/attestation/aws/nitrotpm/validator.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package nitrotpm diff --git a/internal/attestation/aws/nitrotpm/validator_test.go b/internal/attestation/aws/nitrotpm/validator_test.go index a782894fa..0e6d086cd 100644 --- a/internal/attestation/aws/nitrotpm/validator_test.go +++ b/internal/attestation/aws/nitrotpm/validator_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package nitrotpm @@ -42,7 +42,7 @@ func TestGeTrustedKey(t *testing.T) { t.Run(name, func(t *testing.T) { assert := assert.New(t) out, err := getTrustedKey( - t.Context(), + context.Background(), vtpm.AttestationDocument{ Attestation: &attest.Attestation{ AkPub: tc.akPub, diff --git a/internal/attestation/aws/snp/errors.go b/internal/attestation/aws/snp/errors.go index b20291b5e..2b07870b7 100644 --- a/internal/attestation/aws/snp/errors.go +++ b/internal/attestation/aws/snp/errors.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp diff --git a/internal/attestation/aws/snp/issuer.go b/internal/attestation/aws/snp/issuer.go index 040a19a94..d585cba9f 100644 --- a/internal/attestation/aws/snp/issuer.go +++ b/internal/attestation/aws/snp/issuer.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp diff --git a/internal/attestation/aws/snp/issuer_test.go b/internal/attestation/aws/snp/issuer_test.go index d92cad9c9..3f2f24699 100644 --- a/internal/attestation/aws/snp/issuer_test.go +++ b/internal/attestation/aws/snp/issuer_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp 
diff --git a/internal/attestation/aws/snp/snp.go b/internal/attestation/aws/snp/snp.go index 4b5f31d6a..4085f50bb 100644 --- a/internal/attestation/aws/snp/snp.go +++ b/internal/attestation/aws/snp/snp.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/aws/snp/testdata/report.txt b/internal/attestation/aws/snp/testdata/report.txt index e413ca309..a5ed00a9b 100644 --- a/internal/attestation/aws/snp/testdata/report.txt +++ b/internal/attestation/aws/snp/testdata/report.txt @@ -1 +1 @@ -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 diff --git a/internal/attestation/aws/snp/testdata/testdata.go b/internal/attestation/aws/snp/testdata/testdata.go index 504693be7..61d14f154 100644 --- a/internal/attestation/aws/snp/testdata/testdata.go +++ b/internal/attestation/aws/snp/testdata/testdata.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package testdata contains testing data for an attestation process. @@ -15,7 +15,7 @@ import _ "embed" var SNPReport string // AKDigest holds the AK digest embedded in SNPReport.REPORT_DATA. -const AKDigest = "87ab7caf510e1b3520dc3cceb64ee44128e10976fb0d3fc5e274699d8aaf506154af4c1de0a026b49fdf861e9ac75551551b3534d1c61369a3b08f5baed0db2f" +const AKDigest = "032635613c8e331fa29e096371910fe6a1f69383dda02c9461400a70b66d87a3da5dd863002522be43afc34f2c233989bd6e401e351d10d7cc800d6f5dfcf019" // VLEK for SNPReport. // diff --git a/internal/attestation/aws/snp/testdata/vlek.pem b/internal/attestation/aws/snp/testdata/vlek.pem index 3f8be0331..96a1db26d 100644 --- a/internal/attestation/aws/snp/testdata/vlek.pem +++ b/internal/attestation/aws/snp/testdata/vlek.pem 
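Review bot: AKDigest is replaced in the same commit as report.txt and vlek.pem, but nothing in testdata.go records that the three fixtures only work as a set, so a later refresh of one of them without the others would show up only as an opaque verification failure in the validator tests. The existing comments already say AKDigest is embedded in SNPReport.REPORT_DATA and that the VLEK is for SNPReport; I would make the coupling explicit above the var block with `// SNPReport, AKDigest and the VLEK in vlek.pem are a matched set; regenerate all three together.` The var block and the VLEK declaration continue outside the hunk.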
@@ -1,30 +1,30 @@ -----BEGIN CERTIFICATE----- -MIIFIzCCAtegAwIBAgIBADBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAgUA -oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATAwgYAxFDASBgNVBAsM -C0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEgQ2xhcmEx -CzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZpY2VzMRcw -FQYDVQQDDA5TRVYtVkxFSy1NaWxhbjAeFw0yNDEyMTAyMjMwMTZaFw0yNTEyMTAy -MjMwMTZaMHoxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIG -A1UEBwwLU2FudGEgQ2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNl -ZCBNaWNybyBEZXZpY2VzMREwDwYDVQQDDAhTRVYtVkxFSzB2MBAGByqGSM49AgEG -BSuBBAAiA2IABJRw6hwLZt7KX95uPePz/3Gt/z9mm/32f0JpE2twW8w6DQ1xOPnW -YRLJeMSZNpaYW/NRpNf0vfy5IDQt44didvu+37x2aqyaneFiBh5jTxSg/2dCZ+bi -4eZw/p0Us7bubqOB8jCB7zAQBgkrBgEEAZx4AQEEAwIBADAUBgkrBgEEAZx4AQIE -BxYFTWlsYW4wEQYKKwYBBAGceAEDAQQDAgEEMBEGCisGAQQBnHgBAwIEAwIBADAR -BgorBgEEAZx4AQMEBAMCAQAwEQYKKwYBBAGceAEDBQQDAgEAMBEGCisGAQQBnHgB -AwYEAwIBADARBgorBgEEAZx4AQMHBAMCAQAwEQYKKwYBBAGceAEDAwQDAgEYMBIG -CisGAQQBnHgBAwgEBAICANkwLAYJKwYBBAGceAEFBB8WHUNOPWNjLWV1LXdlc3Qt -MS5hbWF6b25hd3MuY29tMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAICBQCh -HDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMAOCAgEAar1tA7vYelxK -uj+r7APOEPcAAoF7RWZs6ixDlXHuFVj2rfxqmxt8nqjedEKBfUGPCEsbAV+Z/bj9 -GqN+q5Bn1yk6RL/VqxTxTVhpa0G33R87UjE+S+42k6ENgddbl4hxws5g83Sn9All -/XjNPHmciWjmix4PJs5tZv+YaJ15BSBkJfrTRo+rX3UDKeqUHNoX+Cx6D7ECF/6k -ToFlHBEBqHKa2EzhNMK2UXm/vm0ATSaNHuDEGBvzbXflPmHZi1RZqQ7q9VMenFDx -JwAgnUrltcuLjKMID7c2yj+Emk/CBEEFoAJRfSoSvMdhqrNaRlbEqEnQ95C/XNPn -Mqtk5Ao/UVV5fRXYSt5oGKTBGhqTwv+Xqyei+/IgpcJyGPFbHVX9UPteP4RnSLiq -uJ3oRIvyEw+u6bkMNBBAjh4C+Jp2BVrLs1aC0h9fjfVEofWTb/NioJRigKTNfbao -sTy6tX8qoUSxtp/bIqK1jg1Y7eIDIMCgqnm0N+hJT7CnkwyCBUkOHmsExzQcthmg -y0J1J7bTA507rY5ZglNSRLCXqAfORVxIBwTaOXrJV2lMLScTUdnhFrVPFUAl7uCj -rKta1iGye+fieoYncdHLIVyIJGsTC+AbhPIAR2Zh847Sxw1SVOobTPc0wUIoKrOU -xR32EkufsNGLb8TiEsgpa2ulbw8xi6U= +MIIFLTCCAtygAwIBAgIBADBGBgkqhkiG9w0BAQowOaAPMA0GCWCGSAFlAwQCAgUA +oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATCjAwIBATCBgDEUMBIG 
+A1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYDVQQHDAtTYW50YSBD +bGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFuY2VkIE1pY3JvIERldmlj +ZXMxFzAVBgNVBAMMDlNFVi1WTEVLLU1pbGFuMB4XDTI0MDUwNTIxNDUyNloXDTI1 +MDUwNTIxNDUyNlowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVT +MRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFk +dmFuY2VkIE1pY3JvIERldmljZXMxETAPBgNVBAMMCFNFVi1WTEVLMHYwEAYHKoZI +zj0CAQYFK4EEACIDYgAEHCsA6v0QwdgijkHV1KnV+1wMqjVaITbdleQV40cnL6ZT +Pq3IsXeFGI9tq2a2EoDksTTqeo5a1ZDq2BiNA2cue0PlZhHkv2MK1cNPMDGAOddc +k7VNaqrRLUo84kn6tRXpo4HyMIHvMBAGCSsGAQQBnHgBAQQDAgEAMBQGCSsGAQQB +nHgBAgQHFgVNaWxhbjARBgorBgEEAZx4AQMBBAMCAQMwEQYKKwYBBAGceAEDAgQD +AgEAMBEGCisGAQQBnHgBAwQEAwIBADARBgorBgEEAZx4AQMFBAMCAQAwEQYKKwYB +BAGceAEDBgQDAgEAMBEGCisGAQQBnHgBAwcEAwIBADARBgorBgEEAZx4AQMDBAMC +ARUwEgYKKwYBBAGceAEDCAQEAgIA0TAsBgkrBgEEAZx4AQUEHxYdQ049Y2MtZXUt +d2VzdC0xLmFtYXpvbmF3cy5jb20wRgYJKoZIhvcNAQEKMDmgDzANBglghkgBZQME +AgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKIDAgEwowMCAQEDggIB +ACeJ78s9Nrdz+WtvsNAecT7+ztE8jpxLZdgacsPtf3xU/JfcQHhVUuy/Lp5rIQ7B +h1HalTrmuY7goRO1kTp/lobXyntWkit0d5nR6iNjzp/uHr8+qEym2WbYX1Jesang +BQX06XxXTmEphrHElTrp8BovYIsPejdY2nNUYV6fhrdTXEh+qLDGQmwjK12FG+hu +4AS+rev2V7H9uE1XKXsM4TTqvI1hT3E2ocN4KjfUBi7yL/BF97kXfdqZH48pPD4y +i7TbZ7S89UikrAv0ZtgGyXY8yR094YVjfbnUvyYTyh4fgV8a8Mxsb4yhPoOOxkUI +8tNBhM4LkTPkR/4+Y2Dg6maglZJ5Hb2WWWNkd0CZchZC80T7HIgHztINMnHULiYi +sNRtKeUAqUNtwy0d2YehX+v9HzueTfKtvxIy2oBfT1LCykvTQTibE3aCvFMkEiw8 +4CunpWfPAoZEzzJUTxLQ6PkdE4MVRTTuuOAVHTrtkIUOB6tlkgMzijqAdwzTDdIj +NGQxTm0Vd2h+zvZl2HnSCi6PMoZml5RwZHiZXKRC90bPn0Vk1XlYW1wMEFHTWQqo +tFH44eWyGIoTwSqcqATR/HklCoUP0wMe2sSsMemJMPwAXWW4fZxmee72OR4p6c+w +TGzR0J5WFdJ0g2Ix+NobBydNaJnQz4H5Y+/gZFUCRrWh -----END CERTIFICATE----- diff --git a/internal/attestation/aws/snp/validator.go b/internal/attestation/aws/snp/validator.go index 92431929f..c05c35cc6 100644 --- a/internal/attestation/aws/snp/validator.go +++ b/internal/attestation/aws/snp/validator.go 
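Review bot: The replacement certificate appears to carry an earlier notAfter than the one it replaces — decoding the base64 validity fields suggests roughly 2024-05-05 to 2025-05-05 on the new side against 2024-12-10 to 2025-12-10 on the removed side — so if the SNP validator checks the VLEK chain against wall-clock time, tests built on this fixture will start failing once that date passes, and the removed cert would have bought more time. I cannot tell from the diff whether the validator pins a verification time; if it does not, the test should set one explicitly rather than rely on the fixture being current. Either way the expiry should be recorded next to the `// VLEK for SNPReport.` comment in testdata.go, e.g. `// VLEK notAfter: <date from the certificate>` so the next breakage is diagnosable from the source alone.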
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp diff --git a/internal/attestation/aws/snp/validator_test.go b/internal/attestation/aws/snp/validator_test.go index 567791daf..84804a886 100644 --- a/internal/attestation/aws/snp/validator_test.go +++ b/internal/attestation/aws/snp/validator_test.go @@ -1,13 +1,14 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp import ( "bytes" + "context" "crypto" "crypto/x509" "encoding/base64" @@ -66,7 +67,7 @@ func TestGetTrustedKey(t *testing.T) { t.Run(name, func(t *testing.T) { assert := assert.New(t) out, err := validator().getTrustedKey( - t.Context(), + context.Background(), vtpm.AttestationDocument{ Attestation: &attest.Attestation{ AkPub: tc.akPub, diff --git a/internal/attestation/azure/azure.go b/internal/attestation/azure/azure.go index 655be1b2c..2fbe30567 100644 --- a/internal/attestation/azure/azure.go +++ b/internal/attestation/azure/azure.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/azure/azure_test.go b/internal/attestation/azure/azure_test.go index d73db409e..0e23f1fce 100644 --- a/internal/attestation/azure/azure_test.go +++ b/internal/attestation/azure/azure_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azure diff --git a/internal/attestation/azure/snp/imds.go b/internal/attestation/azure/snp/imds.go index 8a5547637..9b1c24cef 100644 --- a/internal/attestation/azure/snp/imds.go +++ b/internal/attestation/azure/snp/imds.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp 
diff --git a/internal/attestation/azure/snp/issuer.go b/internal/attestation/azure/snp/issuer.go index b3ab8bdf7..f0e8bb6f0 100644 --- a/internal/attestation/azure/snp/issuer.go +++ b/internal/attestation/azure/snp/issuer.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp diff --git a/internal/attestation/azure/snp/issuer_test.go b/internal/attestation/azure/snp/issuer_test.go index 45116303c..224937be2 100644 --- a/internal/attestation/azure/snp/issuer_test.go +++ b/internal/attestation/azure/snp/issuer_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp @@ -82,7 +82,7 @@ func TestGetSNPAttestation(t *testing.T) { data := []byte("data") - attestationJSON, err := issuer.getInstanceInfo(t.Context(), nil, data) + attestationJSON, err := issuer.getInstanceInfo(context.Background(), nil, data) if tc.wantErr { assert.Error(err) return diff --git a/internal/attestation/azure/snp/maa.go b/internal/attestation/azure/snp/maa.go index a51348925..2cf82766a 100644 --- a/internal/attestation/azure/snp/maa.go +++ b/internal/attestation/azure/snp/maa.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp diff --git a/internal/attestation/azure/snp/snp.go b/internal/attestation/azure/snp/snp.go index 84895748b..8c109d25a 100644 --- a/internal/attestation/azure/snp/snp.go +++ b/internal/attestation/azure/snp/snp.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/azure/snp/validator.go b/internal/attestation/azure/snp/validator.go index 701f526ff..d3563d06a 100644 --- a/internal/attestation/azure/snp/validator.go +++ b/internal/attestation/azure/snp/validator.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp diff --git a/internal/attestation/azure/snp/validator_test.go b/internal/attestation/azure/snp/validator_test.go index 9b382fb08..95f9678b5 100644 --- a/internal/attestation/azure/snp/validator_test.go +++ b/internal/attestation/azure/snp/validator_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp @@ -182,7 +182,7 @@ func TestCheckIDKeyDigest(t *testing.T) { report := reportWithIDKeyDigest(tc.idKeyDigest) validator := newTestValidator(cfg, tc.validateMaaTokenErr) - err := validator.checkIDKeyDigest(t.Context(), report, "", nil) + err := validator.checkIDKeyDigest(context.Background(), report, "", nil) if tc.wantErr { require.Error(err) } else { @@ -650,7 +650,7 @@ func TestTrustedKeyFromSNP(t *testing.T) { attestationValidator: tc.validator, } - key, err := validator.getTrustedKey(t.Context(), attDoc, nil) + key, err := validator.getTrustedKey(context.Background(), attDoc, nil) if tc.wantErr { assert.Error(err) if tc.assertion != nil { diff --git a/internal/attestation/azure/tdx/issuer.go b/internal/attestation/azure/tdx/issuer.go index 1cb051694..082616635 100644 --- a/internal/attestation/azure/tdx/issuer.go +++ b/internal/attestation/azure/tdx/issuer.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package tdx diff --git a/internal/attestation/azure/tdx/issuer_test.go b/internal/attestation/azure/tdx/issuer_test.go index dcb248aac..e57e63aa0 100644 --- a/internal/attestation/azure/tdx/issuer_test.go +++ b/internal/attestation/azure/tdx/issuer_test.go 
@@ -1,13 +1,14 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package tdx import ( "bytes" + "context" "encoding/binary" "encoding/json" "io" @@ -134,7 +135,7 @@ func TestIMDSGetQuote(t *testing.T) { client: tc.client, } - _, err := quoteGetter.getQuote(t.Context(), []byte("test")) + _, err := quoteGetter.getQuote(context.Background(), []byte("test")) if tc.wantErr { assert.Error(err) } else { diff --git a/internal/attestation/azure/tdx/tdx.go b/internal/attestation/azure/tdx/tdx.go index cbf34b4a4..eaee6161a 100644 --- a/internal/attestation/azure/tdx/tdx.go +++ b/internal/attestation/azure/tdx/tdx.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/azure/tdx/testdata/testdata.go b/internal/attestation/azure/tdx/testdata/testdata.go index 08902b9eb..eaccd11a2 100644 --- a/internal/attestation/azure/tdx/testdata/testdata.go +++ b/internal/attestation/azure/tdx/testdata/testdata.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package testdata contains testing data for an attestation process. diff --git a/internal/attestation/azure/tdx/validator.go b/internal/attestation/azure/tdx/validator.go index 2dedf2390..6a496f2bb 100644 --- a/internal/attestation/azure/tdx/validator.go +++ b/internal/attestation/azure/tdx/validator.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package tdx diff --git a/internal/attestation/azure/trustedlaunch/issuer.go b/internal/attestation/azure/trustedlaunch/issuer.go index eaccfc06d..f62a88104 100644 --- a/internal/attestation/azure/trustedlaunch/issuer.go +++ b/internal/attestation/azure/trustedlaunch/issuer.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package trustedlaunch diff --git a/internal/attestation/azure/trustedlaunch/trustedlaunch.go b/internal/attestation/azure/trustedlaunch/trustedlaunch.go index 822ee86e9..8959bc32f 100644 --- a/internal/attestation/azure/trustedlaunch/trustedlaunch.go +++ b/internal/attestation/azure/trustedlaunch/trustedlaunch.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/azure/trustedlaunch/trustedlaunch_test.go b/internal/attestation/azure/trustedlaunch/trustedlaunch_test.go index 1fe9a3989..a3bef9ed9 100644 --- a/internal/attestation/azure/trustedlaunch/trustedlaunch_test.go +++ b/internal/attestation/azure/trustedlaunch/trustedlaunch_test.go @@ -1,13 +1,14 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package trustedlaunch import ( "bytes" + "context" "crypto/rand" "crypto/rsa" "crypto/x509" @@ -191,7 +192,7 @@ func TestGetAttestationCert(t *testing.T) { issuer := NewIssuer(logger.NewTest(t)) issuer.hClient = newTestClient(tc.crlServer) - certs, err := issuer.getAttestationCert(t.Context(), tpm, nil) + certs, err := issuer.getAttestationCert(context.Background(), tpm, nil) if tc.wantIssueErr { assert.Error(err) return @@ -212,7 +213,7 @@ func TestGetAttestationCert(t *testing.T) { roots.AddCert(cert) validator.roots = roots - key, err := validator.verifyAttestationKey(t.Context(), attDoc, nil) + key, err := validator.verifyAttestationKey(context.Background(), attDoc, nil) if tc.wantValidateErr { assert.Error(err) return diff --git a/internal/attestation/azure/trustedlaunch/validator.go b/internal/attestation/azure/trustedlaunch/validator.go index 4cdefb580..368db8368 100644 --- a/internal/attestation/azure/trustedlaunch/validator.go 
+++ b/internal/attestation/azure/trustedlaunch/validator.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package trustedlaunch
diff --git a/internal/attestation/choose/choose.go b/internal/attestation/choose/choose.go
index 6918210b2..7d0e48010 100644
--- a/internal/attestation/choose/choose.go
+++ b/internal/attestation/choose/choose.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package choose
diff --git a/internal/attestation/choose/choose_test.go b/internal/attestation/choose/choose_test.go
index 6cc20cdb8..31454d2c9 100644
--- a/internal/attestation/choose/choose_test.go
+++ b/internal/attestation/choose/choose_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package choose
diff --git a/internal/attestation/gcp/es/es.go b/internal/attestation/gcp/es/es.go
index b3c9f2645..7a6dfe446 100644
--- a/internal/attestation/gcp/es/es.go
+++ b/internal/attestation/gcp/es/es.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/internal/attestation/gcp/es/issuer.go b/internal/attestation/gcp/es/issuer.go
index 935bc99eb..bbee2f5c3 100644
--- a/internal/attestation/gcp/es/issuer.go
+++ b/internal/attestation/gcp/es/issuer.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package es
diff --git a/internal/attestation/gcp/es/issuer_test.go b/internal/attestation/gcp/es/issuer_test.go
index 203466f65..d8d0075de 100644
--- a/internal/attestation/gcp/es/issuer_test.go
+++ b/internal/attestation/gcp/es/issuer_test.go
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package es @@ -67,7 +67,7 @@ func TestGetGCEInstanceInfo(t *testing.T) { require := require.New(t) var tpm io.ReadWriteCloser - out, err := gcp.GCEInstanceInfo(tc.client)(t.Context(), tpm, nil) + out, err := gcp.GCEInstanceInfo(tc.client)(context.Background(), tpm, nil) if tc.wantErr { assert.Error(err) } else { diff --git a/internal/attestation/gcp/es/validator.go b/internal/attestation/gcp/es/validator.go index c846dfdf4..4177b6f0a 100644 --- a/internal/attestation/gcp/es/validator.go +++ b/internal/attestation/gcp/es/validator.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package es diff --git a/internal/attestation/gcp/es/validator_test.go b/internal/attestation/gcp/es/validator_test.go index fc3783594..3fa35da7e 100644 --- a/internal/attestation/gcp/es/validator_test.go +++ b/internal/attestation/gcp/es/validator_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package es @@ -153,7 +153,7 @@ Y+t5OxL3kL15VzY1Ob0d5cMCAwEAAQ== getTrustedKey, err := gcp.TrustedKeyGetter(variant.GCPSEVES{}, tc.getClient) require.NoError(t, err) - out, err := getTrustedKey(t.Context(), attDoc, nil) + out, err := getTrustedKey(context.Background(), attDoc, nil) if tc.wantErr { assert.Error(err) diff --git a/internal/attestation/gcp/gcp.go b/internal/attestation/gcp/gcp.go index ce84a7222..113222dda 100644 --- a/internal/attestation/gcp/gcp.go +++ b/internal/attestation/gcp/gcp.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/gcp/metadata.go b/internal/attestation/gcp/metadata.go index f158933db..471eceb99 100644 
--- a/internal/attestation/gcp/metadata.go
+++ b/internal/attestation/gcp/metadata.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package gcp
diff --git a/internal/attestation/gcp/restclient.go b/internal/attestation/gcp/restclient.go
index dd75b8569..1a9c277f3 100644
--- a/internal/attestation/gcp/restclient.go
+++ b/internal/attestation/gcp/restclient.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package gcp
diff --git a/internal/attestation/gcp/snp/issuer.go b/internal/attestation/gcp/snp/issuer.go
index a5b26a569..215b21c8d 100644
--- a/internal/attestation/gcp/snp/issuer.go
+++ b/internal/attestation/gcp/snp/issuer.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package snp
diff --git a/internal/attestation/gcp/snp/snp.go b/internal/attestation/gcp/snp/snp.go
index d1e42728f..ede60f205 100644
--- a/internal/attestation/gcp/snp/snp.go
+++ b/internal/attestation/gcp/snp/snp.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/internal/attestation/gcp/snp/validator.go b/internal/attestation/gcp/snp/validator.go
index 2dffff7b6..c178c14ea 100644
--- a/internal/attestation/gcp/snp/validator.go
+++ b/internal/attestation/gcp/snp/validator.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package snp
diff --git a/internal/attestation/idkeydigest/idkeydigest.go b/internal/attestation/idkeydigest/idkeydigest.go
index 4e97c6ef0..45b5a54c0 100644
--- a/internal/attestation/idkeydigest/idkeydigest.go
+++ b/internal/attestation/idkeydigest/idkeydigest.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package idkeydigest provides type definitions for the `idkeydigest` value of SEV-SNP attestation.
diff --git a/internal/attestation/idkeydigest/idkeydigest_test.go b/internal/attestation/idkeydigest/idkeydigest_test.go
index 85ea0bf73..9f83b20e7 100644
--- a/internal/attestation/idkeydigest/idkeydigest_test.go
+++ b/internal/attestation/idkeydigest/idkeydigest_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package idkeydigest
diff --git a/internal/attestation/initialize/initialize.go b/internal/attestation/initialize/initialize.go
index 5916e6a87..65bfe349c 100644
--- a/internal/attestation/initialize/initialize.go
+++ b/internal/attestation/initialize/initialize.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package initialize implements functions to mark a node as initialized in the context of cluster attestation.
diff --git a/internal/attestation/initialize/initialize_test.go b/internal/attestation/initialize/initialize_test.go
index a3e386fd4..bd31e60f0 100644
--- a/internal/attestation/initialize/initialize_test.go
+++ b/internal/attestation/initialize/initialize_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package initialize
diff --git a/internal/attestation/measurements/fetchmeasurements.go b/internal/attestation/measurements/fetchmeasurements.go
index 4c7d1026a..7720d1a59 100644
--- a/internal/attestation/measurements/fetchmeasurements.go
+++ b/internal/attestation/measurements/fetchmeasurements.go
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measurements diff --git a/internal/attestation/measurements/fetchmeasurements_test.go b/internal/attestation/measurements/fetchmeasurements_test.go index e9af9edb2..d79a77a41 100644 --- a/internal/attestation/measurements/fetchmeasurements_test.go +++ b/internal/attestation/measurements/fetchmeasurements_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measurements @@ -141,7 +141,7 @@ func TestFetchMeasurements(t *testing.T) { t.Run(name, func(t *testing.T) { assert := assert.New(t) sut := NewVerifyFetcher(tc.cosign, tc.rekor, client) - m, err := sut.FetchAndVerifyMeasurements(t.Context(), "v999.999.999", cloudprovider.GCP, variant.GCPSEVES{}, tc.noVerify) + m, err := sut.FetchAndVerifyMeasurements(context.Background(), "v999.999.999", cloudprovider.GCP, variant.GCPSEVES{}, tc.noVerify) if tc.wantErr { assert.Error(err) if tc.asRekorErr { diff --git a/internal/attestation/measurements/measurement-generator/generate.go b/internal/attestation/measurements/measurement-generator/generate.go index f5c71a8e4..bdb8e943f 100644 --- a/internal/attestation/measurements/measurement-generator/generate.go +++ b/internal/attestation/measurements/measurement-generator/generate.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/internal/attestation/measurements/measurement-generator/generate_test.go b/internal/attestation/measurements/measurement-generator/generate_test.go index c7ea5df5c..e55c3c1ef 100644 --- a/internal/attestation/measurements/measurement-generator/generate_test.go +++ b/internal/attestation/measurements/measurement-generator/generate_test.go 
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package main
diff --git a/internal/attestation/measurements/measurements.go b/internal/attestation/measurements/measurements.go
index 13a881996..f332626cc 100644
--- a/internal/attestation/measurements/measurements.go
+++ b/internal/attestation/measurements/measurements.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/internal/attestation/measurements/measurements_enterprise.go b/internal/attestation/measurements/measurements_enterprise.go
index c75aac10c..c5cd8575b 100644
--- a/internal/attestation/measurements/measurements_enterprise.go
+++ b/internal/attestation/measurements/measurements_enterprise.go
@@ -3,7 +3,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package measurements
@@ -19,14 +19,14 @@ package measurements // revive:disable:var-naming var ( - aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x83, 0xf4, 0x0d, 0x68, 0x07, 0x78, 0x2e, 0xbc, 0x58, 0xba, 0x0a, 0x38, 0xe5, 0xd2, 0x40, 0xca, 0x08, 0x38, 0x32, 0x7b, 0x71, 0x60, 0xdb, 0xa3, 0xcb, 0x73, 0xe4, 0x89, 0xb1, 0xb6, 0x20, 0x14}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xb8, 0xc3, 0xc9, 0x07, 0xca, 0xba, 0x64, 0xf1, 0x8d, 0x62, 0x8e, 0xb6, 0xce, 0xa5, 0xeb, 0xb0, 0xc9, 0xb7, 0x84, 0x62, 0x36, 0x87, 0x48, 0x64, 0xe0, 0xd2, 0x40, 0x20, 0x49, 0x0a, 0xe3, 0xaf}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x86, 0xaa, 0x0b, 0x4d, 0x17, 0xa5, 0x3a, 0xac, 0xd2, 0x48, 0xf4, 0x7b, 0xd3, 0x4a, 0x71, 0x26, 0x31, 0x9a, 0x2b, 0xd3, 0x6a, 0x55, 0x1e, 0x40, 0x2d, 0x09, 0x54, 0x7f, 0x1b, 0xb0, 0xb3, 0x9d}, 
ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - aws_AWSSEVSNP = M{0: {Expected: []byte{0xd6, 0xdf, 0x85, 0x53, 0x58, 0xf5, 0xb1, 0x0f, 0x06, 0xf0, 0xfa, 0xb3, 0xf4, 0x08, 0xad, 0x26, 0xcd, 0x16, 0x5a, 0x29, 0x49, 0xba, 0xd6, 0x9e, 0x2c, 0xc7, 0x56, 0x92, 0x52, 0x9e, 0x66, 0x2a}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x80, 0x32, 0xb3, 0x6e, 0x97, 0xc8, 0xdb, 0x00, 0x31, 0x64, 0x43, 0x0b, 0x5c, 0x38, 0x71, 0xfc, 0x23, 0x2b, 0xd3, 0x4a, 0x46, 0xf9, 0x2d, 0xb0, 0x5d, 0xce, 0xcd, 0x9f, 0xc0, 0xb1, 0x1c, 0x14}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x75, 0x35, 0xea, 0x3a, 0xf3, 0x04, 0xf0, 0x0b, 0x52, 0x6f, 0x71, 0x23, 0x67, 0xc9, 0x21, 0x45, 0xc6, 0x20, 0x09, 0x35, 0x26, 0x50, 0x2b, 0x23, 0x3c, 0x24, 0xf3, 0x98, 0x8b, 0xcd, 0xc6, 0x08}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xd6, 0xc1, 0x6f, 0x1b, 0xdb, 0x10, 0x7e, 0xf9, 0xb9, 0xd1, 0xa3, 0x15, 0x34, 0x12, 0xc6, 0x4e, 0x0e, 0xb1, 0x9f, 0x80, 0xfe, 0x11, 0x3e, 0x77, 0xa2, 0x50, 0x69, 0xf8, 0x6d, 0x10, 0x64, 0x7a}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 
0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xce, 0xba, 0xca, 0x6b, 0x62, 0xf8, 0x8c, 0xdd, 0x60, 0x5d, 0x1c, 0x83, 0xf5, 0x7a, 0x90, 0x63, 0x13, 0xc5, 0x6e, 0xf0, 0x4e, 0xbb, 0xe8, 0x27, 0x1a, 0x2c, 0x80, 0xb1, 0x37, 0x80, 0x4a, 0xe7}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x36, 0x98, 0x45, 0x6f, 0x38, 0x75, 0x94, 0x51, 0xa3, 0x18, 0x29, 0xfe, 0x0e, 0xe8, 0xd1, 0x0e, 0xea, 0x71, 0x6f, 0x1c, 0x7c, 0x17, 0xb3, 0xef, 0xfb, 0x7f, 0x7f, 0xa7, 0x8b, 0x3f, 0x6f, 0xa5}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x40, 0xca, 0x82, 0xca, 0xb3, 0x6d, 0xaf, 0xee, 0x1a, 0x0a, 0xb4, 0xc1, 0x27, 0x6c, 0x09, 0x32, 0x50, 0x25, 0xdd, 0x2d, 0x60, 0x53, 0xc7, 0x22, 0x3c, 0x6f, 0x86, 0x82, 0xb1, 0xfe, 0x3d, 0xb6}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xfa, 0xb8, 0x2f, 0xd2, 0xb8, 0x5a, 0x9c, 0x1b, 0x99, 0x60, 0xc9, 0xa4, 0x39, 0xb2, 0x9a, 0x98, 0x97, 0x7a, 0x96, 0xe8, 0x70, 0xcd, 0xb7, 0x10, 0xcf, 0x5e, 0xa3, 0xd1, 0x65, 0x3f, 0x4a, 0xa3}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x52, 0x09, 0x57, 0xf9, 0xd3, 0x96, 0x52, 0xe5, 0xb4, 0xaf, 0xe6, 0x83, 0x9a, 0x57, 0xa8, 0xaf, 0x48, 0x00, 0x43, 0x61, 0x37, 0x5f, 0x1e, 0x8c, 0xfa, 0xee, 0xc3, 0x93, 0x95, 0x8f, 0x23, 0x6e}, 
ValidationOpt: Enforce}, 11: {Expected: []byte{0xef, 0x93, 0x5f, 0xb3, 0xb4, 0x39, 0x49, 0xe5, 0x91, 0x12, 0xfe, 0x1e, 0x82, 0x7c, 0xd1, 0xca, 0xaf, 0x4f, 0xe1, 0x49, 0xe6, 0x28, 0x77, 0xb5, 0xea, 0x62, 0x77, 0xd6, 0x35, 0xac, 0x82, 0x0c}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x43, 
0xb6, 0xdb, 0x79, 0x3d, 0xb5, 0x57, 0x9e, 0x94, 0xe7, 0xc6, 0x87, 0x64, 0x7f, 0x65, 0xf6, 0x75, 0x04, 0x21, 0x2c, 0x49, 0x12, 0x9d, 0x1f, 0xb2, 0x17, 0x81, 0x9d, 0x00, 0x14, 0x41, 0x2f}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xb2, 0x5e, 0x20, 0xb7, 0x03, 0xdf, 0x40, 0x70, 0x5a, 0xcb, 0x96, 0x80, 0x90, 0x42, 0x2d, 0x5a, 0xb7, 0x2c, 0x21, 0x67, 0x16, 0x63, 0xa6, 0x0a, 0x99, 0x56, 0xb0, 0x7f, 0x62, 0x37, 0x00, 0x96}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x6f, 0x38, 0x6d, 0xcd, 0xb9, 0x26, 0x82, 0x82, 0xbe, 0x59, 0x8a, 0x09, 0x7b, 0xb2, 0xeb, 0x64, 0xfc, 0xf6, 0x9b, 0xcd, 0x6c, 0x3e, 0x1d, 0x42, 0x52, 0xd2, 0xb8, 0xaa, 0x17, 0x77, 0x65, 0x16}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSSEVSNP = M{0: {Expected: []byte{0xd6, 0xdf, 0x85, 0x53, 0x58, 0xf5, 0xb1, 0x0f, 0x06, 0xf0, 0xfa, 0xb3, 0xf4, 0x08, 0xad, 0x26, 0xcd, 0x16, 0x5a, 0x29, 0x49, 0xba, 0xd6, 0x9e, 0x2c, 0xc7, 0x56, 0x92, 0x52, 0x9e, 0x66, 0x2a}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x0e, 0xe6, 0x59, 0x44, 0xc6, 0x86, 0x71, 0xc1, 0x51, 0x19, 0xf6, 0x54, 0xc2, 0x1a, 0xfa, 0xd2, 0xd0, 0x71, 0xcd, 0xde, 0x5a, 0x3c, 0x39, 0x5c, 0xce, 0xa7, 0x24, 0xf3, 0x6c, 0xc4, 0x68, 0x4a}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x8a, 0xb8, 0x86, 0xf4, 0x16, 0x80, 0xc1, 0x34, 0x96, 0x5b, 0x25, 0xbc, 0x48, 0xb3, 0x0c, 0x58, 0x64, 0x1a, 0x96, 0xab, 0x29, 0xf1, 0x00, 0xef, 0x89, 0x2a, 0x1a, 0x13, 0xca, 0x4c, 0xda, 0x24}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x28, 0x3d, 0x92, 0xa3, 0x77, 0x42, 0xf8, 0x3c, 0x4b, 0xa2, 0xda, 0xad, 0xdf, 0x5e, 0xf9, 0x1f, 0x9c, 0x9e, 0x29, 0x3b, 0xd4, 0x4b, 0x14, 0x1f, 
0xab, 0x68, 0x83, 0xe3, 0x05, 0x65, 0x3a, 0x57}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xb0, 0x68, 0xed, 0x70, 0x71, 0x65, 0xb3, 0x8f, 0x99, 0x8e, 0xdb, 0xec, 0x60, 0xc9, 0x6b, 0x94, 0x47, 0x94, 0x04, 0x19, 0x4d, 0xf5, 0x03, 0xee, 0xcf, 0x8d, 0x80, 0x69, 0xe5, 0x81, 0x80, 0xee}, 
ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x30, 0xe5, 0x78, 0x5f, 0xd9, 0x93, 0xd0, 0x57, 0x9c, 0x05, 0x57, 0x14, 0xf4, 0xa1, 0xf9, 0xed, 0x36, 0x56, 0xfb, 0xbb, 0x21, 0x2e, 0x47, 0x40, 0x70, 0xed, 0x2f, 0xd9, 0x61, 0xb6, 0x02, 0x36}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xe2, 0x58, 0xa4, 0xa5, 0x71, 0x07, 0xee, 0x35, 0x40, 0x6b, 0x4b, 0x01, 0x51, 0xb0, 0xdc, 0x63, 0x9f, 0x73, 0x1e, 0x52, 0x37, 0xb8, 0x93, 0x8b, 0x83, 0x25, 0x63, 0x58, 0xe7, 0xd4, 0xd5, 0x4b}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xc5, 0xd9, 0xad, 0x81, 0x3f, 0x92, 0xd3, 0xc6, 0x49, 0x12, 0x47, 0x13, 0x88, 0x40, 0xf1, 0x5f, 0x28, 0xd8, 0x12, 0x34, 0xc9, 0xc2, 0x12, 0x7c, 0xd0, 0x95, 0x32, 0x10, 0xf3, 0x8d, 0x16, 0x95}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xf1, 0x22, 0xd0, 0x9a, 0xe9, 0xd9, 0x54, 0x60, 0x15, 0x40, 0xb7, 0x38, 0xda, 0xc2, 0xdc, 0x6e, 0x53, 0xc5, 0xa7, 0x4a, 0xdc, 0x13, 0x87, 0xe4, 0x95, 0x96, 0x58, 0x10, 0x6a, 0x27, 0xe7, 0x4c}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x16, 0x06, 0xaa, 0xdb, 0xfd, 0x18, 0x7c, 0xa8, 0xb5, 0xcd, 0xd7, 0x2a, 0x17, 0x66, 0xea, 0x55, 0x1f, 0xfd, 0x1c, 0x80, 0x49, 0xd9, 0x32, 0xc9, 0x94, 0x78, 0xa4, 0x76, 0x13, 0x8c, 0x32, 0xf1}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} azure_AzureTrustedLaunch M - gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x9b, 0xe6, 0x20, 0xb1, 0x7b, 0xf8, 0x27, 0x0a, 0xfa, 0x5f, 0x78, 0x9b, 0x4d, 0xf1, 0xd7, 0x46, 0x73, 0xea, 0xed, 0x9d, 0x1c, 0xcd, 0x28, 0xe4, 0x2e, 0xf7, 0xde, 0x25, 0x3c, 0xd0, 0x20, 0x42}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x5b, 0x0f, 0x9d, 0xb9, 0x9f, 0x9f, 0x34, 0x26, 0x5f, 0x55, 0xb1, 0x77, 0x7e, 0x5a, 0x53, 0x7a, 0x64, 0xd0, 0x6d, 0x5e, 0x2a, 
0x2a, 0xd2, 0x13, 0x56, 0x45, 0x5f, 0x91, 0x56, 0x3a, 0x59, 0x87}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x43, 0x78, 0x87, 0x75, 0x09, 0x08, 0x2c, 0x89, 0x53, 0x6b, 0xa7, 0x5e, 0x68, 0x81, 0x63, 0x3f, 0x47, 0x63, 0x9b, 0x6e, 0x5d, 0x62, 0x04, 0x9c, 0x34, 0x31, 0x65, 0x09, 0xcb, 0xef, 0xa8, 0x90}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - gcp_GCPSEVSNP = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 
0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xcf, 0x2d, 0x2c, 0x25, 0x5c, 0xa1, 0xa5, 0x34, 0xc2, 0xd1, 0x37, 0x0f, 0xc3, 0x81, 0x4f, 0x14, 0x84, 0xd7, 0x5b, 0x25, 0x28, 0xde, 0x47, 0x42, 0x39, 0x66, 0xb3, 0xaa, 0x7a, 0xb6, 0x66, 0x67}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xf3, 0x15, 0x4c, 0xa7, 0x2c, 0xad, 0x80, 0x3c, 0x27, 0x9b, 0x9e, 0xba, 0x10, 0x6d, 0x83, 0xcd, 0x3a, 0x23, 0x54, 0xe4, 0x20, 0xab, 0x28, 0x68, 0x5c, 0x17, 0xa0, 0x81, 0xce, 0x9f, 0x25, 0xa2}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x81, 0x9d, 0xa9, 0xf1, 0xe9, 0x2e, 0x00, 0x90, 0xec, 0x04, 0xec, 0x64, 0xe3, 0x8e, 0x05, 0xcb, 0xc8, 0x4c, 0xfa, 0xde, 0x56, 0xc0, 0x97, 0xcd, 0xe1, 0xcc, 0xd3, 0xe9, 0x8c, 0x35, 0x91, 0x1c}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - openstack_QEMUVTPM = M{4: {Expected: []byte{0x5a, 0xaa, 0xd6, 0xeb, 0xb2, 0x69, 0x42, 0xc4, 0x26, 0xce, 0x6a, 0xe0, 0xa6, 0xa2, 0x49, 0x50, 0xab, 0x3f, 0x0c, 0x21, 0x9e, 0x50, 0x9e, 0xfc, 0x41, 0x76, 0x56, 0x93, 0x5d, 0x0e, 0x7c, 0xf4}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xae, 0x0e, 0x32, 0xa7, 0xc7, 0x35, 0xc2, 0x43, 0xf9, 0x6b, 0xcb, 0x5f, 0x72, 0xce, 0x2a, 0x21, 0x58, 0x72, 0xf4, 0x4e, 0x1f, 0xdf, 0x4c, 0xb4, 0x39, 0x32, 0xbd, 0x52, 0xf1, 0x9a, 0xae, 0xa2}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x4b, 0xb5, 0xfd, 0x12, 0xbb, 0x96, 0xa9, 0xbf, 0x2d, 0x86, 0x09, 0x7e, 0xec, 0x25, 0xc1, 0xa5, 0x2e, 0x60, 0xcc, 0xfe, 0x84, 0xf1, 0x03, 0x8c, 0x9a, 0x84, 0xb9, 0x31, 0x2f, 0xc4, 0xa2, 0x9f}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x2b, 0x4d, 0x39, 0xd2, 0x79, 0x27, 0xe8, 0xff, 0x7a, 0x3e, 0x96, 0x70, 0x4a, 0xc3, 0x47, 0x26, 0xeb, 0x39, 0x7d, 0x2e, 0xbb, 0xae, 0xf6, 0x7d, 0xab, 0x3e, 0x2d, 0x05, 0x20, 0xf9, 0x02, 0xa1}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xb8, 0xf3, 0xd9, 0x17, 0xe7, 0x91, 0x90, 0x76, 0xae, 0x7a, 0xce, 0x48, 0x4f, 0xaf, 0xdd, 0x9f, 0xd3, 0x78, 0x60, 0x93, 0x5f, 0x72, 0xec, 0x57, 0x90, 0xa0, 0x2b, 0x1d, 0x5c, 0xc3, 0xc5, 0x0f}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xec, 0x9a, 0xab, 0xe9, 0xd9, 0xd8, 0xd9, 0xd6, 0x63, 0x9d, 0x78, 0x20, 0x16, 0x92, 0xe2, 0xf4, 0xcb, 0xec, 0xf6, 0xfc, 0x0e, 0xe2, 0x80, 
0xe8, 0xf7, 0x7a, 0x03, 0xb3, 0x6c, 0x5e, 0x3e, 0x3b}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + gcp_GCPSEVSNP = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x12, 0x98, 0x00, 0x8f, 0xa6, 0x82, 0x7e, 0x80, 0x7b, 0x10, 0xe7, 0xcd, 0xbb, 0x8c, 0x97, 0x93, 0xc1, 0xa9, 0x8b, 0x50, 0x99, 0x1a, 0x7c, 0x24, 0xdf, 0x0a, 0xa7, 0x8c, 0xe3, 0xed, 0xd5, 0xfe}, 
ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x18, 0x1f, 0xdb, 0x21, 0xad, 0xba, 0x89, 0x6c, 0xbf, 0x52, 0x68, 0x26, 0x67, 0x1a, 0xd4, 0xb6, 0x05, 0x8b, 0x70, 0x42, 0xab, 0x26, 0x63, 0x49, 0xfd, 0x5d, 0x9f, 0xbe, 0xea, 0xa4, 0x12, 0x03}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xb9, 0xa0, 0x6c, 0x3f, 0x1b, 0x95, 0xc5, 0x5e, 0x38, 0x80, 0xb0, 0x12, 0x41, 0x88, 0x66, 0x43, 0x9c, 0xa2, 0xc0, 0x65, 0x29, 0x9c, 0x93, 0x14, 0xfe, 0x49, 0x3b, 0x0f, 0xff, 0xdd, 0xcc, 0xec}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + openstack_QEMUVTPM = M{4: {Expected: []byte{0xc3, 
0xb3, 0x01, 0x07, 0x71, 0x61, 0x37, 0x66, 0x56, 0xa1, 0xce, 0x51, 0x93, 0x14, 0xd9, 0x59, 0xbf, 0x7a, 0xc3, 0xd0, 0x9f, 0xd8, 0x34, 0xb7, 0x7a, 0x0b, 0x48, 0xc1, 0xc2, 0xa1, 0x6e, 0x83}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x13, 0x34, 0x8c, 0x05, 0x86, 0xea, 0xa6, 0x22, 0xcf, 0x06, 0xf6, 0x50, 0x75, 0xea, 0x85, 0xba, 0x3d, 0x95, 0xe8, 0xcf, 0x43, 0x77, 0x63, 0xec, 0x44, 0x3e, 0xb9, 0xea, 0x22, 0x48, 0x6a, 0xcd}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xd9, 0x3b, 0x0b, 0x33, 0x44, 0x05, 0x9e, 0x42, 0x82, 0xf0, 0xdf, 0xe5, 0x77, 0x60, 0x01, 0x67, 0x9e, 0xfe, 0x49, 0xe4, 0x7a, 0xd0, 0x4b, 0xb8, 0xc7, 0x4d, 0xc1, 0x5c, 0xad, 0x23, 0x80, 0x09}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} qemu_QEMUTDX M - qemu_QEMUVTPM = M{4: {Expected: []byte{0x3e, 0x27, 0xe0, 0xd0, 0xe9, 0xa1, 0xf0, 0x29, 
0xfd, 0xf7, 0x5f, 0x43, 0xab, 0x98, 0xef, 0x76, 0x34, 0x8f, 0xbe, 0xb4, 0x70, 0x9f, 0xe6, 0x7d, 0xc8, 0xc5, 0xdb, 0xd8, 0x32, 0xe0, 0xe6, 0xae}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xb7, 0x5d, 0x3e, 0xd8, 0xb8, 0x2d, 0xb8, 0x28, 0xf5, 0xa9, 0xbe, 0x34, 0xca, 0xc9, 0xe3, 0x5f, 0x53, 0x2b, 0xc3, 0xfc, 0xbf, 0xd4, 0xe6, 0xe9, 0x58, 0xe7, 0x66, 0x4d, 0x57, 0xb6, 0xc1, 0xd3}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x16, 0x5e, 0x9e, 0xf3, 0xaa, 0x15, 0xce, 0x50, 0x06, 0x15, 0xbe, 0xbd, 0x54, 0x5f, 0x0b, 0x7e, 0x55, 0xf8, 0x91, 0xd8, 0x86, 0xb4, 0x39, 0xb0, 0x44, 0x37, 0x77, 0x96, 0xd8, 0x00, 0xde, 0xb1}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + qemu_QEMUVTPM = M{4: {Expected: []byte{0xbd, 0xcc, 0xb5, 0x34, 0x12, 0xbf, 0xbf, 0x08, 0x7f, 0xb1, 0xe6, 0xe8, 0x23, 0x42, 0xa4, 0xc0, 0x1a, 0xe4, 0xc6, 0x0d, 0x97, 0x44, 0x0b, 0xb7, 0xba, 0x03, 0x02, 0x84, 0xf3, 0xea, 0x0a, 0xad}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xd1, 0xf1, 0x0f, 0x36, 0x4a, 0xc9, 0x50, 0xa6, 0xb4, 0x22, 0x5e, 0xcf, 0x87, 0xd2, 0x12, 0xdd, 0xaa, 0x3d, 0xff, 0xc0, 0x59, 0xfb, 0xc3, 0xf5, 0x7a, 0xe7, 0xfb, 0x8e, 0x74, 0xf2, 0x6a, 0x2f}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xa5, 0x8e, 0x1a, 0xe6, 0x7d, 0x24, 0x42, 0xd3, 0xc9, 0xeb, 0xef, 0x0c, 0x86, 0x21, 0xc3, 0x05, 0x9b, 0xae, 0x83, 0x77, 0x6f, 0x4e, 0xd8, 0xc8, 0x4d, 0x66, 0x11, 0xf7, 0x61, 0x48, 0x6a, 0x3d}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} ) diff --git a/internal/attestation/measurements/measurements_oss.go b/internal/attestation/measurements/measurements_oss.go index 895a5d258..0ef7ce640 100644 --- a/internal/attestation/measurements/measurements_oss.go +++ b/internal/attestation/measurements/measurements_oss.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measurements diff --git a/internal/attestation/measurements/measurements_test.go b/internal/attestation/measurements/measurements_test.go index f2cdf4d50..73cee7479 100644 --- a/internal/attestation/measurements/measurements_test.go 
+++ b/internal/attestation/measurements/measurements_test.go @@ -1,13 +1,14 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measurements import ( "bytes" + "context" "encoding/json" "io" "net/http" @@ -457,7 +458,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) { require.NoError(err) hash, err := m.fetchAndVerify( - t.Context(), client, verifier, + context.Background(), client, verifier, measurementsURL, signatureURL, tc.imageVersion, tc.csp, diff --git a/internal/attestation/measurements/overrides.go b/internal/attestation/measurements/overrides.go index d81851449..3067d51a7 100644 --- a/internal/attestation/measurements/overrides.go +++ b/internal/attestation/measurements/overrides.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package measurements diff --git a/internal/attestation/qemu/issuer.go b/internal/attestation/qemu/issuer.go index bbc9b6c58..8214e8a27 100644 --- a/internal/attestation/qemu/issuer.go +++ b/internal/attestation/qemu/issuer.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package qemu diff --git a/internal/attestation/qemu/qemu.go b/internal/attestation/qemu/qemu.go index 1856470d4..424215a6e 100644 --- a/internal/attestation/qemu/qemu.go +++ b/internal/attestation/qemu/qemu.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/qemu/validator.go b/internal/attestation/qemu/validator.go index 001acb3d7..e2c172f3b 100644 --- a/internal/attestation/qemu/validator.go +++ b/internal/attestation/qemu/validator.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package qemu 
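Review bot: `context.Background()` passed to `m.fetchAndVerify(` is never cancelled, whereas the `t.Context()` it replaces was cancelled when the subtest finished, so a fetch blocked on `client` or a goroutine still holding the context now lives on until the package test timeout rather than being torn down with the test. If the rewrite is for a toolchain older than Go 1.24 (where `testing.T` has no `Context` method), a per-test context keeps the old guarantee at the cost of two lines: `ctx, cancel := context.WithCancel(context.Background())` followed by `t.Cleanup(cancel)`, then pass `ctx` in place of `context.Background()`. The same substitution appears in vtpm/attestation_test.go, aws/aws_test.go, azure/azure_test.go, azure/imds_test.go and gcp/gcp_test.go, and only this file shows a `"context"` import being added, so the others presumably already import it; worth confirming they still build. TestMeasurementsFetchAndVerify starts before and ends after the hunk.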
diff --git a/internal/attestation/simulator/simulator.go b/internal/attestation/simulator/simulator.go index 5e612445d..03baabdf5 100644 --- a/internal/attestation/simulator/simulator.go +++ b/internal/attestation/simulator/simulator.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // TPM2 simulator used for unit tests. diff --git a/internal/attestation/simulator/simulator_disabled.go b/internal/attestation/simulator/simulator_disabled.go index 61adff724..1470e20cd 100644 --- a/internal/attestation/simulator/simulator_disabled.go +++ b/internal/attestation/simulator/simulator_disabled.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package simulator diff --git a/internal/attestation/snp/snp.go b/internal/attestation/snp/snp.go index a296d7721..c45147390 100644 --- a/internal/attestation/snp/snp.go +++ b/internal/attestation/snp/snp.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package SNP provides types shared by SNP-based attestation implementations. diff --git a/internal/attestation/snp/snp_test.go b/internal/attestation/snp/snp_test.go index 19485e47d..366a3ba4a 100644 --- a/internal/attestation/snp/snp_test.go +++ b/internal/attestation/snp/snp_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package snp diff --git a/internal/attestation/snp/testdata/testdata.go b/internal/attestation/snp/testdata/testdata.go index ba93753bd..c749dd899 100644 --- a/internal/attestation/snp/testdata/testdata.go +++ b/internal/attestation/snp/testdata/testdata.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package testdata contains testing data for an attestation process. diff --git a/internal/attestation/tdx/issuer.go b/internal/attestation/tdx/issuer.go index 58be53de6..0dadb4b3c 100644 --- a/internal/attestation/tdx/issuer.go +++ b/internal/attestation/tdx/issuer.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package tdx diff --git a/internal/attestation/tdx/tdx.go b/internal/attestation/tdx/tdx.go index 25141b609..ea0cb67c4 100644 --- a/internal/attestation/tdx/tdx.go +++ b/internal/attestation/tdx/tdx.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package TDX implements attestation for Intel TDX. diff --git a/internal/attestation/tdx/validator.go b/internal/attestation/tdx/validator.go index 6a5bde48a..dcf92d742 100644 --- a/internal/attestation/tdx/validator.go +++ b/internal/attestation/tdx/validator.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package tdx diff --git a/internal/attestation/variant/variant.go b/internal/attestation/variant/variant.go index 97ed68244..abe70fcaf 100644 --- a/internal/attestation/variant/variant.go +++ b/internal/attestation/variant/variant.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/vtpm/attestation.go b/internal/attestation/vtpm/attestation.go index 98d3a9ad2..364ab1163 100644 --- a/internal/attestation/vtpm/attestation.go +++ b/internal/attestation/vtpm/attestation.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package vtpm diff --git a/internal/attestation/vtpm/attestation_test.go b/internal/attestation/vtpm/attestation_test.go index 4b1e58b75..311b9ebad 100644 --- a/internal/attestation/vtpm/attestation_test.go +++ b/internal/attestation/vtpm/attestation_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package vtpm @@ -90,7 +90,7 @@ func TestValidate(t *testing.T) { nonce := []byte{1, 2, 3, 4} challenge := []byte("Constellation") - ctx := t.Context() + ctx := context.Background() attDocRaw, err := issuer.Issue(ctx, challenge, nonce) require.NoError(err) @@ -347,7 +347,7 @@ func TestFailIssuer(t *testing.T) { tc.issuer.log = logger.NewTest(t) - _, err := tc.issuer.Issue(t.Context(), tc.userData, tc.nonce) + _, err := tc.issuer.Issue(context.Background(), tc.userData, tc.nonce) assert.Error(err) }) } diff --git a/internal/attestation/vtpm/vtpm.go b/internal/attestation/vtpm/vtpm.go index 26b568043..3a969eb2d 100644 --- a/internal/attestation/vtpm/vtpm.go +++ b/internal/attestation/vtpm/vtpm.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/attestation/vtpm/vtpm_test.go b/internal/attestation/vtpm/vtpm_test.go index fece3a088..2a6e20668 100644 --- a/internal/attestation/vtpm/vtpm_test.go +++ b/internal/attestation/vtpm/vtpm_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package vtpm diff --git a/internal/cloud/aws/aws.go b/internal/cloud/aws/aws.go index 3d0c8b316..bfa1d0b54 100644 --- a/internal/cloud/aws/aws.go +++ b/internal/cloud/aws/aws.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/cloud/aws/aws_test.go b/internal/cloud/aws/aws_test.go index d8b7541b7..e1b05ee88 100644 --- a/internal/cloud/aws/aws_test.go +++ b/internal/cloud/aws/aws_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package aws @@ -185,7 +185,7 @@ func TestSelf(t *testing.T) { ec2: tc.ec2API, } - self, err := m.Self(t.Context()) + self, err := m.Self(context.Background()) if tc.wantErr { assert.Error(err) return @@ -431,7 +431,7 @@ func TestList(t *testing.T) { ec2: tc.ec2, } - list, err := m.List(t.Context()) + list, err := m.List(context.Background()) if tc.wantErr { assert.Error(err) return @@ -694,7 +694,7 @@ func TestGetLoadBalancerEndpoint(t *testing.T) { ec2: successfulEC2, } - gotHost, gotPort, err := m.GetLoadBalancerEndpoint(t.Context()) + gotHost, gotPort, err := m.GetLoadBalancerEndpoint(context.Background()) if tc.wantErr { assert.Error(err) return diff --git a/internal/cloud/azure/BUILD.bazel b/internal/cloud/azure/BUILD.bazel index 29f4750d7..e91e22cb3 100644 --- a/internal/cloud/azure/BUILD.bazel +++ b/internal/cloud/azure/BUILD.bazel @@ -25,9 +25,11 @@ go_library( ] + select({ "@io_bazel_rules_go//go/platform:android": [ "@io_k8s_kubernetes//pkg/util/iptables", + "@io_k8s_utils//exec", ], "@io_bazel_rules_go//go/platform:linux": [ "@io_k8s_kubernetes//pkg/util/iptables", + "@io_k8s_utils//exec", ], "//conditions:default": [], }), diff --git a/internal/cloud/azure/azure.go b/internal/cloud/azure/azure.go index 02b78c9b2..e0ee19750 100644 --- a/internal/cloud/azure/azure.go +++ b/internal/cloud/azure/azure.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* 
@@ -392,8 +392,8 @@ func (c *Cloud) getLoadBalancerPublicIP(ctx context.Context) (string, error) { } /* -// TODO: uncomment and use as soon as we switch the primary endpoint to DNS. -// We have to think about how to handle DNS for internal load balancers +// TODO(malt3): uncomment and use as soon as we switch the primary endpoint to DNS. +// Addition from 3u13r: We have to think about how to handle DNS for internal load balancers // that only have a private IP address and therefore no DNS name by default. // // getLoadBalancerDNSName retrieves the dns name of the load balancer. diff --git a/internal/cloud/azure/azure_test.go b/internal/cloud/azure/azure_test.go index 84182f9a0..2b1daaab7 100644 --- a/internal/cloud/azure/azure_test.go +++ b/internal/cloud/azure/azure_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azure @@ -150,7 +150,7 @@ func TestGetInstance(t *testing.T) { scaleSetsVMAPI: tc.scaleSetsVMAPI, netIfacAPI: tc.networkInterfacesAPI, } - instance, err := metadata.getInstance(t.Context(), tc.providerID) + instance, err := metadata.getInstance(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return @@ -186,7 +186,7 @@ func TestUID(t *testing.T) { cloud := &Cloud{ imds: tc.imdsAPI, } - uid, err := cloud.UID(t.Context()) + uid, err := cloud.UID(context.Background()) if tc.wantErr { assert.Error(err) return @@ -222,7 +222,7 @@ func TestInitSecretHash(t *testing.T) { cloud := &Cloud{ imds: tc.imdsAPI, } - initSecretHash, err := cloud.InitSecretHash(t.Context()) + initSecretHash, err := cloud.InitSecretHash(context.Background()) if tc.wantErr { assert.Error(err) return @@ -410,7 +410,7 @@ func TestList(t *testing.T) { scaleSetsAPI: tc.scaleSetsAPI, scaleSetsVMAPI: tc.scaleSetsVMAPI, } - instances, err := azureMetadata.List(t.Context()) + instances, err := azureMetadata.List(context.Background()) if tc.wantErr { assert.Error(err) 
@@ -473,7 +473,7 @@ func TestGetNetworkSecurityGroupName(t *testing.T) { metadata := Cloud{ secGroupAPI: tc.securityGroupsAPI, } - name, err := metadata.getNetworkSecurityGroupName(t.Context(), "resource-group", "uid") + name, err := metadata.getNetworkSecurityGroupName(context.Background(), "resource-group", "uid") if tc.wantErr { assert.Error(err) return @@ -547,7 +547,7 @@ func TestGetSubnetworkCIDR(t *testing.T) { imds: tc.imdsAPI, virtNetAPI: tc.virtualNetworksAPI, } - subnetworkCIDR, err := metadata.getSubnetworkCIDR(t.Context()) + subnetworkCIDR, err := metadata.getSubnetworkCIDR(context.Background()) if tc.wantErr { assert.Error(err) return @@ -708,7 +708,7 @@ func TestGetLoadBalancerEndpoint(t *testing.T) { loadBalancerAPI: tc.loadBalancerAPI, pubIPAPI: tc.publicIPAddressesAPI, } - gotHost, gotPort, err := metadata.GetLoadBalancerEndpoint(t.Context()) + gotHost, gotPort, err := metadata.GetLoadBalancerEndpoint(context.Background()) if tc.wantErr { assert.Error(err) return diff --git a/internal/cloud/azure/imds.go b/internal/cloud/azure/imds.go index 6dea3d667..21309b38a 100644 --- a/internal/cloud/azure/imds.go +++ b/internal/cloud/azure/imds.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azure diff --git a/internal/cloud/azure/imds_test.go b/internal/cloud/azure/imds_test.go index bf119f7b3..242a052e7 100644 --- a/internal/cloud/azure/imds_test.go +++ b/internal/cloud/azure/imds_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azure @@ -214,7 +214,7 @@ func TestIMDSClient(t *testing.T) { } iClient := IMDSClient{client: &hClient} - ctx := t.Context() + ctx := context.Background() id, err := iClient.providerID(ctx) if tc.wantProviderIDErr { diff --git a/internal/cloud/azure/interface.go b/internal/cloud/azure/interface.go index 63a5afba9..e2b44ad6d 100644 
--- a/internal/cloud/azure/interface.go +++ b/internal/cloud/azure/interface.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azure diff --git a/internal/cloud/azure/iptables_cross.go b/internal/cloud/azure/iptables_cross.go index d64b09db2..901b92c1d 100644 --- a/internal/cloud/azure/iptables_cross.go +++ b/internal/cloud/azure/iptables_cross.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azure diff --git a/internal/cloud/azure/iptables_linux.go b/internal/cloud/azure/iptables_linux.go index c2d42a843..24ada6de0 100644 --- a/internal/cloud/azure/iptables_linux.go +++ b/internal/cloud/azure/iptables_linux.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azure @@ -15,6 +15,7 @@ import ( "github.com/edgelesssys/constellation/v2/internal/role" "k8s.io/kubernetes/pkg/util/iptables" + "k8s.io/utils/exec" ) // PrepareControlPlaneNode sets up iptables for the control plane node only @@ -53,7 +54,7 @@ func (c *Cloud) PrepareControlPlaneNode(ctx context.Context, log *slog.Logger) e } log.Info(fmt.Sprintf("Setting up iptables for control plane node with load balancer IP %s", loadbalancerIP)) - iptablesExec := iptables.New(iptables.ProtocolIPv4) + iptablesExec := iptables.New(exec.New(), iptables.ProtocolIPv4) const chainName = "azure-lb-nat" if _, err := iptablesExec.EnsureChain(iptables.TableNAT, chainName); err != nil { diff --git a/internal/cloud/azureshared/appcredentials.go b/internal/cloud/azureshared/appcredentials.go index fe5c8b6d9..7c6c7ec65 100644 --- a/internal/cloud/azureshared/appcredentials.go +++ b/internal/cloud/azureshared/appcredentials.go 
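Review bot: `iptables.New(exec.New(), iptables.ProtocolIPv4)` hands the iptables runner a real OS executor, so the `iptables` binary that installs the `azure-lb-nat` chain is located through the calling process's PATH rather than a fixed path; that assumption deserves a comment at the call site, e.g. `// exec.New() resolves the iptables binary via PATH at call time.`, and if the service is ever started with a non-default environment the lookup is worth pinning or checked up front with the executor's LookPath. The added `k8s.io/utils/exec` import is matched by the `@io_k8s_utils//exec` entries added to the linux and android selects in internal/cloud/azure/BUILD.bazel, so the Bazel build should stay consistent with the Go import. PrepareControlPlaneNode starts before and ends after the hunk.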
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azureshared diff --git a/internal/cloud/azureshared/appcredentials_test.go b/internal/cloud/azureshared/appcredentials_test.go index 27cddf96f..0c7d65424 100644 --- a/internal/cloud/azureshared/appcredentials_test.go +++ b/internal/cloud/azureshared/appcredentials_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azureshared diff --git a/internal/cloud/azureshared/azureshared.go b/internal/cloud/azureshared/azureshared.go index f8909e3b7..38cf82b27 100644 --- a/internal/cloud/azureshared/azureshared.go +++ b/internal/cloud/azureshared/azureshared.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/cloud/azureshared/metadata.go b/internal/cloud/azureshared/metadata.go index 1289adc8d..b21ffd4c3 100644 --- a/internal/cloud/azureshared/metadata.go +++ b/internal/cloud/azureshared/metadata.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azureshared diff --git a/internal/cloud/azureshared/metadata_test.go b/internal/cloud/azureshared/metadata_test.go index a7c562fe6..61d71a94d 100644 --- a/internal/cloud/azureshared/metadata_test.go +++ b/internal/cloud/azureshared/metadata_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azureshared diff --git a/internal/cloud/cloud.go b/internal/cloud/cloud.go index 7d255bd19..e7e9a88ca 100644 --- a/internal/cloud/cloud.go +++ b/internal/cloud/cloud.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* 
diff --git a/internal/cloud/cloudprovider/cloudprovider.go b/internal/cloud/cloudprovider/cloudprovider.go index c25b18d69..204ae305c 100644 --- a/internal/cloud/cloudprovider/cloudprovider.go +++ b/internal/cloud/cloudprovider/cloudprovider.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudprovider diff --git a/internal/cloud/cloudprovider/cloudprovider_test.go b/internal/cloud/cloudprovider/cloudprovider_test.go index e7154195c..b8c7a4d40 100644 --- a/internal/cloud/cloudprovider/cloudprovider_test.go +++ b/internal/cloud/cloudprovider/cloudprovider_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cloudprovider diff --git a/internal/cloud/gcp/gcp.go b/internal/cloud/gcp/gcp.go index f38d848f6..ba689ef3a 100644 --- a/internal/cloud/gcp/gcp.go +++ b/internal/cloud/gcp/gcp.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/cloud/gcp/gcp_test.go b/internal/cloud/gcp/gcp_test.go index 4066f3c5b..fa2179163 100644 --- a/internal/cloud/gcp/gcp_test.go +++ b/internal/cloud/gcp/gcp_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package gcp @@ -172,7 +172,7 @@ func TestGetInstance(t *testing.T) { instanceAPI: &tc.instanceAPI, subnetAPI: &tc.subnetAPI, } - instance, err := cloud.getInstance(t.Context(), tc.projectID, tc.zone, tc.instanceName) + instance, err := cloud.getInstance(context.Background(), tc.projectID, tc.zone, tc.instanceName) if tc.wantErr { assert.Error(err) 
@@ -474,7 +474,7 @@ func TestGetLoadbalancerEndpoint(t *testing.T) {
 regionalForwardingRulesAPI: &tc.regionalForwardingRulesAPI,
 }
- gotHost, gotPort, err := cloud.GetLoadBalancerEndpoint(t.Context())
+ gotHost, gotPort, err := cloud.GetLoadBalancerEndpoint(context.Background())
 if tc.wantErr {
 assert.Error(err)
 return
@@ -810,7 +810,7 @@ func TestList(t *testing.T) {
 zoneAPI: &tc.zoneAPI,
 }
- instances, err := cloud.List(t.Context())
+ instances, err := cloud.List(context.Background())
 if tc.wantErr {
 assert.Error(err)
 return
@@ -915,7 +915,7 @@ func TestZones(t *testing.T) {
 assert.Empty(cloud.zoneCache)
- gotZones, err := cloud.zones(t.Context(), "someProject", "someregion-west3")
+ gotZones, err := cloud.zones(context.Background(), "someProject", "someregion-west3")
 if tc.wantErr {
 assert.Error(err)
 return
@@ -1066,7 +1066,7 @@ func TestUID(t *testing.T) {
 instanceAPI: &tc.instanceAPI,
 }
- uid, err := cloud.UID(t.Context())
+ uid, err := cloud.UID(context.Background())
 if tc.wantErr {
 assert.Error(err)
 return
@@ -1170,7 +1170,7 @@ func TestInitSecretHash(t *testing.T) {
 instanceAPI: &tc.instanceAPI,
 }
- initSecretHash, err := cloud.InitSecretHash(t.Context())
+ initSecretHash, err := cloud.InitSecretHash(context.Background())
 if tc.wantErr {
 assert.Error(err)
 return
diff --git a/internal/cloud/gcp/interface.go b/internal/cloud/gcp/interface.go
index ad9f131f7..e78c9861b 100644
--- a/internal/cloud/gcp/interface.go
+++ b/internal/cloud/gcp/interface.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package gcp
diff --git a/internal/cloud/gcp/wrappers.go b/internal/cloud/gcp/wrappers.go
index b8d60b92a..72b46399a 100644
--- a/internal/cloud/gcp/wrappers.go
+++ b/internal/cloud/gcp/wrappers.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package gcp
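Review bot: In the `TestInitSecretHash` hunk (and the four gcp_test.go hunks before it) the new side swaps `t.Context()` for `context.Background()`, which drops the automatic cancellation at test end; if a mocked API ever blocks, the test hangs until the package timeout instead of failing with a cancelled context. Where that matters, the `applyinit_test.go` pattern further down in this diff is the safer shape: `ctx, cancel := context.WithTimeout(context.Background(), 4*time.Second)` followed by `defer cancel()`. Note also that gcp_test.go shows no import hunk for `context`, unlike openstack_test.go later in this diff, so presumably the package already imports it; worth a build check. The enclosing test functions start outside the hunks.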
diff --git a/internal/cloud/gcpshared/gcpshared.go b/internal/cloud/gcpshared/gcpshared.go
index 667ad4647..93b4a41fa 100644
--- a/internal/cloud/gcpshared/gcpshared.go
+++ b/internal/cloud/gcpshared/gcpshared.go
@@ -1,6 +1,6 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/internal/cloud/gcpshared/providerid.go b/internal/cloud/gcpshared/providerid.go
index 0a32af728..70c26334c 100644
--- a/internal/cloud/gcpshared/providerid.go
+++ b/internal/cloud/gcpshared/providerid.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package gcpshared
diff --git a/internal/cloud/gcpshared/providerid_test.go b/internal/cloud/gcpshared/providerid_test.go
index 1ebeb8e86..61fbdb2f5 100644
--- a/internal/cloud/gcpshared/providerid_test.go
+++ b/internal/cloud/gcpshared/providerid_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package gcpshared
diff --git a/internal/cloud/gcpshared/serviceaccountkey.go b/internal/cloud/gcpshared/serviceaccountkey.go
index 6908b385d..bb90cdde2 100644
--- a/internal/cloud/gcpshared/serviceaccountkey.go
+++ b/internal/cloud/gcpshared/serviceaccountkey.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package gcpshared
diff --git a/internal/cloud/gcpshared/serviceaccountkey_test.go b/internal/cloud/gcpshared/serviceaccountkey_test.go
index de77f6ff2..54cf7296b 100644
--- a/internal/cloud/gcpshared/serviceaccountkey_test.go
+++ b/internal/cloud/gcpshared/serviceaccountkey_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package gcpshared
diff --git a/internal/cloud/metadata/metadata.go b/internal/cloud/metadata/metadata.go
index fe2b844c5..7b3aed893 100644
--- a/internal/cloud/metadata/metadata.go
+++ b/internal/cloud/metadata/metadata.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package metadata
diff --git a/internal/cloud/openstack/accountkey.go b/internal/cloud/openstack/accountkey.go
index 49d359e6f..d781091e9 100644
--- a/internal/cloud/openstack/accountkey.go
+++ b/internal/cloud/openstack/accountkey.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package openstack
diff --git a/internal/cloud/openstack/accountkey_test.go b/internal/cloud/openstack/accountkey_test.go
index b15da3a81..e9805e1d9 100644
--- a/internal/cloud/openstack/accountkey_test.go
+++ b/internal/cloud/openstack/accountkey_test.go
@@ -1,6 +1,6 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package openstack
diff --git a/internal/cloud/openstack/api.go b/internal/cloud/openstack/api.go
index 839a47fbb..f81e51e67 100644
--- a/internal/cloud/openstack/api.go
+++ b/internal/cloud/openstack/api.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package openstack
diff --git a/internal/cloud/openstack/api_test.go b/internal/cloud/openstack/api_test.go
index 9acb07494..11479d233 100644
--- a/internal/cloud/openstack/api_test.go
+++ b/internal/cloud/openstack/api_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package openstack
diff --git a/internal/cloud/openstack/clouds/read.go b/internal/cloud/openstack/clouds/read.go
index 1ffa4976a..d4259c338 100644
--- a/internal/cloud/openstack/clouds/read.go
+++ b/internal/cloud/openstack/clouds/read.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package clouds
diff --git a/internal/cloud/openstack/imds.go b/internal/cloud/openstack/imds.go
index 50d255903..101808a37 100644
--- a/internal/cloud/openstack/imds.go
+++ b/internal/cloud/openstack/imds.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package openstack
diff --git a/internal/cloud/openstack/imds_test.go b/internal/cloud/openstack/imds_test.go
index f3a135bfa..ce45dbd3d 100644
--- a/internal/cloud/openstack/imds_test.go
+++ b/internal/cloud/openstack/imds_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package openstack
@@ -176,7 +176,7 @@ func TestProviderID(t *testing.T) {
 cacheTime: tc.cacheTime,
 }
- result, err := tu.method(imds, t.Context())
+ result, err := tu.method(imds, context.Background())
 if tc.wantErr {
 assert.Error(err)
@@ -264,7 +264,7 @@ func TestRole(t *testing.T) {
 cacheTime: tc.cacheTime,
 }
- result, err := imds.role(t.Context())
+ result, err := imds.role(context.Background())
 if tc.wantErr {
 assert.Error(err)
@@ -336,7 +336,7 @@ func TestVPCIP(t *testing.T) {
 vpcIPCacheTime: tc.cacheTime,
 }
- result, err := imds.vpcIP(t.Context())
+ result, err := imds.vpcIP(context.Background())
 if tc.wantErr {
 assert.Error(err)
diff --git a/internal/cloud/openstack/openstack.go b/internal/cloud/openstack/openstack.go
index 4fae03421..4ff3b2b32 100644
--- a/internal/cloud/openstack/openstack.go
+++ b/internal/cloud/openstack/openstack.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package openstack
diff --git a/internal/cloud/openstack/openstack_test.go b/internal/cloud/openstack/openstack_test.go
index 0b9ecbbf8..33835b243 100644
--- a/internal/cloud/openstack/openstack_test.go
+++ b/internal/cloud/openstack/openstack_test.go
@@ -1,12 +1,13 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package openstack
 import (
+ "context"
 "errors"
 "fmt"
 "testing"
@@ -87,7 +88,7 @@ func TestSelf(t *testing.T) {
 c := &MetadataClient{imds: tc.imds}
- got, err := c.Self(t.Context())
+ got, err := c.Self(context.Background())
 if tc.wantErr {
 assert.Error(err)
@@ -383,7 +384,7 @@ func TestList(t *testing.T) {
 c := &MetadataClient{imds: tc.imds, api: tc.api}
- got, err := c.List(t.Context())
+ got, err := c.List(context.Background())
 if tc.wantErr {
 assert.Error(err)
@@ -417,7 +418,7 @@ func TestUID(t *testing.T) {
 c := &MetadataClient{imds: tc.imds}
- got, err := c.UID(t.Context())
+ got, err := c.UID(context.Background())
 if tc.wantErr {
 assert.Error(err)
@@ -451,7 +452,7 @@ func TestInitSecretHash(t *testing.T) {
 c := &MetadataClient{imds: tc.imds}
- got, err := c.InitSecretHash(t.Context())
+ got, err := c.InitSecretHash(context.Background())
 if tc.wantErr {
 assert.Error(err)
@@ -485,7 +486,7 @@ func TestGetLoadBalancerEndpoint(t *testing.T) {
 c := &MetadataClient{imds: tc.imds}
- got, _, err := c.GetLoadBalancerEndpoint(t.Context())
+ got, _, err := c.GetLoadBalancerEndpoint(context.Background())
 if tc.wantErr {
 assert.Error(err)
diff --git a/internal/cloud/openstack/plumbing.go b/internal/cloud/openstack/plumbing.go
index f99bafe75..fa304994e 100644
--- a/internal/cloud/openstack/plumbing.go
+++ b/internal/cloud/openstack/plumbing.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package openstack
diff --git a/internal/cloud/openstack/plumbing_test.go b/internal/cloud/openstack/plumbing_test.go
index 40354da33..5f13fd42c 100644
--- a/internal/cloud/openstack/plumbing_test.go
+++ b/internal/cloud/openstack/plumbing_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package openstack
diff --git a/internal/cloud/openstack/wrappers.go b/internal/cloud/openstack/wrappers.go
index 002916541..6a0cb7aaf 100644
--- a/internal/cloud/openstack/wrappers.go
+++ b/internal/cloud/openstack/wrappers.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package openstack
diff --git a/internal/cloud/qemu/qemu.go b/internal/cloud/qemu/qemu.go
index a68682501..5451342ab 100644
--- a/internal/cloud/qemu/qemu.go
+++ b/internal/cloud/qemu/qemu.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/internal/compatibility/compatibility.go b/internal/compatibility/compatibility.go
index c1a4ec08e..e089a7ddd 100644
--- a/internal/compatibility/compatibility.go
+++ b/internal/compatibility/compatibility.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/internal/compatibility/compatibility_test.go b/internal/compatibility/compatibility_test.go
index 48da2d4b8..35c4e7517 100644
--- a/internal/compatibility/compatibility_test.go
+++ b/internal/compatibility/compatibility_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package compatibility
diff --git a/internal/config/attestation.go b/internal/config/attestation.go
index 08f980681..f635ebbbd 100644
--- a/internal/config/attestation.go
+++ b/internal/config/attestation.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
diff --git a/internal/config/attestation_test.go b/internal/config/attestation_test.go
index a13562ac1..a690ba40b 100644
--- a/internal/config/attestation_test.go
+++ b/internal/config/attestation_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
diff --git a/internal/config/attestationversion.go b/internal/config/attestationversion.go
index c64025ca0..e2e5a12a5 100644
--- a/internal/config/attestationversion.go
+++ b/internal/config/attestationversion.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
diff --git a/internal/config/attestationversion_test.go b/internal/config/attestationversion_test.go
index c731831d2..45a401216 100644
--- a/internal/config/attestationversion_test.go
+++ b/internal/config/attestationversion_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
diff --git a/internal/config/aws.go b/internal/config/aws.go
index 43594342e..10dc449e2 100644
--- a/internal/config/aws.go
+++ b/internal/config/aws.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
diff --git a/internal/config/azure.go b/internal/config/azure.go
index 3631b52c8..273f54381 100644
--- a/internal/config/azure.go
+++ b/internal/config/azure.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
diff --git a/internal/config/config.go b/internal/config/config.go
index 4397fa3fa..5aefb05b3 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // This binary can be build from siderolabs/talos projects. Located at:
@@ -188,9 +188,6 @@ type GCPConfig struct {
 // Path of service account key file. For required service account roles, see https://docs.edgeless.systems/constellation/getting-started/install#authorization
 ServiceAccountKeyPath string `yaml:"serviceAccountKeyPath" validate:"required"`
 // description: |
- // GCP service account mail address. This is being attached to the VMs for authorization.
- IAMServiceAccountVM string `yaml:"IAMServiceAccountVM"`
- // description: |
 // Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
 DeployCSIDriver *bool `yaml:"deployCSIDriver" validate:"required"`
 // description: |
@@ -352,7 +349,6 @@ func Default() *Config {
 Region: "",
 Zone: "",
 ServiceAccountKeyPath: "",
- IAMServiceAccountVM: "",
 DeployCSIDriver: toPtr(true),
 UseMarketplaceImage: toPtr(false),
 },
diff --git a/internal/config/config_doc.go b/internal/config/config_doc.go
index b87db6b86..d26af1643 100644
--- a/internal/config/config_doc.go
+++ b/internal/config/config_doc.go
@@ -241,7 +241,7 @@ func init() {
 FieldName: "gcp",
 },
 }
- GCPConfigDoc.Fields = make([]encoder.Doc, 7)
+ GCPConfigDoc.Fields = make([]encoder.Doc, 6)
 GCPConfigDoc.Fields[0].Name = "project"
 GCPConfigDoc.Fields[0].Type = "string"
 GCPConfigDoc.Fields[0].Note = ""
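Review bot: The `GCPConfig` hunk drops `IAMServiceAccountVM` but nothing in this diff accepts or migrates the old `IAMServiceAccountVM:` key, so a `constellation-conf.yaml` written by the previous version will either be silently ignored or rejected as an unknown field depending on how strictly the YAML decoder is configured, which isn't visible here; if decoding is strict, the migration package should tolerate the legacy key or the CLI should emit a pointed hint rather than a generic parse error. The removed field was documented as the service account "attached to the VMs for authorization", so it is worth confirming that the infrastructure layer now selects the VM identity explicitly rather than falling back to the project's default compute service account, which typically carries broad project-wide roles. A one-line note on `ServiceAccountKeyPath` would help future readers, e.g. `// The VM service account is no longer configurable here; see the infrastructure layer for how node identity is assigned.` `GCPConfig` and `Default()` both start outside the hunk.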
@@ -262,21 +262,16 @@ func init() {
 GCPConfigDoc.Fields[3].Note = ""
 GCPConfigDoc.Fields[3].Description = "Path of service account key file. For required service account roles, see https://docs.edgeless.systems/constellation/getting-started/install#authorization"
 GCPConfigDoc.Fields[3].Comments[encoder.LineComment] = "Path of service account key file. For required service account roles, see https://docs.edgeless.systems/constellation/getting-started/install#authorization"
- GCPConfigDoc.Fields[4].Name = "IAMServiceAccountVM"
- GCPConfigDoc.Fields[4].Type = "string"
+ GCPConfigDoc.Fields[4].Name = "deployCSIDriver"
+ GCPConfigDoc.Fields[4].Type = "bool"
 GCPConfigDoc.Fields[4].Note = ""
- GCPConfigDoc.Fields[4].Description = "GCP service account mail address. This is being attached to the VMs for authorization."
- GCPConfigDoc.Fields[4].Comments[encoder.LineComment] = "GCP service account mail address. This is being attached to the VMs for authorization."
- GCPConfigDoc.Fields[5].Name = "deployCSIDriver"
+ GCPConfigDoc.Fields[4].Description = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
+ GCPConfigDoc.Fields[4].Comments[encoder.LineComment] = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
+ GCPConfigDoc.Fields[5].Name = "useMarketplaceImage"
 GCPConfigDoc.Fields[5].Type = "bool"
 GCPConfigDoc.Fields[5].Note = ""
- GCPConfigDoc.Fields[5].Description = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
- GCPConfigDoc.Fields[5].Comments[encoder.LineComment] = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
- GCPConfigDoc.Fields[6].Name = "useMarketplaceImage"
- GCPConfigDoc.Fields[6].Type = "bool"
- GCPConfigDoc.Fields[6].Note = ""
- GCPConfigDoc.Fields[6].Description = "Use the specified GCP Marketplace image offering."
- GCPConfigDoc.Fields[6].Comments[encoder.LineComment] = "Use the specified GCP Marketplace image offering."
+ GCPConfigDoc.Fields[5].Description = "Use the specified GCP Marketplace image offering."
+ GCPConfigDoc.Fields[5].Comments[encoder.LineComment] = "Use the specified GCP Marketplace image offering."
 OpenStackConfigDoc.Type = "OpenStackConfig"
 OpenStackConfigDoc.Comments[encoder.LineComment] = "OpenStackConfig holds config information for OpenStack based Constellation deployments."
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 1c9fbe50f..5c60b26dc 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
@@ -333,7 +333,7 @@ func TestValidate(t *testing.T) {
 const awsErrCount = 8
 const gcpErrCount = 8
- // TODO(AB#3132): refactor config validation tests
+ // TODO(AB#3132,3u13r): refactor config validation tests
 // Note that the `cnf.Image = ""` is a hack to align `bazel test` with `go test` behavior
 // since first does version stamping.
 testCases := map[string]struct {
@@ -464,7 +464,6 @@ func TestValidate(t *testing.T) {
 gcp.Project = "test-project"
 gcp.Zone = "test-zone"
 gcp.ServiceAccountKeyPath = "test-key-path"
- gcp.IAMServiceAccountVM = "example@example.com"
 cnf.Provider = ProviderConfig{}
 cnf.Provider.GCP = gcp
 cnf.Attestation.GCPSEVSNP.Measurements = measurements.M{
diff --git a/internal/config/disktypes/aws.go b/internal/config/disktypes/aws.go
index bb0e0586b..8fcdc354a 100644
--- a/internal/config/disktypes/aws.go
+++ b/internal/config/disktypes/aws.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package disktypes
diff --git a/internal/config/disktypes/azure.go b/internal/config/disktypes/azure.go
index 94078b07f..8903a45d2 100644
--- a/internal/config/disktypes/azure.go
+++ b/internal/config/disktypes/azure.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package disktypes
diff --git a/internal/config/disktypes/gcp.go b/internal/config/disktypes/gcp.go
index cfb9315c2..3880b9a2f 100644
--- a/internal/config/disktypes/gcp.go
+++ b/internal/config/disktypes/gcp.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package disktypes
diff --git a/internal/config/gcp.go b/internal/config/gcp.go
index 79fe43399..20f8eaac5 100644
--- a/internal/config/gcp.go
+++ b/internal/config/gcp.go
@@ -1,6 +1,6 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
diff --git a/internal/config/image_enterprise.go b/internal/config/image_enterprise.go
index 0079dd7b6..052a3b6ed 100644
--- a/internal/config/image_enterprise.go
+++ b/internal/config/image_enterprise.go
@@ -3,12 +3,12 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
 const (
 // defaultImage is the default image to use.
- defaultImage = "ref/main/stream/nightly/v2.24.0-pre.0.20250716082406-5171a01b951e"
+ defaultImage = "v2.20.0"
 )
diff --git a/internal/config/image_oss.go b/internal/config/image_oss.go
index dc9141a8e..939c16995 100644
--- a/internal/config/image_oss.go
+++ b/internal/config/image_oss.go
@@ -3,7 +3,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
diff --git a/internal/config/imageversion/imageversion.go b/internal/config/imageversion/imageversion.go
index 9e968715a..c295c40f4 100644
--- a/internal/config/imageversion/imageversion.go
+++ b/internal/config/imageversion/imageversion.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package imageversion contains the pinned container images for the config.
diff --git a/internal/config/imageversion/placeholder.go b/internal/config/imageversion/placeholder.go
index a0273b96f..f5ba25ea4 100644
--- a/internal/config/imageversion/placeholder.go
+++ b/internal/config/imageversion/placeholder.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package imageversion
diff --git a/internal/config/instancetypes/aws.go b/internal/config/instancetypes/aws.go
index edafba99d..712cc4f86 100644
--- a/internal/config/instancetypes/aws.go
+++ b/internal/config/instancetypes/aws.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package instancetypes
diff --git a/internal/config/instancetypes/azure.go b/internal/config/instancetypes/azure.go
index 483e950bd..c07609710 100644
--- a/internal/config/instancetypes/azure.go
+++ b/internal/config/instancetypes/azure.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package instancetypes
diff --git a/internal/config/instancetypes/gcp.go b/internal/config/instancetypes/gcp.go
index 5d85a9a60..c9d02a345 100644
--- a/internal/config/instancetypes/gcp.go
+++ b/internal/config/instancetypes/gcp.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package instancetypes
diff --git a/internal/config/instancetypes/stackit.go b/internal/config/instancetypes/stackit.go
index 83ab851c1..68ea21d94 100644
--- a/internal/config/instancetypes/stackit.go
+++ b/internal/config/instancetypes/stackit.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package instancetypes
diff --git a/internal/config/migration/migration.go b/internal/config/migration/migration.go
index 4799f162f..d8fdd659c 100644
--- a/internal/config/migration/migration.go
+++ b/internal/config/migration/migration.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package migration contains outdated configuration formats and their migration functions.
@@ -140,6 +140,10 @@ type AWSSEVSNP struct {
 // description: |
 // Expected TPM measurements.
 Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
+ // TODO(derpsteb): reenable launchMeasurement once SNP is fixed on AWS.
+ // description: |
+ // Expected launch measurement in SNP report.
+ // LaunchMeasurement measurements.Measurement `json:"launchMeasurement" yaml:"launchMeasurement" validate:"required"`
 }
 // AWSNitroTPM is the configuration for AWS Nitro TPM attestation.
diff --git a/internal/config/validation.go b/internal/config/validation.go
index 68a7bf821..ebd39512f 100644
--- a/internal/config/validation.go
+++ b/internal/config/validation.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
diff --git a/internal/config/validation_test.go b/internal/config/validation_test.go
index 2cf9dbc8a..0a996580e 100644
--- a/internal/config/validation_test.go
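Review bot: The four lines added to `AWSSEVSNP` are a commented-out struct field, so on the new side the legacy AWS SEV-SNP format still has no `launchMeasurement` and only `measurements` carries `validate:"required"`; a reader of this package cannot tell whether that is a deliberate property of the outdated format or an unfinished change, and the `description: |` doc marker on a commented field may confuse the doc generator. Either drop the dead lines or replace them with a comment that states the decision and links a tracking issue instead of a handle, e.g. `// The legacy AWS SEV-SNP format carries no launchMeasurement; the SNP report's launch digest is not pinned by this config (see <issue>).` If the live `config` package mirrors this, AWS SEV-SNP verification presumably rests on the TPM `measurements` alone, which is worth confirming outside this hunk since the attestation policy would then be weaker than the field name suggests.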
+++ b/internal/config/validation_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package config
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index 2ad4a775f..c313b74a6 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
@@ -42,16 +42,6 @@ const (
 DefaultWorkerGroupName = "worker_default"
 // CLIDebugLogFile is the name of the debug log file for constellation init/constellation apply.
 CLIDebugLogFile = "constellation-debug.log"
- // SSHCAKeySuffix is the suffix used together with the DEKPrefix to derive an SSH CA key for emergency ssh access.
- SSHCAKeySuffix = "ca_emergency_ssh"
- // SSHCAKeyPath is the path to the emergency SSH CA key on the node.
- SSHCAKeyPath = "/var/run/state/ssh/ssh_ca.pub"
- // SSHHostKeyPath is the path to the SSH host key of the node.
- SSHHostKeyPath = "/var/run/state/ssh/ssh_host_ed25519_key"
- // SSHHostCertificatePath is the path to the SSH host certificate.
- SSHHostCertificatePath = "/var/run/state/ssh/ssh_host_cert.pub"
- // SSHAdditionalPrincipalsPath stores additional principals (like the public IP of the load balancer) that get added to all host certificates.
- SSHAdditionalPrincipalsPath = "/var/run/state/ssh/additional_principals.txt"
 //
 // Ports.
diff --git a/internal/constants/enterprise.go b/internal/constants/enterprise.go
index 9c4d7421c..7e219eb95 100644
--- a/internal/constants/enterprise.go
+++ b/internal/constants/enterprise.go
@@ -3,7 +3,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package constants
diff --git a/internal/constants/oss.go b/internal/constants/oss.go
index 122d3e8f8..505084c59 100644
--- a/internal/constants/oss.go
+++ b/internal/constants/oss.go
@@ -3,7 +3,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package constants
diff --git a/internal/constellation/apply.go b/internal/constellation/apply.go
index 6c541cb3b..a9f9228dd 100644
--- a/internal/constellation/apply.go
+++ b/internal/constellation/apply.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package constellation
diff --git a/internal/constellation/apply_test.go b/internal/constellation/apply_test.go
index c7864a7b2..54e845033 100644
--- a/internal/constellation/apply_test.go
+++ b/internal/constellation/apply_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package constellation
@@ -38,7 +38,7 @@ func TestCheckLicense(t *testing.T) {
 require := require.New(t)
 a := &Applier{licenseChecker: tc.licenseChecker, log: logger.NewTest(t)}
- _, err := a.CheckLicense(t.Context(), cloudprovider.Unknown, true, license.CommunityLicense)
+ _, err := a.CheckLicense(context.Background(), cloudprovider.Unknown, true, license.CommunityLicense)
 if tc.wantErr {
 require.Error(err)
 } else {
diff --git a/internal/constellation/applyinit.go b/internal/constellation/applyinit.go
index 05a9b1e39..bfc7ac085 100644
--- a/internal/constellation/applyinit.go
+++ b/internal/constellation/applyinit.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package constellation
diff --git a/internal/constellation/applyinit_test.go b/internal/constellation/applyinit_test.go
index 59025bad2..7d16d5fe7 100644
--- a/internal/constellation/applyinit_test.go
+++ b/internal/constellation/applyinit_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package constellation
@@ -214,7 +214,7 @@ func TestInit(t *testing.T) {
 }
 clusterLogs := &bytes.Buffer{}
- ctx, cancel := context.WithTimeout(t.Context(), time.Second*4)
+ ctx, cancel := context.WithTimeout(context.Background(), time.Second*4)
 defer cancel()
 _, err := a.Init(ctx, nil, tc.state, clusterLogs, InitPayload{
 MasterSecret: uri.MasterSecret{},
@@ -280,7 +280,7 @@ func TestAttestation(t *testing.T) {
 }
 state := &state.State{Version: state.Version1, Infrastructure: state.Infrastructure{ClusterEndpoint: "192.0.2.4"}}
- ctx := t.Context()
+ ctx := context.Background()
 ctx, cancel := context.WithTimeout(ctx, 4*time.Second)
 defer cancel()
diff --git a/internal/constellation/constellation.go b/internal/constellation/constellation.go
index 27202159e..af0fb6b4c 100644
--- a/internal/constellation/constellation.go
+++ b/internal/constellation/constellation.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/internal/constellation/featureset/featureset.go b/internal/constellation/featureset/featureset.go
index c20f9c361..b2ebb9cf7 100644
--- a/internal/constellation/featureset/featureset.go
+++ b/internal/constellation/featureset/featureset.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // package featureset provides a way to check whether a feature is enabled in the current build.
diff --git a/internal/constellation/featureset/featureset_enterprise.go b/internal/constellation/featureset/featureset_enterprise.go
index d79ccc006..3cd69c785 100644
--- a/internal/constellation/featureset/featureset_enterprise.go
+++ b/internal/constellation/featureset/featureset_enterprise.go
@@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package featureset diff --git a/internal/constellation/featureset/featureset_oss.go b/internal/constellation/featureset/featureset_oss.go index 82f95317d..2072641d3 100644 --- a/internal/constellation/featureset/featureset_oss.go +++ b/internal/constellation/featureset/featureset_oss.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package featureset diff --git a/internal/constellation/helm.go b/internal/constellation/helm.go index 7d9cca7de..ed1345459 100644 --- a/internal/constellation/helm.go +++ b/internal/constellation/helm.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package constellation diff --git a/internal/constellation/helm/BUILD.bazel b/internal/constellation/helm/BUILD.bazel index e82a7dfb8..928681b90 100644 --- a/internal/constellation/helm/BUILD.bazel +++ b/internal/constellation/helm/BUILD.bazel @@ -473,7 +473,6 @@ go_library( "charts/coredns/templates/deployment.yaml", "charts/coredns/templates/service.yaml", "charts/coredns/templates/serviceaccount.yaml", - "charts/aws-load-balancer-controller/templates/hpa.yaml", ], importpath = "github.com/edgelesssys/constellation/v2/internal/constellation/helm", visibility = ["//:__subpackages__"], diff --git a/internal/constellation/helm/action.go b/internal/constellation/helm/action.go index f405beb29..30c1c312d 100644 --- a/internal/constellation/helm/action.go +++ b/internal/constellation/helm/action.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm diff --git a/internal/constellation/helm/actionfactory.go b/internal/constellation/helm/actionfactory.go index 059ebe712..67ca3ab34 100644 
--- a/internal/constellation/helm/actionfactory.go +++ b/internal/constellation/helm/actionfactory.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm diff --git a/internal/constellation/helm/actionfactory_test.go b/internal/constellation/helm/actionfactory_test.go index 93ec54dc8..960ea5a52 100644 --- a/internal/constellation/helm/actionfactory_test.go +++ b/internal/constellation/helm/actionfactory_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/Chart.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/Chart.yaml index 1f1b4e9ba..363fff854 100644 --- a/internal/constellation/helm/charts/aws-load-balancer-controller/Chart.yaml +++ b/internal/constellation/helm/charts/aws-load-balancer-controller/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: aws-load-balancer-controller description: AWS Load Balancer Controller Helm chart for Kubernetes -version: 1.11.0 -appVersion: v2.11.0 +version: 1.5.4 +appVersion: v2.5.3 home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/README.md b/internal/constellation/helm/charts/aws-load-balancer-controller/README.md index 180e50c08..ee4be9aad 100644 --- a/internal/constellation/helm/charts/aws-load-balancer-controller/README.md +++ b/internal/constellation/helm/charts/aws-load-balancer-controller/README.md 
@@ -22,11 +22,7 @@ AWS Load Balancer controller manages the following AWS resources As a security best practice, we recommend isolating the controller deployment pods to specific node groups which run critical components. The helm chart provides parameters ```nodeSelector```, ```tolerations``` and ```affinity``` to configure node isolation. For more information, please refer to the guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#isolating-tenant-workloads-to-specific-nodes). ## Prerequisites -- Supported Kubernetes Versions - - Chart version v1.5.0+ requires Kubernetes 1.22+ - - Chart version v1.4.0+ requires Kubernetes 1.19+ - - Chart version v1.2.0 - v1.3.3 supports Kubernetes 1.16-1.21 - - Chart version v1.1.6 and before supports Kubernetes 1.15 +- Kubernetes >= 1.19 - IAM permissions - Helm v3 - Optional dependencies @@ -78,7 +74,7 @@ If migrating from ALB ingress controller, grant [additional IAM permissions](htt - Additional IAM permissions required, ensure you have granted the [required IAM permissions](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json). - CRDs need to be updated as follows ```shell script -kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master" +kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master" ``` - you can run helm upgrade without uninstalling the old chart completely 
@@ -96,11 +92,8 @@ If you are setting `serviceMonitor.enabled: true` you need to have installed the ## Installing the Chart **Note**: You need to uninstall aws-alb-ingress-controller. Please refer to the [upgrade](#Upgrade) section below before you proceed. - **Note**: Starting chart version 1.4.1, you need to explicitly set `clusterSecretsPermissions.allowAllSecrets` to true to grant the controller permission to access all secrets for OIDC feature. We recommend configuring access to individual secrets resource separately [[link](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/examples/secrets_access/)]. -**Note**: To ensure compatibility, we recommend installing the AWS Load Balancer controller image version with its compatible Helm chart version. Use the ```helm search repo eks/aws-load-balancer-controller --versions``` command to find the compatible versions. - Add the EKS repository to Helm: ```shell script helm repo add eks https://aws.github.io/eks-charts @@ -109,7 +102,7 @@ helm repo add eks https://aws.github.io/eks-charts Install the TargetGroupBinding CRDs: ```shell script -kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master" +kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master" ``` Install the AWS Load Balancer controller, if using iamserviceaccount 
@@ -178,106 +171,88 @@ Chart release v1.2.0 and later enables high availability configuration by defaul The following tables lists the configurable parameters of the chart and their default values. The default values set by the application itself can be confirmed [here](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/configurations/#controller-configuration-options). - -| Parameter | Description | Default | -| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- | -| `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` | -| `image.tag` | image tag | `` | -| `image.pullPolicy` | image pull policy | `IfNotPresent` | -| `clusterName` | Kubernetes cluster name | None | -| `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` | -| `securityContext` | Set to security context for pod | `{}` | -| `resources` | Controller pod resource requests & limits | `{}` | -| `priorityClassName` | Controller pod priority class | system-cluster-critical | -| `nodeSelector` | Node labels for controller pod assignment | `{}` | -| `tolerations` | Controller pod toleration for taints | `{}` | -| `affinity` | Affinity for pod assignment | `{}` | -| `configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` | -| `deploymentAnnotations` | Annotations to add to deployment | `{}` | -| `podAnnotations` | Annotations to add to each pod | `{}` | -| `podLabels` | 
Labels to add to each pod | `{}` | -| `additionalLabels` | Labels to add to all components | `{}` | -| `rbac.create` | if `true`, create and use RBAC resources | `true` | -| `serviceAccount.annotations` | optional annotations to add to service account | None | -| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` | -| `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` | -| `serviceAccount.create` | If `true`, create a new service account | `true` | -| `serviceAccount.name` | Service account to be used | None | -| `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 | -| `ingressClass` | The ingress class to satisfy | alb | -| `createIngressClassResource` | Create ingressClass resource | true | -| `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None | -| `ingressClassParams.create` | If `true`, create a new ingressClassParams | true | -| `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} | -| `region` | The AWS region for the kubernetes cluster | None | -| `vpcId` | The VPC ID for the Kubernetes cluster | None | -| `awsApiEndpoints` | Custom AWS API Endpoints | None | -| `awsApiThrottle` | Custom AWS API throttle settings | None | -| `awsMaxRetries` | Maximum retries for AWS APIs | None | -| `defaultTargetType` | Default target type. Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. 
| `instance` | -| `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None | -| `enableShield` | Enable Shield addon for ALB | None | -| `enableWaf` | Enable WAF addon for ALB | None | -| `enableWafv2` | Enable WAF V2 addon for ALB | None | -| `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None | -| `logLevel` | Set the controller log level - info, debug | None | -| `metricsBindAddr` | The address the metric endpoint binds to | "" | -| `webhookConfig.disableIngressValidation` | Disables the validation of resources of kind Ingress | None | -| `webhookBindPort` | The TCP port the Webhook server binds to | None | -| `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" | -| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" | -| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" | -| `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None | -| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` | -| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` | -| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None | -| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None | -| `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None | -| `syncPeriod` | Period at which the controller forces the repopulation of its local object stores | None | -| `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None | -| `disableIngressClassAnnotation` | Disables the usage of 
kubernetes.io/ingress.class annotation | None | -| `disableIngressGroupNameAnnotation` | Disables the usage of alb.ingress.kubernetes.io/group.name annotation | None | -| `tolerateNonExistentBackendService` | whether to allow rules that reference a backend service that does not exist. (When enabled, it will return 503 error if backend service not exist) | `true` | -| `tolerateNonExistentBackendAction` | whether to allow rules that reference a backend action that does not exist. (When enabled, it will return 503 error if backend action not exist) | `true` | -| `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None | -| `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` | -| `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) | -| `env` | Environment variables to set for aws-load-balancer-controller pod | None | -| `envFrom` | Environment variables to set for aws-load-balancer-controller pod from configMap or Secret | None | -| `envSecretName` | AWS credentials as environment variables from Secret (Secret keys `key_id` and `access_key`). | None | -| `hostNetwork` | If `true`, use hostNetwork | `false` | -| `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` | -| `extraVolumeMounts` | Extra volume mounts for the pod | `[]` | -| `extraVolumes` | Extra volumes for the pod | `[]` | -| `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` | -| `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` | -| `revisionHistoryLimit` | Number of revisions to keep | `10` | -| `podDisruptionBudget` | Limit the disruption for controller pods. 
Require at least 2 controller replicas and 3 worker nodes | `{}` | -| `updateStrategy` | Defines the update strategy for the deployment | `{}` | -| `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` | -| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` | -| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` | -| `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` | -| `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `false` | -| `objectSelector.matchExpressions` | Webhook configuration to select specific pods by specifying the expression to be matched | None | -| `objectSelector.matchLabels` | Webhook configuration to select specific pods by specifying the key value label pair to be matched | None | -| `serviceMonitor.enabled` | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed | `false` | -| `serviceMonitor.namespace` | Namespace in which to create the service monitor | None | -| `serviceMonitor.additionalLabels` | Labels to add to the service monitor | `{}` | -| `serviceMonitor.interval` | Prometheus scrape interval | `1m` | -| `serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `1m` | -| `serviceMonitor.relabelings` | Relabelings to apply to samples before ingestion | `1m` | -| `serviceMonitor.metricRelabelings` | Metric relabelings to apply to samples before ingestion | `1m` | -| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. 
| `false` | -| `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` | -| `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. | `false` | -| `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` | -| `serviceMutatorWebhookConfig.failurePolicy` | Failure policy for the Service Mutator webhook | `Fail` | -| `serviceMutatorWebhookConfig.objectSelector` | Object selector(s) to limit which objects will be mutated by the Service Mutator webhook | `[]` | -| `serviceMutatorWebhookConfig.operations` | List of operations that will trigger the the Service Mutator webhook | `[ CREATE ]` | -| `autoscaling` | If `autoscaling.enabled=true`, enable the HPA on the controller mainly to survive load induced failure by the calls to the `aws-load-balancer-webhook-service`. Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node | `false` | -| `serviceTargetENISGTags` | set of `key=value` pairs of AWS tags in addition to cluster name for finding the target ENI security group to which to add inbound rules from NLBs | None | -| `loadBalancerClass` | Sets the AWS load balancer type to be used when the Kubernetes service requests an external load balancer | `service.k8s.aws/nlb` | -| `creator` | if set to a `value!=helm`, it will disable the addition of default helm labels | `helm` | -| `runtimeClassName` | Runtime class name for the controller pods , such as `gvisor` or `kata`. An unspecified `nil` or empty `""` RuntimeClassName is equivalent to the backwards-compatible default behavior as if the RuntimeClass feature is disabled. 
| "" | +| Parameter | Description | Default | +|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| +| `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` | +| `image.tag` | image tag | `` | +| `image.pullPolicy` | image pull policy | `IfNotPresent` | +| `clusterName` | Kubernetes cluster name | None | +| `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` | +| `securityContext` | Set to security context for pod | `{}` | +| `resources` | Controller pod resource requests & limits | `{}` | +| `priorityClassName` | Controller pod priority class | system-cluster-critical | +| `nodeSelector` | Node labels for controller pod assignment | `{}` | +| `tolerations` | Controller pod toleration for taints | `{}` | +| `affinity` | Affinity for pod assignment | `{}` | +| `configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` | +| `deploymentAnnotations` | Annotations to add to deployment | `{}` | +| `podAnnotations` | Annotations to add to each pod | `{}` | +| `podLabels` | Labels to add to each pod | `{}` | +| `additionalLabels` | Labels to add to all components | `{}` | +| `rbac.create` | if `true`, create and use RBAC resources | `true` | +| `serviceAccount.annotations` | optional annotations to add to service account | None | +| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` | +| `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` | +| `serviceAccount.create` | If 
`true`, create a new service account | `true` | +| `serviceAccount.name` | Service account to be used | None | +| `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 | +| `ingressClass` | The ingress class to satisfy | alb | +| `createIngressClassResource` | Create ingressClass resource | true | +| `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None | +| `ingressClassParams.create` | If `true`, create a new ingressClassParams | true | +| `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} | +| `region` | The AWS region for the kubernetes cluster | None | +| `vpcId` | The VPC ID for the Kubernetes cluster | None | +| `awsApiEndpoints` | Custom AWS API Endpoints | None | +| `awsApiThrottle` | Custom AWS API throttle settings | None | +| `awsMaxRetries` | Maximum retries for AWS APIs | None | +| `defaultTargetType` | Default target type. Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. 
| `instance` | +| `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None | +| `enableShield` | Enable Shield addon for ALB | None | +| `enableWaf` | Enable WAF addon for ALB | None | +| `enableWafv2` | Enable WAF V2 addon for ALB | None | +| `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None | +| `logLevel` | Set the controller log level - info, debug | None | +| `metricsBindAddr` | The address the metric endpoint binds to | "" | +| `webhookBindPort` | The TCP port the Webhook server binds to | None | +| `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" | +| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" | +| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" | +| `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None | +| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` | +| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` | +| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None | +| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None | +| `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None | +| `syncPeriod` | Period at which the controller forces the repopulation of its local object stores | None | +| `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None | +| `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None | +| `disableIngressGroupNameAnnotation` | Disables the usage of 
alb.ingress.kubernetes.io/group.name annotation | None | +| `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None | +| `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` | +| `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) | +| `env` | Environment variables to set for aws-load-balancer-controller pod | None | +| `hostNetwork` | If `true`, use hostNetwork | `false` | +| `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` | +| `extraVolumeMounts` | Extra volume mounts for the pod | `[]` | +| `extraVolumes` | Extra volumes for the pod | `[]` | +| `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` | +| `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` | +| `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` | +| `updateStrategy` | Defines the update strategy for the deployment | `{}` | +| `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` | +| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` | +| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` | +| `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` | +| `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `false` | +| `objectSelector.matchExpressions` | Webhook configuration to select specific pods by specifying the expression to be matched | None | +| `objectSelector.matchLabels` | Webhook configuration to select 
specific pods by specifying the key value label pair to be matched | None |
+| `serviceMonitor.enabled` | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed | `false` |
+| `serviceMonitor.additionalLabels` | Labels to add to the service account | `{}` |
+| `serviceMonitor.interval` | Prometheus scrape interval | `1m` |
+| `serviceMonitor.namespace` | Namespace in which Prometheus is running | None |
+| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. | `false` |
+| `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` |
+| `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. | `false` |
+| `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` |
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/crds/crds.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/crds/crds.yaml
index b72e68789..78c226660 100644
--- a/internal/constellation/helm/charts/aws-load-balancer-controller/crds/crds.yaml
+++ b/internal/constellation/helm/charts/aws-load-balancer-controller/crds/crds.yaml
@@ -2,7 +2,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.14.0
+ controller-gen.kubebuilder.io/version: v0.11.1
+ creationTimestamp: null
 name: ingressclassparams.elbv2.k8s.aws
 spec:
 group: elbv2.k8s.aws
@@ -35,31 +36,20 @@ spec: description: IngressClassParams is the Schema for the IngressClassParams API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: IngressClassParamsSpec defines the desired state of IngressClassParams properties: - certificateArn: - description: CertificateArn specifies the ARN of the certificates - for all Ingresses that belong to IngressClass with this IngressClassParams. - items: - type: string - type: array group: description: Group defines the IngressGroup for all Ingresses that belong to IngressClass with this IngressClassParams. 
@@ -82,38 +72,7 @@ spec: enum: - ipv4 - dualstack - - dualstack-without-public-ipv4 type: string - listeners: - description: Listeners define a list of listeners with their protocol, - port and attributes. - items: - properties: - listenerAttributes: - description: The attributes of the listener - items: - description: Attributes defines custom attributes on resources. - properties: - key: - description: The key of the attribute. - type: string - value: - description: The value of the attribute. - type: string - required: - - key - - value - type: object - type: array - port: - description: The port of the listener - format: int32 - type: integer - protocol: - description: The protocol of the listener - type: string - type: object - type: array loadBalancerAttributes: description: LoadBalancerAttributes define the custom attributes to LoadBalancers for all Ingress that that belong to IngressClass with 
@@ -132,63 +91,50 @@ spec: - value type: object type: array - minimumLoadBalancerCapacity: - description: MinimumLoadBalancerCapacity define the capacity reservation - for LoadBalancers for all Ingress that belong to IngressClass with - this IngressClassParams. - properties: - capacityUnits: - description: The Capacity Units Value. - format: int32 - type: integer - required: - - capacityUnits - type: object namespaceSelector: - description: |- - NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams. + description: NamespaceSelector restrict the namespaces of Ingresses + that are allowed to specify the IngressClass with this IngressClassParams. * if absent or present but empty, it selects all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. 
+ If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -221,11 +167,10 @@ spec: items: type: string type: array - description: |- - Tags specifies subnets in the load balancer's VPC where each - tag specified in the map key contains one of the values in the corresponding - value list. - Exactly one of this or `ids` must be specified. + description: Tags specifies subnets in the load balancer's VPC + where each tag specified in the map key contains one of the + values in the corresponding value list. Exactly one of this + or `ids` must be specified. type: object type: object tags: @@ -255,7 +200,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null name: targetgroupbindings.elbv2.k8s.aws spec: group: elbv2.k8s.aws 
@@ -284,11 +230,6 @@ spec: name: ARN priority: 1 type: string - - description: The AWS TargetGroup's Name - jsonPath: .spec.targetGroupName - name: NAME - priority: 2 - type: string - jsonPath: .metadata.creationTimestamp name: AGE type: date 
@@ -298,29 +239,20 @@ spec: description: TargetGroupBinding is the Schema for the TargetGroupBinding API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding properties: - multiClusterTargetGroup: - description: MultiClusterTargetGroup Denotes if the TargetGroup is - shared among multiple clusters - type: boolean networking: description: networking provides the networking setup for ELBV2 LoadBalancer to access targets in TargetGroup. 
@@ -331,30 +263,28 @@ spec: items: properties: from: - description: |- - List of peers which should be able to access the targets in TargetGroup. - At least one NetworkingPeer should be specified. + description: List of peers which should be able to access + the targets in TargetGroup. At least one NetworkingPeer + should be specified. items: description: NetworkingPeer defines the source/destination peer for networking rules. properties: ipBlock: - description: |- - IPBlock defines an IPBlock peer. - If specified, none of the other fields can be set. + description: IPBlock defines an IPBlock peer. If specified, + none of the other fields can be set. properties: cidr: - description: |- - CIDR is the network CIDR. - Both IPV4 or IPV6 CIDR are accepted. + description: CIDR is the network CIDR. Both IPV4 + or IPV6 CIDR are accepted. type: string required: - cidr type: object securityGroup: - description: |- - SecurityGroup defines a SecurityGroup peer. - If specified, none of the other fields can be set. + description: SecurityGroup defines a SecurityGroup + peer. If specified, none of the other fields can + be set. properties: groupID: description: GroupID is the EC2 SecurityGroupID. 
@@ -365,24 +295,24 @@ spec: type: object type: array ports: - description: |- - List of ports which should be made accessible on the targets in TargetGroup. - If ports is empty or unspecified, it defaults to all ports with TCP. + description: List of ports which should be made accessible + on the targets in TargetGroup. If ports is empty or unspecified, + it defaults to all ports with TCP. items: properties: port: anyOf: - type: integer - type: string - description: |- - The port which traffic must match. - When NodePort endpoints(instance TargetType) is used, this must be a numerical port. - When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. - if port is unspecified, it defaults to all ports. + description: The port which traffic must match. When + NodePort endpoints(instance TargetType) is used, + this must be a numerical port. When Port endpoints(ip + TargetType) is used, this can be either numerical + or named port on pods. if port is unspecified, it + defaults to all ports. x-kubernetes-int-or-string: true protocol: - description: |- - The protocol which traffic must match. + description: The protocol which traffic must match. If protocol is unspecified, it defaults to TCP. enum: - TCP @@ -417,9 +347,6 @@ spec: description: targetGroupARN is the Amazon Resource Name (ARN) for the TargetGroup. type: string - targetGroupName: - description: targetGroupName is the Name of the TargetGroup. - type: string targetType: description: targetType is the TargetType of TargetGroup. If unspecified, it will be automatically inferred. @@ -429,6 +356,7 @@ spec: type: string required: - serviceRef + - targetGroupARN type: object status: description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding 
@@ -461,11 +389,6 @@ spec: name: ARN priority: 1 type: string - - description: The AWS TargetGroup's Name - jsonPath: .spec.targetGroupName - name: NAME - priority: 2 - type: string - jsonPath: .metadata.creationTimestamp name: AGE type: date @@ -475,19 +398,14 @@ spec: description: TargetGroupBinding is the Schema for the TargetGroupBinding API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -501,10 +419,6 @@ spec: - ipv4 - ipv6 type: string - multiClusterTargetGroup: - description: MultiClusterTargetGroup Denotes if the TargetGroup is - shared among multiple clusters - type: boolean networking: description: networking defines the networking rules to allow ELBV2 LoadBalancer to access targets in TargetGroup. @@ -517,30 +431,28 @@ spec: of traffic that is allowed to access TargetGroup's targets. properties: from: - description: |- - List of peers which should be able to access the targets in TargetGroup. - At least one NetworkingPeer should be specified. + description: List of peers which should be able to access + the targets in TargetGroup. At least one NetworkingPeer + should be specified. items: description: NetworkingPeer defines the source/destination peer for networking rules. properties: ipBlock: - description: |- - IPBlock defines an IPBlock peer. - If specified, none of the other fields can be set. + description: IPBlock defines an IPBlock peer. If specified, + none of the other fields can be set. properties: cidr: - description: |- - CIDR is the network CIDR. - Both IPV4 or IPV6 CIDR are accepted. + description: CIDR is the network CIDR. Both IPV4 + or IPV6 CIDR are accepted. type: string required: - cidr type: object securityGroup: - description: |- - SecurityGroup defines a SecurityGroup peer. - If specified, none of the other fields can be set. + description: SecurityGroup defines a SecurityGroup + peer. If specified, none of the other fields can + be set. properties: groupID: description: GroupID is the EC2 SecurityGroupID. 
@@ -551,9 +463,9 @@ spec: type: object type: array ports: - description: |- - List of ports which should be made accessible on the targets in TargetGroup. - If ports is empty or unspecified, it defaults to all ports with TCP. + description: List of ports which should be made accessible + on the targets in TargetGroup. If ports is empty or unspecified, + it defaults to all ports with TCP. items: description: NetworkingPort defines the port and protocol for networking rules. @@ -562,15 +474,15 @@ spec: anyOf: - type: integer - type: string - description: |- - The port which traffic must match. - When NodePort endpoints(instance TargetType) is used, this must be a numerical port. - When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. - if port is unspecified, it defaults to all ports. + description: The port which traffic must match. When + NodePort endpoints(instance TargetType) is used, + this must be a numerical port. When Port endpoints(ip + TargetType) is used, this can be either numerical + or named port on pods. if port is unspecified, it + defaults to all ports. x-kubernetes-int-or-string: true protocol: - description: |- - The protocol which traffic must match. + description: The protocol which traffic must match. If protocol is unspecified, it defaults to TCP. enum: - TCP 
@@ -592,42 +504,41 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. 
A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -651,9 +562,7 @@ spec: targetGroupARN: description: targetGroupARN is the Amazon Resource Name (ARN) for the TargetGroup. - type: string - targetGroupName: - description: targetGroupName is the Name of the TargetGroup. + minLength: 1 type: string targetType: description: targetType is the TargetType of TargetGroup. If unspecified, @@ -662,12 +571,9 @@ spec: - instance - ip type: string - vpcID: - description: VpcID is the VPC of the TargetGroup. If unspecified, - it will be automatically inferred. - type: string required: - serviceRef + - targetGroupARN type: object status: description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/_helpers.tpl b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/_helpers.tpl index d916b99c4..660f6ee9d 100644 --- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/_helpers.tpl +++ b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/_helpers.tpl 
@@ -45,14 +45,12 @@ This enables using a shorter name for the resources, for example aws-load-balanc Common labels */}} {{- define "aws-load-balancer-controller.labels" -}} -{{- if eq (default "helm" .Values.creator) "helm" -}} -app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "aws-load-balancer-controller.chart" . }} -{{- end }} {{ include "aws-load-balancer-controller.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} {{- if .Values.additionalLabels }} {{ toYaml .Values.additionalLabels }} {{- end -}} diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/deployment.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/deployment.yaml index 4506d489e..e2b5225ff 100644 --- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/deployment.yaml +++ b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/deployment.yaml @@ -11,7 +11,6 @@ metadata: {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} selector: matchLabels: {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }} @@ -38,9 +37,6 @@ spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.runtimeClassName }} - runtimeClassName: {{ .Values.runtimeClassName }} {{- end }} serviceAccountName: {{ include "aws-load-balancer-controller.serviceAccountName" . }} volumes: 
@@ -62,17 +58,15 @@ spec: containers: - name: {{ .Chart.Name }} args: - - --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" (tpl (default "" .Values.clusterName) .) }} + - --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" .Values.clusterName }} {{- if .Values.ingressClass }} - --ingress-class={{ .Values.ingressClass }} {{- end }} - {{- $region := tpl (default "" .Values.region) . }} - {{- if $region }} + {{- if .Values.region }} - --aws-region={{ .Values.region }} {{- end }} - {{- $vpcID := tpl (default "" .Values.vpcId) . }} - {{- if $vpcID }} - - --aws-vpc-id={{ $vpcID }} + {{- if .Values.vpcId }} + - --aws-vpc-id={{ .Values.vpcId }} {{- end }} {{- if .Values.awsApiEndpoints }} - --aws-api-endpoints={{ .Values.awsApiEndpoints }} @@ -110,9 +104,6 @@ spec: {{- if .Values.targetgroupbindingMaxExponentialBackoffDelay }} - --targetgroupbinding-max-exponential-backoff-delay={{ .Values.targetgroupbindingMaxExponentialBackoffDelay }} {{- end }} - {{- if .Values.lbStabilizationMonitorInterval }} - - --lb-stabilization-monitor-interval={{ .Values.lbStabilizationMonitorInterval }} - {{- end }} {{- if .Values.logLevel }} - --log-level={{ .Values.logLevel }} {{- end }} @@ -131,12 +122,6 @@ spec: {{- if kindIs "bool" .Values.disableIngressGroupNameAnnotation }} - --disable-ingress-group-name-annotation={{ .Values.disableIngressGroupNameAnnotation }} {{- end }} - {{- if kindIs "bool" .Values.tolerateNonExistentBackendService }} - - --tolerate-non-existent-backend-service={{ .Values.tolerateNonExistentBackendService }} - {{- end }} - {{- if kindIs "bool" .Values.tolerateNonExistentBackendAction }} - - --tolerate-non-existent-backend-action={{ .Values.tolerateNonExistentBackendAction }} - {{- end }} {{- if .Values.defaultSSLPolicy }} - --default-ssl-policy={{ .Values.defaultSSLPolicy }} {{- end }} 
@@ -164,42 +149,13 @@ spec: {{- if ne .Values.defaultTargetType "instance" }} - --default-target-type={{ .Values.defaultTargetType }} {{- end }} - {{- if .Values.serviceTargetENISGTags }} - - --service-target-eni-security-group-tags={{ .Values.serviceTargetENISGTags }} - {{- end }} - {{- if .Values.certDiscovery.allowedCertificateAuthorityARNs }} - - --allowed-certificate-authority-arns={{ .Values.certDiscovery.allowedCertificateAuthorityARNs }} - {{- end }} - {{- if .Values.loadBalancerClass }} - - --load-balancer-class={{ .Values.loadBalancerClass }} - {{- end }} - {{- if or .Values.env .Values.envSecretName }} + {{- if .Values.env }} env: - {{- if .Values.env}} {{- range $key, $value := .Values.env }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} - {{- if .Values.envSecretName }} - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: {{ .Values.envSecretName }} - key: key_id - optional: true - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: {{ .Values.envSecretName }} - key: access_key - optional: true - {{- end }} - {{- end }} - {{- if .Values.envFrom }} - envFrom: - {{- toYaml .Values.envFrom | nindent 10 }} - {{- end }} securityContext: {{- toYaml .Values.securityContext | nindent 10 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -224,10 +180,6 @@ spec: livenessProbe: {{- toYaml . | nindent 10 }} {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 10 }} - {{- end }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- with .Values.nodeSelector }} nodeSelector: diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/hpa.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/hpa.yaml deleted file mode 100644 index 68689ba66..000000000 --- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/hpa.yaml +++ /dev/null 
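Review bot: In the env block kept on the new side, `value: "{{ $value }}"` splices each value into a double-quoted YAML scalar without escaping, so a value containing `"` or `\` breaks the rendered manifest instead of being quoted. Rendering it as `value: {{ $value | quote }}` produces the same output for ordinary strings and numbers and escapes the rest. The enclosing container spec starts and ends outside this hunk.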
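Review bot: After this hunk the controller Deployment has no readinessProbe at all (the matching readinessProbe block is also dropped from values.yaml in this commit), so a freshly started replica is counted Ready, and joins the webhook Service's endpoints, as soon as its container is running rather than when its webhook server is listening. Because the service mutating webhook in webhook.yaml is rendered with `failurePolicy: Fail`, apiserver admission calls routed to such a pod during a rollout fail closed and block Service creation until it is up; the livenessProbe that remains only restarts the container and does not gate endpoints. If the v2.5.3 image serves `/readyz` (the removed probe used it on port 61779, which I cannot confirm for this version), keeping a readinessProbe closes that window; otherwise a comment recording why no readiness gate is used would help. The container spec continues outside the hunk.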
@@ -1,34 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.Version)}} -apiVersion: autoscaling/v2 -{{- else }} -apiVersion: autoscaling/v2beta2 -{{- end }} -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "aws-load-balancer-controller.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "aws-load-balancer-controller.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ required "A valid .Values.autoscaling.maxReplicas value is required" .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} - {{- end }} -{{- end }} diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/rbac.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/rbac.yaml index 0dcc68c77..fc3bda695 100644 --- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/rbac.yaml +++ b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/rbac.yaml @@ -75,9 +75,6 @@ rules: - apiGroups: [""] resources: [nodes, namespaces, endpoints] verbs: [get, list, watch] -- apiGroups: [""] - resources: [configmaps] - verbs: [get, delete, create, update] {{- if .Values.clusterSecretsPermissions.allowAllSecrets }} - apiGroups: [""] resources: [secrets] 
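Review bot: Dropping get/delete/create/update on configmaps narrows the controller's cluster role, which is the right direction for least privilege, but nothing in the hunk or the commit says why v2.5.3 no longer needs it. If the controller at that version still writes a ConfigMap (for example for leader election, if it does not use leases there), the failure shows up at runtime rather than at install; confirming against the v2.5.3 controller's RBAC requirements and recording the result in the commit message would close that gap. The rules list continues outside the hunk.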
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/servicemonitor.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/servicemonitor.yaml index 0454558c2..c811be253 100644 --- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/servicemonitor.yaml +++ b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/servicemonitor.yaml @@ -3,14 +3,18 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ include "aws-load-balancer-controller.fullname" . }} - namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }} + {{- if .Values.serviceMonitor.namespace }} + namespace: {{ .Values.serviceMonitor.namespace }} + {{- else }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} labels: {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} - {{- with .Values.serviceMonitor.additionalLabels }} + {{- with .Values.serviceMonitor.additionalLabels }} {{- toYaml . | nindent 4 }} - {{- end }} + {{- end }} spec: - jobLabel: app.kubernetes.io/instance + jobLabel: {{ .Release.Name }} namespaceSelector: matchNames: - {{ .Release.Namespace }} @@ -25,19 +29,7 @@ spec: endpoints: - port: metrics-server path: /metrics - scheme: http - {{- with .Values.serviceMonitor.interval }} + {{- with .Values.serviceMonitor.interval }} interval: {{ . }} - {{- end }} - {{- with .Values.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ . }} - {{- end }} - {{- with .Values.serviceMonitor.relabelings }} - relabelings: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.serviceMonitor.metricRelabelings }} - metricRelabelings: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end -}} + {{- end }} +{{- end -}} \ No newline at end of file 
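Review bot: `jobLabel: {{ .Release.Name }}` sets jobLabel to the release name, but that ServiceMonitor field names a label key on the scraped Service whose value becomes the Prometheus job name; the release name is presumably carried as the value of `app.kubernetes.io/instance` via the chart's selector labels, not as a key, so Prometheus most likely falls back to the Service name and anything keyed on the job will not match. `jobLabel: app.kubernetes.io/instance` is the form that matches the chart's labels. The two namespace branches are also quoted inconsistently (`{{ .Values.serviceMonitor.namespace }}` bare, `{{ .Release.Namespace | quote }}` quoted); `{{ .Values.serviceMonitor.namespace | quote }}` would make them agree. The metadata block continues outside the hunk.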
diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/webhook.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/webhook.yaml index 504f08ccb..e7d557e41 100644 --- a/internal/constellation/helm/charts/aws-load-balancer-controller/templates/webhook.yaml +++ b/internal/constellation/helm/charts/aws-load-balancer-controller/templates/webhook.yaml @@ -65,7 +65,7 @@ webhooks: name: {{ template "aws-load-balancer-controller.webhookService" . }} namespace: {{ $.Release.Namespace }} path: /mutate-v1-service - failurePolicy: {{ .Values.serviceMutatorWebhookConfig.failurePolicy }} + failurePolicy: Fail name: mservice.elbv2.k8s.aws admissionReviewVersions: - v1beta1 @@ -75,21 +75,13 @@ webhooks: operator: NotIn values: - {{ include "aws-load-balancer-controller.name" . }} - {{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions }} - {{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions | nindent 4 }} - {{- end }} - - {{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels }} - matchLabels: - {{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels | nindent 6 }} - {{- end }} rules: - apiGroups: - "" apiVersions: - v1 operations: - {{- toYaml .Values.serviceMutatorWebhookConfig.operations | nindent 4 }} + - CREATE resources: - services sideEffects: None @@ -181,7 +173,6 @@ webhooks: resources: - targetgroupbindings sideEffects: None -{{- if not $.Values.webhookConfig.disableIngressValidation }} - clientConfig: {{ if not $.Values.enableCertManager -}} caBundle: {{ $tls.caCert }} @@ -206,7 +197,6 @@ webhooks: resources: - ingresses sideEffects: None -{{- end }} --- {{- if not $.Values.enableCertManager }} apiVersion: v1 diff --git a/internal/constellation/helm/charts/aws-load-balancer-controller/values.yaml b/internal/constellation/helm/charts/aws-load-balancer-controller/values.yaml index c2f465bcd..dea199559 100644 
--- a/internal/constellation/helm/charts/aws-load-balancer-controller/values.yaml +++ b/internal/constellation/helm/charts/aws-load-balancer-controller/values.yaml @@ -4,29 +4,15 @@ replicaCount: 2 -revisionHistoryLimit: 10 - image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.11.0 + tag: v2.5.3 pullPolicy: IfNotPresent -runtimeClassName: "" imagePullSecrets: [] nameOverride: "" fullnameOverride: "" -# AWS LBC only has 1 main working pod, other pods are just standby -# the purpose of enable hpa is to survive load induced failure by the calls to the aws-load-balancer-webhook-service -# since the calls from kube-apiserver are sent round-robin to all replicas, and the failure policy on those webhooks is Fail -# if the pods become overloaded and do not respond within the timeout that could block the creation of pods, targetgroupbindings or ingresses -# Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - serviceAccount: # Specifies whether a service account should be created create: true @@ -120,8 +106,8 @@ clusterName: # cluster contains configurations specific to the kubernetes cluster cluster: - # Cluster DNS domain (required for requesting TLS certificates) - dnsDomain: cluster.local + # Cluster DNS domain (required for requesting TLS certificates) + dnsDomain: cluster.local # The ingress class this controller will satisfy. If not specified, controller will match all # ingresses without ingress class annotation and ingresses of type alb 
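Review bot: `tag: v2.5.3` references the controller image by a mutable tag only, while the other image references touched by this commit (coredns and snapshot-controller) carry a `@sha256:` digest; the chart's own Deployment renders `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"`, so nothing else pins it. Appending the digest of the intended image, `tag: v2.5.3@sha256:<DIGEST-PLACEHOLDER>`, makes the pull reproducible and lets the deployed image be checked against what was reviewed. The change also moves the controller back several minor versions from v2.11.0; the commit message should state what fixes that gives up and why, since the diff alone does not.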
@@ -201,10 +187,6 @@ logLevel: # The address the metric endpoint binds to. (default ":8080") metricsBindAddr: "" -webhookConfig: - # disableIngressValidation disables the validation of resources of kind Ingress, false by default - disableIngressValidation: - # The TCP port the Webhook server binds to. (default 9443) webhookBindPort: @@ -214,7 +196,7 @@ webhookTLS: cert: key: -# array of namespace selectors for the pod mutator webhook +# array of namespace selectors for the webhook webhookNamespaceSelectors: # - key: elbv2.k8s.aws/pod-readiness-gate-inject # operator: In @@ -233,10 +215,7 @@ targetgroupbindingMaxConcurrentReconciles: # Maximum duration of exponential backoff for targetGroupBinding reconcile failures targetgroupbindingMaxExponentialBackoffDelay: -# Interval at which the controller monitors the state of load balancer after creation for stabilization -lbStabilizationMonitorInterval: - -# Period at which the controller forces the repopulation of its local object stores. (default 10h0m0s) +# Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s) syncPeriod: # Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. @@ -248,12 +227,6 @@ disableIngressClassAnnotation: # disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default disableIngressGroupNameAnnotation: -# tolerateNonExistentBackendService permits rules which specify backend services that don't exist, true by default (When enabled, it will return 503 error if backend service not exist) -tolerateNonExistentBackendService: - -# tolerateNonExistentBackendAction permits rules which specify backend actions that don't exist, true by default (When enabled, it will return 503 error if backend action not exist) -tolerateNonExistentBackendAction: - # defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners defaultSSLPolicy: 
@@ -267,17 +240,6 @@ livenessProbe: initialDelaySeconds: 30 timeoutSeconds: 10 -# readiness probe configuration for the controller -readinessProbe: - failureThreshold: 2 - httpGet: - path: /readyz - port: 61779 - scheme: HTTP - successThreshold: 1 - initialDelaySeconds: 10 - timeoutSeconds: 10 - # Environment variables to set for aws-load-balancer-controller pod. # We strongly discourage programming access credentials in the controller environment. You should setup IRSA or # comparable solutions like kube2iam, kiam etc instead. @@ -285,15 +247,8 @@ env: # ENV_1: "" # ENV_2: "" -# Use Environment variables credentials from Secret (aws-secret) for aws-load-balancer-controller pod similarly as The EBS CSI Driver does. -# envSecretName: aws-secret - -# Use envFrom to set environment variables from a Secret or ConfigMap -# envFrom: -# - secretRef: -# name: my-secret - # Specifies if aws-load-balancer-controller should be started in hostNetwork mode. +# # This is required if using a custom CNI where the managed control plane nodes are unable to initiate # network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or # recommended if using the Amazon VPC CNI plugin. @@ -360,11 +315,6 @@ controllerConfig: # EnableIPTargetType: true # SubnetsClusterTagCheck: true # NLBHealthCheckAdvancedConfig: true - # ALBSingleSubnet: false - # LBCapacityReservation: true - -certDiscovery: - allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope # objectSelector for webhook objectSelector: 
@@ -379,18 +329,12 @@ objectSelector: serviceMonitor: # Specifies whether a service monitor should be created enabled: false - # Namespace to create the service monitor in - namespace: - # Labels to add to the service monitor + # Labels to add to the service account additionalLabels: {} # Prometheus scrape interval interval: 1m - # Prometheus scrape timeout - scrapeTimeout: - # Relabelings to apply to samples before ingestion - relabelings: - # Metric relabelings to apply to samples before ingestion - metricRelabelings: + # Namespace to create the service monitor in + namespace: # clusterSecretsPermissions lets you configure RBAC permissions for secret resources # Access to secrets resource is required only if you use the OIDC feature, and instead of @@ -407,30 +351,3 @@ ingressClassConfig: # enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer enableServiceMutatorWebhook: true - -# serviceMutatorWebhook contains configurations specific to the service mutator webhook -serviceMutatorWebhookConfig: - # whether or not to fail the service creation if the webhook fails - failurePolicy: Fail - # limit webhook to only mutate services matching the objectSelector - objectSelector: - matchExpressions: [] - # - key: - # operator: - # values: - # - - matchLabels: {} - # key: value - # which operations trigger the webhook - operations: - - CREATE - # - UPDATE - -# serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs. -serviceTargetENISGTags: - -# Specifies the class of load balancer to use for services. This affects how services are provisioned if type LoadBalancer is used (default service.k8s.aws/nlb) -loadBalancerClass: - -# creator will disable helm default labels, so you can only add yours -# creator: "me" 
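Review bot: The comment above `additionalLabels: {}` in the serviceMonitor block reads `# Labels to add to the service account`, but servicemonitor.yaml in this commit applies these labels to the ServiceMonitor object, not to a ServiceAccount. `# Labels to add to the service monitor` matches what the value does. The block also leaves `namespace:` as a bare empty value, which parses as null; `namespace: ""` would make the intended default explicit, and the template's `if` branch treats both the same.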
diff --git a/internal/constellation/helm/charts/coredns/templates/configmap.yaml b/internal/constellation/helm/charts/coredns/templates/configmap.yaml index 03f06d623..58a48a318 100644 --- a/internal/constellation/helm/charts/coredns/templates/configmap.yaml +++ b/internal/constellation/helm/charts/coredns/templates/configmap.yaml @@ -16,10 +16,7 @@ data: forward . /etc/resolv.conf { max_concurrent 1000 } - cache 30 { - disable success {{ .Values.dnsDomain }} - disable denial {{ .Values.dnsDomain }} - } + cache 30 loop reload loadbalance diff --git a/internal/constellation/helm/charts/coredns/values.yaml b/internal/constellation/helm/charts/coredns/values.yaml index c740ed71c..9b3f72414 100644 --- a/internal/constellation/helm/charts/coredns/values.yaml +++ b/internal/constellation/helm/charts/coredns/values.yaml @@ -1,3 +1,3 @@ clusterIP: 10.96.0.10 dnsDomain: cluster.local -image: registry.k8s.io/coredns/coredns:v1.12.0@sha256:40384aa1f5ea6bfdc77997d243aec73da05f27aed0c5e9d65bfa98933c519d97 +image: registry.k8s.io/coredns/coredns:v1.11.3@sha256:9caabbf6238b189a65d0d6e6ac138de60d6a1c419e5a341fbbb7c78382559c6e diff --git a/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml b/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml index 220c3efc6..06a971465 100644 --- a/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml +++ b/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml 
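Review bot: With the `disable success` / `disable denial` stanzas gone, the new `cache 30` caches both positive and negative answers for the cluster domain for up to 30 seconds, so a Service or endpoint that changes, or one created right after a failed lookup, can keep resolving stale or as NXDOMAIN for that window; I believe kubeadm's default Corefile disables caching for the cluster domain for exactly this reason. If the revert to CoreDNS v1.11.3 is the motivation, the cache plugin's `disable` sub-directive predates that release as far as I recall (please verify against the 1.11.3 cache plugin docs), so keeping the block is likely still an option. `{{ .Values.dnsDomain }}` no longer appears in this hunk although the value stays in values.yaml; check it is still consumed by the kubernetes plugin block above the hunk.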
@@ -5,11 +5,5 @@ metadata: name: gceconf namespace: {{ .Release.Namespace }} data: - gce.conf: | - [global] - project-id = {{.Values.GCP.projectID }} - use-metadata-server = true - node-tags = constellation-{{ .Values.GCP.uid }} - regional = true - token-url = nil # This forces use of GOOGLE_APPLICATION_CREDENTIALS. + gce.conf: "[global]\nproject-id = {{.Values.GCP.projectID }}\nuse-metadata-server = true\nnode-tags = constellation-{{ .Values.GCP.uid }}\nregional = true\n" {{- end -}} diff --git a/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml index a7bfe1656..fe6460d4a 100644 --- a/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml @@ -40,9 +40,6 @@ spec: - --cloud-provider={{ .Values.csp }} - --key-service-endpoint=key-service.{{ .Release.Namespace }}:{{ .Values.global.keyServicePort }} - --attestation-variant={{ .Values.attestationVariant }} - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json volumeMounts: - mountPath: {{ .Values.global.serviceBasePath | quote }} name: config @@ -50,11 +47,6 @@ spec: - mountPath: /etc/kubernetes name: kubeadm readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /var/run/state/ssh - name: ssh ports: - containerPort: {{ .Values.joinServicePort }} name: tcp @@ -62,10 +54,6 @@ spec: securityContext: privileged: true volumes: - - name: gcekey - secret: - secretName: gcekey - optional: true - name: config projected: sources: @@ -76,7 +64,4 @@ spec: - name: kubeadm hostPath: path: /etc/kubernetes - - name: ssh - hostPath: - path: /var/run/state/ssh updateStrategy: {} 
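Review bot: The new `gce.conf` value is written as a single double-quoted scalar with embedded `\n`, which is harder to read than the block scalar it replaces and places the rendered `{{.Values.GCP.projectID }}` inside a double-quoted YAML context, where a `"` or `\` in the value would break the manifest instead of surfacing as a bad config entry. A literal block scalar (`|`, clip chomping) yields the same bytes, including the single trailing newline, while keeping each INI line on its own line; the spacing in `{{.Values.GCP.projectID }}` should also match the `{{ .Values.GCP.uid }}` form used two lines later. Dropping `token-url = nil` appears consistent with the join-service DaemonSet no longer mounting `gcekey` or setting `GOOGLE_APPLICATION_CREDENTIALS` in the same change, so a short comment noting that `use-metadata-server = true` is now the credential source would help the next reader; I cannot confirm from this hunk that no other consumer depends on the key file.
```yaml
data:
  gce.conf: |
    [global]
    project-id = {{ .Values.GCP.projectID }}
    use-metadata-server = true
    node-tags = constellation-{{ .Values.GCP.uid }}
    regional = true
```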
diff --git a/internal/constellation/helm/charts/edgeless/csi/charts/snapshot-controller/values.yaml b/internal/constellation/helm/charts/edgeless/csi/charts/snapshot-controller/values.yaml index 88e453caf..b03a97492 100644 --- a/internal/constellation/helm/charts/edgeless/csi/charts/snapshot-controller/values.yaml +++ b/internal/constellation/helm/charts/edgeless/csi/charts/snapshot-controller/values.yaml @@ -3,12 +3,12 @@ snapshotController: snapshotController: image: repository: registry.k8s.io/sig-storage/snapshot-controller - tag: v8.2.1@sha256:472fa35a89dadb5a715454fad576ec11aa6f2e8378fc09ae26473d139b77c437 + tag: v8.1.0@sha256:a8a6749641849a6d7e560d26647e88dbd605a75cbff1823568ab90287ea29038 imagePullPolicy: IfNotPresent snapshotWebhook: replicas: 1 webhook: image: repository: registry.k8s.io/sig-storage/snapshot-validation-webhook - tag: v8.1.1@sha256:979842f9a6c23ae1b2ddd26603c27412dfc4d3c027d9cda1cb87a67b91ae9ac8 + tag: v8.1.0@sha256:35fa940f062222dfa3257e0c74837a22c35976be899bab6103b433bab0e03a81 imagePullPolicy: IfNotPresent diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/autoscalingstrategy-crd.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/autoscalingstrategy-crd.yaml index 9156e3e71..18dce5e37 100644 --- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/autoscalingstrategy-crd.yaml +++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/autoscalingstrategy-crd.yaml @@ -1,10 +1,9 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 name: autoscalingstrategies.update.edgeless.systems + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 spec: group: update.edgeless.systems names: 
@@ -21,19 +20,14 @@ spec: API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -54,8 +48,8 @@ spec: deployment. type: string enabled: - description: Enabled defines whether cluster autoscaling should be - enabled or not. + description: Enabled defines whether cluster autoscaling should be enabled + or not. type: boolean required: - deploymentName @@ -70,8 +64,7 @@ spec: enabled or not. type: boolean replicas: - description: Replicas is the number of replicas for the autoscaler - deployment. + description: Replicas is the number of replicas for the autoscaler deployment. format: int32 type: integer type: object 
@@ -80,3 +73,9 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/joiningnode-crd.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/joiningnode-crd.yaml index 1beca7221..88fb65ae8 100644 --- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/joiningnode-crd.yaml +++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/joiningnode-crd.yaml @@ -1,10 +1,9 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 name: joiningnodes.update.edgeless.systems + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 spec: group: update.edgeless.systems names: 
@@ -20,19 +19,14 @@ spec: description: JoiningNode is the Schema for the joiningnodes API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -65,3 +59,9 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/nodeversion-crd.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/nodeversion-crd.yaml index 4b7f7b7e0..9c46b695c 100644 --- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/nodeversion-crd.yaml 
+++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/nodeversion-crd.yaml @@ -1,10 +1,9 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 name: nodeversions.update.edgeless.systems + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 spec: group: update.edgeless.systems names: @@ -20,19 +19,14 @@ spec: description: NodeVersion is the Schema for the nodeversions API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -66,49 +60,65 @@ spec: description: AwaitingAnnotation is a list of nodes that are waiting for the operator to annotate them. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array budget: description: Budget is the amount of extra nodes that can be created 
@@ -119,35 +129,43 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: Condition contains details for one aspect of the current - state of this API Resource. + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -162,6 +180,10 @@ spec: type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -177,389 +199,516 @@ spec: description: Donors is a list of outdated nodes that donate labels to heirs. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array heirs: description: Heirs is a list of nodes using the latest image that still need to inherit labels from donors. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. 
Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array invalid: description: Invalid is a list of invalid nodes (nodes that cannot be processed by the operator due to missing information or transient faults). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. 
\n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array mints: description: Mints is a list of up to date nodes that will become heirs. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. 
For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). 
This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array obsolete: description: Obsolete is a list of obsolete nodes (nodes that have been created by the operator but are no longer needed). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. 
In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' 
type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array outdated: description: Outdated is a list of nodes that are using an outdated image. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. 
+ description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array pending: description: Pending is a list of pending nodes (joining or leaving the cluster). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. 
The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). 
This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array upToDate: description: UpToDate is a list of nodes that are using the latest image and labels. 
items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array required: - - activeclusterversionupgrade - budget - conditions type: object diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/pendingnode-crd.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/pendingnode-crd.yaml index c6cd2db6a..41b5a4cd7 100644 --- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/pendingnode-crd.yaml +++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/pendingnode-crd.yaml @@ -1,10 +1,9 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 name: pendingnodes.update.edgeless.systems + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 spec: group: update.edgeless.systems names: 
@@ -20,19 +19,14 @@ spec: description: PendingNode is the Schema for the pendingnodes API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -40,11 +34,10 @@ spec: description: PendingNodeSpec defines the desired state of PendingNode. properties: deadline: - description: |- - Deadline is the deadline for reaching the goal state. - Joining nodes will be terminated if the deadline is exceeded. - Leaving nodes will remain as unschedulable to prevent data loss. - If not specified, the node may remain in the pending state indefinitely. + description: Deadline is the deadline for reaching the goal state. Joining + nodes will be terminated if the deadline is exceeded. Leaving nodes + will remain as unschedulable to prevent data loss. If not specified, + the node may remain in the pending state indefinitely. format: date-time type: string goal: @@ -54,8 +47,8 @@ spec: - Leave type: string groupID: - description: ScalingGroupID is the ID of the group that this node - shall be part of. + description: ScalingGroupID is the ID of the group that this node shall + be part of. type: string nodeName: description: NodeName is the kubernetes internal name of the node. @@ -79,8 +72,7 @@ spec: - Failed type: string reachedGoal: - description: ReachedGoal is true if the node has reached the goal - state. + description: ReachedGoal is true if the node has reached the goal state. type: boolean type: object type: object @@ -88,3 +80,9 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/scalinggroup-crd.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/scalinggroup-crd.yaml index 5eed4ebc8..0e334ae29 100644 --- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/scalinggroup-crd.yaml +++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/crds/scalinggroup-crd.yaml 
@@ -1,10 +1,9 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 name: scalinggroups.update.edgeless.systems + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 spec: group: update.edgeless.systems names: @@ -20,19 +19,14 @@ spec: description: ScalingGroup is the Schema for the scalinggroups API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -43,16 +37,16 @@ spec:
 description: AutoscalerGroupName is name that is expected by the autoscaler.
 type: string
 autoscaling:
- description: Autoscaling specifies wether the scaling group should
- automatically scale using the cluster-autoscaler.
+ description: Autoscaling specifies wether the scaling group should automatically
+ scale using the cluster-autoscaler.
 type: boolean
 groupId:
- description: GroupID is the CSP specific, canonical identifier of
- a scaling group.
+ description: GroupID is the CSP specific, canonical identifier of a
+ scaling group.
 type: string
 max:
- description: Max is the maximum number of autoscaled nodes in the
- scaling group (used by cluster-autoscaler).
+ description: Max is the maximum number of autoscaled nodes in the scaling
+ group (used by cluster-autoscaler).
 format: int32
 type: integer
 min:
@@ -61,11 +55,11 @@ spec:
 format: int32
 type: integer
 nodeGroupName:
- description: NodeGroupName is the human friendly name of the node
- group as defined in the Constellation configuration.
+ description: NodeGroupName is the human friendly name of the node group
+ as defined in the Constellation configuration.
 type: string
 nodeImage:
- description: NodeVersion is the name of the NodeVersion resource.
+ description: NodeImage is the name of the NodeImage resource.
 type: string
 role:
 description: Role is the role of the nodes in the scaling group.
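Review bot: The rewritten `nodeImage` description at the end of the second hunk now says `NodeImage is the name of the NodeImage resource.`, but the only matching CRD the rest of this change refers to is `nodeversions` (see the RBAC rules at L1563), so the text appears to point at a resource kind that does not exist on the new side; the removed wording, `NodeVersion is the name of the NodeVersion resource.`, named the right kind even though the field is called `nodeImage`. Either restore that sentence in the Go doc comment this CRD is generated from, or confirm that a NodeImage CRD still exists. While the `autoscaling` description in the first hunk is being rewrapped, `wether` should be corrected to `whether` at the source as well.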
@@ -81,36 +75,44 @@ spec: description: Conditions represent the latest available observations of an object's state. items: - description: Condition contains details for one aspect of the current - state of this API Resource. + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a foo's + current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating details + about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers of + specific condition types may define expected values and meanings + for this field, and whether the values are considered a guaranteed + API. The value should be a CamelCase string. This field may + not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -124,6 +126,10 @@ spec: type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
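Review bot: The regenerated `Condition` description at the start of this hunk now carries the upstream Go struct example and kubebuilder markers (`--- This struct is intended for direct use ... +patchMergeKey=type ...`) verbatim, and the `type` description in the `@@ -124,6 +126,10 @@` hunk gains the similar `--- Many .condition.type values ...` paragraph; both land in the served OpenAPI schema and are what tools such as `kubectl explain` print for the field. The removed wording was the trimmed form, so this is a readability regression that follows from the controller-gen version change at L1557 rather than from anything in the operator itself. If the older generator has to stay, a post-processing step that strips everything after the ` --- ` separator in descriptions restores the previous output; otherwise this is cosmetic only.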
@@ -136,8 +142,8 @@ spec:
 type: object
 type: array
 imageReference:
- description: ImageReference is the image currently used for newly
- created nodes in this scaling group.
+ description: ImageReference is the image currently used for newly created
+ nodes in this scaling group.
 type: string
 required:
 - conditions
@@ -147,3 +153,9 @@ spec:
 storage: true
 subresources:
 status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml
index 5afe29d9b..9083df141 100644
--- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml
+++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml
@@ -42,8 +42,6 @@ spec:
 value: {{ .Values.csp | quote }}
 - name: constellation-uid
 value: {{ .Values.constellationUID | quote }}
- - name: GOOGLE_APPLICATION_CREDENTIALS
- value: /var/secrets/google/key.json
 image: {{ .Values.controllerManager.manager.image | quote }}
 livenessProbe:
 httpGet:
@@ -74,9 +72,6 @@ spec:
 - mountPath: /etc/gce
 name: gceconf
 readOnly: true
- - mountPath: /var/secrets/google
- name: gcekey
- readOnly: true
 - mountPath: /etc/constellation-upgrade-agent.sock
 name: upgrade-agent-socket
 readOnly: true
@@ -114,10 +109,6 @@ spec:
 name: gceconf
 optional: true
 name: gceconf
- - name: gcekey
- secret:
- secretName: gcekey
- optional: true
 - name: upgrade-agent-socket
 hostPath:
 path: /run/constellation-upgrade-agent.sock
diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/manager-rbac.yaml
index 0e271ff7f..45dddbdd9 100644
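Review bot: The three deployment.yaml hunks drop the `GOOGLE_APPLICATION_CREDENTIALS` env var, the `/var/secrets/google` mount and the `gcekey` secret volume from the operator container, while the `/etc/gce` ConfigMap mount stays; this template is rendered for every CSP (the fixtures at L1568, L1574 and L1580 show the same container for AWS, Azure and GCP), and whether the operator can still reach the GCP API without the key file — for example through the node's attached service account — is not visible from the diff and should be confirmed before a GCP cluster picks this up. From a least-privilege standpoint the removal itself is welcome: a long-lived service-account key was mounted into a control-plane pod unconditionally, on non-GCP clusters too, and `optional: true` on the secret meant a missing key surfaced only at the first API call rather than at deploy time. The same secret and a `/var/run/state/ssh` hostPath mount also disappear from the join-service DaemonSet fixtures at L1573 and L1579, whose chart template is outside this view.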
--- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/manager-rbac.yaml
+++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/manager-rbac.yaml
@@ -13,7 +13,6 @@ rules:
 verbs:
 - get
 - list
- - watch
 - apiGroups:
 - ""
 resources:
@@ -59,10 +58,6 @@ rules:
 - update.edgeless.systems
 resources:
 - autoscalingstrategies
- - joiningnodes
- - nodeversions
- - pendingnodes
- - scalinggroups
 verbs:
 - create
 - delete
@@ -75,20 +70,38 @@ rules:
 - update.edgeless.systems
 resources:
 - autoscalingstrategies/finalizers
- - joiningnodes/finalizers
- - nodeversions/finalizers
- - pendingnodes/finalizers
- - scalinggroups/finalizers
 verbs:
 - update
 - apiGroups:
 - update.edgeless.systems
 resources:
 - autoscalingstrategies/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - update.edgeless.systems
+ resources:
+ - joiningnodes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - update.edgeless.systems
+ resources:
+ - joiningnodes/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - update.edgeless.systems
+ resources:
 - joiningnodes/status
- - nodeversions/status
- - pendingnodes/status
- - scalinggroups/status
 verbs:
 - get
 - patch
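Review bot: The `watch` verb dropped at the top of the first hunk belongs to a rule whose `resources:` list sits above the hunk, so the diff does not show which core-group resource loses it; a controller-runtime manager that caches that resource needs `list` and `watch` together, and without `watch` its informer fails at startup with a forbidden error rather than at render time. Confirm against the controller's `+kubebuilder:rbac` markers that no reconciler watches or owns that resource before accepting the removal. The remaining hunks, and their copies in the fixtures at L1571 and L1577, split the combined `update.edgeless.systems` rule into one rule per resource and per subresource; as far as the visible verb lists go this appears to leave the granted set unchanged, so it is a layout change, not a privilege change.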
@@ -107,6 +120,84 @@ rules:
 - nodeversion/status
 verbs:
 - get
+- apiGroups:
+ - update.edgeless.systems
+ resources:
+ - nodeversions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - update.edgeless.systems
+ resources:
+ - nodeversions/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - update.edgeless.systems
+ resources:
+ - nodeversions/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - update.edgeless.systems
+ resources:
+ - pendingnodes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - update.edgeless.systems
+ resources:
+ - pendingnodes/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - update.edgeless.systems
+ resources:
+ - pendingnodes/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - update.edgeless.systems
+ resources:
+ - scalinggroups
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - update.edgeless.systems
+ resources:
+ - scalinggroups/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - update.edgeless.systems
+ resources:
+ - scalinggroups/status
+ verbs:
+ - get
+ - patch
+ - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/internal/constellation/helm/chartutil.go b/internal/constellation/helm/chartutil.go
index 1f5017519..405b57175 100644
--- a/internal/constellation/helm/chartutil.go
+++ b/internal/constellation/helm/chartutil.go
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm
diff --git a/internal/constellation/helm/corednsgen/corednsgen.go b/internal/constellation/helm/corednsgen/corednsgen.go
index c648cca69..5c7bc08f2 100644
--- a/internal/constellation/helm/corednsgen/corednsgen.go
+++ b/internal/constellation/helm/corednsgen/corednsgen.go
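Review bot: The nine rules added in this hunk are inserted directly after a pre-existing `nodeversion/status` (singular) entry with verb `get`, while the new `nodeversions/status` rule grants `get`, `patch` and `update` on the correctly pluralised name; RBAC matches on the plural resource name, so the singular entry almost certainly grants nothing and is a stray `+kubebuilder:rbac` marker. It is not introduced here, but the regeneration that produced this hunk (and the fixture copies at L1572 and L1578) is the natural place to fix it, e.g. by deleting the singular rule or changing it to `- nodeversions/status`.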
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // corednsgen synthesizes a Helm chart from the resource templates embedded in diff --git a/internal/constellation/helm/helm.go b/internal/constellation/helm/helm.go index 3ac7be9e1..474044138 100644 --- a/internal/constellation/helm/helm.go +++ b/internal/constellation/helm/helm.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/constellation/helm/helm_test.go b/internal/constellation/helm/helm_test.go index 9d2e75e2e..e22a5fb21 100644 --- a/internal/constellation/helm/helm_test.go +++ b/internal/constellation/helm/helm_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm diff --git a/internal/constellation/helm/imageversion/imageversion.go b/internal/constellation/helm/imageversion/imageversion.go index 266840bda..a29126f87 100644 --- a/internal/constellation/helm/imageversion/imageversion.go +++ b/internal/constellation/helm/imageversion/imageversion.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package imageversion contains the pinned container images for the helm charts. diff --git a/internal/constellation/helm/imageversion/placeholder.go b/internal/constellation/helm/imageversion/placeholder.go index a754ade5e..22bb65b41 100644 --- a/internal/constellation/helm/imageversion/placeholder.go +++ b/internal/constellation/helm/imageversion/placeholder.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package imageversion diff --git a/internal/constellation/helm/loader.go b/internal/constellation/helm/loader.go index fbe6c4a0b..dfbe31209 100644 
--- a/internal/constellation/helm/loader.go +++ b/internal/constellation/helm/loader.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm diff --git a/internal/constellation/helm/loader_test.go b/internal/constellation/helm/loader_test.go index 6ee767e73..765bbf221 100644 --- a/internal/constellation/helm/loader_test.go +++ b/internal/constellation/helm/loader_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm diff --git a/internal/constellation/helm/overrides.go b/internal/constellation/helm/overrides.go index 6c05c0b10..fdadaac88 100644 --- a/internal/constellation/helm/overrides.go +++ b/internal/constellation/helm/overrides.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* Overrides contains helm values that are dynamically injected into the helm charts. @@ -48,7 +48,7 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou extraVals := map[string]any{} strictMode := map[string]any{} - // TODO: Once we are able to set the subnet of the load balancer VMs + // TODO(@3u13r): Once we are able to set the subnet of the load balancer VMs // on STACKIT, we can remove the OpenStack exception here. if provider != cloudprovider.QEMU && provider != cloudprovider.OpenStack { strictMode = map[string]any{ diff --git a/internal/constellation/helm/release.go b/internal/constellation/helm/release.go index 21ad1e9aa..c7be7ab5c 100644 --- a/internal/constellation/helm/release.go +++ b/internal/constellation/helm/release.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package helm provides types and functions shared across services. 
diff --git a/internal/constellation/helm/retryaction.go b/internal/constellation/helm/retryaction.go index 4725c8659..7117f0b45 100644 --- a/internal/constellation/helm/retryaction.go +++ b/internal/constellation/helm/retryaction.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm diff --git a/internal/constellation/helm/retryaction_test.go b/internal/constellation/helm/retryaction_test.go index f7259a358..6a39d7cb2 100644 --- a/internal/constellation/helm/retryaction_test.go +++ b/internal/constellation/helm/retryaction_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm @@ -64,7 +64,7 @@ func TestRetryApply(t *testing.T) { t.Run(name, func(t *testing.T) { assert := assert.New(t) - err := retryApply(t.Context(), tc.applier, time.Millisecond, logger.NewTest(t)) + err := retryApply(context.Background(), tc.applier, time.Millisecond, logger.NewTest(t)) if tc.wantErr { assert.Error(err) } else { diff --git a/internal/constellation/helm/serviceversion.go b/internal/constellation/helm/serviceversion.go index 06603e293..a3d9ca57c 100644 --- a/internal/constellation/helm/serviceversion.go +++ b/internal/constellation/helm/serviceversion.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm diff --git a/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml index fa41d793b..01d9e6f57 100644 --- a/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml 
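Review bot: Replacing `t.Context()` with `context.Background()` in TestRetryApply hands retryApply a context that is never cancelled, so the lifetime bound tied to the subtest is gone; the hunk does not show an import of `context`, so the file must already import it or the change will not compile. If the motivation is supporting Go versions that predate `T.Context`, `ctx, cancel := context.WithCancel(context.Background())` followed by `t.Cleanup(cancel)` keeps the previous behaviour. TestRetryApply starts and ends outside the hunk.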
+++ b/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml 
@@ -37,63 +37,58 @@ spec: kubectl.kubernetes.io/default-container: manager spec: containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8080 - - --leader-elect - command: - - /node-operator - env: - - name: KUBERNETES_CLUSTER_DOMAIN - value: cluster.local - - name: CONSTEL_CSP - value: GCP - - name: constellation-uid - value: "42424242424242" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json - image: constellationOperatorImage - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /etc/kubernetes/pki/etcd - name: etcd-certs - - mountPath: /host/usr/lib/os-release - name: usr-lib-os-release - - mountPath: /etc/os-release - name: etc-os-release - - mountPath: /etc/azure - name: azureconfig - readOnly: true - - mountPath: /etc/gce - name: gceconf - readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /etc/constellation-upgrade-agent.sock - name: upgrade-agent-socket - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8080 + - --leader-elect + command: + - /node-operator + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + - name: CONSTEL_CSP + value: GCP + - name: constellation-uid + value: "42424242424242" + image: constellationOperatorImage + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + 
allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /etc/kubernetes/pki/etcd + name: etcd-certs + - mountPath: /host/usr/lib/os-release + name: usr-lib-os-release + - mountPath: /etc/os-release + name: etc-os-release + - mountPath: /etc/azure + name: azureconfig + readOnly: true + - mountPath: /etc/gce + name: gceconf + readOnly: true + - mountPath: /etc/constellation-upgrade-agent.sock + name: upgrade-agent-socket + readOnly: true nodeSelector: node-role.kubernetes.io/control-plane: "" securityContext: 
@@ -101,38 +96,34 @@ spec: serviceAccountName: constellation-operator-controller-manager terminationGracePeriodSeconds: 10 tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists volumes: - - hostPath: - path: /etc/kubernetes/pki/etcd - type: Directory - name: etcd-certs - - hostPath: - path: /usr/lib/os-release - type: File - name: usr-lib-os-release - - hostPath: - path: /etc/os-release - type: File - name: etc-os-release - - name: azureconfig - secret: - optional: true - secretName: azureconfig - - configMap: - name: gceconf - optional: true + - hostPath: + path: /etc/kubernetes/pki/etcd + type: Directory + name: etcd-certs + - hostPath: + path: /usr/lib/os-release + type: File + name: usr-lib-os-release + - hostPath: + path: /etc/os-release + type: File + name: etc-os-release + - name: azureconfig + secret: + optional: true + secretName: azureconfig + - configMap: name: gceconf - - name: gcekey - secret: - secretName: gcekey - optional: true - - name: upgrade-agent-socket - hostPath: - path: /run/constellation-upgrade-agent.sock - type: Socket + optional: true + name: gceconf + - name: upgrade-agent-socket + hostPath: + path: /run/constellation-upgrade-agent.sock + type: Socket diff --git a/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml index 56bf77080..4fa4863c8 100644 --- a/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml 
+++ b/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml @@ -16,7 +16,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -62,10 +61,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete @@ -78,20 +73,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch 
@@ -110,6 +123,84 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml index 046ae08e6..2156f82a6 100644 --- a/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml 
@@ -40,9 +40,6 @@ spec: - --cloud-provider=AWS - --key-service-endpoint=key-service.testNamespace:9000 - --attestation-variant=aws-nitro-tpm - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json volumeMounts: - mountPath: /var/config name: config @@ -50,11 +47,6 @@ spec: - mountPath: /etc/kubernetes name: kubeadm readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /var/run/state/ssh - name: ssh ports: - containerPort: 9090 name: tcp @@ -62,10 +54,6 @@ spec: securityContext: privileged: true volumes: - - name: gcekey - secret: - secretName: gcekey - optional: true - name: config projected: sources: @@ -76,7 +64,4 @@ spec: - name: kubeadm hostPath: path: /etc/kubernetes - - name: ssh - hostPath: - path: /var/run/state/ssh updateStrategy: {} diff --git a/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml index 23b5ac730..d50c5492f 100644 --- a/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml +++ b/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml 
@@ -37,63 +37,58 @@ spec: kubectl.kubernetes.io/default-container: manager spec: containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8080 - - --leader-elect - command: - - /node-operator - env: - - name: KUBERNETES_CLUSTER_DOMAIN - value: cluster.local - - name: CONSTEL_CSP - value: Azure - - name: constellation-uid - value: "42424242424242" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json - image: constellationOperatorImage - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /etc/kubernetes/pki/etcd - name: etcd-certs - - mountPath: /host/usr/lib/os-release - name: usr-lib-os-release - - mountPath: /etc/os-release - name: etc-os-release - - mountPath: /etc/azure - name: azureconfig - readOnly: true - - mountPath: /etc/gce - name: gceconf - readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /etc/constellation-upgrade-agent.sock - name: upgrade-agent-socket - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8080 + - --leader-elect + command: + - /node-operator + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + - name: CONSTEL_CSP + value: Azure + - name: constellation-uid + value: "42424242424242" + image: constellationOperatorImage + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + 
allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /etc/kubernetes/pki/etcd + name: etcd-certs + - mountPath: /host/usr/lib/os-release + name: usr-lib-os-release + - mountPath: /etc/os-release + name: etc-os-release + - mountPath: /etc/azure + name: azureconfig + readOnly: true + - mountPath: /etc/gce + name: gceconf + readOnly: true + - mountPath: /etc/constellation-upgrade-agent.sock + name: upgrade-agent-socket + readOnly: true nodeSelector: node-role.kubernetes.io/control-plane: "" securityContext: 
@@ -101,38 +96,34 @@ spec: serviceAccountName: constellation-operator-controller-manager terminationGracePeriodSeconds: 10 tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists volumes: - - hostPath: - path: /etc/kubernetes/pki/etcd - type: Directory - name: etcd-certs - - hostPath: - path: /usr/lib/os-release - type: File - name: usr-lib-os-release - - hostPath: - path: /etc/os-release - type: File - name: etc-os-release - - name: azureconfig - secret: - optional: true - secretName: azureconfig - - configMap: - name: gceconf - optional: true + - hostPath: + path: /etc/kubernetes/pki/etcd + type: Directory + name: etcd-certs + - hostPath: + path: /usr/lib/os-release + type: File + name: usr-lib-os-release + - hostPath: + path: /etc/os-release + type: File + name: etc-os-release + - name: azureconfig + secret: + optional: true + secretName: azureconfig + - configMap: name: gceconf - - name: gcekey - secret: - secretName: gcekey - optional: true - - name: upgrade-agent-socket - hostPath: - path: /run/constellation-upgrade-agent.sock - type: Socket + optional: true + name: gceconf + - name: upgrade-agent-socket + hostPath: + path: /run/constellation-upgrade-agent.sock + type: Socket diff --git a/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml index 56bf77080..4fa4863c8 100644 --- a/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml 
+++ b/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml @@ -16,7 +16,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -62,10 +61,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete @@ -78,20 +73,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch 
@@ -110,6 +123,84 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml index 80e151886..05f397876 100644 --- a/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml 
@@ -40,9 +40,6 @@ spec: - --cloud-provider=Azure - --key-service-endpoint=key-service.testNamespace:9000 - --attestation-variant=azure-sev-snp - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json volumeMounts: - mountPath: /var/config name: config @@ -50,11 +47,6 @@ spec: - mountPath: /etc/kubernetes name: kubeadm readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /var/run/state/ssh - name: ssh ports: - containerPort: 9090 name: tcp @@ -62,10 +54,6 @@ spec: securityContext: privileged: true volumes: - - name: gcekey - secret: - secretName: gcekey - optional: true - name: config projected: sources: @@ -76,7 +64,4 @@ spec: - name: kubeadm hostPath: path: /etc/kubernetes - - name: ssh - hostPath: - path: /var/run/state/ssh updateStrategy: {} diff --git a/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml index fa41d793b..01d9e6f57 100644 --- a/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml +++ b/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml 
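Review bot: The new side keeps `privileged: true` on the join-service container after the writable `/var/run/state/ssh` hostPath and the GCE key mount are gone, leaving only the read-only `/etc/kubernetes` hostPath and a projected config volume. Nothing in the manifest shows why full privilege is still needed (presumably device access for attestation — TODO confirm); if it is only a device, a `/dev/...` hostPath plus the specific capability is a far smaller grant than `privileged`, and a comment above `securityContext:` stating the reason would let the next reviewer judge that. Separately, the `kubeadm` hostPath volume has no `type:`; with `type: Directory` the kubelet fails the pod instead of silently creating an empty root-owned `/etc/kubernetes` on a host where it is missing.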
@@ -37,63 +37,58 @@ spec: kubectl.kubernetes.io/default-container: manager spec: containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8080 - - --leader-elect - command: - - /node-operator - env: - - name: KUBERNETES_CLUSTER_DOMAIN - value: cluster.local - - name: CONSTEL_CSP - value: GCP - - name: constellation-uid - value: "42424242424242" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json - image: constellationOperatorImage - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /etc/kubernetes/pki/etcd - name: etcd-certs - - mountPath: /host/usr/lib/os-release - name: usr-lib-os-release - - mountPath: /etc/os-release - name: etc-os-release - - mountPath: /etc/azure - name: azureconfig - readOnly: true - - mountPath: /etc/gce - name: gceconf - readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /etc/constellation-upgrade-agent.sock - name: upgrade-agent-socket - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8080 + - --leader-elect + command: + - /node-operator + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + - name: CONSTEL_CSP + value: GCP + - name: constellation-uid + value: "42424242424242" + image: constellationOperatorImage + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + 
allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /etc/kubernetes/pki/etcd + name: etcd-certs + - mountPath: /host/usr/lib/os-release + name: usr-lib-os-release + - mountPath: /etc/os-release + name: etc-os-release + - mountPath: /etc/azure + name: azureconfig + readOnly: true + - mountPath: /etc/gce + name: gceconf + readOnly: true + - mountPath: /etc/constellation-upgrade-agent.sock + name: upgrade-agent-socket + readOnly: true nodeSelector: node-role.kubernetes.io/control-plane: "" securityContext: 
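Review bot: The `etcd-certs` hostPath mount at `/etc/kubernetes/pki/etcd` and the two os-release mounts are the only volumeMounts on the new side without `readOnly: true`, while `azureconfig`, `gceconf` and the upgrade-agent socket all have it. `allowPrivilegeEscalation: false` does not help here: a compromised operator pod with a writable mount of the etcd PKI directory can replace the etcd client certificate and key on the control-plane host. Unless the operator writes there (nothing in this manifest indicates it does), add `readOnly: true` under `- mountPath: /etc/kubernetes/pki/etcd`, `- mountPath: /host/usr/lib/os-release` and `- mountPath: /etc/os-release`.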
@@ -101,38 +96,34 @@ spec: serviceAccountName: constellation-operator-controller-manager terminationGracePeriodSeconds: 10 tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists volumes: - - hostPath: - path: /etc/kubernetes/pki/etcd - type: Directory - name: etcd-certs - - hostPath: - path: /usr/lib/os-release - type: File - name: usr-lib-os-release - - hostPath: - path: /etc/os-release - type: File - name: etc-os-release - - name: azureconfig - secret: - optional: true - secretName: azureconfig - - configMap: - name: gceconf - optional: true + - hostPath: + path: /etc/kubernetes/pki/etcd + type: Directory + name: etcd-certs + - hostPath: + path: /usr/lib/os-release + type: File + name: usr-lib-os-release + - hostPath: + path: /etc/os-release + type: File + name: etc-os-release + - name: azureconfig + secret: + optional: true + secretName: azureconfig + - configMap: name: gceconf - - name: gcekey - secret: - secretName: gcekey - optional: true - - name: upgrade-agent-socket - hostPath: - path: /run/constellation-upgrade-agent.sock - type: Socket + optional: true + name: gceconf + - name: upgrade-agent-socket + hostPath: + path: /run/constellation-upgrade-agent.sock + type: Socket diff --git a/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml index 56bf77080..4fa4863c8 100644 --- a/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml 
+++ b/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml @@ -16,7 +16,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -62,10 +61,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete @@ -78,20 +73,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch 
@@ -110,6 +123,84 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml b/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml index c0ed7d331..5855fb988 100644 --- a/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml +++ b/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml 
@@ -4,4 +4,4 @@ metadata: name: gceconf namespace: testNamespace data: - gce.conf: "[global]\nproject-id = 42424242424242\nuse-metadata-server = true\nnode-tags = constellation-242424242424\nregional = true\ntoken-url = nil # This forces use of GOOGLE_APPLICATION_CREDENTIALS." + gce.conf: "[global]\nproject-id = 42424242424242\nuse-metadata-server = true\nnode-tags = constellation-242424242424\nregional = true\n" diff --git a/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml index c16d77b4f..0ddfa9201 100644 --- a/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml @@ -40,9 +40,6 @@ spec: - --cloud-provider=GCP - --key-service-endpoint=key-service.testNamespace:9000 - --attestation-variant=gcp-sev-es - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json volumeMounts: - mountPath: /var/config name: config @@ -50,11 +47,6 @@ spec: - mountPath: /etc/kubernetes name: kubeadm readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /var/run/state/ssh - name: ssh ports: - containerPort: 9090 name: tcp @@ -62,10 +54,6 @@ spec: securityContext: privileged: true volumes: - - name: gcekey - secret: - secretName: gcekey - optional: true - name: config projected: sources: @@ -76,7 +64,4 @@ spec: - name: kubeadm hostPath: path: /etc/kubernetes - - name: ssh - hostPath: - path: /var/run/state/ssh updateStrategy: {} 
diff --git a/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml index fa41d793b..01d9e6f57 100644 --- a/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml +++ b/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml 
@@ -37,63 +37,58 @@ spec: kubectl.kubernetes.io/default-container: manager spec: containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8080 - - --leader-elect - command: - - /node-operator - env: - - name: KUBERNETES_CLUSTER_DOMAIN - value: cluster.local - - name: CONSTEL_CSP - value: GCP - - name: constellation-uid - value: "42424242424242" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json - image: constellationOperatorImage - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /etc/kubernetes/pki/etcd - name: etcd-certs - - mountPath: /host/usr/lib/os-release - name: usr-lib-os-release - - mountPath: /etc/os-release - name: etc-os-release - - mountPath: /etc/azure - name: azureconfig - readOnly: true - - mountPath: /etc/gce - name: gceconf - readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /etc/constellation-upgrade-agent.sock - name: upgrade-agent-socket - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8080 + - --leader-elect + command: + - /node-operator + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + - name: CONSTEL_CSP + value: GCP + - name: constellation-uid + value: "42424242424242" + image: constellationOperatorImage + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + 
allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /etc/kubernetes/pki/etcd + name: etcd-certs + - mountPath: /host/usr/lib/os-release + name: usr-lib-os-release + - mountPath: /etc/os-release + name: etc-os-release + - mountPath: /etc/azure + name: azureconfig + readOnly: true + - mountPath: /etc/gce + name: gceconf + readOnly: true + - mountPath: /etc/constellation-upgrade-agent.sock + name: upgrade-agent-socket + readOnly: true nodeSelector: node-role.kubernetes.io/control-plane: "" securityContext: 
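Review bot: This OpenStack fixture's manager container sets `CONSTEL_CSP` to `GCP` and mounts `gceconf`/`azureconfig`, which this re-indentation carries over unchanged; the file path says OpenStack and the blob hashes in the file header are identical to the GCP fixture, so either the fixture was copied from GCP or the chart renders the wrong CSP for OpenStack. If the former, the expected value should be `value: OpenStack` so the test actually pins OpenStack rendering; if the latter, the chart is the bug and this fixture is hiding it — TODO confirm which. Either way a comment at the top of the fixture noting what it is generated from would make this kind of drift visible.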
@@ -101,38 +96,34 @@ spec: serviceAccountName: constellation-operator-controller-manager terminationGracePeriodSeconds: 10 tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists volumes: - - hostPath: - path: /etc/kubernetes/pki/etcd - type: Directory - name: etcd-certs - - hostPath: - path: /usr/lib/os-release - type: File - name: usr-lib-os-release - - hostPath: - path: /etc/os-release - type: File - name: etc-os-release - - name: azureconfig - secret: - optional: true - secretName: azureconfig - - configMap: - name: gceconf - optional: true + - hostPath: + path: /etc/kubernetes/pki/etcd + type: Directory + name: etcd-certs + - hostPath: + path: /usr/lib/os-release + type: File + name: usr-lib-os-release + - hostPath: + path: /etc/os-release + type: File + name: etc-os-release + - name: azureconfig + secret: + optional: true + secretName: azureconfig + - configMap: name: gceconf - - name: gcekey - secret: - secretName: gcekey - optional: true - - name: upgrade-agent-socket - hostPath: - path: /run/constellation-upgrade-agent.sock - type: Socket + optional: true + name: gceconf + - name: upgrade-agent-socket + hostPath: + path: /run/constellation-upgrade-agent.sock + type: Socket diff --git a/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml index 56bf77080..4fa4863c8 100644 --- a/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml 
+++ b/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml @@ -16,7 +16,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -62,10 +61,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete @@ -78,20 +73,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch 
@@ -110,6 +123,84 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml index c77b395b1..0ed907f4d 100644 --- a/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml 
@@ -40,9 +40,6 @@ spec: - --cloud-provider=OpenStack - --key-service-endpoint=key-service.testNamespace:9000 - --attestation-variant=qemu-vtpm - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json volumeMounts: - mountPath: /var/config name: config @@ -50,11 +47,6 @@ spec: - mountPath: /etc/kubernetes name: kubeadm readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /var/run/state/ssh - name: ssh ports: - containerPort: 9090 name: tcp @@ -62,10 +54,6 @@ spec: securityContext: privileged: true volumes: - - name: gcekey - secret: - secretName: gcekey - optional: true - name: config projected: sources: @@ -76,7 +64,4 @@ spec: - name: kubeadm hostPath: path: /etc/kubernetes - - name: ssh - hostPath: - path: /var/run/state/ssh updateStrategy: {} diff --git a/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml index edad32c8d..99e4a790d 100644 --- a/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml +++ b/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml @@ -50,8 +50,6 @@ spec: value: QEMU - name: constellation-uid value: "42424242424242" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json image: constellationOperatorImage livenessProbe: httpGet: @@ -88,9 +86,6 @@ spec: - mountPath: /etc/gce name: gceconf readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - mountPath: /etc/constellation-upgrade-agent.sock name: upgrade-agent-socket readOnly: true 
@@ -128,10 +123,6 @@ spec: name: gceconf optional: true name: gceconf - - name: gcekey - secret: - secretName: gcekey - optional: true - name: upgrade-agent-socket hostPath: path: /run/constellation-upgrade-agent.sock diff --git a/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml b/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml index 56bf77080..4fa4863c8 100644 --- a/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml +++ b/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml @@ -16,7 +16,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -62,10 +61,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete @@ -78,20 +73,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch 
@@ -110,6 +123,84 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml index 7e8443eb4..71ad80428 100644 --- a/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml 
@@ -40,9 +40,6 @@ spec: - --cloud-provider=QEMU - --key-service-endpoint=key-service.testNamespace:9000 - --attestation-variant=qemu-vtpm - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json volumeMounts: - mountPath: /var/config name: config @@ -50,11 +47,6 @@ spec: - mountPath: /etc/kubernetes name: kubeadm readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - - mountPath: /var/run/state/ssh - name: ssh ports: - containerPort: 9090 name: tcp @@ -62,10 +54,6 @@ spec: securityContext: privileged: true volumes: - - name: gcekey - secret: - secretName: gcekey - optional: true - name: config projected: sources: @@ -76,7 +64,4 @@ spec: - name: kubeadm hostPath: path: /etc/kubernetes - - name: ssh - hostPath: - path: /var/run/state/ssh updateStrategy: {} diff --git a/internal/constellation/helm/update-aws-load-balancer-chart.sh b/internal/constellation/helm/update-aws-load-balancer-chart.sh index 797defaa8..1c6a8519c 100755 --- a/internal/constellation/helm/update-aws-load-balancer-chart.sh +++ b/internal/constellation/helm/update-aws-load-balancer-chart.sh @@ -8,7 +8,7 @@ set -o errtrace shopt -s inherit_errexit echo "Updating AWS Load Balancer Controller Helm chart..." -branch="v0.0.190" # releases can update the AWS load-balancer-controller chart +branch="v0.0.140" # releases can update the AWS load-balancer-controller chart # Required tools if ! command -v git &> /dev/null; then echo "git could not be found" diff --git a/internal/constellation/helm/values.go b/internal/constellation/helm/values.go index 807f84b0e..bb36cf0fe 100644 --- a/internal/constellation/helm/values.go +++ b/internal/constellation/helm/values.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm diff --git a/internal/constellation/helm/versionlister.go b/internal/constellation/helm/versionlister.go index c5faf1aea..526cfebe3 100644 
--- a/internal/constellation/helm/versionlister.go +++ b/internal/constellation/helm/versionlister.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package helm diff --git a/internal/constellation/kubecmd/BUILD.bazel b/internal/constellation/kubecmd/BUILD.bazel index aca26d0bb..71bae3c32 100644 --- a/internal/constellation/kubecmd/BUILD.bazel +++ b/internal/constellation/kubecmd/BUILD.bazel @@ -30,11 +30,8 @@ go_library( "@io_k8s_apimachinery//pkg/apis/meta/v1/unstructured", "@io_k8s_apimachinery//pkg/runtime", "@io_k8s_apimachinery//pkg/runtime/schema", - "@io_k8s_apimachinery//pkg/runtime/serializer/json", "@io_k8s_client_go//util/retry", - "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm", - "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/scheme", - "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/v1beta4", + "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/v1beta3", "@io_k8s_sigs_yaml//:yaml", ], ) diff --git a/internal/constellation/kubecmd/backup.go b/internal/constellation/kubecmd/backup.go index 93a9cada7..e4ad27633 100644 --- a/internal/constellation/kubecmd/backup.go +++ b/internal/constellation/kubecmd/backup.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubecmd diff --git a/internal/constellation/kubecmd/backup_test.go b/internal/constellation/kubecmd/backup_test.go index ac6e42d54..a95c26be5 100644 --- a/internal/constellation/kubecmd/backup_test.go +++ b/internal/constellation/kubecmd/backup_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubecmd 
@@ -57,7 +57,7 @@ func TestBackupCRDs(t *testing.T) { log: stubLog{}, } - _, err = client.BackupCRDs(t.Context(), file.NewHandler(memFs), tc.upgradeID) + _, err = client.BackupCRDs(context.Background(), file.NewHandler(memFs), tc.upgradeID) if tc.wantError { assert.Error(err) return @@ -146,7 +146,7 @@ func TestBackupCRs(t *testing.T) { log: stubLog{}, } - err := client.BackupCRs(t.Context(), file.NewHandler(memFs), []apiextensionsv1.CustomResourceDefinition{tc.crd}, tc.upgradeID) + err := client.BackupCRs(context.Background(), file.NewHandler(memFs), []apiextensionsv1.CustomResourceDefinition{tc.crd}, tc.upgradeID) if tc.wantError { assert.Error(err) return diff --git a/internal/constellation/kubecmd/kubecmd.go b/internal/constellation/kubecmd/kubecmd.go index 7fb911e44..1ebf99265 100644 --- a/internal/constellation/kubecmd/kubecmd.go +++ b/internal/constellation/kubecmd/kubecmd.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* @@ -42,11 +42,9 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" - k8sjson "k8s.io/apimachinery/pkg/runtime/serializer/json" "k8s.io/client-go/util/retry" - "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" - kubeadmscheme "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme" - kubeadmv1beta4 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta4" + kubeadmv1beta3 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3" + "sigs.k8s.io/yaml" ) // ErrInProgress signals that an upgrade is in progress inside the cluster. 
@@ -131,18 +129,6 @@ func (k *KubeCmd) UpgradeKubernetesVersion(ctx context.Context, kubernetesVersio ) } - // TODO(burgerdev): remove after releasing v2.19 - // Workaround for https://github.com/kubernetes/kubernetes/issues/127316: force kubelet to - // connect to the local API server. - if err := k.patchKubeadmConfig(ctx, func(cc *kubeadm.ClusterConfiguration) { - if cc.FeatureGates == nil { - cc.FeatureGates = map[string]bool{} - } - cc.FeatureGates["ControlPlaneKubeletLocalMode"] = true - }); err != nil { - return fmt.Errorf("setting FeatureGate ControlPlaneKubeletLocalMode: %w", err) - } - versionConfig, ok := versions.VersionConfigs[kubernetesVersion] if !ok { return fmt.Errorf("skipping Kubernetes upgrade: %w", compatibility.NewInvalidUpgradeError( 
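Review bot: The forced `ControlPlaneKubeletLocalMode` feature gate is removed from UpgradeKubernetesVersion without a replacement or a version gate, so during an upgrade control-plane kubelets may again reach the API server through the load balancer instead of locally (kubernetes/kubernetes#127316, per the removed comment). If any version in `versions.VersionConfigs` is still affected, keep setting the gate, or guard it on the target version; otherwise add a short comment at this point saying why the workaround is no longer needed, since the removed TODO tied it to a release rather than to a Kubernetes version. UpgradeKubernetesVersion starts and ends outside the hunk.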
@@ -248,32 +234,48 @@ func (k *KubeCmd) ApplyJoinConfig(ctx context.Context, newAttestConfig config.At // ExtendClusterConfigCertSANs extends the ClusterConfig stored under "kube-system/kubeadm-config" with the given SANs. // Empty strings are ignored, existing SANs are preserved. func (k *KubeCmd) ExtendClusterConfigCertSANs(ctx context.Context, alternativeNames []string) error { - if err := k.patchKubeadmConfig(ctx, func(clusterConfiguration *kubeadm.ClusterConfiguration) { - existingSANs := make(map[string]struct{}) - for _, existingSAN := range clusterConfiguration.APIServer.CertSANs { - existingSANs[existingSAN] = struct{}{} - } + clusterConfiguration, kubeadmConfig, err := k.getClusterConfiguration(ctx) + if err != nil { + return fmt.Errorf("getting ClusterConfig: %w", err) + } - var missingSANs []string - for _, san := range alternativeNames { - if san == "" { - continue // skip empty SANs - } - if _, ok := existingSANs[san]; !ok { - missingSANs = append(missingSANs, san) - existingSANs[san] = struct{}{} // make sure we don't add the same SAN twice - } - } + existingSANs := make(map[string]struct{}) + for _, existingSAN := range clusterConfiguration.APIServer.CertSANs { + existingSANs[existingSAN] = struct{}{} + } - if len(missingSANs) == 0 { - k.log.Debug("No new SANs to add to the cluster's apiserver SAN field") + var missingSANs []string + for _, san := range alternativeNames { + if san == "" { + continue // skip empty SANs } - k.log.Debug("Extending the cluster's apiserver SAN field", "certSANs", strings.Join(missingSANs, ", ")) + if _, ok := existingSANs[san]; !ok { + missingSANs = append(missingSANs, san) + existingSANs[san] = struct{}{} // make sure we don't add the same SAN twice + } + } - clusterConfiguration.APIServer.CertSANs = append(clusterConfiguration.APIServer.CertSANs, missingSANs...) 
- sort.Strings(clusterConfiguration.APIServer.CertSANs) + if len(missingSANs) == 0 { + k.log.Debug("No new SANs to add to the cluster's apiserver SAN field") + return nil + } + k.log.Debug("Extending the cluster's apiserver SAN field", "certSANs", strings.Join(missingSANs, ", ")) + + clusterConfiguration.APIServer.CertSANs = append(clusterConfiguration.APIServer.CertSANs, missingSANs...) + sort.Strings(clusterConfiguration.APIServer.CertSANs) + + newConfigYAML, err := yaml.Marshal(clusterConfiguration) + if err != nil { + return fmt.Errorf("marshaling ClusterConfiguration: %w", err) + } + + kubeadmConfig.Data[constants.ClusterConfigurationKey] = string(newConfigYAML) + k.log.Debug("Triggering kubeadm config update now") + if err = k.retryAction(ctx, func(ctx context.Context) error { + _, err := k.kubectl.UpdateConfigMap(ctx, kubeadmConfig) + return err }); err != nil { - return fmt.Errorf("extending ClusterConfig.CertSANs: %w", err) + return fmt.Errorf("setting new kubeadm config: %w", err) } k.log.Debug("Successfully extended the cluster's apiserver SAN field") 
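Review bot: The write-back is a read-modify-write on the ConfigMap returned by getClusterConfiguration, but only the `UpdateConfigMap` call sits inside `retryAction`; a 409 conflict from a concurrent writer (kubeadm, another CLI run) is retried with the same stale `resourceVersion` and can never succeed, and a non-conflict-aware retry helper may also mask a real failure. `retry.RetryOnConflict` from `k8s.io/client-go/util/retry` is already imported in this file; re-fetch, merge and update inside it so each attempt starts from the current object. The early `return nil` for "no new SANs" stays outside the closure by making the closure report whether anything changed. ExtendClusterConfigCertSANs ends outside the hunk.
```go
	k.log.Debug("Triggering kubeadm config update now")
	if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
		clusterConfiguration, kubeadmConfig, err := k.getClusterConfiguration(ctx)
		if err != nil {
			return fmt.Errorf("getting ClusterConfig: %w", err)
		}
		// … unchanged: compute missingSANs from clusterConfiguration.APIServer.CertSANs …
		if len(missingSANs) == 0 {
			return nil // nothing to write; a conflict cannot occur
		}
		clusterConfiguration.APIServer.CertSANs = append(clusterConfiguration.APIServer.CertSANs, missingSANs...)
		sort.Strings(clusterConfiguration.APIServer.CertSANs)
		newConfigYAML, err := yaml.Marshal(clusterConfiguration)
		if err != nil {
			return fmt.Errorf("marshaling ClusterConfiguration: %w", err)
		}
		kubeadmConfig.Data[constants.ClusterConfigurationKey] = string(newConfigYAML)
		_, err = k.kubectl.UpdateConfigMap(ctx, kubeadmConfig)
		return err
	}); err != nil {
		return fmt.Errorf("setting new kubeadm config: %w", err)
	}
```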
@@ -314,6 +316,31 @@ func (k *KubeCmd) getConstellationVersion(ctx context.Context) (updatev1alpha1.N return nodeVersion, nil } +// getClusterConfiguration fetches the kubeadm-config configmap from the cluster, extracts the config +// and returns both the full configmap and the ClusterConfiguration. +func (k *KubeCmd) getClusterConfiguration(ctx context.Context) (kubeadmv1beta3.ClusterConfiguration, *corev1.ConfigMap, error) { + var existingConf *corev1.ConfigMap + if err := k.retryAction(ctx, func(ctx context.Context) error { + var err error + existingConf, err = k.kubectl.GetConfigMap(ctx, constants.ConstellationNamespace, constants.KubeadmConfigMap) + return err + }); err != nil { + return kubeadmv1beta3.ClusterConfiguration{}, nil, fmt.Errorf("retrieving current kubeadm-config: %w", err) + } + + clusterConf, ok := existingConf.Data[constants.ClusterConfigurationKey] + if !ok { + return kubeadmv1beta3.ClusterConfiguration{}, nil, errors.New("ClusterConfiguration missing from kubeadm-config") + } + + var existingClusterConfig kubeadmv1beta3.ClusterConfiguration + if err := yaml.Unmarshal([]byte(clusterConf), &existingClusterConfig); err != nil { + return kubeadmv1beta3.ClusterConfiguration{}, nil, fmt.Errorf("unmarshaling ClusterConfiguration: %w", err) + } + + return existingClusterConfig, existingConf, nil +} + // applyComponentsCM applies the k8s components ConfigMap to the cluster. func (k *KubeCmd) applyComponentsCM(ctx context.Context, components *corev1.ConfigMap) error { if err := k.retryAction(ctx, func(ctx context.Context) error { 
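Review bot: `yaml.Unmarshal` into `kubeadmv1beta3.ClusterConfiguration` in the new `getClusterConfiguration` never checks the document's `apiVersion`, so a kubeadm-config already stored as v1beta4 (where `extraArgs` is a name/value list rather than a map, as in the fixture this commit deletes from kubecmd_test.go) would either fail to decode or round-trip with fields silently lost, and the deleted TestExtendClusterConfigCertSANs was the only test exercising both versions. A guard after the unmarshal would turn that into an explicit error: `if existingClusterConfig.APIVersion != kubeadmv1beta3.SchemeGroupVersion.String() { return kubeadmv1beta3.ClusterConfiguration{}, nil, fmt.Errorf("unsupported ClusterConfiguration apiVersion %q", existingClusterConfig.APIVersion) }`. Which `yaml` package is imported here is not visible in the hunk, and it determines whether the kubeadm types' `json` tags are honoured during decode and encode, so the round-trip should be confirmed against the import block before relying on it.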
@@ -441,51 +468,6 @@ func (k *KubeCmd) retryAction(ctx context.Context, action func(ctx context.Conte return retrier.Do(ctx) } -// patchKubeadmConfig fetches and unpacks the kube-system/kubeadm-config ClusterConfiguration entry, -// runs doPatch on it and uploads the result. -func (k *KubeCmd) patchKubeadmConfig(ctx context.Context, doPatch func(*kubeadm.ClusterConfiguration)) error { - var kubeadmConfig *corev1.ConfigMap - if err := k.retryAction(ctx, func(ctx context.Context) error { - var err error - kubeadmConfig, err = k.kubectl.GetConfigMap(ctx, constants.ConstellationNamespace, constants.KubeadmConfigMap) - return err - }); err != nil { - return fmt.Errorf("retrieving current kubeadm-config: %w", err) - } - - clusterConfigData, ok := kubeadmConfig.Data[constants.ClusterConfigurationKey] - if !ok { - return errors.New("ClusterConfiguration missing from kubeadm-config") - } - - var clusterConfiguration kubeadm.ClusterConfiguration - if err := runtime.DecodeInto(kubeadmscheme.Codecs.UniversalDecoder(), []byte(clusterConfigData), &clusterConfiguration); err != nil { - return fmt.Errorf("decoding cluster configuration data: %w", err) - } - - doPatch(&clusterConfiguration) - - opt := k8sjson.SerializerOptions{Yaml: true} - serializer := k8sjson.NewSerializerWithOptions(k8sjson.DefaultMetaFactory, kubeadmscheme.Scheme, kubeadmscheme.Scheme, opt) - encoder := kubeadmscheme.Codecs.EncoderForVersion(serializer, kubeadmv1beta4.SchemeGroupVersion) - newConfigYAML, err := runtime.Encode(encoder, &clusterConfiguration) - if err != nil { - return fmt.Errorf("marshaling ClusterConfiguration: %w", err) - } - - kubeadmConfig.Data[constants.ClusterConfigurationKey] = string(newConfigYAML) - k.log.Debug("Triggering kubeadm config update now") - if err = k.retryAction(ctx, func(ctx context.Context) error { - _, err := k.kubectl.UpdateConfigMap(ctx, kubeadmConfig) - return err - }); err != nil { - return fmt.Errorf("setting new kubeadm config: %w", err) - } - - 
k.log.Debug("Successfully patched the cluster's kubeadm-config") - return nil -} - func checkForApplyError(expected, actual updatev1alpha1.NodeVersion) error { var err error switch { diff --git a/internal/constellation/kubecmd/kubecmd_test.go b/internal/constellation/kubecmd/kubecmd_test.go index 3e861afb7..74e9562c1 100644 --- a/internal/constellation/kubecmd/kubecmd_test.go +++ b/internal/constellation/kubecmd/kubecmd_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubecmd @@ -180,7 +180,7 @@ func TestUpgradeNodeImage(t *testing.T) { log: logger.NewTest(t), } - err = upgrader.UpgradeNodeImage(t.Context(), tc.newImageVersion, fmt.Sprintf("/path/to/image:%s", tc.newImageVersion.String()), tc.force) + err = upgrader.UpgradeNodeImage(context.Background(), tc.newImageVersion, fmt.Sprintf("/path/to/image:%s", tc.newImageVersion.String()), tc.force) // Check upgrades first because if we checked err first, UpgradeImage may error due to other reasons and still trigger an upgrade. if tc.wantUpdate { assert.NotNil(unstructuredClient.updatedObject) @@ -281,9 +281,6 @@ func TestUpgradeKubernetesVersion(t *testing.T) { } kubectl := &stubKubectl{ unstructuredInterface: unstructuredClient, - configMaps: map[string]*corev1.ConfigMap{ - constants.KubeadmConfigMap: {Data: map[string]string{"ClusterConfiguration": kubeadmClusterConfigurationV1Beta4}}, - }, } if tc.customClientFn != nil { kubectl.unstructuredInterface = tc.customClientFn(nodeVersion) 
@@ -296,7 +293,7 @@ func TestUpgradeKubernetesVersion(t *testing.T) { log: logger.NewTest(t), } - err = upgrader.UpgradeKubernetesVersion(t.Context(), tc.newKubernetesVersion, tc.force) + err = upgrader.UpgradeKubernetesVersion(context.Background(), tc.newKubernetesVersion, tc.force) // Check upgrades first because if we checked err first, UpgradeImage may error due to other reasons and still trigger an upgrade. if tc.wantUpdate { assert.NotNil(unstructuredClient.updatedObject) @@ -603,7 +600,7 @@ func TestApplyJoinConfig(t *testing.T) { maxAttempts: 5, } - err := cmd.ApplyJoinConfig(t.Context(), tc.newAttestationCfg, []byte{0x11}) + err := cmd.ApplyJoinConfig(context.Background(), tc.newAttestationCfg, []byte{0x11}) if tc.wantErr { assert.Error(err) return @@ -667,7 +664,7 @@ func TestRetryAction(t *testing.T) { return errs[failureCtr] } - err := k.retryAction(t.Context(), action) + err := k.retryAction(context.Background(), action) if tc.wantErr { assert.Error(err) assert.Equal(min(tc.failures, maxAttempts), failureCtr) 
@@ -679,50 +676,6 @@ func TestRetryAction(t *testing.T) { } } -func TestExtendClusterConfigCertSANs(t *testing.T) { - ctx := t.Context() - - testCases := map[string]struct { - clusterConfig string - }{ - "kubeadmv1beta3.ClusterConfiguration": { - clusterConfig: kubeadmClusterConfigurationV1Beta3, - }, - "kubeadmv1beta4.ClusterConfiguration": { - clusterConfig: kubeadmClusterConfigurationV1Beta4, - }, - } - - for name, tc := range testCases { - t.Run(name, func(t *testing.T) { - require := require.New(t) - assert := assert.New(t) - kubectl := &fakeConfigMapClient{ - configMaps: map[string]*corev1.ConfigMap{ - constants.KubeadmConfigMap: {Data: map[string]string{"ClusterConfiguration": tc.clusterConfig}}, - }, - } - cmd := &KubeCmd{ - kubectl: kubectl, - log: logger.NewTest(t), - retryInterval: time.Millisecond, - } - - err := cmd.ExtendClusterConfigCertSANs(ctx, []string{"example.com"}) - require.NoError(err) - - cm := kubectl.configMaps["kubeadm-config"] - require.NotNil(cm) - cc := cm.Data["ClusterConfiguration"] - require.NotNil(cc) - // Verify that SAN was added. - assert.Contains(cc, "example.com") - // Verify that config was written in v1beta4, regardless of the version read. - assert.Contains(cc, "kubeadm.k8s.io/v1beta4") - }) - } -} - type fakeUnstructuredClient struct { mock.Mock } 
@@ -882,83 +835,3 @@ func supportedValidK8sVersions() (res []versions.ValidK8sVersion) { } return } - -var kubeadmClusterConfigurationV1Beta3 = ` -apiVersion: kubeadm.k8s.io/v1beta3 -kind: ClusterConfiguration -apiServer: - certSANs: - - 127.0.0.1 - extraArgs: - kubelet-certificate-authority: /etc/kubernetes/pki/ca.crt - profiling: "false" - extraVolumes: - - hostPath: /var/log/kubernetes/audit/ - mountPath: /var/log/kubernetes/audit/ - name: audit-log - pathType: DirectoryOrCreate -certificatesDir: /etc/kubernetes/pki -clusterName: test-55bbf58d -controlPlaneEndpoint: 34.149.125.227:6443 -controllerManager: - extraArgs: - cloud-provider: external -dns: - disabled: true -encryptionAlgorithm: RSA-2048 -etcd: - local: - dataDir: /var/lib/etcd -imageRepository: registry.k8s.io -kubernetesVersion: v1.31.1 -networking: - dnsDomain: cluster.local - serviceSubnet: 10.96.0.0/12 -proxy: - disabled: true -scheduler: - extraArgs: - profiling: "false" -` - -var kubeadmClusterConfigurationV1Beta4 = ` -apiVersion: kubeadm.k8s.io/v1beta4 -kind: ClusterConfiguration -apiServer: - certSANs: - - 127.0.0.1 - extraArgs: - - name: kubelet-certificate-authority - value: /etc/kubernetes/pki/ca.crt - - name: profiling - value: "false" - extraVolumes: - - hostPath: /var/log/kubernetes/audit/ - mountPath: /var/log/kubernetes/audit/ - name: audit-log - pathType: DirectoryOrCreate -certificatesDir: /etc/kubernetes/pki -clusterName: test-55bbf58d -controlPlaneEndpoint: 34.149.125.227:6443 -controllerManager: - extraArgs: - - name: cloud-provider - value: external -dns: - disabled: true -encryptionAlgorithm: RSA-2048 -etcd: - local: - dataDir: /var/lib/etcd -imageRepository: registry.k8s.io -kubernetesVersion: v1.31.1 -networking: - dnsDomain: cluster.local - serviceSubnet: 10.96.0.0/12 -proxy: - disabled: true -scheduler: - extraArgs: - - name: profiling - value: "false" -` 
diff --git a/internal/constellation/kubecmd/status.go b/internal/constellation/kubecmd/status.go index 328ed38ba..4b7838246 100644 --- a/internal/constellation/kubecmd/status.go +++ b/internal/constellation/kubecmd/status.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubecmd diff --git a/internal/constellation/kubernetes.go b/internal/constellation/kubernetes.go index 30b553816..af038adce 100644 --- a/internal/constellation/kubernetes.go +++ b/internal/constellation/kubernetes.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package constellation diff --git a/internal/constellation/serviceaccount.go b/internal/constellation/serviceaccount.go index 9c38c94e6..c88d92a19 100644 --- a/internal/constellation/serviceaccount.go +++ b/internal/constellation/serviceaccount.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package constellation diff --git a/internal/constellation/state/state.go b/internal/constellation/state/state.go index af902900c..68e9b2845 100644 --- a/internal/constellation/state/state.go +++ b/internal/constellation/state/state.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // This binary can be build from siderolabs/talos projects. Located at: diff --git a/internal/constellation/state/state_test.go b/internal/constellation/state/state_test.go index 402f49681..bf23e78bc 100644 --- a/internal/constellation/state/state_test.go +++ b/internal/constellation/state/state_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package state 
diff --git a/internal/constellation/state/validation_test.go b/internal/constellation/state/validation_test.go index 5c5b458fa..f3753e132 100644 --- a/internal/constellation/state/validation_test.go +++ b/internal/constellation/state/validation_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package state diff --git a/internal/containerimage/containerimage.go b/internal/containerimage/containerimage.go index 6ed7d20a5..f5b5fd433 100644 --- a/internal/containerimage/containerimage.go +++ b/internal/containerimage/containerimage.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/crypto/BUILD.bazel b/internal/crypto/BUILD.bazel index 0b3e402d9..28131c022 100644 --- a/internal/crypto/BUILD.bazel +++ b/internal/crypto/BUILD.bazel @@ -6,10 +6,7 @@ go_library( srcs = ["crypto.go"], importpath = "github.com/edgelesssys/constellation/v2/internal/crypto", visibility = ["//:__subpackages__"], - deps = [ - "@org_golang_x_crypto//hkdf", - "@org_golang_x_crypto//ssh", - ], + deps = ["@org_golang_x_crypto//hkdf"], ) go_test( diff --git a/internal/crypto/crypto.go b/internal/crypto/crypto.go index 788f4ec89..081e25d71 100644 --- a/internal/crypto/crypto.go +++ b/internal/crypto/crypto.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package crypto provides functions to for cryptography and random numbers. @@ -9,7 +9,6 @@ package crypto import ( "bytes" - "crypto/ed25519" "crypto/rand" "crypto/sha256" "crypto/x509" @@ -17,10 +16,8 @@ import ( "fmt" "io" "math/big" - "time" "golang.org/x/crypto/hkdf" - "golang.org/x/crypto/ssh" ) const ( 
@@ -65,41 +62,6 @@ func GenerateRandomBytes(length int) ([]byte, error) { return nonce, nil } -// GenerateEmergencySSHCAKey creates a CA that is used to sign keys for emergency ssh access. -func GenerateEmergencySSHCAKey(seed []byte) (ssh.Signer, error) { - _, priv, err := ed25519.GenerateKey(bytes.NewReader(seed)) - if err != nil { - return nil, err - } - ca, err := ssh.NewSignerFromSigner(priv) - if err != nil { - return nil, err - } - return ca, nil -} - -// GenerateSSHHostCertificate takes a given public key and CA to generate a host certificate. -func GenerateSSHHostCertificate(principals []string, publicKey ssh.PublicKey, ca ssh.Signer) (*ssh.Certificate, error) { - certificate := ssh.Certificate{ - CertType: ssh.HostCert, - ValidPrincipals: principals, - ValidAfter: uint64(time.Now().Unix()), - ValidBefore: ssh.CertTimeInfinity, - Reserved: []byte{}, - Key: publicKey, - KeyId: principals[0], - Permissions: ssh.Permissions{ - CriticalOptions: map[string]string{}, - Extensions: map[string]string{}, - }, - } - if err := certificate.SignCert(rand.Reader, ca); err != nil { - return nil, err - } - - return &certificate, nil -} - // PemToX509Cert takes a list of PEM-encoded certificates, parses the first one and returns it // as an x.509 certificate. func PemToX509Cert(raw []byte) (*x509.Certificate, error) { diff --git a/internal/crypto/crypto_test.go b/internal/crypto/crypto_test.go index a99e62dd4..674ec4c84 100644 --- a/internal/crypto/crypto_test.go +++ b/internal/crypto/crypto_test.go @@ -1,13 +1,12 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package crypto import ( - "crypto/ed25519" "crypto/x509" "testing" 
@@ -122,47 +121,6 @@ func TestGenerateRandomBytes(t *testing.T) { assert.Len(n3, 16) } -func TestGenerateEmergencySSHCAKey(t *testing.T) { - nullKey := make([]byte, ed25519.SeedSize) - - testCases := map[string]struct { - key []byte - wantErr bool - }{ - "key length = 0": { - key: make([]byte, 0), - wantErr: true, - }, - "valid key": { - key: nullKey, - }, - "nil input": { - key: nil, - wantErr: true, - }, - "long key": { - key: make([]byte, 256), - }, - "key too short": { - key: make([]byte, ed25519.SeedSize-1), - wantErr: true, - }, - } - - for name, tc := range testCases { - t.Run(name, func(t *testing.T) { - assert := assert.New(t) - - _, err := GenerateEmergencySSHCAKey(tc.key) - if tc.wantErr { - assert.Error(err) - } else { - assert.NoError(err) - } - }) - } -} - func TestPemToX509Cert(t *testing.T) { testCases := map[string]struct { pemCert []byte diff --git a/internal/crypto/testvector/testvector.go b/internal/crypto/testvector/testvector.go index 1e02e13c0..38eac83be 100644 --- a/internal/crypto/testvector/testvector.go +++ b/internal/crypto/testvector/testvector.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package testvector provides test vectors for key derivation and crypto functions. diff --git a/internal/cryptsetup/cryptsetup.go b/internal/cryptsetup/cryptsetup.go index 67e31825a..a61fb83e8 100644 --- a/internal/cryptsetup/cryptsetup.go +++ b/internal/cryptsetup/cryptsetup.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/cryptsetup/cryptsetup_cgo.go b/internal/cryptsetup/cryptsetup_cgo.go index e8ac2e31a..555e07dfe 100644 --- a/internal/cryptsetup/cryptsetup_cgo.go +++ b/internal/cryptsetup/cryptsetup_cgo.go 
@@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cryptsetup diff --git a/internal/cryptsetup/cryptsetup_cross.go b/internal/cryptsetup/cryptsetup_cross.go index 325a86be4..df1a30790 100644 --- a/internal/cryptsetup/cryptsetup_cross.go +++ b/internal/cryptsetup/cryptsetup_cross.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cryptsetup diff --git a/internal/encoding/encoding.go b/internal/encoding/encoding.go index c1fed1815..fba7f33da 100644 --- a/internal/encoding/encoding.go +++ b/internal/encoding/encoding.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package encoding provides data types and functions for JSON or YAML encoding/decoding. diff --git a/internal/encoding/encoding_test.go b/internal/encoding/encoding_test.go index 54600e88f..0c6e4a130 100644 --- a/internal/encoding/encoding_test.go +++ b/internal/encoding/encoding_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package encoding diff --git a/internal/file/file.go b/internal/file/file.go index 8bfb9ecbe..4fa0d1efe 100644 --- a/internal/file/file.go +++ b/internal/file/file.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/file/file_test.go b/internal/file/file_test.go index e18341a18..35c6b3bfc 100644 --- a/internal/file/file_test.go +++ b/internal/file/file_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package file 
diff --git a/internal/grpc/atlscredentials/atlscredentials.go b/internal/grpc/atlscredentials/atlscredentials.go index cb1c1dca5..949f9af41 100644 --- a/internal/grpc/atlscredentials/atlscredentials.go +++ b/internal/grpc/atlscredentials/atlscredentials.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package atlscredentials handles creation of TLS credentials for attested TLS (ATLS). diff --git a/internal/grpc/atlscredentials/atlscredentials_test.go b/internal/grpc/atlscredentials/atlscredentials_test.go index d03a03e94..5753eb631 100644 --- a/internal/grpc/atlscredentials/atlscredentials_test.go +++ b/internal/grpc/atlscredentials/atlscredentials_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package atlscredentials @@ -73,7 +73,7 @@ func TestATLSCredentials(t *testing.T) { defer conn.Close() client := initproto.NewAPIClient(conn) - _, err = client.Init(t.Context(), &initproto.InitRequest{}) + _, err = client.Init(context.Background(), &initproto.InitRequest{}) }() } diff --git a/internal/grpc/dialer/dialer.go b/internal/grpc/dialer/dialer.go index b81ad1fe4..44bf33d87 100644 --- a/internal/grpc/dialer/dialer.go +++ b/internal/grpc/dialer/dialer.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package dialer provides a grpc dialer that can be used to create grpc client connections with different levels of ATLS encryption / verification. @@ -67,9 +67,6 @@ func (d *Dialer) DialNoVerify(target string) (*grpc.ClientConn, error) { } func (d *Dialer) grpcWithDialer() grpc.DialOption { - if d.netDialer == nil { - return grpc.EmptyDialOption{} - } return grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) { return d.netDialer.DialContext(ctx, "tcp", addr) }) 
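Review bot: The closure returned by the new `grpcWithDialer` in dialer.go dereferences `d.netDialer` unconditionally, so a `Dialer` built without a netDialer now panics at the first dial instead of returning an empty dial option; whether callers can construct such a Dialer is not visible here, since the constructors and the struct definition lie outside the hunk. If a nil netDialer is a legitimate state, the guard `if d.netDialer == nil { return grpc.EmptyDialOption{} }` should remain; if it is not, the invariant deserves a comment on the struct or constructor, e.g. `// netDialer must be non-nil; grpcWithDialer dereferences it without a check`. Either way the failure would surface only when a connection is attempted, not when the Dialer is created.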
diff --git a/internal/grpc/dialer/dialer_test.go b/internal/grpc/dialer/dialer_test.go index 6520cf08d..6c93c64f9 100644 --- a/internal/grpc/dialer/dialer_test.go +++ b/internal/grpc/dialer/dialer_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package dialer @@ -86,7 +86,7 @@ func TestDial(t *testing.T) { defer conn.Close() client := grpc_testing.NewTestServiceClient(conn) - _, err = client.EmptyCall(t.Context(), &grpc_testing.Empty{}) + _, err = client.EmptyCall(context.Background(), &grpc_testing.Empty{}) if tc.wantErr { assert.Error(err) diff --git a/internal/grpc/grpclog/grpclog.go b/internal/grpc/grpclog/grpclog.go index c92a4f7f4..be4d27ff3 100644 --- a/internal/grpc/grpclog/grpclog.go +++ b/internal/grpc/grpclog/grpclog.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // grpclog provides a logging utilities for gRPC. diff --git a/internal/grpc/grpclog/grpclog_test.go b/internal/grpc/grpclog/grpclog_test.go index caebc0770..eb912521f 100644 --- a/internal/grpc/grpclog/grpclog_test.go +++ b/internal/grpc/grpclog/grpclog_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // grpclog provides a logging utilities for gRPC. @@ -76,7 +76,7 @@ func TestLogStateChanges(t *testing.T) { var wg sync.WaitGroup isReadyCallbackCalled := false - LogStateChangesUntilReady(t.Context(), tc.conn, logger, &wg, func() { isReadyCallbackCalled = true }) + LogStateChangesUntilReady(context.Background(), tc.conn, logger, &wg, func() { isReadyCallbackCalled = true }) wg.Wait() tc.assert(t, logger, isReadyCallbackCalled) }) diff --git a/internal/grpc/retry/retry.go b/internal/grpc/retry/retry.go index 3a0f1724b..b7457fc1f 100644 --- a/internal/grpc/retry/retry.go +++ b/internal/grpc/retry/retry.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package retry provides functions to check if a gRPC error is retryable. diff --git a/internal/grpc/retry/retry_test.go b/internal/grpc/retry/retry_test.go index b6ad075ed..5e51e4bb0 100644 --- a/internal/grpc/retry/retry_test.go +++ b/internal/grpc/retry/retry_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package retry diff --git a/internal/grpc/testdialer/testdialer.go b/internal/grpc/testdialer/testdialer.go index d95c2be69..e6771903f 100644 --- a/internal/grpc/testdialer/testdialer.go +++ b/internal/grpc/testdialer/testdialer.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package testdialer provides a fake dialer for testing. diff --git a/internal/imagefetcher/imagefetcher.go b/internal/imagefetcher/imagefetcher.go index 827adfc89..ebbf74e41 100644 --- a/internal/imagefetcher/imagefetcher.go +++ b/internal/imagefetcher/imagefetcher.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/imagefetcher/imagefetcher_test.go b/internal/imagefetcher/imagefetcher_test.go index e60443ccc..1397c4fb4 100644 --- a/internal/imagefetcher/imagefetcher_test.go +++ b/internal/imagefetcher/imagefetcher_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package imagefetcher @@ -256,7 +256,7 @@ func TestFetchReference(t *testing.T) { fs: af, } - reference, err := fetcher.FetchReference(t.Context(), tc.provider, variant.Dummy{}, + reference, err := fetcher.FetchReference(context.Background(), tc.provider, variant.Dummy{}, tc.image, "someRegion", false) if tc.wantErr { 
diff --git a/internal/imagefetcher/raw.go b/internal/imagefetcher/raw.go index 1375fdca7..593b0d9e7 100644 --- a/internal/imagefetcher/raw.go +++ b/internal/imagefetcher/raw.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package imagefetcher diff --git a/internal/imagefetcher/raw_test.go b/internal/imagefetcher/raw_test.go index 86a44ab88..e2bbd8b9d 100644 --- a/internal/imagefetcher/raw_test.go +++ b/internal/imagefetcher/raw_test.go @@ -1,13 +1,14 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package imagefetcher import ( "bytes" + "context" "io" "net/http" "os" @@ -90,7 +91,7 @@ func TestDownloadWithProgress(t *testing.T) { fs: fs, } var outBuffer bytes.Buffer - err := downloader.downloadWithProgress(t.Context(), &outBuffer, false, tc.source, "someVersion.raw") + err := downloader.downloadWithProgress(context.Background(), &outBuffer, false, tc.source, "someVersion.raw") if tc.wantErr { assert.Error(err) return @@ -166,7 +167,7 @@ func TestDownload(t *testing.T) { fs: fs, } var outBuffer bytes.Buffer - gotDestination, err := downloader.Download(t.Context(), &outBuffer, false, tc.source, "someVersion") + gotDestination, err := downloader.Download(context.Background(), &outBuffer, false, tc.source, "someVersion") if tc.wantErr { assert.Error(err) return diff --git a/internal/installer/installer.go b/internal/installer/installer.go index 324815b74..dd26ea12e 100644 --- a/internal/installer/installer.go +++ b/internal/installer/installer.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package installer provides functionality to install binary components of supported kubernetes versions. diff --git a/internal/installer/installer_test.go b/internal/installer/installer_test.go index 517a070de..1e346f434 100644 
--- a/internal/installer/installer_test.go +++ b/internal/installer/installer_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package installer @@ -132,7 +132,7 @@ func TestInstall(t *testing.T) { retriable: func(_ error) bool { return false }, } - err := inst.Install(t.Context(), tc.component) + err := inst.Install(context.Background(), tc.component) if tc.wantErr { assert.Error(err) return @@ -340,7 +340,7 @@ func TestRetryDownloadToTempDir(t *testing.T) { } // abort retryDownloadToTempDir in some test cases by using the context - ctx, cancel := context.WithCancel(t.Context()) + ctx, cancel := context.WithCancel(context.Background()) defer cancel() wg := sync.WaitGroup{} @@ -429,7 +429,7 @@ func TestDownloadToTempDir(t *testing.T) { fs: &afero.Afero{Fs: afs}, hClient: &hClient, } - path, err := inst.downloadToTempDir(t.Context(), "http://server/path") + path, err := inst.downloadToTempDir(context.Background(), "http://server/path") if tc.wantErr { assert.Error(err) return diff --git a/internal/kms/config/config.go b/internal/kms/config/config.go index 92f54979e..5af6d3e39 100644 --- a/internal/kms/config/config.go +++ b/internal/kms/config/config.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package config provides configuration constants for the KeyService. diff --git a/internal/kms/kms/aws/aws.go b/internal/kms/kms/aws/aws.go index 9efe03a75..e47cbb9da 100644 --- a/internal/kms/kms/aws/aws.go +++ b/internal/kms/kms/aws/aws.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package aws implements a KMS backend for AWS KMS. diff --git a/internal/kms/kms/azure/azure.go b/internal/kms/kms/azure/azure.go index abbf34ed2..64deec26e 100644 --- a/internal/kms/kms/azure/azure.go 
+++ b/internal/kms/kms/azure/azure.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package azure implements KMS backends for Azure Key Vault and Azure managed HSM. diff --git a/internal/kms/kms/cluster/cluster.go b/internal/kms/kms/cluster/cluster.go index a9bc0bab2..6ade22f40 100644 --- a/internal/kms/kms/cluster/cluster.go +++ b/internal/kms/kms/cluster/cluster.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/kms/kms/cluster/cluster_test.go b/internal/kms/kms/cluster/cluster_test.go index f276f096e..d9ec6d7a1 100644 --- a/internal/kms/kms/cluster/cluster_test.go +++ b/internal/kms/kms/cluster/cluster_test.go @@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package cluster import ( + "context" "strings" "testing" @@ -28,7 +29,7 @@ func TestClusterKMS(t *testing.T) { require.NoError(err) keyLower, err := kms.GetDEK( - t.Context(), + context.Background(), strings.ToLower(testVector.InfoPrefix+testVector.Info), int(testVector.Length), ) @@ -37,7 +38,7 @@ func TestClusterKMS(t *testing.T) { // output of the KMS should be case sensitive keyUpper, err := kms.GetDEK( - t.Context(), + context.Background(), strings.ToUpper(testVector.InfoPrefix+testVector.Info), int(testVector.Length), ) @@ -104,7 +105,7 @@ func TestVectorsHKDF(t *testing.T) { } require.NoError(err) - out, err := kms.GetDEK(t.Context(), tc.dekID, int(tc.dekSize)) + out, err := kms.GetDEK(context.Background(), tc.dekID, int(tc.dekSize)) require.NoError(err) assert.Equal(tc.wantKey, out) }) diff --git a/internal/kms/kms/gcp/gcp.go b/internal/kms/kms/gcp/gcp.go index 30a02449d..dfbdef9af 100644 --- a/internal/kms/kms/gcp/gcp.go +++ b/internal/kms/kms/gcp/gcp.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/kms/kms/internal/internal.go b/internal/kms/kms/internal/internal.go index b6af19ef8..914295a43 100644 --- a/internal/kms/kms/internal/internal.go +++ b/internal/kms/kms/internal/internal.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/kms/kms/internal/internal_test.go b/internal/kms/kms/internal/internal_test.go index 3058b4d7c..a7fc25ca6 100644 --- a/internal/kms/kms/internal/internal_test.go +++ b/internal/kms/kms/internal/internal_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package internal @@ -135,7 +135,7 @@ func TestGetDEK(t *testing.T) { Storage: tc.storage, } - dek, err := client.GetDEK(t.Context(), "volume-01", 32) + dek, err := client.GetDEK(context.Background(), "volume-01", 32) if tc.wantErr { assert.Error(err) } else { diff --git a/internal/kms/kms/kms.go b/internal/kms/kms/kms.go index fe63957f2..d14eb435e 100644 --- a/internal/kms/kms/kms.go +++ b/internal/kms/kms/kms.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package kms provides an abstract interface for Key Management Services. diff --git a/internal/kms/setup/setup.go b/internal/kms/setup/setup.go index 99f4bcf6c..eee089e77 100644 --- a/internal/kms/setup/setup.go +++ b/internal/kms/setup/setup.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/kms/setup/setup_test.go b/internal/kms/setup/setup_test.go index 1c8ee75e4..73bb29565 100644 --- a/internal/kms/setup/setup_test.go +++ b/internal/kms/setup/setup_test.go 
@@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package setup import ( + "context" "testing" "github.com/edgelesssys/constellation/v2/internal/kms/uri" @@ -25,12 +26,12 @@ func TestMain(m *testing.M) { func TestSetUpKMS(t *testing.T) { assert := assert.New(t) - kms, err := KMS(t.Context(), "storage://unknown", "kms://unknown") + kms, err := KMS(context.Background(), "storage://unknown", "kms://unknown") assert.Error(err) assert.Nil(kms) masterSecret := uri.MasterSecret{Key: []byte("key"), Salt: []byte("salt")} - kms, err = KMS(t.Context(), "storage://no-store", masterSecret.EncodeToURI()) + kms, err = KMS(context.Background(), "storage://no-store", masterSecret.EncodeToURI()) assert.NoError(err) assert.NotNil(kms) } diff --git a/internal/kms/storage/awss3/awss3.go b/internal/kms/storage/awss3/awss3.go index c3d59c503..535ab944e 100644 --- a/internal/kms/storage/awss3/awss3.go +++ b/internal/kms/storage/awss3/awss3.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package awss3 implements a storage backend for the KMS using AWS S3: https://aws.amazon.com/s3/ diff --git a/internal/kms/storage/awss3/awss3_test.go b/internal/kms/storage/awss3/awss3_test.go index 153bbd209..4e07ab84d 100644 --- a/internal/kms/storage/awss3/awss3_test.go +++ b/internal/kms/storage/awss3/awss3_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package awss3 @@ -80,7 +80,7 @@ func TestAWSS3Get(t *testing.T) { client: tc.client, } - out, err := store.Get(t.Context(), "test-key") + out, err := store.Get(context.Background(), "test-key") if tc.wantErr { assert.Error(err) 
@@ -122,7 +122,7 @@ func TestAWSS3Put(t *testing.T) { testData := []byte{0x1, 0x2, 0x3} - err := store.Put(t.Context(), "test-key", testData) + err := store.Put(context.Background(), "test-key", testData) if tc.wantErr { assert.Error(err) } else { @@ -163,7 +163,7 @@ func TestAWSS3CreateBucket(t *testing.T) { client: tc.client, } - err := store.createBucket(t.Context(), "test-bucket", "test-region") + err := store.createBucket(context.Background(), "test-bucket", "test-region") if tc.wantErr { assert.Error(err) } else { diff --git a/internal/kms/storage/azureblob/azureblob.go b/internal/kms/storage/azureblob/azureblob.go index 36483a684..e7e41424e 100644 --- a/internal/kms/storage/azureblob/azureblob.go +++ b/internal/kms/storage/azureblob/azureblob.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package azureblob implements a storage backend for the KMS using Azure Blob Storage. diff --git a/internal/kms/storage/azureblob/azureblob_test.go b/internal/kms/storage/azureblob/azureblob_test.go index 19c590be4..93a5f2987 100644 --- a/internal/kms/storage/azureblob/azureblob_test.go +++ b/internal/kms/storage/azureblob/azureblob_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package azureblob @@ -51,7 +51,7 @@ func TestAzureGet(t *testing.T) { container: "test", } - out, err := client.Get(t.Context(), "test-key") + out, err := client.Get(context.Background(), "test-key") if tc.wantErr { assert.Error(err) @@ -93,7 +93,7 @@ func TestAzurePut(t *testing.T) { container: "test", } - err := client.Put(t.Context(), "test-key", testData) + err := client.Put(context.Background(), "test-key", testData) if tc.wantErr { assert.Error(err) return 
@@ -130,7 +130,7 @@ func TestCreateContainerOrContinue(t *testing.T) { container: "test", } - err := client.createContainerOrContinue(t.Context()) + err := client.createContainerOrContinue(context.Background()) if tc.wantErr { assert.Error(err) } else { diff --git a/internal/kms/storage/gcs/gcs.go b/internal/kms/storage/gcs/gcs.go index f3c19ef2b..ca53bf55f 100644 --- a/internal/kms/storage/gcs/gcs.go +++ b/internal/kms/storage/gcs/gcs.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package gcs implements a storage backend for the KMS using Google Cloud Storage (GCS). diff --git a/internal/kms/storage/gcs/gcs_test.go b/internal/kms/storage/gcs/gcs_test.go index 7d3d8dd27..5678afee5 100644 --- a/internal/kms/storage/gcs/gcs_test.go +++ b/internal/kms/storage/gcs/gcs_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package gcs @@ -103,7 +103,7 @@ func TestGCPGet(t *testing.T) { bucketName: "test", } - out, err := client.Get(t.Context(), "test-key") + out, err := client.Get(context.Background(), "test-key") if tc.wantErr { assert.Error(err) @@ -160,7 +160,7 @@ func TestGCPPut(t *testing.T) { } testData := []byte{0x1, 0x2, 0x3} - err := client.Put(t.Context(), "test-key", testData) + err := client.Put(context.Background(), "test-key", testData) if tc.wantErr { assert.Error(err) } else { @@ -211,7 +211,7 @@ func TestGCPCreateContainerOrContinue(t *testing.T) { bucketName: "test", } - err := client.createContainerOrContinue(t.Context(), "project") + err := client.createContainerOrContinue(context.Background(), "project") if tc.wantErr { assert.Error(err) } else { diff --git a/internal/kms/storage/memfs/memfs.go b/internal/kms/storage/memfs/memfs.go index 98f2d65af..3acb4ca53 100644 --- a/internal/kms/storage/memfs/memfs.go +++ b/internal/kms/storage/memfs/memfs.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package memfs implements a storage backend for the KMS that stores keys in memory only. diff --git a/internal/kms/storage/memfs/memfs_test.go b/internal/kms/storage/memfs/memfs_test.go index cad508632..98d246d1b 100644 --- a/internal/kms/storage/memfs/memfs_test.go +++ b/internal/kms/storage/memfs/memfs_test.go @@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package memfs import ( + "context" "testing" "github.com/edgelesssys/constellation/v2/internal/kms/storage" @@ -29,7 +30,7 @@ func TestMemMapStorage(t *testing.T) { testDEK1 := []byte("test DEK") testDEK2 := []byte("more test DEK") - ctx := t.Context() + ctx := context.Background() // request unset value _, err := store.Get(ctx, "test:input") diff --git a/internal/kms/storage/storage.go b/internal/kms/storage/storage.go index 21cc04146..d8ec42c1e 100644 --- a/internal/kms/storage/storage.go +++ b/internal/kms/storage/storage.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/kms/test/aws_test.go b/internal/kms/test/aws_test.go index bc1084c5b..073a80946 100644 --- a/internal/kms/test/aws_test.go +++ b/internal/kms/test/aws_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package test @@ -34,7 +34,7 @@ func TestAwsStorage(t *testing.T) { } require := require.New(t) - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() // create bucket 
@@ -105,7 +105,7 @@ func TestAwsKms(t *testing.T) { require := require.New(t) store := memfs.New() - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.AWSConfig{ diff --git a/internal/kms/test/azure_test.go b/internal/kms/test/azure_test.go index d5633b70a..855b4dd54 100644 --- a/internal/kms/test/azure_test.go +++ b/internal/kms/test/azure_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package test @@ -31,7 +31,7 @@ func TestAzureStorage(t *testing.T) { } require := require.New(t) - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.AzureBlobConfig{ @@ -59,7 +59,7 @@ func TestAzureKeyKMS(t *testing.T) { require := require.New(t) store := memfs.New() - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.AzureConfig{ @@ -88,7 +88,7 @@ func TestAzureKeyHSM(t *testing.T) { require := require.New(t) store := memfs.New() - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.AzureConfig{ diff --git a/internal/kms/test/gcp_test.go b/internal/kms/test/gcp_test.go index 598db9c13..35162e0f1 100644 --- a/internal/kms/test/gcp_test.go +++ b/internal/kms/test/gcp_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package test 
@@ -32,7 +32,7 @@ func TestGCPKMS(t *testing.T) { require := require.New(t) store := memfs.New() - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.GCPConfig{ @@ -59,7 +59,7 @@ func TestGcpStorage(t *testing.T) { } require := require.New(t) - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() cfg := uri.GoogleCloudStorageConfig{ diff --git a/internal/kms/test/integration_test.go b/internal/kms/test/integration_test.go index d63834f44..bd6dccd80 100644 --- a/internal/kms/test/integration_test.go +++ b/internal/kms/test/integration_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package test provides integration tests for KMS and storage backends. @@ -64,7 +64,7 @@ func runKMSTest(t *testing.T, kms kms.CloudKMS) { dekName := "test-dek" - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() res, err := kms.GetDEK(ctx, dekName, config.SymmetricKeyLength) @@ -90,7 +90,7 @@ func runStorageTest(t *testing.T, store kms.Storage) { testData := []byte("Constellation test data") testName := "constellation-test" - ctx, cancel := context.WithTimeout(t.Context(), time.Second*30) + ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() err := store.Put(ctx, testName, testData) diff --git a/internal/kms/uri/uri.go b/internal/kms/uri/uri.go index bcc3a5d5e..6a3de8887 100644 --- a/internal/kms/uri/uri.go +++ b/internal/kms/uri/uri.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* 
diff --git a/internal/kms/uri/uri_test.go b/internal/kms/uri/uri_test.go index 5532dc2c3..b7e2ea388 100644 --- a/internal/kms/uri/uri_test.go +++ b/internal/kms/uri/uri_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package uri diff --git a/internal/kubernetes/configmaps.go b/internal/kubernetes/configmaps.go index 3ad5f90af..0aed90a05 100644 --- a/internal/kubernetes/configmaps.go +++ b/internal/kubernetes/configmaps.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubernetes diff --git a/internal/kubernetes/configmaps_test.go b/internal/kubernetes/configmaps_test.go index 702ab4d5e..96c3f475d 100644 --- a/internal/kubernetes/configmaps_test.go +++ b/internal/kubernetes/configmaps_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubernetes diff --git a/internal/kubernetes/kubectl/kubectl.go b/internal/kubernetes/kubectl/kubectl.go index 2e8ddd7f5..dae2e2db6 100644 --- a/internal/kubernetes/kubectl/kubectl.go +++ b/internal/kubernetes/kubectl/kubectl.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/kubernetes/kubectl/kubectl_test.go b/internal/kubernetes/kubectl/kubectl_test.go index 5bdee84f7..3ca00e51d 100644 --- a/internal/kubernetes/kubectl/kubectl_test.go +++ b/internal/kubernetes/kubectl/kubectl_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubectl diff --git a/internal/kubernetes/kubernetes.go b/internal/kubernetes/kubernetes.go index 6d43c1b51..cf8c478da 100644 --- a/internal/kubernetes/kubernetes.go +++ b/internal/kubernetes/kubernetes.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/kubernetes/marshal.go b/internal/kubernetes/marshal.go index 958cbf956..d402ce824 100644 --- a/internal/kubernetes/marshal.go +++ b/internal/kubernetes/marshal.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubernetes diff --git a/internal/kubernetes/marshal_test.go b/internal/kubernetes/marshal_test.go index 2dff4d4fd..9da401000 100644 --- a/internal/kubernetes/marshal_test.go +++ b/internal/kubernetes/marshal_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubernetes diff --git a/internal/kubernetes/secrets.go b/internal/kubernetes/secrets.go index 7cdfc848b..4c8847c61 100644 --- a/internal/kubernetes/secrets.go +++ b/internal/kubernetes/secrets.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubernetes diff --git a/internal/kubernetes/secrets_test.go b/internal/kubernetes/secrets_test.go index 972d539bc..bc91da831 100644 --- a/internal/kubernetes/secrets_test.go +++ b/internal/kubernetes/secrets_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package kubernetes diff --git a/internal/license/checker_enterprise.go b/internal/license/checker_enterprise.go index 9807c992c..f98fe7e98 100644 --- a/internal/license/checker_enterprise.go +++ b/internal/license/checker_enterprise.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package license 
diff --git a/internal/license/checker_enterprise_test.go b/internal/license/checker_enterprise_test.go index fd35b786c..1443ef2f1 100644 --- a/internal/license/checker_enterprise_test.go +++ b/internal/license/checker_enterprise_test.go @@ -3,13 +3,14 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package license import ( "bytes" + "context" "io" "net/http" "testing" @@ -82,7 +83,7 @@ func TestQuotaCheck(t *testing.T) { }), } - quota, err := client.CheckLicense(t.Context(), cloudprovider.Unknown, Init, tc.license) + quota, err := client.CheckLicense(context.Background(), cloudprovider.Unknown, Init, tc.license) if tc.wantError { assert.Error(err) diff --git a/internal/license/checker_oss.go b/internal/license/checker_oss.go index 3ada97f0a..58253817e 100644 --- a/internal/license/checker_oss.go +++ b/internal/license/checker_oss.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package license diff --git a/internal/license/file.go b/internal/license/file.go index 9df7d6ab0..01f5afdff 100644 --- a/internal/license/file.go +++ b/internal/license/file.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package license diff --git a/internal/license/file_test.go b/internal/license/file_test.go index 3114a5f27..84101dd72 100644 --- a/internal/license/file_test.go +++ b/internal/license/file_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package license diff --git a/internal/license/integration/license_integration_test.go b/internal/license/integration/license_integration_test.go index 64ba47011..f4b67f00d 100644 --- a/internal/license/integration/license_integration_test.go +++ b/internal/license/integration/license_integration_test.go 
@@ -3,12 +3,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package integration import ( + "context" "testing" "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider" @@ -38,7 +39,7 @@ func TestQuotaCheckIntegration(t *testing.T) { client := license.NewChecker() - quota, err := client.CheckLicense(t.Context(), cloudprovider.Unknown, "test", tc.license) + quota, err := client.CheckLicense(context.Background(), cloudprovider.Unknown, "test", tc.license) if tc.wantError { assert.Error(err) diff --git a/internal/license/license.go b/internal/license/license.go index 5fcd91f98..0010bd2d0 100644 --- a/internal/license/license.go +++ b/internal/license/license.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package license provides functions to check a user's Constellation license. diff --git a/internal/logger/cmdline.go b/internal/logger/cmdline.go index 9bdfa95cf..f03b773b0 100644 --- a/internal/logger/cmdline.go +++ b/internal/logger/cmdline.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package logger diff --git a/internal/logger/grpclogger.go b/internal/logger/grpclogger.go index fead5cf8a..d67e4af8e 100644 --- a/internal/logger/grpclogger.go +++ b/internal/logger/grpclogger.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package logger diff --git a/internal/logger/levelhandler.go b/internal/logger/levelhandler.go index d9b4cec29..201bc90a0 100644 --- a/internal/logger/levelhandler.go +++ b/internal/logger/levelhandler.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package logger 
diff --git a/internal/logger/log.go b/internal/logger/log.go index 0f1b23789..0b6426b6e 100644 --- a/internal/logger/log.go +++ b/internal/logger/log.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/maa/maa.go b/internal/maa/maa.go index cd1012cd7..fcbea6db7 100644 --- a/internal/maa/maa.go +++ b/internal/maa/maa.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package maa provides an interface for interacting with an MAA service diff --git a/internal/maa/patch.go b/internal/maa/patch.go index 28b496658..d9ac35b4c 100644 --- a/internal/maa/patch.go +++ b/internal/maa/patch.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package maa diff --git a/internal/maa/patch_test.go b/internal/maa/patch_test.go index af87a8432..f00c30c7c 100644 --- a/internal/maa/patch_test.go +++ b/internal/maa/patch_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package maa diff --git a/internal/mpimage/mpimage.go b/internal/mpimage/mpimage.go index b25526d20..89b6d1fa9 100644 --- a/internal/mpimage/mpimage.go +++ b/internal/mpimage/mpimage.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // The mpimage package provides utilities for handling CSP marketplace OS images. diff --git a/internal/mpimage/uri.go b/internal/mpimage/uri.go index 9a41fafac..36c13afb2 100644 --- a/internal/mpimage/uri.go +++ b/internal/mpimage/uri.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package mpimage 
diff --git a/internal/mpimage/uri_test.go b/internal/mpimage/uri_test.go index cf7eac912..f7dfd3fe1 100644 --- a/internal/mpimage/uri_test.go +++ b/internal/mpimage/uri_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package mpimage diff --git a/internal/nodestate/nodestate.go b/internal/nodestate/nodestate.go index e31dee7e8..40e8113c7 100644 --- a/internal/nodestate/nodestate.go +++ b/internal/nodestate/nodestate.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package nodestate is used to persist the state of a Constellation node to disk. diff --git a/internal/nodestate/nodestate_test.go b/internal/nodestate/nodestate_test.go index 576242a48..41081f87f 100644 --- a/internal/nodestate/nodestate_test.go +++ b/internal/nodestate/nodestate_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package nodestate diff --git a/internal/osimage/archive/archive.go b/internal/osimage/archive/archive.go index e4c9f6e2d..f49cf0de8 100644 --- a/internal/osimage/archive/archive.go +++ b/internal/osimage/archive/archive.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // package archive is used to archive OS images in S3. diff --git a/internal/osimage/imageinfo/imageinfo.go b/internal/osimage/imageinfo/imageinfo.go index 95a30595c..844690bd9 100644 --- a/internal/osimage/imageinfo/imageinfo.go +++ b/internal/osimage/imageinfo/imageinfo.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // package imageinfo is used to upload image info JSON files to S3. 
diff --git a/internal/osimage/measurementsuploader/measurementsuploader.go b/internal/osimage/measurementsuploader/measurementsuploader.go index 928089e10..59c2eecfe 100644 --- a/internal/osimage/measurementsuploader/measurementsuploader.go +++ b/internal/osimage/measurementsuploader/measurementsuploader.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // package measurementsuploader is used to upload measurements (v2) JSON files (and signatures) to S3. diff --git a/internal/osimage/nop/nop.go b/internal/osimage/nop/nop.go index 43c57000b..883a7bf3c 100644 --- a/internal/osimage/nop/nop.go +++ b/internal/osimage/nop/nop.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // package nop implements a no-op for CSPs that don't require custom image upload functionality. diff --git a/internal/osimage/osimage.go b/internal/osimage/osimage.go index 035c0d966..9e0cfdc1a 100644 --- a/internal/osimage/osimage.go +++ b/internal/osimage/osimage.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // package osimage is used to handle osimages in the CI (uploading and maintenance). diff --git a/internal/osimage/secureboot/secureboot.go b/internal/osimage/secureboot/secureboot.go index 470982342..363355efe 100644 --- a/internal/osimage/secureboot/secureboot.go +++ b/internal/osimage/secureboot/secureboot.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // package secureboot holds secure boot configuration for image uploads. diff --git a/internal/osimage/secureboot/secureboot_test.go b/internal/osimage/secureboot/secureboot_test.go index d9ac7e98c..679888190 100644 --- a/internal/osimage/secureboot/secureboot_test.go 
+++ b/internal/osimage/secureboot/secureboot_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package secureboot diff --git a/internal/osimage/secureboot/zlibdict.go b/internal/osimage/secureboot/zlibdict.go index 61511653b..34e81369b 100644 --- a/internal/osimage/secureboot/zlibdict.go +++ b/internal/osimage/secureboot/zlibdict.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package secureboot diff --git a/internal/osimage/uplosi/uplosi.conf.in b/internal/osimage/uplosi/uplosi.conf.in index 2978d31e0..74ec45434 100644 --- a/internal/osimage/uplosi/uplosi.conf.in +++ b/internal/osimage/uplosi/uplosi.conf.in @@ -12,7 +12,6 @@ subscriptionID = "0d202bbb-4fa7-4af8-8125-58c269a05435" location = "northeurope" resourceGroup = "constellation-images" sharingNamePrefix = "constellation" -sharingProfile = "community" sku = "constellation" publisher = "edgelesssys" diff --git a/internal/osimage/uplosi/uplosiupload.go b/internal/osimage/uplosi/uplosiupload.go index bf2d0f1e3..588f332aa 100644 --- a/internal/osimage/uplosi/uplosiupload.go +++ b/internal/osimage/uplosi/uplosiupload.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // package uplosi implements uploading os images using uplosi. diff --git a/internal/retry/retry.go b/internal/retry/retry.go index 7ff799660..ab8bbdfdc 100644 --- a/internal/retry/retry.go +++ b/internal/retry/retry.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package retry provides a simple interface for retrying operations. diff --git a/internal/retry/retry_test.go b/internal/retry/retry_test.go index c4dc68227..8885ac715 100644 --- a/internal/retry/retry_test.go 
+++ b/internal/retry/retry_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package retry @@ -71,7 +71,7 @@ func TestDo(t *testing.T) { retriable: isRetriable, } retrierResult := make(chan error, 1) - ctx, cancel := context.WithCancel(t.Context()) + ctx, cancel := context.WithCancel(context.Background()) defer cancel() go func() { retrierResult <- retrier.Do(ctx) }() diff --git a/internal/role/role.go b/internal/role/role.go index 6259764d6..4288bdae8 100644 --- a/internal/role/role.go +++ b/internal/role/role.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package role diff --git a/internal/role/role_test.go b/internal/role/role_test.go index 1c7132349..4ad65ea4b 100644 --- a/internal/role/role_test.go +++ b/internal/role/role_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package role diff --git a/internal/semver/semver.go b/internal/semver/semver.go index 4feb735be..72dc19f51 100644 --- a/internal/semver/semver.go +++ b/internal/semver/semver.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/semver/semver_test.go b/internal/semver/semver_test.go index 4f9ad658e..30b798514 100644 --- a/internal/semver/semver_test.go +++ b/internal/semver/semver_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package semver diff --git a/internal/sigstore/keyselect/keyselect.go b/internal/sigstore/keyselect/keyselect.go index ecfb10bf5..7e08e09a5 100644 --- a/internal/sigstore/keyselect/keyselect.go +++ b/internal/sigstore/keyselect/keyselect.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package keyselect is used to select the correct public key for signature verification. diff --git a/internal/sigstore/rekor.go b/internal/sigstore/rekor.go index a116bc011..a45377bd3 100644 --- a/internal/sigstore/rekor.go +++ b/internal/sigstore/rekor.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package sigstore diff --git a/internal/sigstore/rekor_integration_test.go b/internal/sigstore/rekor_integration_test.go index 8f2a042ce..4870109fb 100644 --- a/internal/sigstore/rekor_integration_test.go +++ b/internal/sigstore/rekor_integration_test.go @@ -3,12 +3,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package sigstore import ( + "context" "testing" "github.com/stretchr/testify/assert" @@ -42,7 +43,7 @@ func TestRekorSearchByHash(t *testing.T) { rekor, err := NewRekor() require.NoError(err) - uuids, err := rekor.SearchByHash(t.Context(), tc.hash) + uuids, err := rekor.SearchByHash(context.Background(), tc.hash) assert.NoError(err) if tc.wantEmpty { @@ -84,7 +85,7 @@ func TestVerifyEntry(t *testing.T) { rekor, err := NewRekor() require.NoError(err) - err = rekor.VerifyEntry(t.Context(), tc.uuid, tc.pubKey) + err = rekor.VerifyEntry(context.Background(), tc.uuid, tc.pubKey) if tc.wantError { assert.Error(err) return diff --git a/internal/sigstore/rekor_test.go b/internal/sigstore/rekor_test.go index 6d2db56c0..cbbeb3ddd 100644 --- a/internal/sigstore/rekor_test.go +++ b/internal/sigstore/rekor_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package sigstore diff --git a/internal/sigstore/sign.go b/internal/sigstore/sign.go index 84fb58652..a98e6be9d 100644 
--- a/internal/sigstore/sign.go +++ b/internal/sigstore/sign.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package sigstore diff --git a/internal/sigstore/sign_test.go b/internal/sigstore/sign_test.go index 16659c04e..fefbdabd3 100644 --- a/internal/sigstore/sign_test.go +++ b/internal/sigstore/sign_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package sigstore diff --git a/internal/sigstore/sigstore.go b/internal/sigstore/sigstore.go index dee491aed..0c90bd898 100644 --- a/internal/sigstore/sigstore.go +++ b/internal/sigstore/sigstore.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package sigstore is used to verify Constellation components using sigstore, cosign and rekor. diff --git a/internal/sigstore/verify.go b/internal/sigstore/verify.go index f24194c56..a13a3285e 100644 --- a/internal/sigstore/verify.go +++ b/internal/sigstore/verify.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package sigstore diff --git a/internal/sigstore/verify_test.go b/internal/sigstore/verify_test.go index 7f5fd9fe6..ef7952b7a 100644 --- a/internal/sigstore/verify_test.go +++ b/internal/sigstore/verify_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package sigstore diff --git a/internal/staticupload/delete.go b/internal/staticupload/delete.go index 5c87b3ea8..1d3fd12e1 100644 --- a/internal/staticupload/delete.go +++ b/internal/staticupload/delete.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package staticupload 
diff --git a/internal/staticupload/get.go b/internal/staticupload/get.go index db96b17a4..893fd243b 100644 --- a/internal/staticupload/get.go +++ b/internal/staticupload/get.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package staticupload diff --git a/internal/staticupload/staticupload.go b/internal/staticupload/staticupload.go index 2d4f21953..5b68e8ae0 100644 --- a/internal/staticupload/staticupload.go +++ b/internal/staticupload/staticupload.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/staticupload/staticupload_test.go b/internal/staticupload/staticupload_test.go index 7694afa0c..eace5cc1a 100644 --- a/internal/staticupload/staticupload_test.go +++ b/internal/staticupload/staticupload_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package staticupload @@ -108,7 +108,7 @@ func TestUpload(t *testing.T) { cacheInvalidationWaitTimeout: tc.cacheInvalidationWaitTimeout, logger: logger.NewTest(t), } - _, err := client.Upload(t.Context(), tc.in) + _, err := client.Upload(context.Background(), tc.in) var invalidationErr *InvalidationError if tc.wantCacheInvalidationErr { @@ -220,7 +220,7 @@ func TestDeleteObject(t *testing.T) { cacheInvalidationWaitTimeout: tc.cacheInvalidationWaitTimeout, logger: logger.NewTest(t), } - _, err := client.DeleteObject(t.Context(), newObjectInput(tc.nilInput, tc.nilKey)) + _, err := client.DeleteObject(context.Background(), newObjectInput(tc.nilInput, tc.nilKey)) var invalidationErr *InvalidationError if tc.wantCacheInvalidationErr { 
@@ -259,7 +259,7 @@ func TestDeleteObject(t *testing.T) { cacheInvalidationWaitTimeout: tc.cacheInvalidationWaitTimeout, logger: logger.NewTest(t), } - _, err := client.DeleteObjects(t.Context(), newObjectsInput(tc.nilInput, tc.nilKey)) + _, err := client.DeleteObjects(context.Background(), newObjectsInput(tc.nilInput, tc.nilKey)) var invalidationErr *InvalidationError if tc.wantCacheInvalidationErr { @@ -401,7 +401,7 @@ func TestFlush(t *testing.T) { invalidationIDs: tc.invalidationIDs, logger: logger.NewTest(t), } - err := client.Flush(t.Context()) + err := client.Flush(context.Background()) if tc.wantCacheInvalidationErr { var invalidationErr *InvalidationError @@ -444,18 +444,18 @@ func TestConcurrency(t *testing.T) { upload := func() { defer wg.Done() - _, _ = client.Upload(t.Context(), newInput()) + _, _ = client.Upload(context.Background(), newInput()) } deleteObject := func() { defer wg.Done() - _, _ = client.DeleteObject(t.Context(), &s3.DeleteObjectInput{ + _, _ = client.DeleteObject(context.Background(), &s3.DeleteObjectInput{ Bucket: ptr("test-bucket"), Key: ptr("test-key"), }) } deleteObjects := func() { defer wg.Done() - _, _ = client.DeleteObjects(t.Context(), &s3.DeleteObjectsInput{ + _, _ = client.DeleteObjects(context.Background(), &s3.DeleteObjectsInput{ Bucket: ptr("test-bucket"), Delete: &s3types.Delete{ Objects: []s3types.ObjectIdentifier{ @@ -466,7 +466,7 @@ func TestConcurrency(t *testing.T) { } flushClient := func() { defer wg.Done() - _ = client.Flush(t.Context()) + _ = client.Flush(context.Background()) } for i := 0; i < 100; i++ { diff --git a/internal/staticupload/upload.go b/internal/staticupload/upload.go index a779caae5..de954351f 100644 --- a/internal/staticupload/upload.go +++ b/internal/staticupload/upload.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package staticupload 
diff --git a/internal/validation/constraints.go b/internal/validation/constraints.go index 73c88529d..6de84d8d1 100644 --- a/internal/validation/constraints.go +++ b/internal/validation/constraints.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package validation diff --git a/internal/validation/constraints_test.go b/internal/validation/constraints_test.go index aa9531140..103649d56 100644 --- a/internal/validation/constraints_test.go +++ b/internal/validation/constraints_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package validation diff --git a/internal/validation/errors.go b/internal/validation/errors.go index ee06a900b..3b73a6e82 100644 --- a/internal/validation/errors.go +++ b/internal/validation/errors.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package validation diff --git a/internal/validation/errors_test.go b/internal/validation/errors_test.go index 5f12e7ef6..9fe7678ed 100644 --- a/internal/validation/errors_test.go +++ b/internal/validation/errors_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package validation diff --git a/internal/validation/validation.go b/internal/validation/validation.go index 335799cb6..30c705f15 100644 --- a/internal/validation/validation.go +++ b/internal/validation/validation.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/validation/validation_test.go b/internal/validation/validation_test.go index efde331ed..da65e9528 100644 --- a/internal/validation/validation_test.go +++ b/internal/validation/validation_test.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package validation diff --git a/internal/verify/verify.go b/internal/verify/verify.go index 63a0cf46a..27e5db853 100644 --- a/internal/verify/verify.go +++ b/internal/verify/verify.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ /* diff --git a/internal/verify/verify_test.go b/internal/verify/verify_test.go index 3bfb5707b..b0fdf3c5b 100644 --- a/internal/verify/verify_test.go +++ b/internal/verify/verify_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package verify diff --git a/internal/versions/components/components.go b/internal/versions/components/components.go index 8cb33f49b..88c36850f 100644 --- a/internal/versions/components/components.go +++ b/internal/versions/components/components.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package components diff --git a/internal/versions/components/components.pb.go b/internal/versions/components/components.pb.go index 5236421c8..90083065e 100644 --- a/internal/versions/components/components.pb.go +++ b/internal/versions/components/components.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 -// protoc v5.29.1 +// protoc-gen-go v1.35.2 +// protoc v5.29.0--rc2 // source: internal/versions/components/components.proto package components @@ -11,7 +11,6 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" - unsafe "unsafe" ) const ( 
@@ -22,13 +21,14 @@ const ( ) type Component struct { - state protoimpl.MessageState `protogen:"open.v1"` - Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"` - Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"` - InstallPath string `protobuf:"bytes,3,opt,name=install_path,json=installPath,proto3" json:"install_path,omitempty"` - Extract bool `protobuf:"varint,4,opt,name=extract,proto3" json:"extract,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"` + Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"` + InstallPath string `protobuf:"bytes,3,opt,name=install_path,json=installPath,proto3" json:"install_path,omitempty"` + Extract bool `protobuf:"varint,4,opt,name=extract,proto3" json:"extract,omitempty"` } func (x *Component) Reset() { 
@@ -91,24 +91,33 @@ func (x *Component) GetExtract() bool { var File_internal_versions_components_components_proto protoreflect.FileDescriptor -const file_internal_versions_components_components_proto_rawDesc = "" + - "\n" + - "-internal/versions/components/components.proto\x12\n" + - "components\"n\n" + - "\tComponent\x12\x10\n" + - "\x03url\x18\x01 \x01(\tR\x03url\x12\x12\n" + - "\x04hash\x18\x02 \x01(\tR\x04hash\x12!\n" + - "\finstall_path\x18\x03 \x01(\tR\vinstallPath\x12\x18\n" + - "\aextract\x18\x04 \x01(\bR\aextractBFZDgithub.com/edgelesssys/constellation/v2/internal/versions/componentsb\x06proto3" +var file_internal_versions_components_components_proto_rawDesc = []byte{ + 0x0a, 0x2d, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x76, 0x65, 0x72, 0x73, 0x69, + 0x6f, 0x6e, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x63, + 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, + 0x0a, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x6e, 0x0a, 0x09, 0x43, + 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x61, + 0x73, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x61, 0x73, 0x68, 0x12, 0x21, + 0x0a, 0x0c, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c, 0x50, 0x61, 0x74, + 0x68, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x08, 0x52, 0x07, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x42, 0x46, 0x5a, 0x44, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, + 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 
0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, + 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, + 0x6e, 0x74, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} var ( file_internal_versions_components_components_proto_rawDescOnce sync.Once - file_internal_versions_components_components_proto_rawDescData []byte + file_internal_versions_components_components_proto_rawDescData = file_internal_versions_components_components_proto_rawDesc ) func file_internal_versions_components_components_proto_rawDescGZIP() []byte { file_internal_versions_components_components_proto_rawDescOnce.Do(func() { - file_internal_versions_components_components_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_internal_versions_components_components_proto_rawDesc), len(file_internal_versions_components_components_proto_rawDesc))) + file_internal_versions_components_components_proto_rawDescData = protoimpl.X.CompressGZIP(file_internal_versions_components_components_proto_rawDescData) }) return file_internal_versions_components_components_proto_rawDescData } @@ -134,7 +143,7 @@ func file_internal_versions_components_components_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_internal_versions_components_components_proto_rawDesc), len(file_internal_versions_components_components_proto_rawDesc)), + RawDescriptor: file_internal_versions_components_components_proto_rawDesc, NumEnums: 0, NumMessages: 1, NumExtensions: 0, 
@@ -145,6 +154,7 @@ func file_internal_versions_components_components_proto_init() { MessageInfos: file_internal_versions_components_components_proto_msgTypes, }.Build() File_internal_versions_components_components_proto = out.File + file_internal_versions_components_components_proto_rawDesc = nil file_internal_versions_components_components_proto_goTypes = nil file_internal_versions_components_components_proto_depIdxs = nil } diff --git a/internal/versions/components/components_test.go b/internal/versions/components/components_test.go index fe7aea408..4b26ef3c1 100644 --- a/internal/versions/components/components_test.go +++ b/internal/versions/components/components_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package components diff --git a/internal/versions/hash-generator/generate.go b/internal/versions/hash-generator/generate.go index 55c4de154..107060bd6 100644 --- a/internal/versions/hash-generator/generate.go +++ b/internal/versions/hash-generator/generate.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // hash-generator updates the binary hashes and kubeadm patches in versions.go in place. diff --git a/internal/versions/hash-generator/generate_test.go b/internal/versions/hash-generator/generate_test.go index c7ea5df5c..e55c3c1ef 100644 --- a/internal/versions/hash-generator/generate_test.go +++ b/internal/versions/hash-generator/generate_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/internal/versions/versions.go b/internal/versions/versions.go index 8c7b1dc31..aadeae874 100644 --- a/internal/versions/versions.go +++ b/internal/versions/versions.go 
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
@@ -100,12 +100,12 @@ func ResolveK8sPatchVersion(k8sVersion string) (string, error) {
 // supported patch version as PATCH.
 func k8sVersionFromMajorMinor(version string) string {
 switch version {
+ case semver.MajorMinor(string(V1_28)):
+ return string(V1_28)
 case semver.MajorMinor(string(V1_29)):
 return string(V1_29)
 case semver.MajorMinor(string(V1_30)):
 return string(V1_30)
- case semver.MajorMinor(string(V1_31)):
- return string(V1_31)
 default:
 return ""
 }
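Review bot: The set of supported minors is now spelled out in three places — this switch, the `V1_*` constants and the `VersionConfigs` map further down — and the hunk has to edit all three in lockstep; a minor that is present in `VersionConfigs` but missing from this switch silently resolves to `""`, which `ResolveK8sPatchVersion` then reports as unsupported. Deriving the answer from `VersionConfigs` removes that drift; the visible keys (`V1_28`, `V1_29`, `V1_30`) each carry a distinct major.minor, so the first match is the only one, but confirm nothing relies on the switch being checked at compile time. The closing brace of `k8sVersionFromMajorMinor` lies outside the hunk.
```go
func k8sVersionFromMajorMinor(version string) string {
	for v := range VersionConfigs {
		if semver.MajorMinor(string(v)) == version {
			return string(v)
		}
	}
	return ""
	// … unchanged: closing brace of k8sVersionFromMajorMinor …
```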
@@ -169,26 +169,26 @@ const ( // GcpGuestImage image for GCP guest agent. // Check for new versions at https://github.com/GoogleCloudPlatform/guest-agent/releases and update in /.github/workflows/build-gcp-guest-agent.yml. - GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:v20250603.0.0@sha256:5edd1803e712928e4adda9a8be1b357576c0765f62e9a955a6013085556b53a0" // renovate:container + GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:v20240816.0.0@sha256:a6f871346da12d95a1961cb247343ccaa708039f49999ce56d00e35f3f701b97" // renovate:container // NodeMaintenanceOperatorImage is the image for the node maintenance operator. NodeMaintenanceOperatorImage = "quay.io/medik8s/node-maintenance-operator:v0.17.0@sha256:bf1c5758b3d266dd6234422d156c67ffdd47f50f70ce17d5cef1de6065030337" // renovate:container // LogstashImage is the container image of logstash, used for log collection by debugd. - LogstashImage = "ghcr.io/edgelesssys/constellation/logstash-debugd:v2.22.0-pre.0.20250401104011-810c8448d9ad@sha256:48d3de1c066a502ffa97b45ed39028a1e9cf0a63f5b57d29f9826c4d860f1a28" // renovate:container + LogstashImage = "ghcr.io/edgelesssys/constellation/logstash-debugd:v2.17.0-pre.0.20240627193502-8aed4bb0fe45@sha256:d6c5a06049e5c1b9d7ba4b83367fa0c06ba2d1b65e1d299f3e00f465f310642b" // renovate:container // FilebeatImage is the container image of filebeat, used for log collection by debugd. - FilebeatImage = "ghcr.io/edgelesssys/constellation/filebeat-debugd:v2.22.0-pre.0.20250401104011-810c8448d9ad@sha256:7dc8044f9968b9984a1a6da46ea24f7979223938ea9bf01d9847edabb1dc4c35" // renovate:container + FilebeatImage = "ghcr.io/edgelesssys/constellation/filebeat-debugd:v2.17.0-pre.0.20240627193502-8aed4bb0fe45@sha256:606adccf544a15e6b9ae9e11eec707668660bc1af346ff72559404e36da5baa2" // renovate:container // MetricbeatImage is the container image of filebeat, used for log collection by debugd. 
- MetricbeatImage = "ghcr.io/edgelesssys/constellation/metricbeat-debugd:v2.22.0-pre.0.20250401104011-810c8448d9ad@sha256:6df163384d3a905c8a182683a551b151f324588d1fbbf410c3988447b934e597" // renovate:container + MetricbeatImage = "ghcr.io/edgelesssys/constellation/metricbeat-debugd:v2.17.0-pre.0.20240627193502-8aed4bb0fe45@sha256:690b9d36cc334a7f83b58ca905169bb9f1c955b7a436c0044a07f4ce15a90594" // renovate:container // currently supported versions. //nolint:revive - V1_29 ValidK8sVersion = "v1.29.15" // renovate:kubernetes-release + V1_28 ValidK8sVersion = "v1.28.15" // renovate:kubernetes-release //nolint:revive - V1_30 ValidK8sVersion = "v1.30.13" // renovate:kubernetes-release + V1_29 ValidK8sVersion = "v1.29.11" // renovate:kubernetes-release //nolint:revive - V1_31 ValidK8sVersion = "v1.31.9" // renovate:kubernetes-release + V1_30 ValidK8sVersion = "v1.30.7" // renovate:kubernetes-release // Default k8s version deployed by Constellation. - Default ValidK8sVersion = V1_30 + Default ValidK8sVersion = V1_29 ) // Regenerate the hashes by running go generate. 
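Review bot: Every pin in this hunk moves to an older release than the line it replaces — `V1_29` from v1.29.15 to v1.29.11, `V1_30` from v1.30.13 to v1.30.7, `V1_31` dropped in favour of a new `V1_28`, `GcpGuestImage` from v20250603.0.0 to v20240816.0.0, the three debugd images from v2.22.0-pre to v2.17.0-pre — and the same direction holds for the kubelet/kubeadm/kubectl, cni-plugins and crictl entries in the `VersionConfigs` hunk that follows. Nothing on the page says whether this is a revert or a release-branch backport, and a downgrade of the default Kubernetes patch level and of the node binaries needs that reason recorded in the commit message, since the older pins presumably re-expose whatever the replaced patch releases fixed. The digests and sha256 hashes are carried along with each change, which is the right shape; only the direction needs justifying.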
@@ -197,65 +197,132 @@ const ( // VersionConfigs holds download URLs for all required kubernetes components for every supported version. var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{ - V1_29: { - ClusterVersion: "v1.29.15", // renovate:kubernetes-release + V1_28: { + ClusterVersion: "v1.28.15", // renovate:kubernetes-release KubernetesComponents: components.Components{ { - Url: "https://github.com/containernetworking/plugins/releases/download/v1.7.1/cni-plugins-linux-amd64-v1.7.1.tgz", // renovate:cni-plugins-release - Hash: "sha256:1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098", + Url: "https://github.com/containernetworking/plugins/releases/download/v1.6.0/cni-plugins-linux-amd64-v1.6.0.tgz", // renovate:cni-plugins-release + Hash: "sha256:682b49ff8933a997a52107161f1745f8312364b4c7f605ccdf7a77499130d89d", InstallPath: constants.CniPluginsDir, Extract: true, }, { - Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.33.0/crictl-v1.33.0-linux-amd64.tar.gz", // renovate:crictl-release - Hash: "sha256:8307399e714626e69d1213a4cd18c8dec3d0201ecdac009b1802115df8973f0f", + Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.31.1/crictl-v1.31.1-linux-amd64.tar.gz", // renovate:crictl-release + Hash: "sha256:0a03ba6b1e4c253d63627f8d210b2ea07675a8712587e697657b236d06d7d231", InstallPath: constants.BinDir, Extract: true, }, { - Url: "https://dl.k8s.io/v1.29.15/bin/linux/amd64/kubelet", // renovate:kubernetes-release - Hash: "sha256:cd0228a5820f98bbb6371344e5d6645f6486d767c30f927a1d0ec8d17eca4da5", + Url: "https://dl.k8s.io/v1.28.15/bin/linux/amd64/kubelet", // renovate:kubernetes-release + Hash: "sha256:b07a27fd5bd2419c9c623de15c1dd339af84eb27e9276c81070071065db00036", InstallPath: constants.KubeletPath, Extract: false, }, { - Url: "https://dl.k8s.io/v1.29.15/bin/linux/amd64/kubeadm", // renovate:kubernetes-release - Hash: "sha256:d0744fbaa1e67fc65c4a3409f083e01a4ede58181c759b2feeb08b1ef10d6201", + Url: 
"https://dl.k8s.io/v1.28.15/bin/linux/amd64/kubeadm", // renovate:kubernetes-release + Hash: "sha256:0555b2c2fd30efcdb44b7fba5460c3dc3d3e39f2301e1eef7894a9f8976e1b4c", InstallPath: constants.KubeadmPath, Extract: false, }, { - Url: "https://dl.k8s.io/v1.29.15/bin/linux/amd64/kubectl", // renovate:kubernetes-release - Hash: "sha256:3473e14c7b024a6e5403c6401b273b3faff8e5b1fed022d633815eb3168e4516", + Url: "https://dl.k8s.io/v1.28.15/bin/linux/amd64/kubectl", // renovate:kubernetes-release + Hash: "sha256:1f7651ad0b50ef4561aa82e77f3ad06599b5e6b0b2a5fb6c4f474d95a77e41c5", InstallPath: constants.KubectlPath, Extract: false, }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI5LjE1QHNoYTI1NjpmZDgyYzc0ZTA3NzNhMTAzOTYwNTU5MDQ3NTMxMjY0MTFiM2E5NTg0Y2M0NTNlMWM3MTUyYzgxMDE4YTkzM2I2In1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI4LjE1QHNoYTI1Njo2ZGZhODRmNWQ2YmU3MTFhZTBkMTk3NTgyMDFkMzM3ZTgzNmFiN2RlNzMzMDZmZjE0NzI1Y2VhYTk3OGZlYThmIn1d", InstallPath: patchFilePath("kube-apiserver"), }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI5LjE1QHNoYTI1Njo0ZjA1YmUyYzA2NjdkOWY0OTc1YmNjNDNkNWUxMzZiMjQzNjk0NmY4NGM4ZjdkYzJkMmRhMTQzOTJlNzYxYTcxIn1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI4LjE1QHNoYTI1NjpkYWRkMmEzNzg0NzgzMDE4YTdlZTg1ODhkMTFmNzg3ZmVlNGQ1NDI0ZjJjZGQ2Y2U4OWQzYmExODQ0YTZjMTc1In1d", InstallPath: patchFilePath("kube-controller-manager"), }, { - Url: 
"data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI5LjE1QHNoYTI1NjoyNzYxMDhhNDU0MWE1MTg5NGEwMTA2MzMyMzBmN2I2ZDEwZTkyZTczMDI3NGYyNGJkMjFlODI3ZTY0MjQzZDY2In1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI4LjE1QHNoYTI1Njo4MmY0YTQyMzE3NDUwODU4ZDNkNzBmZGU1YjNjMGYyMjE1M2VhMTU1ZmQwNTNmMDk4NjU5OTlhNDY2MWYyZGNhIn1d", InstallPath: patchFilePath("kube-scheduler"), }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjIxLTBAc2hhMjU2OmQ1OGMwMzVkZjU1NzA4MGEyNzM4N2Q2ODcwOTJlM2ZjMmI2NGM2ZDBlMzE2MmRjNTE0NTNhMTE1Zjg0N2QxMjEifV0=", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjE1LTBAc2hhMjU2OmE2ZGM2M2U2ZThjZmEwMzA3ZDc4NTE3NjJmYTZiNjI5YWZiMThmMjhkOGFhM2ZhYjVhNmU5MWI0YWY2MDAyNmEifV0=", InstallPath: patchFilePath("etcd"), }, }, // CloudControllerManagerImageAWS is the CCM image used on AWS. // Check for newer versions at https://github.com/kubernetes/cloud-provider-aws/releases. - CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.29.8@sha256:3f8e7be967f76b328123d53846c21dcd930b60094f9f4abd8bf5ab0fe108e6e4", // renovate:container + CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.28.9@sha256:168905b591796fbd07cb35cd0e3f206fdb7efb30e325c9bf7fa70d1b48989f73", // renovate:container // CloudControllerManagerImageAzure is the CCM image used on Azure. // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. 
- CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.29.15@sha256:22e562ab13b52c8725add9cf87b5c91b2ca7da75bbf08529163890616ffe4ca7", // renovate:container + CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.28.13@sha256:8b853f4f54a09c363806714189435933a8575ac6dca27e991976bd685603113e", // renovate:container // CloudNodeManagerImageAzure is the cloud-node-manager image used on Azure. // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. - CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.29.15@sha256:049bf87e7df4653c191b31228b3868627ce2268328158ef39270ca25f3e55b39", // renovate:container + CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.28.13@sha256:525ca9c8a44bbdfa9acc0a417776bb822a1bbdaaf27d9776b8dcf5b3519c346a", // renovate:container + // CloudControllerManagerImageGCP is the CCM image used on GCP. + CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v28.10.0@sha256:f3b6fa7faea27b4a303c91b3bc7ee192b050e21e27579e9f3da90ae4ba38e626", // renovate:container + // CloudControllerManagerImageOpenStack is the CCM image used on OpenStack. + CloudControllerManagerImageOpenStack: "docker.io/k8scloudprovider/openstack-cloud-controller-manager:v1.26.4@sha256:05e846fb13481b6dbe4a1e50491feb219e8f5101af6cf662a086115735624db0", // renovate:container + // External service image. Depends on k8s version. + // Check for new versions at https://github.com/kubernetes/autoscaler/releases. 
+ ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.28.7@sha256:77906954da9171425c8c8d3286091818143b6dcf9039abd49b8f33f1502978a1", // renovate:container + }, + V1_29: { + ClusterVersion: "v1.29.11", // renovate:kubernetes-release + KubernetesComponents: components.Components{ + { + Url: "https://github.com/containernetworking/plugins/releases/download/v1.6.0/cni-plugins-linux-amd64-v1.6.0.tgz", // renovate:cni-plugins-release + Hash: "sha256:682b49ff8933a997a52107161f1745f8312364b4c7f605ccdf7a77499130d89d", + InstallPath: constants.CniPluginsDir, + Extract: true, + }, + { + Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.31.1/crictl-v1.31.1-linux-amd64.tar.gz", // renovate:crictl-release + Hash: "sha256:0a03ba6b1e4c253d63627f8d210b2ea07675a8712587e697657b236d06d7d231", + InstallPath: constants.BinDir, + Extract: true, + }, + { + Url: "https://dl.k8s.io/v1.29.11/bin/linux/amd64/kubelet", // renovate:kubernetes-release + Hash: "sha256:1aaa9025cceac0c9a4df295a58aa79d8932a5b13a43c8910412c9ef970c42d21", + InstallPath: constants.KubeletPath, + Extract: false, + }, + { + Url: "https://dl.k8s.io/v1.29.11/bin/linux/amd64/kubeadm", // renovate:kubernetes-release + Hash: "sha256:6cf3567bd69a14859fb80fb39a09196dc2de1729ae72566e7e4819c5600e49c6", + InstallPath: constants.KubeadmPath, + Extract: false, + }, + { + Url: "https://dl.k8s.io/v1.29.11/bin/linux/amd64/kubectl", // renovate:kubernetes-release + Hash: "sha256:14d7ea4ada60ff15ef3b7734a83c4d05cff164d4843b6f4c081a50b86547c17d", + InstallPath: constants.KubectlPath, + Extract: false, + }, + { + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI5LjExQHNoYTI1Njo2NTQ1ZjZmNjJjMWYwZjBhZmZmNTM0YzIyNzZiZDI0MmZmZGFjNTRlNzNiMjJjYzEwMzQzNTIyYzcyYjlmNzcxIn1d", + InstallPath: patchFilePath("kube-apiserver"), + }, + { + Url: 
"data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI5LjExQHNoYTI1Njo1OTU1NDgyZDg5NWFhNGE0MTNhNzBhZjUwNjcwNjA1OTIzOGIzNjM3ZmQ3MzA1OTRlNTljOTkwOTU0MjIxZjEzIn1d", + InstallPath: patchFilePath("kube-controller-manager"), + }, + { + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI5LjExQHNoYTI1NjpmZTA3OGYyNmJmMTQzMDFmNzk0NjhkNzlhNWQyZDQzMWIzNDZhNGFiYjFjYWI0ZTliMWY5YmE4OTE0OTY0MTYxIn1d", + InstallPath: patchFilePath("kube-scheduler"), + }, + { + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjE1LTBAc2hhMjU2OmE2ZGM2M2U2ZThjZmEwMzA3ZDc4NTE3NjJmYTZiNjI5YWZiMThmMjhkOGFhM2ZhYjVhNmU5MWI0YWY2MDAyNmEifV0=", + InstallPath: patchFilePath("etcd"), + }, + }, + // CloudControllerManagerImageAWS is the CCM image used on AWS. + // Check for newer versions at https://github.com/kubernetes/cloud-provider-aws/releases. + CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.29.6@sha256:8074b8828a33fb273833e8fd374dda6a0ab10335ae8e19684fbd61eeff7d3594", // renovate:container + // CloudControllerManagerImageAzure is the CCM image used on Azure. + // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. + CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.29.11@sha256:2ecdca660c03b17110a4ee732230424ce0377c5b1756a4408666e40938ee976a", // renovate:container + // CloudNodeManagerImageAzure is the cloud-node-manager image used on Azure. + // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. 
+ CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.29.11@sha256:17888b0ebaec6735214b85d20bdcc8062f051bc27e835454e9ef89734d34aa4b", // renovate:container // CloudControllerManagerImageGCP is the CCM image used on GCP. CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v29.5.1@sha256:ebbc6f5755725b6c2c81ca1d1580e2feba83572c41608b739c50f85b2e5de936", // renovate:container // CloudControllerManagerImageOpenStack is the CCM image used on OpenStack. 
@@ -265,138 +332,71 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{ ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.29.5@sha256:76865740be7c965b35ee1524931bb4abfe4c27b5bfad280e84068cd6653ee7bb", // renovate:container }, V1_30: { - ClusterVersion: "v1.30.13", // renovate:kubernetes-release + ClusterVersion: "v1.30.7", // renovate:kubernetes-release KubernetesComponents: components.Components{ { - Url: "https://github.com/containernetworking/plugins/releases/download/v1.7.1/cni-plugins-linux-amd64-v1.7.1.tgz", // renovate:cni-plugins-release - Hash: "sha256:1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098", + Url: "https://github.com/containernetworking/plugins/releases/download/v1.6.0/cni-plugins-linux-amd64-v1.6.0.tgz", // renovate:cni-plugins-release + Hash: "sha256:682b49ff8933a997a52107161f1745f8312364b4c7f605ccdf7a77499130d89d", InstallPath: constants.CniPluginsDir, Extract: true, }, { - Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.33.0/crictl-v1.33.0-linux-amd64.tar.gz", // renovate:crictl-release - Hash: "sha256:8307399e714626e69d1213a4cd18c8dec3d0201ecdac009b1802115df8973f0f", + Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.31.1/crictl-v1.31.1-linux-amd64.tar.gz", // renovate:crictl-release + Hash: "sha256:0a03ba6b1e4c253d63627f8d210b2ea07675a8712587e697657b236d06d7d231", InstallPath: constants.BinDir, Extract: true, }, { - Url: "https://dl.k8s.io/v1.30.13/bin/linux/amd64/kubelet", // renovate:kubernetes-release - Hash: "sha256:b8d8c3cc0c13b2e42c1d83ab6c03024825bc01887c923fd6f8568ebe066ec28e", + Url: "https://dl.k8s.io/v1.30.7/bin/linux/amd64/kubelet", // renovate:kubernetes-release + Hash: "sha256:4b2fb90661e2b7be8b34b5bd405652590f6351a9f55194430fa16d547a7c9d16", InstallPath: constants.KubeletPath, Extract: false, }, { - Url: "https://dl.k8s.io/v1.30.13/bin/linux/amd64/kubeadm", // renovate:kubernetes-release - Hash: 
"sha256:dbea796b7b716f7b30ea99e021c3730ef3debace4c8a62c88abfc266b3ab7a96", + Url: "https://dl.k8s.io/v1.30.7/bin/linux/amd64/kubeadm", // renovate:kubernetes-release + Hash: "sha256:3635901a3a6e5b0124547151de700a1dbd4571531327a32edbec43bb155b877b", InstallPath: constants.KubeadmPath, Extract: false, }, { - Url: "https://dl.k8s.io/v1.30.13/bin/linux/amd64/kubectl", // renovate:kubernetes-release - Hash: "sha256:b92bd89b27386b671841d5970b926b645c2ae44e5ca0663cff0f1c836a1530ee", + Url: "https://dl.k8s.io/v1.30.7/bin/linux/amd64/kubectl", // renovate:kubernetes-release + Hash: "sha256:3950ec7b81b9aa5a3856dd6155e42e1ad12a2fa8b050502f5a9652050f94a8ee", InstallPath: constants.KubectlPath, Extract: false, }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjMwLjEzQHNoYTI1NjpiZDY4ZDgxYzIwYWQ1NzgxYWRlYzlmNmVhZTI0YzgzZDZmNjZjM2FmYzBkNGJhYTMyZDNmMmQ4NjVjODJkNDM2In1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjMwLjdAc2hhMjU2OjEzZjRmMGY1ODUwYjM5NzQyMTAxYzY1NmIxYmJkNTA5MGVhY2YyNzA4NGFkODliNDg5ZmM4MjRlZjQ4MmVkOWMifV0=", InstallPath: patchFilePath("kube-apiserver"), }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjMwLjEzQHNoYTI1NjpiODVhNWQ3ODVjYzAwYjAzNjEzZjY3YTdhZmNhMWU5MWIyYTBjY2Y0Y2VkOGU2OWQzOGJkYTVmNjg2OTgwZjNmIn1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjMwLjdAc2hhMjU2OjViOGRjMjZjMDViMjczY2UxOThmYmFmNGViMTc5ZjNiNmQ2OTE5YzZlMjExNmQzNmRjN2Y4MjU1NTM3NGM2ODcifV0=", InstallPath: patchFilePath("kube-controller-manager"), }, { - Url: 
"data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjMwLjEzQHNoYTI1NjpiZmE1ZjEwZGMzZTE0MzE2Nzg1ZjIzZjhlMWY0ZTRkYmM1NTZiMDMzMjcwZDkxMTg1ZmNhMDU3NzM1M2NhZDMzIn1d", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjMwLjdAc2hhMjU2OjAwYjE2ZGI5OTExMDFiNzM2MWYyZjE4MDM1ZTFjNjUyNmMwY2U2YzlhOTU2ODUyNDgyNGI0YmNjZGYxYWZiZDYifV0=", InstallPath: patchFilePath("kube-scheduler"), }, { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjIxLTBAc2hhMjU2OmQ1OGMwMzVkZjU1NzA4MGEyNzM4N2Q2ODcwOTJlM2ZjMmI2NGM2ZDBlMzE2MmRjNTE0NTNhMTE1Zjg0N2QxMjEifV0=", + Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjE1LTBAc2hhMjU2OmE2ZGM2M2U2ZThjZmEwMzA3ZDc4NTE3NjJmYTZiNjI5YWZiMThmMjhkOGFhM2ZhYjVhNmU5MWI0YWY2MDAyNmEifV0=", InstallPath: patchFilePath("etcd"), }, }, // CloudControllerManagerImageAWS is the CCM image used on AWS. // Check for newer versions at https://github.com/kubernetes/cloud-provider-aws/releases. - CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.30.8@sha256:f4e82b924e967656d8df9f467c9c1915509e94e228b53840a7f9f2367e1ba9f5", // renovate:container + CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.30.3@sha256:30a1758dec30814178c787e2d50f46bb141e9f0bb2e16190ddd19df15f957874", // renovate:container // CloudControllerManagerImageAzure is the CCM image used on Azure. // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. 
- CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.30.13@sha256:27de5a453a9ba64341c547f4be1dd1d114e56c858cdc00c36b9167e415a98baa", // renovate:container + CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.30.7@sha256:03b2876f481507781a27b56a6e66c1928b7b93774e787e52a5239aefa41191e4", // renovate:container // CloudNodeManagerImageAzure is the cloud-node-manager image used on Azure. // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. - CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.13@sha256:8a95c28ce40eab15b74d32ddc9959d9ec549e4d76014df6d19ab776e327a282f", // renovate:container + CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.7@sha256:f18feb78e36eef88f0e23d98d798476d2bf6837de11892fe118ab043afdcd497", // renovate:container // CloudControllerManagerImageGCP is the CCM image used on GCP. - CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v30.1.4@sha256:0c3695a18d3825492196facb092e5fe56e466fa8517cde5a206fe21630c1da13", // renovate:container + CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v30.1.0@sha256:64d2d5d4d2b5fb426c307c64ada9a61b64e797b56d9768363f145f2bd957998f", // renovate:container // CloudControllerManagerImageOpenStack is the CCM image used on OpenStack. CloudControllerManagerImageOpenStack: "docker.io/k8scloudprovider/openstack-cloud-controller-manager:v1.26.4@sha256:05e846fb13481b6dbe4a1e50491feb219e8f5101af6cf662a086115735624db0", // renovate:container // External service image. Depends on k8s version. // Check for new versions at https://github.com/kubernetes/autoscaler/releases. 
- ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.30.4@sha256:f508cac11c8300f27529ed73f8d80f9b1949f819e8f8787f28afcb8e47ceb2b4", // renovate:container - }, - V1_31: { - ClusterVersion: "v1.31.9", // renovate:kubernetes-release - KubernetesComponents: components.Components{ - { - Url: "https://github.com/containernetworking/plugins/releases/download/v1.7.1/cni-plugins-linux-amd64-v1.7.1.tgz", // renovate:cni-plugins-release - Hash: "sha256:1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098", - InstallPath: constants.CniPluginsDir, - Extract: true, - }, - { - Url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.33.0/crictl-v1.33.0-linux-amd64.tar.gz", // renovate:crictl-release - Hash: "sha256:8307399e714626e69d1213a4cd18c8dec3d0201ecdac009b1802115df8973f0f", - InstallPath: constants.BinDir, - Extract: true, - }, - { - Url: "https://dl.k8s.io/v1.31.9/bin/linux/amd64/kubelet", // renovate:kubernetes-release - Hash: "sha256:4e5e2bce4e80575a253654877f0156393d79647a36afb784da27f3ddef446456", - InstallPath: constants.KubeletPath, - Extract: false, - }, - { - Url: "https://dl.k8s.io/v1.31.9/bin/linux/amd64/kubeadm", // renovate:kubernetes-release - Hash: "sha256:9653845e48754df94842cce1ef76874e7f4c1a32d782dd0c7e6cf12e3a718dde", - InstallPath: constants.KubeadmPath, - Extract: false, - }, - { - Url: "https://dl.k8s.io/v1.31.9/bin/linux/amd64/kubectl", // renovate:kubernetes-release - Hash: "sha256:720d31a15368ad56993c127a7d4fa2688a8520029c2e6be86b1a877ad6f92624", - InstallPath: constants.KubectlPath, - Extract: false, - }, - { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjMxLjlAc2hhMjU2OjViNjhmMGRmMjIwMTM0MjJkYzhmYjlkZGZjZmY1MTNlYjZmYzkyZjlkYmY4YWFlNDE1NTVjODk1ZWZlZjVhMjAifV0=", - InstallPath: patchFilePath("kube-apiserver"), - }, - { - Url: 
"data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjMxLjlAc2hhMjU2OmJlOWU3OTg3ZDMyM2IzOGExMmUyODQzNmNmZjZkNmVjNmZjMzFmZmRkM2VhMTFlYWE5ZDc0ODUyZTlkMzEyNDgifV0=", - InstallPath: patchFilePath("kube-controller-manager"), - }, - { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjMxLjlAc2hhMjU2OmViMzU4YzczNDZiYjE3YWIyYzYzOWMzZmY4YWI3NmExNDdkZWM3YWU2MDlmNWMwYzI4MDAyMzNlNDIyNTNlZDEifV0=", - InstallPath: patchFilePath("kube-scheduler"), - }, - { - Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2V0Y2Q6My41LjIxLTBAc2hhMjU2OmQ1OGMwMzVkZjU1NzA4MGEyNzM4N2Q2ODcwOTJlM2ZjMmI2NGM2ZDBlMzE2MmRjNTE0NTNhMTE1Zjg0N2QxMjEifV0=", - InstallPath: patchFilePath("etcd"), - }, - }, - // CloudControllerManagerImageAWS is the CCM image used on AWS. - // Check for newer versions at https://github.com/kubernetes/cloud-provider-aws/releases. - CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.31.5@sha256:6f94a695828de888c8efc57e3243db9e788709767f687a6a8cb07c2e42158862", // renovate:container - // CloudControllerManagerImageAzure is the CCM image used on Azure. - // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. - CloudControllerManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.31.7@sha256:5a63e332108ce766e75df5956387546c225877030bfaf1bf61f7dff57f59b69b", // renovate:container - // CloudNodeManagerImageAzure is the cloud-node-manager image used on Azure. - // Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md. 
- CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.31.7@sha256:3a7ce77b58bfed3c3ff6197c84fbb52630b600c600367a324df821b4ddb983f3", // renovate:container - // CloudControllerManagerImageGCP is the CCM image used on GCP. - CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v30.1.4@sha256:0c3695a18d3825492196facb092e5fe56e466fa8517cde5a206fe21630c1da13", // renovate:container - // CloudControllerManagerImageOpenStack is the CCM image used on OpenStack. - CloudControllerManagerImageOpenStack: "registry.k8s.io/provider-os/openstack-cloud-controller-manager:v1.32.0@sha256:25e0539888590240483b60dec84c2387fd3cc48bd81dc10a3f6b01fef2585548", // renovate:container - // External service image. Depends on k8s version. - // Check for new versions at https://github.com/kubernetes/autoscaler/releases. - ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.31.2@sha256:2f2ae9f88573d45d8c72d22abff97fb77fd8d9e55f40e57aa282957e56fd3a1a", // renovate:container + ClusterAutoscalerImage: "registry.k8s.io/autoscaling/cluster-autoscaler:v1.30.3@sha256:08fd86ee093760849ac4fd579eb90185b669fc20aa56c156aa34ea7b73dd5e34", // renovate:container }, } diff --git a/internal/versions/versions_test.go b/internal/versions/versions_test.go index 1e62d1091..34bc99859 100644 --- a/internal/versions/versions_test.go +++ b/internal/versions/versions_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package versions diff --git a/joinservice/cmd/main.go b/joinservice/cmd/main.go index 425c4c4ac..8aaab9654 100644 --- a/joinservice/cmd/main.go +++ b/joinservice/cmd/main.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main 
@@ -116,7 +116,6 @@ func main() {
 keyServiceClient,
 kubeClient,
 log.WithGroup("server"),
- file.NewHandler(afero.NewOsFs()),
 )
 if err != nil {
 log.With(slog.Any("error", err)).Error("Failed to create server")
diff --git a/joinservice/internal/certcache/amdkds/amdkds.go b/joinservice/internal/certcache/amdkds/amdkds.go
index 0f2d14468..8b1a9b131 100644
--- a/joinservice/internal/certcache/amdkds/amdkds.go
+++ b/joinservice/internal/certcache/amdkds/amdkds.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // The AMDKDS package implements interaction with the AMD KDS (Key Distribution Service).
diff --git a/joinservice/internal/certcache/amdkds/amdkds_test.go b/joinservice/internal/certcache/amdkds/amdkds_test.go
index 08e0ba2cf..d7ede82f9 100644
--- a/joinservice/internal/certcache/amdkds/amdkds_test.go
+++ b/joinservice/internal/certcache/amdkds/amdkds_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package amdkds
diff --git a/joinservice/internal/certcache/amdkds/testdata/testdata.go b/joinservice/internal/certcache/amdkds/testdata/testdata.go
index fea4953d3..4e4d4a40e 100644
--- a/joinservice/internal/certcache/amdkds/testdata/testdata.go
+++ b/joinservice/internal/certcache/amdkds/testdata/testdata.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package testdata contains testing data for an attestation process.
diff --git a/joinservice/internal/certcache/certcache.go b/joinservice/internal/certcache/certcache.go
index 632863d61..ba88b67b4 100644
--- a/joinservice/internal/certcache/certcache.go
+++ b/joinservice/internal/certcache/certcache.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package certcache implements an in-cluster SEV-SNP certificate cache.
diff --git a/joinservice/internal/certcache/certcache_test.go b/joinservice/internal/certcache/certcache_test.go
index 34df8db13..a742d43c6 100644
--- a/joinservice/internal/certcache/certcache_test.go
+++ b/joinservice/internal/certcache/certcache_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package certcache
@@ -116,7 +116,7 @@ func TestCreateCertChainCache(t *testing.T) {
 assert := assert.New(t)
 require := require.New(t)
- ctx := t.Context()
+ ctx := context.Background()
 c := &Client{
 attVariant: variant.Dummy{},
@@ -204,7 +204,7 @@ func TestGetCertChainCache(t *testing.T) {
 t.Run(name, func(t *testing.T) {
 assert := assert.New(t)
- ctx := t.Context()
+ ctx := context.Background()
 c := NewClient(logger.NewTest(t), tc.kubeClient, variant.Dummy{})
diff --git a/joinservice/internal/certcache/testdata/testdata.go b/joinservice/internal/certcache/testdata/testdata.go
index a3b7ade1d..3830ccb16 100644
--- a/joinservice/internal/certcache/testdata/testdata.go
+++ b/joinservice/internal/certcache/testdata/testdata.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package testdata contains testing data for an attestation process.
diff --git a/joinservice/internal/kms/kms.go b/joinservice/internal/kms/kms.go
index 4b9c12aa9..b6115f803 100644
--- a/joinservice/internal/kms/kms.go
+++ b/joinservice/internal/kms/kms.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package kms handles communication with Constellation's key service to request data encryption keys for new or rejoining nodes.
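Review bot: The `ctx := context.Background()` introduced in TestCreateCertChainCache (and again in TestGetCertChainCache in the next hunk, and in TestGetDataKey in kms_test.go) is never cancelled, so a stub that blocks on the context runs until the package test timeout instead of failing promptly; the replaced `t.Context()` was cancelled when the test finished. If the new side must build on a toolchain without `testing.T.Context`, which the surrounding downgrades suggest, a cancel tied to the test lifetime keeps the same bound: `ctx, cancel := context.WithCancel(context.Background())` followed by `t.Cleanup(cancel)`. TestCreateCertChainCache's body continues outside the hunk.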
diff --git a/joinservice/internal/kms/kms_test.go b/joinservice/internal/kms/kms_test.go
index 974bce382..cd831ddc4 100644
--- a/joinservice/internal/kms/kms_test.go
+++ b/joinservice/internal/kms/kms_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package kms
@@ -60,7 +60,7 @@ func TestGetDataKey(t *testing.T) {
 client.grpc = tc.client
- res, err := client.GetDataKey(t.Context(), "disk-uuid", 32)
+ res, err := client.GetDataKey(context.Background(), "disk-uuid", 32)
 if tc.wantErr {
 assert.Error(err)
 } else {
diff --git a/joinservice/internal/kubeadm/kubeadm.go b/joinservice/internal/kubeadm/kubeadm.go
index 67a5f9475..28ac08740 100644
--- a/joinservice/internal/kubeadm/kubeadm.go
+++ b/joinservice/internal/kubeadm/kubeadm.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package kubeadm handles joining of new nodes by creating Kubernetes Join Tokens.
diff --git a/joinservice/internal/kubeadm/kubeadm_test.go b/joinservice/internal/kubeadm/kubeadm_test.go
index 92a2cff03..e78d1c0bb 100644
--- a/joinservice/internal/kubeadm/kubeadm_test.go
+++ b/joinservice/internal/kubeadm/kubeadm_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package kubeadm
diff --git a/joinservice/internal/kubernetes/kubernetes.go b/joinservice/internal/kubernetes/kubernetes.go
index ac161aafc..c71e4a801 100644
--- a/joinservice/internal/kubernetes/kubernetes.go
+++ b/joinservice/internal/kubernetes/kubernetes.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package kubernetes interacts with the Kubernetes API to update an fetch objects related to joining nodes.
diff --git a/joinservice/internal/kubernetes/kubernetes_test.go b/joinservice/internal/kubernetes/kubernetes_test.go
index bf7f97048..2d289a068 100644
--- a/joinservice/internal/kubernetes/kubernetes_test.go
+++ b/joinservice/internal/kubernetes/kubernetes_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package kubernetes
diff --git a/joinservice/internal/kubernetesca/kubernetesca.go b/joinservice/internal/kubernetesca/kubernetesca.go
index 92d0d0ffc..f9173b2f6 100644
--- a/joinservice/internal/kubernetesca/kubernetesca.go
+++ b/joinservice/internal/kubernetesca/kubernetesca.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // kubernetesca implements a certificate authority that uses the Kubernetes root CA to sign certificates.
diff --git a/joinservice/internal/kubernetesca/kubernetesca_test.go b/joinservice/internal/kubernetesca/kubernetesca_test.go
index 698551f7a..359ef7771 100644
--- a/joinservice/internal/kubernetesca/kubernetesca_test.go
+++ b/joinservice/internal/kubernetesca/kubernetesca_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package kubernetesca
diff --git a/joinservice/internal/server/BUILD.bazel b/joinservice/internal/server/BUILD.bazel
index c7835f7ef..7e29a733c 100644
--- a/joinservice/internal/server/BUILD.bazel
+++ b/joinservice/internal/server/BUILD.bazel
@@ -10,7 +10,6 @@ go_library(
 "//internal/attestation",
 "//internal/constants",
 "//internal/crypto",
- "//internal/file",
 "//internal/grpc/grpclog",
 "//internal/logger",
 "//internal/versions/components",
@@ -20,7 +19,6 @@ go_library(
 "@org_golang_google_grpc//codes",
 "@org_golang_google_grpc//credentials",
 "@org_golang_google_grpc//status",
- "@org_golang_x_crypto//ssh",
 ],
 )
@@ -30,16 +28,12 @@ go_test(
 embed = [":server"],
 deps = [
 "//internal/attestation",
- "//internal/constants",
- "//internal/file",
 "//internal/logger",
 "//internal/versions/components",
 "//joinservice/joinproto",
- "@com_github_spf13_afero//:afero",
 "@com_github_stretchr_testify//assert",
 "@com_github_stretchr_testify//require",
 "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/v1beta3",
- "@org_golang_x_crypto//ssh",
 "@org_uber_go_goleak//:goleak",
 ],
 )
diff --git a/joinservice/internal/server/server.go b/joinservice/internal/server/server.go
index e3df8dc5d..21bb24d67 100644
--- a/joinservice/internal/server/server.go
+++ b/joinservice/internal/server/server.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package server implements the gRPC endpoint of Constellation's node join service.
@@ -9,22 +9,18 @@ package server
 import (
 "context"
- "crypto/ed25519"
 "fmt"
 "log/slog"
 "net"
- "strings"
 "time"
 "github.com/edgelesssys/constellation/v2/internal/attestation"
 "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/crypto"
- "github.com/edgelesssys/constellation/v2/internal/file"
 "github.com/edgelesssys/constellation/v2/internal/grpc/grpclog"
 "github.com/edgelesssys/constellation/v2/internal/logger"
 "github.com/edgelesssys/constellation/v2/internal/versions/components"
 "github.com/edgelesssys/constellation/v2/joinservice/joinproto"
- "golang.org/x/crypto/ssh"
 "google.golang.org/grpc"
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/credentials"
@@ -42,7 +38,6 @@ type Server struct {
 dataKeyGetter dataKeyGetter
 ca certificateAuthority
 kubeClient kubeClient
- fileHandler file.Handler
 joinproto.UnimplementedAPIServer
 }
@@ -50,7 +45,6 @@ type Server struct {
 func New(
 measurementSalt []byte, ca certificateAuthority, joinTokenGetter joinTokenGetter, dataKeyGetter dataKeyGetter, kubeClient kubeClient, log *slog.Logger,
- fileHandler file.Handler,
 ) (*Server, error) {
 return &Server{
 measurementSalt: measurementSalt,
@@ -59,7 +53,6 @@ func New(
 dataKeyGetter: dataKeyGetter,
 ca: ca,
 kubeClient: kubeClient,
- fileHandler: fileHandler,
 }, nil
 }
@@ -107,37 +100,6 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 return nil, status.Errorf(codes.Internal, "getting key for stateful disk: %s", err)
 }
- log.Info("Requesting emergency SSH CA derivation key")
- sshCAKeySeed, err := s.dataKeyGetter.GetDataKey(ctx, constants.SSHCAKeySuffix, ed25519.SeedSize)
- if err != nil {
- log.With(slog.Any("error", err)).Error("Failed to get seed material to derive SSH CA key")
- return nil, status.Errorf(codes.Internal, "getting emergency SSH CA seed material: %s", err)
- }
- ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed)
- if err != nil {
- log.With(slog.Any("error", err)).Error("Failed to derive ssh CA key from seed material")
- return nil, status.Errorf(codes.Internal, "generating ssh emergency CA key: %s", err)
- }
-
- principalList := req.HostCertificatePrincipals
- additionalPrincipals, err := s.fileHandler.Read(constants.SSHAdditionalPrincipalsPath)
- if err != nil {
- log.With(slog.Any("error", err)).Error("Failed to read additional principals file")
- return nil, status.Errorf(codes.Internal, "reading additional principals file: %s", err)
- }
- principalList = append(principalList, strings.Split(string(additionalPrincipals), ",")...)
-
- publicKey, err := ssh.ParsePublicKey(req.HostPublicKey)
- if err != nil {
- log.With(slog.Any("error", err)).Error("Failed to parse host public key")
- return nil, status.Errorf(codes.Internal, "unmarshalling host public key: %s", err)
- }
- hostCertificate, err := crypto.GenerateSSHHostCertificate(principalList, publicKey, ca)
- if err != nil {
- log.With(slog.Any("error", err)).Error("Failed to generate and sign SSH host key")
- return nil, status.Errorf(codes.Internal, "generating and signing SSH host key: %s", err)
- }
-
 log.Info("Creating Kubernetes join token")
 kubeArgs, err := s.joinTokenGetter.GetJoinToken(constants.KubernetesJoinTokenTTL)
 if err != nil {
@@ -205,8 +167,6 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 KubeletCert: kubeletCert,
 ControlPlaneFiles: controlPlaneFiles,
 KubernetesComponents: components,
- AuthorizedCaPublicKey: ssh.MarshalAuthorizedKey(ca.PublicKey()),
- HostCertificate: ssh.MarshalAuthorizedKey(hostCertificate),
 }, nil
 }
diff --git a/joinservice/internal/server/server_test.go b/joinservice/internal/server/server_test.go
index 214acfefd..ff11c7b57 100644
--- a/joinservice/internal/server/server_test.go
+++ b/joinservice/internal/server/server_test.go
@@ -1,29 +1,24 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package server
 import (
 "context"
- "crypto/ed25519"
 "errors"
 "testing"
 "time"
 "github.com/edgelesssys/constellation/v2/internal/attestation"
- "github.com/edgelesssys/constellation/v2/internal/constants"
- "github.com/edgelesssys/constellation/v2/internal/file"
 "github.com/edgelesssys/constellation/v2/internal/logger"
 "github.com/edgelesssys/constellation/v2/internal/versions/components"
 "github.com/edgelesssys/constellation/v2/joinservice/joinproto"
- "github.com/spf13/afero"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 "go.uber.org/goleak"
- "golang.org/x/crypto/ssh"
 kubeadmv1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
 )
@@ -34,16 +29,10 @@ func TestMain(m *testing.M) {
 func TestIssueJoinTicket(t *testing.T) {
 someErr := errors.New("error")
 testKey := []byte{0x1, 0x2, 0x3}
- testCaKey := make([]byte, ed25519.SeedSize)
 testCert := []byte{0x4, 0x5, 0x6}
 measurementSecret := []byte{0x7, 0x8, 0x9}
 uuid := "uuid"
- pubkey, _, err := ed25519.GenerateKey(nil)
- require.NoError(t, err)
- hostSSHPubKey, err := ssh.NewPublicKey(pubkey)
- require.NoError(t, err)
-
 testJoinToken := &kubeadmv1.BootstrapTokenDiscovery{
 APIServerEndpoint: "192.0.2.1",
 CACertHashes: []string{"hash"},
@@ -60,22 +49,19 @@ func TestIssueJoinTicket(t *testing.T) {
 }
 testCases := map[string]struct {
- isControlPlane bool
- kubeadm stubTokenGetter
- kms stubKeyGetter
- ca stubCA
- kubeClient stubKubeClient
- missingComponentsReferenceFile bool
- missingAdditionalPrincipalsFile bool
- missingSSHHostKey bool
- wantErr bool
+ isControlPlane bool
+ kubeadm stubTokenGetter
+ kms stubKeyGetter
+ ca stubCA
+ kubeClient stubKubeClient
+ missingComponentsReferenceFile bool
+ wantErr bool
 }{
 "worker node": {
 kubeadm: stubTokenGetter{token: testJoinToken},
 kms: stubKeyGetter{dataKeys: map[string][]byte{
 uuid: testKey,
 attestation.MeasurementSecretContext: measurementSecret,
- constants.SSHCAKeySuffix: testCaKey,
 }},
 ca: stubCA{cert: testCert, nodeName: "node"},
 kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"},
@@ -85,7 +71,6 @@ func TestIssueJoinTicket(t *testing.T) {
 kms: stubKeyGetter{dataKeys: map[string][]byte{
 uuid: testKey,
 attestation.MeasurementSecretContext: measurementSecret,
- constants.SSHCAKeySuffix: testCaKey,
 }},
 ca: stubCA{cert: testCert, nodeName: "node"},
 kubeClient: stubKubeClient{getComponentsErr: someErr},
@@ -96,7 +81,6 @@ func TestIssueJoinTicket(t *testing.T) {
 kms: stubKeyGetter{dataKeys: map[string][]byte{
 uuid: testKey,
 attestation.MeasurementSecretContext: measurementSecret,
- constants.SSHCAKeySuffix: testCaKey,
 }},
 ca: stubCA{cert: testCert, nodeName: "node", getNameErr: someErr},
 kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"},
@@ -107,7 +91,6 @@ func TestIssueJoinTicket(t *testing.T) {
 kms: stubKeyGetter{dataKeys: map[string][]byte{
 uuid: testKey,
 attestation.MeasurementSecretContext: measurementSecret,
- constants.SSHCAKeySuffix: testCaKey,
 }},
 ca: stubCA{cert: testCert, nodeName: "node"},
 kubeClient: stubKubeClient{getComponentsVal: clusterComponents, addNodeToJoiningNodesErr: someErr, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"},
@@ -125,7 +108,6 @@ func TestIssueJoinTicket(t *testing.T) {
 kms: stubKeyGetter{dataKeys: map[string][]byte{
 uuid: testKey,
 attestation.MeasurementSecretContext: measurementSecret,
- constants.SSHCAKeySuffix: testCaKey,
 }},
 ca: stubCA{cert: testCert, nodeName: "node"},
 kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"},
@@ -136,7 +118,6 @@ func TestIssueJoinTicket(t *testing.T) {
 kms: stubKeyGetter{dataKeys: map[string][]byte{
 uuid: testKey,
 attestation.MeasurementSecretContext: measurementSecret,
- constants.SSHCAKeySuffix: testCaKey,
 }},
 ca: stubCA{getCertErr: someErr, nodeName: "node"},
 kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"},
@@ -151,7 +132,6 @@ func TestIssueJoinTicket(t *testing.T) {
 kms: stubKeyGetter{dataKeys: map[string][]byte{
 uuid: testKey,
 attestation.MeasurementSecretContext: measurementSecret,
- constants.SSHCAKeySuffix: testCaKey,
 }},
 ca: stubCA{cert: testCert, nodeName: "node"},
 kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"},
@@ -162,57 +142,11 @@ func TestIssueJoinTicket(t *testing.T) { kms: stubKeyGetter{dataKeys: map[string][]byte{ uuid: testKey, attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testCaKey, }}, ca: stubCA{cert: testCert, nodeName: "node"}, kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, wantErr: true, }, - "CA data key to short": { - kubeadm: stubTokenGetter{token: testJoinToken}, - kms: stubKeyGetter{dataKeys: map[string][]byte{ - uuid: testKey, - attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testKey, - }}, - ca: stubCA{cert: testCert, nodeName: "node"}, - kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, - wantErr: true, - }, - "CA data key doesn't exist": { - kubeadm: stubTokenGetter{token: testJoinToken}, - kms: stubKeyGetter{dataKeys: map[string][]byte{ - uuid: testKey, - attestation.MeasurementSecretContext: measurementSecret, - }}, - ca: stubCA{cert: testCert, nodeName: "node"}, - kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, - wantErr: true, - }, - "Additional principals file is missing": { - kubeadm: stubTokenGetter{token: testJoinToken}, - kms: stubKeyGetter{dataKeys: map[string][]byte{ - uuid: testKey, - attestation.MeasurementSecretContext: measurementSecret, - constants.SSHCAKeySuffix: testCaKey, - }}, - ca: stubCA{cert: testCert, nodeName: "node"}, - kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, - missingAdditionalPrincipalsFile: true, - wantErr: true, - }, - "Host pubkey is missing": { - kubeadm: stubTokenGetter{token: testJoinToken}, - kms: stubKeyGetter{dataKeys: map[string][]byte{ - uuid: testKey, - attestation.MeasurementSecretContext: measurementSecret, - 
constants.SSHCAKeySuffix: testCaKey, - }}, - ca: stubCA{cert: testCert, nodeName: "node"}, - kubeClient: stubKubeClient{getComponentsVal: clusterComponents, getK8sComponentsRefFromNodeVersionCRDVal: "k8s-components-ref"}, - missingSSHHostKey: true, - wantErr: true, - }, } for name, tc := range testCases { @@ -222,11 +156,6 @@ func TestIssueJoinTicket(t *testing.T) { salt := []byte{0xA, 0xB, 0xC} - fh := file.NewHandler(afero.NewMemMapFs()) - if !tc.missingAdditionalPrincipalsFile { - require.NoError(fh.Write(constants.SSHAdditionalPrincipalsPath, []byte("*"), file.OptMkdirAll)) - } - api := Server{ measurementSalt: salt, ca: tc.ca, @@ -234,22 +163,13 @@ func TestIssueJoinTicket(t *testing.T) { dataKeyGetter: tc.kms, kubeClient: &tc.kubeClient, log: logger.NewTest(t), - fileHandler: fh, - } - - var keyToSend []byte - if tc.missingSSHHostKey { - keyToSend = nil - } else { - keyToSend = hostSSHPubKey.Marshal() } req := &joinproto.IssueJoinTicketRequest{ DiskUuid: "uuid", IsControlPlane: tc.isControlPlane, - HostPublicKey: keyToSend, } - resp, err := api.IssueJoinTicket(t.Context(), req) + resp, err := api.IssueJoinTicket(context.Background(), req) if tc.wantErr { assert.Error(err) return @@ -308,13 +228,12 @@ func TestIssueRejoinTicker(t *testing.T) { joinTokenGetter: stubTokenGetter{}, dataKeyGetter: tc.keyGetter, log: logger.NewTest(t), - fileHandler: file.NewHandler(afero.NewMemMapFs()), } req := &joinproto.IssueRejoinTicketRequest{ DiskUuid: uuid, } - resp, err := api.IssueRejoinTicket(t.Context(), req) + resp, err := api.IssueRejoinTicket(context.Background(), req) if tc.wantErr { assert.Error(err) return diff --git a/joinservice/internal/watcher/validator.go b/joinservice/internal/watcher/validator.go index 01d1c6f1f..2d6a3bd3b 100644 --- a/joinservice/internal/watcher/validator.go +++ b/joinservice/internal/watcher/validator.go 
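Review bot: The new side of `@@ -234,22 +163,13 @@` passes `context.Background()` to `api.IssueJoinTicket`, so the request context is never canceled when the test finishes, whereas the removed `t.Context()` was scoped to the test's lifetime. The same swap appears in `@@ -308,13 +228,12 @@` (IssueRejoinTicket), in the three validator_test.go hunks (where `testConnection` also lost its ctx parameter and now issues a real HTTP request with no deadline), and in the keyservice server_test.go hunk `@@ -32,23 +32,23 @@`. If the change is driven by the toolchain (`t.Context` is a Go 1.24 addition), a bounded context keeps the cleanup property: `ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)` followed by `defer cancel()` at the top of each test, passed in place of `context.Background()`. TestIssueJoinTicket starts outside this hunk.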
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package watcher diff --git a/joinservice/internal/watcher/validator_test.go b/joinservice/internal/watcher/validator_test.go index daecea3a1..efada4028 100644 --- a/joinservice/internal/watcher/validator_test.go +++ b/joinservice/internal/watcher/validator_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package watcher @@ -147,7 +147,7 @@ func TestUpdate(t *testing.T) { // test connection to server clientOID := variant.Dummy{} - resp, err := testConnection(t.Context(), require, server.URL, clientOID) + resp, err := testConnection(require, server.URL, clientOID) require.NoError(err) defer resp.Body.Close() body, err := io.ReadAll(resp.Body) @@ -159,7 +159,7 @@ func TestUpdate(t *testing.T) { require.NoError(validator.Update()) // client connection should fail now, since the server's validator expects a different OID from the client - resp, err = testConnection(t.Context(), require, server.URL, clientOID) + resp, err = testConnection(require, server.URL, clientOID) if err == nil { defer resp.Body.Close() } @@ -230,12 +230,12 @@ func TestUpdateConcurrency(t *testing.T) { wg.Wait() } -func testConnection(ctx context.Context, require *require.Assertions, url string, oid variant.Getter) (*http.Response, error) { +func testConnection(require *require.Assertions, url string, oid variant.Getter) (*http.Response, error) { clientConfig, err := atls.CreateAttestationClientTLSConfig(fakeIssuer{oid}, nil) require.NoError(err) client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}} - req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, http.NoBody) + req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody) require.NoError(err) return client.Do(req) } 
diff --git a/joinservice/internal/watcher/watcher.go b/joinservice/internal/watcher/watcher.go index 17b68ad21..3b0034edc 100644 --- a/joinservice/internal/watcher/watcher.go +++ b/joinservice/internal/watcher/watcher.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package watcher implements a file watcher to update an object on file changes. diff --git a/joinservice/internal/watcher/watcher_test.go b/joinservice/internal/watcher/watcher_test.go index 8c8b6dce4..b938ef95b 100644 --- a/joinservice/internal/watcher/watcher_test.go +++ b/joinservice/internal/watcher/watcher_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package watcher diff --git a/joinservice/joinproto/join.pb.go b/joinservice/joinproto/join.pb.go index a620ccbd5..bf5478c02 100644 --- a/joinservice/joinproto/join.pb.go +++ b/joinservice/joinproto/join.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 -// protoc v5.29.1 +// protoc-gen-go v1.35.2 +// protoc v5.29.0--rc2 // source: joinservice/joinproto/join.proto package joinproto @@ -16,7 +16,6 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" - unsafe "unsafe" ) const ( 
@@ -27,14 +26,13 @@ const ( ) type IssueJoinTicketRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"` - CertificateRequest []byte `protobuf:"bytes,2,opt,name=certificate_request,json=certificateRequest,proto3" json:"certificate_request,omitempty"` - IsControlPlane bool `protobuf:"varint,3,opt,name=is_control_plane,json=isControlPlane,proto3" json:"is_control_plane,omitempty"` - HostPublicKey []byte `protobuf:"bytes,4,opt,name=host_public_key,json=hostPublicKey,proto3" json:"host_public_key,omitempty"` - HostCertificatePrincipals []string `protobuf:"bytes,5,rep,name=host_certificate_principals,json=hostCertificatePrincipals,proto3" json:"host_certificate_principals,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"` + CertificateRequest []byte `protobuf:"bytes,2,opt,name=certificate_request,json=certificateRequest,proto3" json:"certificate_request,omitempty"` + IsControlPlane bool `protobuf:"varint,3,opt,name=is_control_plane,json=isControlPlane,proto3" json:"is_control_plane,omitempty"` } func (x *IssueJoinTicketRequest) Reset() { 
@@ -88,22 +86,11 @@ func (x *IssueJoinTicketRequest) GetIsControlPlane() bool { return false } -func (x *IssueJoinTicketRequest) GetHostPublicKey() []byte { - if x != nil { - return x.HostPublicKey - } - return nil -} - -func (x *IssueJoinTicketRequest) GetHostCertificatePrincipals() []string { - if x != nil { - return x.HostCertificatePrincipals - } - return nil -} - type IssueJoinTicketResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"` MeasurementSalt []byte `protobuf:"bytes,2,opt,name=measurement_salt,json=measurementSalt,proto3" json:"measurement_salt,omitempty"` MeasurementSecret []byte `protobuf:"bytes,3,opt,name=measurement_secret,json=measurementSecret,proto3" json:"measurement_secret,omitempty"` @@ -114,10 +101,6 @@ type IssueJoinTicketResponse struct { ControlPlaneFiles []*ControlPlaneCertOrKey `protobuf:"bytes,8,rep,name=control_plane_files,json=controlPlaneFiles,proto3" json:"control_plane_files,omitempty"` KubernetesVersion string `protobuf:"bytes,9,opt,name=kubernetes_version,json=kubernetesVersion,proto3" json:"kubernetes_version,omitempty"` KubernetesComponents []*components.Component `protobuf:"bytes,10,rep,name=kubernetes_components,json=kubernetesComponents,proto3" json:"kubernetes_components,omitempty"` - AuthorizedCaPublicKey []byte `protobuf:"bytes,11,opt,name=authorized_ca_public_key,json=authorizedCaPublicKey,proto3" json:"authorized_ca_public_key,omitempty"` - HostCertificate []byte `protobuf:"bytes,12,opt,name=host_certificate,json=hostCertificate,proto3" json:"host_certificate,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache } func (x *IssueJoinTicketResponse) Reset() { 
@@ -220,26 +203,13 @@ func (x *IssueJoinTicketResponse) GetKubernetesComponents() []*components.Compon return nil } -func (x *IssueJoinTicketResponse) GetAuthorizedCaPublicKey() []byte { - if x != nil { - return x.AuthorizedCaPublicKey - } - return nil -} - -func (x *IssueJoinTicketResponse) GetHostCertificate() []byte { - if x != nil { - return x.HostCertificate - } - return nil -} - type ControlPlaneCertOrKey struct { - state protoimpl.MessageState `protogen:"open.v1"` - Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` - Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` } func (x *ControlPlaneCertOrKey) Reset() { @@ -287,10 +257,11 @@ func (x *ControlPlaneCertOrKey) GetData() []byte { } type IssueRejoinTicketRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"` } func (x *IssueRejoinTicketRequest) Reset() { 
@@ -331,11 +302,12 @@ func (x *IssueRejoinTicketRequest) GetDiskUuid() string { } type IssueRejoinTicketResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"` - MeasurementSecret []byte `protobuf:"bytes,2,opt,name=measurement_secret,json=measurementSecret,proto3" json:"measurement_secret,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"` + MeasurementSecret []byte `protobuf:"bytes,2,opt,name=measurement_secret,json=measurementSecret,proto3" json:"measurement_secret,omitempty"` } func (x *IssueRejoinTicketResponse) Reset() { 
@@ -384,49 +356,96 @@ func (x *IssueRejoinTicketResponse) GetMeasurementSecret() []byte { var File_joinservice_joinproto_join_proto protoreflect.FileDescriptor -const file_joinservice_joinproto_join_proto_rawDesc = "" + - "\n" + - " joinservice/joinproto/join.proto\x12\x04join\x1a-internal/versions/components/components.proto\"\xf8\x01\n" + - "\x16IssueJoinTicketRequest\x12\x1b\n" + - "\tdisk_uuid\x18\x01 \x01(\tR\bdiskUuid\x12/\n" + - "\x13certificate_request\x18\x02 \x01(\fR\x12certificateRequest\x12(\n" + - "\x10is_control_plane\x18\x03 \x01(\bR\x0eisControlPlane\x12&\n" + - "\x0fhost_public_key\x18\x04 \x01(\fR\rhostPublicKey\x12>\n" + - "\x1bhost_certificate_principals\x18\x05 \x03(\tR\x19hostCertificatePrincipals\"\xf2\x04\n" + - "\x17IssueJoinTicketResponse\x12$\n" + - "\x0estate_disk_key\x18\x01 \x01(\fR\fstateDiskKey\x12)\n" + - "\x10measurement_salt\x18\x02 \x01(\fR\x0fmeasurementSalt\x12-\n" + - "\x12measurement_secret\x18\x03 \x01(\fR\x11measurementSecret\x12!\n" + - "\fkubelet_cert\x18\x04 \x01(\fR\vkubeletCert\x12.\n" + - "\x13api_server_endpoint\x18\x05 \x01(\tR\x11apiServerEndpoint\x12\x14\n" + - "\x05token\x18\x06 \x01(\tR\x05token\x12>\n" + - "\x1cdiscovery_token_ca_cert_hash\x18\a \x01(\tR\x18discoveryTokenCaCertHash\x12O\n" + - "\x13control_plane_files\x18\b \x03(\v2\x1f.join.control_plane_cert_or_keyR\x11controlPlaneFiles\x12-\n" + - "\x12kubernetes_version\x18\t \x01(\tR\x11kubernetesVersion\x12J\n" + - "\x15kubernetes_components\x18\n" + - " \x03(\v2\x15.components.ComponentR\x14kubernetesComponents\x127\n" + - "\x18authorized_ca_public_key\x18\v \x01(\fR\x15authorizedCaPublicKey\x12)\n" + - "\x10host_certificate\x18\f \x01(\fR\x0fhostCertificate\"C\n" + - "\x19control_plane_cert_or_key\x12\x12\n" + - "\x04name\x18\x01 \x01(\tR\x04name\x12\x12\n" + - "\x04data\x18\x02 \x01(\fR\x04data\"7\n" + - "\x18IssueRejoinTicketRequest\x12\x1b\n" + - "\tdisk_uuid\x18\x01 \x01(\tR\bdiskUuid\"p\n" + - "\x19IssueRejoinTicketResponse\x12$\n" + - 
"\x0estate_disk_key\x18\x01 \x01(\fR\fstateDiskKey\x12-\n" + - "\x12measurement_secret\x18\x02 \x01(\fR\x11measurementSecret2\xab\x01\n" + - "\x03API\x12N\n" + - "\x0fIssueJoinTicket\x12\x1c.join.IssueJoinTicketRequest\x1a\x1d.join.IssueJoinTicketResponse\x12T\n" + - "\x11IssueRejoinTicket\x12\x1e.join.IssueRejoinTicketRequest\x1a\x1f.join.IssueRejoinTicketResponseB?Z=github.com/edgelesssys/constellation/v2/joinservice/joinprotob\x06proto3" +var file_joinservice_joinproto_join_proto_rawDesc = []byte{ + 0x0a, 0x20, 0x6a, 0x6f, 0x69, 0x6e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6a, 0x6f, + 0x69, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x12, 0x04, 0x6a, 0x6f, 0x69, 0x6e, 0x1a, 0x2d, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, + 0x61, 0x6c, 0x2f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x70, + 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, + 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x90, 0x01, 0x0a, 0x16, 0x49, 0x73, 0x73, 0x75, + 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x69, 0x73, 0x6b, 0x55, 0x75, 0x69, 0x64, 0x12, + 0x2f, 0x0a, 0x13, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x72, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x12, 0x63, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x12, 0x28, 0x0a, 0x10, 0x69, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70, + 0x6c, 0x61, 0x6e, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x69, 0x73, 0x43, 0x6f, + 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x22, 0x8e, 0x04, 0x0a, 0x17, 0x49, + 0x73, 0x73, 0x75, 
0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, + 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, + 0x73, 0x74, 0x61, 0x74, 0x65, 0x44, 0x69, 0x73, 0x6b, 0x4b, 0x65, 0x79, 0x12, 0x29, 0x0a, 0x10, + 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x61, 0x6c, 0x74, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, + 0x65, 0x6e, 0x74, 0x53, 0x61, 0x6c, 0x74, 0x12, 0x2d, 0x0a, 0x12, 0x6d, 0x65, 0x61, 0x73, 0x75, + 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x0c, 0x52, 0x11, 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x21, 0x0a, 0x0c, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, + 0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x6b, 0x75, + 0x62, 0x65, 0x6c, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x12, 0x2e, 0x0a, 0x13, 0x61, 0x70, 0x69, + 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, + 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x61, 0x70, 0x69, 0x53, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, + 0x65, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12, + 0x3e, 0x0a, 0x1c, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x5f, 0x74, 0x6f, 0x6b, + 0x65, 0x6e, 0x5f, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, + 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, + 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x43, 0x61, 0x43, 0x65, 0x72, 0x74, 0x48, 0x61, 0x73, 0x68, 0x12, + 0x4f, 0x0a, 0x13, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 
0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, + 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x6a, + 0x6f, 0x69, 0x6e, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, + 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6f, 0x72, 0x5f, 0x6b, 0x65, 0x79, 0x52, 0x11, 0x63, + 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x46, 0x69, 0x6c, 0x65, 0x73, + 0x12, 0x2d, 0x0a, 0x12, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x76, + 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x75, + 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, + 0x4a, 0x0a, 0x15, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x63, 0x6f, + 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, + 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x43, 0x6f, 0x6d, 0x70, + 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x52, 0x14, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, + 0x73, 0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x43, 0x0a, 0x19, 0x63, + 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x5f, 0x63, 0x65, 0x72, + 0x74, 0x5f, 0x6f, 0x72, 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, + 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, + 0x22, 0x37, 0x0a, 0x18, 0x49, 0x73, 0x73, 0x75, 0x65, 0x52, 0x65, 0x6a, 0x6f, 0x69, 0x6e, 0x54, + 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1b, 0x0a, 0x09, + 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x08, 0x64, 0x69, 0x73, 0x6b, 0x55, 0x75, 0x69, 0x64, 0x22, 0x70, 0x0a, 0x19, 0x49, 0x73, 
0x73, + 0x75, 0x65, 0x52, 0x65, 0x6a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, + 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, + 0x73, 0x74, 0x61, 0x74, 0x65, 0x44, 0x69, 0x73, 0x6b, 0x4b, 0x65, 0x79, 0x12, 0x2d, 0x0a, 0x12, + 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x72, + 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x11, 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, + 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x32, 0xab, 0x01, 0x0a, 0x03, + 0x41, 0x50, 0x49, 0x12, 0x4e, 0x0a, 0x0f, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, + 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x1c, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49, 0x73, + 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49, 0x73, 0x73, 0x75, + 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x54, 0x0a, 0x11, 0x49, 0x73, 0x73, 0x75, 0x65, 0x52, 0x65, 0x6a, 0x6f, + 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x1e, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, + 0x49, 0x73, 0x73, 0x75, 0x65, 0x52, 0x65, 0x6a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, + 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, + 0x49, 0x73, 0x73, 0x75, 0x65, 0x52, 0x65, 0x6a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, + 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3f, 0x5a, 0x3d, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, + 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x32, 0x2f, 
0x6a, 0x6f, 0x69, 0x6e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, +} var ( file_joinservice_joinproto_join_proto_rawDescOnce sync.Once - file_joinservice_joinproto_join_proto_rawDescData []byte + file_joinservice_joinproto_join_proto_rawDescData = file_joinservice_joinproto_join_proto_rawDesc ) func file_joinservice_joinproto_join_proto_rawDescGZIP() []byte { file_joinservice_joinproto_join_proto_rawDescOnce.Do(func() { - file_joinservice_joinproto_join_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_joinservice_joinproto_join_proto_rawDesc), len(file_joinservice_joinproto_join_proto_rawDesc))) + file_joinservice_joinproto_join_proto_rawDescData = protoimpl.X.CompressGZIP(file_joinservice_joinproto_join_proto_rawDescData) }) return file_joinservice_joinproto_join_proto_rawDescData } @@ -463,7 +482,7 @@ func file_joinservice_joinproto_join_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_joinservice_joinproto_join_proto_rawDesc), len(file_joinservice_joinproto_join_proto_rawDesc)), + RawDescriptor: file_joinservice_joinproto_join_proto_rawDesc, NumEnums: 0, NumMessages: 5, NumExtensions: 0, @@ -474,6 +493,7 @@ func file_joinservice_joinproto_join_proto_init() { MessageInfos: file_joinservice_joinproto_join_proto_msgTypes, }.Build() File_joinservice_joinproto_join_proto = out.File + file_joinservice_joinproto_join_proto_rawDesc = nil file_joinservice_joinproto_join_proto_goTypes = nil file_joinservice_joinproto_join_proto_depIdxs = nil } diff --git a/joinservice/joinproto/join.proto b/joinservice/joinproto/join.proto index eed1163a6..2a910a039 100644 --- a/joinservice/joinproto/join.proto +++ b/joinservice/joinproto/join.proto 
@@ -20,10 +20,6 @@ message IssueJoinTicketRequest { bytes certificate_request = 2; // is_control_plane indicates whether the node is a control-plane node. bool is_control_plane = 3; - // host_public_key is the public host key that should be signed. - bytes host_public_key = 4; - // host_certificate_principals are principals that should be added to the host certificate. - repeated string host_certificate_principals = 5; } message IssueJoinTicketResponse { @@ -49,10 +45,6 @@ message IssueJoinTicketResponse { string kubernetes_version = 9; // kubernetes_components is a list of components to install on the node. repeated components.Component kubernetes_components = 10; - // authorized_ca_public_key is an ssh ca key that can be used to connect to a node in case of an emergency. - bytes authorized_ca_public_key = 11; - // host_certificate is the certificate that can be used to verify a nodes host key. - bytes host_certificate = 12; } message control_plane_cert_or_key { diff --git a/keyservice/cmd/main.go b/keyservice/cmd/main.go index 0c3193b16..756509a93 100644 --- a/keyservice/cmd/main.go +++ b/keyservice/cmd/main.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/keyservice/internal/server/server.go b/keyservice/internal/server/server.go index 0391cd46b..8ff9bed8a 100644 --- a/keyservice/internal/server/server.go +++ b/keyservice/internal/server/server.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package server implements an API to manage encryption keys. diff --git a/keyservice/internal/server/server_test.go b/keyservice/internal/server/server_test.go index 505398e97..f5c2b2d3b 100644 --- a/keyservice/internal/server/server_test.go +++ b/keyservice/internal/server/server_test.go 
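Review bot: The messages on the new side of `@@ -20,10 +20,6 @@` and `@@ -49,10 +45,6 @@` drop fields 4/5 and 11/12 without reserving them, so a later edit can reassign those numbers and a peer still built from the old schema would have its `host_public_key` or `authorized_ca_public_key` bytes decoded into whatever field takes the number. Adding `reserved 4, 5; reserved "host_public_key", "host_certificate_principals";` to IssueJoinTicketRequest and `reserved 11, 12; reserved "authorized_ca_public_key", "host_certificate";` to IssueJoinTicketResponse makes protoc reject such reuse. Both message definitions start outside their hunks.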
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package server @@ -32,23 +32,23 @@ func TestGetDataKey(t *testing.T) { kms := &stubKMS{derivedKey: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5}} api := New(log, kms) - res, err := api.GetDataKey(t.Context(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32}) + res, err := api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32}) require.NoError(err) assert.Equal(kms.derivedKey, res.DataKey) // Test no data key id - res, err = api.GetDataKey(t.Context(), &keyserviceproto.GetDataKeyRequest{Length: 32}) + res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{Length: 32}) require.Error(err) assert.Nil(res) // Test no / zero key length - res, err = api.GetDataKey(t.Context(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1"}) + res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1"}) require.Error(err) assert.Nil(res) // Test derive key error api = New(log, &stubKMS{deriveKeyErr: errors.New("error")}) - res, err = api.GetDataKey(t.Context(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32}) + res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32}) assert.Error(err) assert.Nil(res) } diff --git a/keyservice/keyserviceproto/keyservice.pb.go b/keyservice/keyserviceproto/keyservice.pb.go index ee7a23ff2..c311c035a 100644 --- a/keyservice/keyserviceproto/keyservice.pb.go +++ b/keyservice/keyserviceproto/keyservice.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 -// protoc v5.29.1 +// protoc-gen-go v1.35.2 +// protoc v5.29.0--rc2 // source: keyservice/keyserviceproto/keyservice.proto package keyserviceproto 
@@ -15,7 +15,6 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" - unsafe "unsafe" ) const ( @@ -26,11 +25,12 @@ const ( ) type GetDataKeyRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - DataKeyId string `protobuf:"bytes,1,opt,name=data_key_id,json=dataKeyId,proto3" json:"data_key_id,omitempty"` - Length uint32 `protobuf:"varint,2,opt,name=length,proto3" json:"length,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DataKeyId string `protobuf:"bytes,1,opt,name=data_key_id,json=dataKeyId,proto3" json:"data_key_id,omitempty"` + Length uint32 `protobuf:"varint,2,opt,name=length,proto3" json:"length,omitempty"` } func (x *GetDataKeyRequest) Reset() { @@ -78,10 +78,11 @@ func (x *GetDataKeyRequest) GetLength() uint32 { } type GetDataKeyResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - DataKey []byte `protobuf:"bytes,1,opt,name=data_key,json=dataKey,proto3" json:"data_key,omitempty"` - unknownFields protoimpl.UnknownFields + state protoimpl.MessageState sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DataKey []byte `protobuf:"bytes,1,opt,name=data_key,json=dataKey,proto3" json:"data_key,omitempty"` } func (x *GetDataKeyResponse) Reset() { 
@@ -123,26 +124,38 @@ func (x *GetDataKeyResponse) GetDataKey() []byte { var File_keyservice_keyserviceproto_keyservice_proto protoreflect.FileDescriptor -const file_keyservice_keyserviceproto_keyservice_proto_rawDesc = "" + - "\n" + - "+keyservice/keyserviceproto/keyservice.proto\x12\x03kms\"K\n" + - "\x11GetDataKeyRequest\x12\x1e\n" + - "\vdata_key_id\x18\x01 \x01(\tR\tdataKeyId\x12\x16\n" + - "\x06length\x18\x02 \x01(\rR\x06length\"/\n" + - "\x12GetDataKeyResponse\x12\x19\n" + - "\bdata_key\x18\x01 \x01(\fR\adataKey2D\n" + - "\x03API\x12=\n" + - "\n" + - "GetDataKey\x12\x16.kms.GetDataKeyRequest\x1a\x17.kms.GetDataKeyResponseBDZBgithub.com/edgelesssys/constellation/v2/keyservice/keyserviceprotob\x06proto3" +var file_keyservice_keyserviceproto_keyservice_proto_rawDesc = []byte{ + 0x0a, 0x2b, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6b, 0x65, 0x79, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6b, 0x65, 0x79, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x03, 0x6b, + 0x6d, 0x73, 0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b, 0x64, 0x61, 0x74, 0x61, 0x5f, + 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x64, 0x61, + 0x74, 0x61, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, + 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x22, + 0x2f, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, + 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, + 0x32, 0x44, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x3d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x44, 0x61, + 0x74, 0x61, 0x4b, 0x65, 0x79, 
0x12, 0x16, 0x2e, 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, + 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, + 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x44, 0x5a, 0x42, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, + 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, + 0x32, 0x2f, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6b, 0x65, 0x79, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, +} var ( file_keyservice_keyserviceproto_keyservice_proto_rawDescOnce sync.Once - file_keyservice_keyserviceproto_keyservice_proto_rawDescData []byte + file_keyservice_keyserviceproto_keyservice_proto_rawDescData = file_keyservice_keyserviceproto_keyservice_proto_rawDesc ) func file_keyservice_keyserviceproto_keyservice_proto_rawDescGZIP() []byte { file_keyservice_keyserviceproto_keyservice_proto_rawDescOnce.Do(func() { - file_keyservice_keyserviceproto_keyservice_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_keyservice_keyserviceproto_keyservice_proto_rawDesc), len(file_keyservice_keyserviceproto_keyservice_proto_rawDesc))) + file_keyservice_keyserviceproto_keyservice_proto_rawDescData = protoimpl.X.CompressGZIP(file_keyservice_keyserviceproto_keyservice_proto_rawDescData) }) return file_keyservice_keyserviceproto_keyservice_proto_rawDescData } 
@@ -171,7 +184,7 @@ func file_keyservice_keyserviceproto_keyservice_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_keyservice_keyserviceproto_keyservice_proto_rawDesc), len(file_keyservice_keyserviceproto_keyservice_proto_rawDesc)), + RawDescriptor: file_keyservice_keyserviceproto_keyservice_proto_rawDesc, NumEnums: 0, NumMessages: 2, NumExtensions: 0, @@ -182,6 +195,7 @@ func file_keyservice_keyserviceproto_keyservice_proto_init() { MessageInfos: file_keyservice_keyserviceproto_keyservice_proto_msgTypes, }.Build() File_keyservice_keyserviceproto_keyservice_proto = out.File + file_keyservice_keyserviceproto_keyservice_proto_rawDesc = nil file_keyservice_keyserviceproto_keyservice_proto_goTypes = nil file_keyservice_keyserviceproto_keyservice_proto_depIdxs = nil } diff --git a/measurement-reader/cmd/main.go b/measurement-reader/cmd/main.go index 144babd6f..9bdc44332 100644 --- a/measurement-reader/cmd/main.go +++ b/measurement-reader/cmd/main.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/measurement-reader/internal/sorted/sorted.go b/measurement-reader/internal/sorted/sorted.go index 21970be9e..242aeff92 100644 --- a/measurement-reader/internal/sorted/sorted.go +++ b/measurement-reader/internal/sorted/sorted.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package sorted defines a type for print-friendly sorted measurements and allows sorting TPM and TDX measurements. diff --git a/measurement-reader/internal/sorted/sorted_test.go b/measurement-reader/internal/sorted/sorted_test.go index 2c5ee11bd..6f64fc418 100644 --- a/measurement-reader/internal/sorted/sorted_test.go +++ b/measurement-reader/internal/sorted/sorted_test.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package sorted diff --git a/measurement-reader/internal/tdx/tdx.go b/measurement-reader/internal/tdx/tdx.go index 62b8ed5b9..9c90aa8df 100644 --- a/measurement-reader/internal/tdx/tdx.go +++ b/measurement-reader/internal/tdx/tdx.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package tdx reads measurements from an Intel TDX guest. diff --git a/measurement-reader/internal/tpm/tpm.go b/measurement-reader/internal/tpm/tpm.go index b5c68b85d..c9de69533 100644 --- a/measurement-reader/internal/tpm/tpm.go +++ b/measurement-reader/internal/tpm/tpm.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package tpm reads measurements from a TPM. diff --git a/nix/container/libvirtd_base.nix b/nix/container/libvirtd_base.nix index f58a2366a..5ebaf3e91 100644 --- a/nix/container/libvirtd_base.nix +++ b/nix/container/libvirtd_base.nix @@ -62,22 +62,12 @@ let ''; startScript = pkgsLinux.writeShellApplication { name = "start.sh"; - runtimeInputs = let nixpkgs24_11 = import "${pkgs.fetchFromGitHub { - # Pinned release which contains swtpm v0.8.2 - # Newer versions of NixOS package swtpm v0.10.0 with https://github.com/stefanberger/swtpm/pull/896 - # This release breaks MiniConstellation since either libvirt, or the Terraform libvirt provider - # tries to apply the TPM config twice, resulting in an error during the setup phase - owner = "NixOS"; - repo = "nixpkgs"; - tag = "24.11"; - hash = "sha256-CqCX4JG7UiHvkrBTpYC3wcEurvbtTADLbo3Ns2CEoL8="; - }}"{system = "x86_64-linux";}; in - with pkgsLinux; [ + runtimeInputs = with pkgsLinux; [ shadow coreutils libvirt qemu - nixpkgs24_11.swtpm + swtpm ]; text = '' set -euo pipefail 
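Review bot: `runtimeInputs` now takes `swtpm` from `pkgsLinux` without recording which swtpm version the start script is known to work with; the removed block carried that constraint (swtpm v0.8.2 works, v0.10.0 with https://github.com/stefanberger/swtpm/pull/896 breaks the TPM setup in MiniConstellation). If the flake's pinned nixpkgs input is what now guarantees a compatible version, a comment on the `swtpm` entry such as `# swtpm must stay below v0.10.0 (stefanberger/swtpm#896 breaks the libvirt TPM setup); version is fixed by the pinned nixpkgs input` keeps that visible for the next nixpkgs bump. Whether `pkgsLinux.swtpm` currently resolves to a compatible version cannot be verified from the diff. The enclosing `let` block starts above the hunk.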
diff --git a/nix/lib/by-name/constellationRepoRoot/package.nix b/nix/lib/by-name/constellationRepoRoot/package.nix deleted file mode 100644 index 38c9cdefa..000000000 --- a/nix/lib/by-name/constellationRepoRoot/package.nix +++ /dev/null @@ -1,3 +0,0 @@ -# Returns a reference to the root path of the Constellation repository. - -_: ../../../../. diff --git a/nix/lib/by-name/constellationRepoRootSrc/package.nix b/nix/lib/by-name/constellationRepoRootSrc/package.nix deleted file mode 100644 index 462df7ab1..000000000 --- a/nix/lib/by-name/constellationRepoRootSrc/package.nix +++ /dev/null @@ -1,12 +0,0 @@ -# Returns a package set originating from the root of the Constellation repository. -# The `files` attribute is a list of paths relative to the root of the repository. - -{ lib }: -files: -let - filteredFiles = lib.map (subpath: lib.path.append lib.constellationRepoRoot subpath) files; -in -lib.fileset.toSource { - root = lib.constellationRepoRoot; - fileset = lib.fileset.unions filteredFiles; -} diff --git a/nix/lib/by-name/constellationVersion/package.nix b/nix/lib/by-name/constellationVersion/package.nix deleted file mode 100644 index b65ebe85e..000000000 --- a/nix/lib/by-name/constellationVersion/package.nix +++ /dev/null @@ -1,3 +0,0 @@ -# Returns the current Continuum version, as defined in `version.txt`. - -{ lib }: builtins.readFile (lib.path.append lib.constellationRepoRoot "version.txt") diff --git a/nix/lib/default.nix b/nix/lib/default.nix deleted file mode 100644 index bd731cbf3..000000000 --- a/nix/lib/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - lib, - callPackage, -}: -lib.packagesFromDirectoryRecursive { - inherit callPackage; - directory = ./by-name; -} diff --git a/nix/packages/by-name/buildConstellationGoModule/package.nix b/nix/packages/by-name/buildConstellationGoModule/package.nix deleted file mode 100644 index b58d020e0..000000000 --- a/nix/packages/by-name/buildConstellationGoModule/package.nix +++ /dev/null 
@@ -1,26 +0,0 @@ -# A 'wrapped' Go builder for Constellation, which doesn't require a `vendorHash` to be set in each package. -# Instead, one central vendor hash is set here, and all packages inherit it. - -{ - buildGo124Module, - constellation-canonical-go-package, -}: -args: -(buildGo124Module ( - { - # We run tests in CI, so don't run them at build time. - doCheck = false; - - # Disable CGO by default. - env.CGO_ENABLED = "0"; - } - // args -)).overrideAttrs - (_oldAttrs: { - inherit (constellation-canonical-go-package) - goModules - vendorHash - proxyVendor - deleteVendor - ; - }) diff --git a/nix/packages/by-name/constellation-canonical-go-package/package.nix b/nix/packages/by-name/constellation-canonical-go-package/package.nix deleted file mode 100644 index 0fd299ffd..000000000 --- a/nix/packages/by-name/constellation-canonical-go-package/package.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ - lib, - buildGo124Module, -}: -buildGo124Module { - pname = "constellation-canonical-go-package"; - version = lib.constellationVersion; - - src = lib.constellationRepoRootSrc [ - "go.mod" - "go.sum" - ]; - - vendorHash = "sha256-McWiTTz1HTdG3x0LI87CF6oTRFtxSiV3LCCBJb9YG4U="; - - doCheck = false; - - proxyVendor = true; -} diff --git a/nix/packages/default.nix b/nix/packages/default.nix deleted file mode 100644 index bd731cbf3..000000000 --- a/nix/packages/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - lib, - callPackage, -}: -lib.packagesFromDirectoryRecursive { - inherit callPackage; - directory = ./by-name; -} diff --git a/operators/constellation-node-operator/Makefile b/operators/constellation-node-operator/Makefile index 777b1ecb1..ca2bd0906 100644 --- a/operators/constellation-node-operator/Makefile +++ b/operators/constellation-node-operator/Makefile 
@@ -86,11 +86,11 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./" output:crd:artifacts:config=config/crd/bases .PHONY: generate generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. - $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." + $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./" .PHONY: fmt fmt: ## Run go fmt against code. @@ -162,7 +162,7 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ## Tool Versions KUSTOMIZE_VERSION ?= v3.8.7 -CONTROLLER_TOOLS_VERSION ?= v0.16.4 +CONTROLLER_TOOLS_VERSION ?= v0.9.0 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" .PHONY: kustomize diff --git a/operators/constellation-node-operator/api/LICENSE b/operators/constellation-node-operator/api/LICENSE new file mode 100644 index 000000000..be3f7b28e --- /dev/null +++ b/operators/constellation-node-operator/api/LICENSE 
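Review bot: `paths="./"` in the `manifests` and `generate` targets makes controller-gen scan only the module root package rather than its subpackages, so if the CRD types or RBAC/webhook markers live in `api/` or `controllers/` (this commit adds a file under `api/`), the generated CRDs, ClusterRole and DeepCopy methods would silently omit them. If restricting generation to the root is intended, a comment above the two targets such as `# paths="./" on purpose: all kubebuilder markers live in the root package` would stop the next maintainer from changing it without checking. Separately, in the second hunk `KUSTOMIZE_INSTALL_SCRIPT` still fetches from the `master` branch, so unlike `CONTROLLER_TOOLS_VERSION` the kustomize install is not pinned to a reviewed revision.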
@@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. 
+The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. 
+ + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. 
+ + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. 
The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. 
+ + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. 
+ + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. 
This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. 
For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. 
Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. 
+ + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. 
+ + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. 
Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. 
+ + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. 
+ + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. 
+ + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. 
+ + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. 
There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+.
diff --git a/operators/constellation-node-operator/api/api.go b/operators/constellation-node-operator/api/api.go
index 3fb0031d6..83a9f7547 100644
--- a/operators/constellation-node-operator/api/api.go
+++ b/operators/constellation-node-operator/api/api.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/operators/constellation-node-operator/api/v1alpha1/autoscalingstrategy_types.go b/operators/constellation-node-operator/api/v1alpha1/autoscalingstrategy_types.go
index 5e1a72430..590450583 100644
--- a/operators/constellation-node-operator/api/v1alpha1/autoscalingstrategy_types.go
+++ b/operators/constellation-node-operator/api/v1alpha1/autoscalingstrategy_types.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package v1alpha1
diff --git a/operators/constellation-node-operator/api/v1alpha1/groupversion_info.go b/operators/constellation-node-operator/api/v1alpha1/groupversion_info.go
index e6a051566..a38fbef44 100644
--- a/operators/constellation-node-operator/api/v1alpha1/groupversion_info.go
+++ b/operators/constellation-node-operator/api/v1alpha1/groupversion_info.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // Package v1alpha1 contains API Schema definitions for the update v1alpha1 API group
diff --git a/operators/constellation-node-operator/api/v1alpha1/joiningnodes_types.go b/operators/constellation-node-operator/api/v1alpha1/joiningnodes_types.go
index e3e3a2cc9..0eed07a7d 100644
--- a/operators/constellation-node-operator/api/v1alpha1/joiningnodes_types.go
+++ b/operators/constellation-node-operator/api/v1alpha1/joiningnodes_types.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package v1alpha1
diff --git a/operators/constellation-node-operator/api/v1alpha1/nodeversion_types.go b/operators/constellation-node-operator/api/v1alpha1/nodeversion_types.go
index 33d358674..f5d81dfed 100644
--- a/operators/constellation-node-operator/api/v1alpha1/nodeversion_types.go
+++ b/operators/constellation-node-operator/api/v1alpha1/nodeversion_types.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package v1alpha1
diff --git a/operators/constellation-node-operator/api/v1alpha1/pendingnode_types.go b/operators/constellation-node-operator/api/v1alpha1/pendingnode_types.go
index 720bd6f5a..62261b984 100644
--- a/operators/constellation-node-operator/api/v1alpha1/pendingnode_types.go
+++ b/operators/constellation-node-operator/api/v1alpha1/pendingnode_types.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package v1alpha1
diff --git a/operators/constellation-node-operator/api/v1alpha1/scalinggroup_types.go b/operators/constellation-node-operator/api/v1alpha1/scalinggroup_types.go
index 3c58bcff0..a2c50a453 100644
--- a/operators/constellation-node-operator/api/v1alpha1/scalinggroup_types.go
+++ b/operators/constellation-node-operator/api/v1alpha1/scalinggroup_types.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package v1alpha1
diff --git a/operators/constellation-node-operator/api/v1alpha1/zz_generated.deepcopy.go b/operators/constellation-node-operator/api/v1alpha1/zz_generated.deepcopy.go
index b25cfc280..198fc055c 100644
--- a/operators/constellation-node-operator/api/v1alpha1/zz_generated.deepcopy.go
+++ b/operators/constellation-node-operator/api/v1alpha1/zz_generated.deepcopy.go
@@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated
 // Code generated by controller-gen. DO NOT EDIT.
diff --git a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_autoscalingstrategies.yaml b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_autoscalingstrategies.yaml
index 9156e3e71..6a014a394 100644
--- a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_autoscalingstrategies.yaml
+++ b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_autoscalingstrategies.yaml
@@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.4
+ controller-gen.kubebuilder.io/version: v0.9.0
+ creationTimestamp: null
 name: autoscalingstrategies.update.edgeless.systems
 spec:
 group: update.edgeless.systems
@@ -21,19 +22,14 @@ spec: API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object diff --git a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_joiningnodes.yaml b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_joiningnodes.yaml index 1beca7221..9c8e9e5a2 100644 --- a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_joiningnodes.yaml +++ b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_joiningnodes.yaml 
@@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: joiningnodes.update.edgeless.systems spec: group: update.edgeless.systems @@ -20,19 +21,14 @@ spec: description: JoiningNode is the Schema for the joiningnodes API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object diff --git a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_nodeversions.yaml b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_nodeversions.yaml index 4b7f7b7e0..e4c435ec1 100644 
--- a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_nodeversions.yaml +++ b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_nodeversions.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: nodeversions.update.edgeless.systems spec: group: update.edgeless.systems @@ -20,19 +21,14 @@ spec: description: NodeVersion is the Schema for the nodeversions API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -66,49 +62,65 @@ spec: description: AwaitingAnnotation is a list of nodes that are waiting for the operator to annotate them. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array budget: description: Budget is the amount of extra nodes that can be created 
@@ -119,35 +131,43 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: Condition contains details for one aspect of the current - state of this API Resource. + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -162,6 +182,10 @@ spec: type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -177,386 +201,514 @@ spec: description: Donors is a list of outdated nodes that donate labels to heirs. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array heirs: description: Heirs is a list of nodes using the latest image that still need to inherit labels from donors. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. 
Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array invalid: description: Invalid is a list of invalid nodes (nodes that cannot be processed by the operator due to missing information or transient faults). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. 
\n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array mints: description: Mints is a list of up to date nodes that will become heirs. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. 
For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). 
This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array obsolete: description: Obsolete is a list of obsolete nodes (nodes that have been created by the operator but are no longer needed). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. 
In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' 
type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array outdated: description: Outdated is a list of nodes that are using an outdated image. items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. 
+ description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array pending: description: Pending is a list of pending nodes (joining or leaving the cluster). items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. 
The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). 
This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array upToDate: description: UpToDate is a list of nodes that are using the latest image and labels. 
items: - description: ObjectReference contains enough information to let - you inspect or modify the referred object. + description: "ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. Invalid + usage help. It is impossible to add specific help for individual + usage. In most embedded usages, there are particular restrictions + like, \"must refer only to types A and B\" or \"UID not honored\" + or \"name must be restricted\". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don't make new APIs embed an underspecified + API type they do not control. \n Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. 
type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object - x-kubernetes-map-type: atomic type: array required: - activeclusterversionupgrade diff --git a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_pendingnodes.yaml b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_pendingnodes.yaml index c6cd2db6a..7c5b5618b 100644 --- a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_pendingnodes.yaml +++ b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_pendingnodes.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: pendingnodes.update.edgeless.systems spec: group: update.edgeless.systems 
@@ -20,19 +21,14 @@ spec: description: PendingNode is the Schema for the pendingnodes API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -40,11 +36,10 @@ spec: description: PendingNodeSpec defines the desired state of PendingNode. properties: deadline: - description: |- - Deadline is the deadline for reaching the goal state. - Joining nodes will be terminated if the deadline is exceeded. - Leaving nodes will remain as unschedulable to prevent data loss. - If not specified, the node may remain in the pending state indefinitely. + description: Deadline is the deadline for reaching the goal state. + Joining nodes will be terminated if the deadline is exceeded. Leaving + nodes will remain as unschedulable to prevent data loss. If not + specified, the node may remain in the pending state indefinitely. format: date-time type: string goal: diff --git a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_scalinggroups.yaml b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_scalinggroups.yaml index 5eed4ebc8..0f87fbab1 100644 --- a/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_scalinggroups.yaml +++ b/operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_scalinggroups.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: scalinggroups.update.edgeless.systems spec: group: update.edgeless.systems 
@@ -20,19 +21,14 @@ spec: description: ScalingGroup is the Schema for the scalinggroups API. properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -61,8 +57,8 @@ spec: format: int32 type: integer nodeGroupName: - description: NodeGroupName is the human friendly name of the node - group as defined in the Constellation configuration. + description: NodeGroupName is the human friendly name of the node group + as defined in the Constellation configuration. type: string nodeImage: description: NodeVersion is the name of the NodeVersion resource. 
@@ -81,35 +77,43 @@ spec: description: Conditions represent the latest available observations of an object's state. items: - description: Condition contains details for one aspect of the current - state of this API Resource. + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -124,6 +128,10 @@ spec: type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/operators/constellation-node-operator/config/manager/manager.yaml b/operators/constellation-node-operator/config/manager/manager.yaml index 314209305..32b39e301 100644 
--- a/operators/constellation-node-operator/config/manager/manager.yaml +++ b/operators/constellation-node-operator/config/manager/manager.yaml @@ -31,9 +31,6 @@ spec: - /manager args: - --leader-elect - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json image: controller:latest name: manager securityContext: @@ -63,9 +60,6 @@ spec: - mountPath: /etc/gce name: gceconf readOnly: true - - mountPath: /var/secrets/google - name: gcekey - readOnly: true - mountPath: /etc/constellation-upgrade-agent.sock name: upgrade-agent-socket readOnly: true @@ -97,10 +91,6 @@ spec: configMap: name: gceconf optional: true - - name: gcekey - secret: - secretName: gcekey - optional: true - name: upgrade-agent-socket hostPath: path: /run/constellation-upgrade-agent.sock diff --git a/operators/constellation-node-operator/config/rbac/role.yaml b/operators/constellation-node-operator/config/rbac/role.yaml index a1f60ee8f..8700132c4 100644 --- a/operators/constellation-node-operator/config/rbac/role.yaml +++ b/operators/constellation-node-operator/config/rbac/role.yaml @@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + creationTimestamp: null name: manager-role rules: - apiGroups: @@ -11,7 +12,6 @@ rules: verbs: - get - list - - watch - apiGroups: - "" resources: @@ -57,10 +57,6 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies - - joiningnodes - - nodeversions - - pendingnodes - - scalinggroups verbs: - create - delete 
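Review bot: With `GOOGLE_APPLICATION_CREDENTIALS` and the `/var/secrets/google` mount removed, nothing in this manifest says how the manager now authenticates to GCP; the Go client libraries presumably fall back to Application Default Credentials, i.e. the node's attached service account via the metadata server, which is a different trust boundary than an explicit key file (the operator inherits whatever scopes that service account has). Worth stating next to the surviving `gceconf` mount, e.g. `# GCP credentials come from the instance's attached service account (ADC); no key file is mounted`, so the next reader does not re-add a long-lived key Secret. Also confirm that the `gcekey` Secret is no longer created by whatever provisions this namespace, otherwise an unused key lingers in the cluster. The container and volume specs continue outside the hunk.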
@@ -73,20 +69,38 @@ rules: - update.edgeless.systems resources: - autoscalingstrategies/finalizers - - joiningnodes/finalizers - - nodeversions/finalizers - - pendingnodes/finalizers - - scalinggroups/finalizers verbs: - update - apiGroups: - update.edgeless.systems resources: - autoscalingstrategies/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - joiningnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: - joiningnodes/status - - nodeversions/status - - pendingnodes/status - - scalinggroups/status verbs: - get - patch @@ -105,3 +119,81 @@ rules: - nodeversion/status verbs: - get +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - nodeversions/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - pendingnodes/status + verbs: + - get + - patch + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/finalizers + verbs: + - update +- apiGroups: + - update.edgeless.systems + resources: + - scalinggroups/status + verbs: + - get + - patch + - update 
diff --git a/operators/constellation-node-operator/controllers/autoscalingstrategy_controller.go b/operators/constellation-node-operator/controllers/autoscalingstrategy_controller.go index de6bba9cf..9fa73ff24 100644 --- a/operators/constellation-node-operator/controllers/autoscalingstrategy_controller.go +++ b/operators/constellation-node-operator/controllers/autoscalingstrategy_controller.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package controllers diff --git a/operators/constellation-node-operator/controllers/autoscalingstrategy_controller_env_test.go b/operators/constellation-node-operator/controllers/autoscalingstrategy_controller_env_test.go index 07fa0460d..03a14b6dc 100644 --- a/operators/constellation-node-operator/controllers/autoscalingstrategy_controller_env_test.go +++ b/operators/constellation-node-operator/controllers/autoscalingstrategy_controller_env_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package controllers diff --git a/operators/constellation-node-operator/controllers/client_test.go b/operators/constellation-node-operator/controllers/client_test.go index 9dc1f6999..d4ea516d1 100644 --- a/operators/constellation-node-operator/controllers/client_test.go +++ b/operators/constellation-node-operator/controllers/client_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package controllers diff --git a/operators/constellation-node-operator/controllers/joiningnode_controller.go b/operators/constellation-node-operator/controllers/joiningnode_controller.go index f475e92c8..8ab45d54f 100644 --- a/operators/constellation-node-operator/controllers/joiningnode_controller.go +++ b/operators/constellation-node-operator/controllers/joiningnode_controller.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package controllers diff --git a/operators/constellation-node-operator/controllers/joiningnode_controller_env_test.go b/operators/constellation-node-operator/controllers/joiningnode_controller_env_test.go index 7b5fd2a7d..2662dff28 100644 --- a/operators/constellation-node-operator/controllers/joiningnode_controller_env_test.go +++ b/operators/constellation-node-operator/controllers/joiningnode_controller_env_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package controllers diff --git a/operators/constellation-node-operator/controllers/nodeversion_controller.go b/operators/constellation-node-operator/controllers/nodeversion_controller.go index 5a94591d1..ff706c702 100644 --- a/operators/constellation-node-operator/controllers/nodeversion_controller.go +++ b/operators/constellation-node-operator/controllers/nodeversion_controller.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package controllers @@ -83,7 +83,7 @@ func NewNodeVersionReconciler(nodeReplacer nodeReplacer, etcdRemover etcdRemover //+kubebuilder:rbac:groups=nodemaintenance.medik8s.io,resources=nodemaintenances,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups="",resources=nodes/status,verbs=get -//+kubebuilder:rbac:groups="",resources=configmaps,verbs=list;get;watch +//+kubebuilder:rbac:groups="",resources=configmaps,verbs=list;get // Reconcile replaces outdated nodes with new nodes as specified in the NodeVersion spec. func (r *NodeVersionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { 
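Review bot: Dropping `watch` from the configmaps RBAC marker is only safe if ConfigMaps are read through a non-cached client; controller-runtime's default manager client serves `Get`/`List` from an informer cache that is started with list+watch, so a cached read would fail with a forbidden error at runtime, not at compile time. If the reconciler reads ConfigMaps via `r.Client.Get` (the body is outside the hunk), either keep `watch` or route the read through the manager's API reader, and record the decision next to the marker, e.g. `// configmaps are read uncached (APIReader); no watch needed`. The generated role.yaml in this diff mirrors this marker, so both must change together.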
@@ -214,7 +214,7 @@ func (r *NodeVersionReconciler) Reconcile(ctx context.Context, req ctrl.Request) return ctrl.Result{Requeue: shouldRequeue}, nil } - newNodeConfig := newNodeConfig{desiredNodeVersion, groups.Outdated, groups.Donors, pendingNodeList.Items, scalingGroupByID, newNodesBudget} + newNodeConfig := newNodeConfig{desiredNodeVersion, groups.Outdated, pendingNodeList.Items, scalingGroupByID, newNodesBudget} if err := r.createNewNodes(ctx, newNodeConfig); err != nil { logr.Error(err, "Creating new nodes") return ctrl.Result{Requeue: shouldRequeue}, nil @@ -614,15 +614,6 @@ func (r *NodeVersionReconciler) createNewNodes(ctx context.Context, config newNo if config.newNodesBudget < 1 || len(config.outdatedNodes) == 0 { return nil } - // We need to look at both the outdated nodes *and* the nodes that have already - // been moved to the donors here because even if a CP node has already been moved to - // the donors, we still want to defer worker upgrades until the new CP node is actually joined. - hasOutdatedControlPlanes := false - for _, entry := range append(config.outdatedNodes, config.donors...) { - if nodeutil.IsControlPlaneNode(&entry) { - hasOutdatedControlPlanes = true - } - } outdatedNodesPerScalingGroup := make(map[string]int) for _, node := range config.outdatedNodes { // skip outdated nodes that got assigned an heir in this Reconcile call 
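Review bot: The `newNodeConfig{...}` literal on the new side is positional, so removing the `donors` field silently re-binds every following argument by position and the hunk cannot be checked for correctness without reading the struct definition. A keyed literal, `newNodeConfig{desiredNodeVersion: desiredNodeVersion, outdatedNodes: groups.Outdated, pendingNodes: pendingNodeList.Items, scalingGroupByID: scalingGroupByID, newNodesBudget: newNodesBudget}`, makes the field mapping explicit and survives future field reorderings. Reconcile continues outside the hunk.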
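Review bot: With `hasOutdatedControlPlanes` gone, `createNewNodes` no longer orders control-plane replacement before worker replacement, so within one reconcile `newNodesBudget` can be consumed by worker scaling groups while control-plane nodes are still outdated; the removed comment explained that worker upgrades were deferred until a new control-plane node had actually joined. If replacing both roles concurrently is the intended behaviour now, it should be stated at the top of the function, e.g. `// Control-plane and worker scaling groups are replaced concurrently; the budget is spent in whatever order the scaling groups are iterated.`, since the lack of ordering is otherwise invisible to the next maintainer. The function body continues outside the hunk.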
@@ -657,12 +648,6 @@ func (r *NodeVersionReconciler) createNewNodes(ctx context.Context, config newNo continue } if requiredNodesPerScalingGroup[scalingGroupID] == 0 { - logr.Info("No new nodes needed for scaling group", "scalingGroup", scalingGroupID) - continue - } - // if we are a worker group and still have outdated control planes, we must wait for them to be upgraded. - if hasOutdatedControlPlanes && scalingGroup.Spec.Role != updatev1alpha1.ControlPlaneRole { - logr.Info("There are still outdated control plane nodes which must be replaced first before this worker scaling group is upgraded", "scalingGroup", scalingGroupID) continue } for { @@ -694,7 +679,7 @@ func (r *NodeVersionReconciler) createNewNodes(ctx context.Context, config newNo if err := r.Create(ctx, pendingNode); err != nil { return err } - logr.Info("Created new node", "createdNode", nodeName, "scalingGroup", scalingGroupID, "requiredNodes", requiredNodesPerScalingGroup[scalingGroupID]) + logr.Info("Created new node", "createdNode", nodeName, "scalingGroup", scalingGroupID) requiredNodesPerScalingGroup[scalingGroupID]-- config.newNodesBudget-- } @@ -954,7 +939,6 @@ type kubernetesServerVersionGetter interface { type newNodeConfig struct { desiredNodeVersion updatev1alpha1.NodeVersion outdatedNodes []corev1.Node - donors []corev1.Node pendingNodes []updatev1alpha1.PendingNode scalingGroupByID map[string]updatev1alpha1.ScalingGroup newNodesBudget int diff --git a/operators/constellation-node-operator/controllers/nodeversion_controller_env_test.go b/operators/constellation-node-operator/controllers/nodeversion_controller_env_test.go index 2e093323b..7fa62ce3a 100644 --- a/operators/constellation-node-operator/controllers/nodeversion_controller_env_test.go +++ b/operators/constellation-node-operator/controllers/nodeversion_controller_env_test.go @@ -3,7 +3,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package controllers 
diff --git a/operators/constellation-node-operator/controllers/nodeversion_controller_test.go b/operators/constellation-node-operator/controllers/nodeversion_controller_test.go index fcc67a529..c9ae88042 100644 --- a/operators/constellation-node-operator/controllers/nodeversion_controller_test.go +++ b/operators/constellation-node-operator/controllers/nodeversion_controller_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package controllers @@ -123,7 +123,7 @@ func TestAnnotateNodes(t *testing.T) { }, }, } - annotated, invalid := reconciler.annotateNodes(t.Context(), []corev1.Node{tc.node}) + annotated, invalid := reconciler.annotateNodes(context.Background(), []corev1.Node{tc.node}) if tc.wantAnnotated == nil { assert.Len(annotated, 0) assert.Len(invalid, 1) @@ -226,7 +226,7 @@ func TestPairDonorsAndHeirs(t *testing.T) { }, } nodeImage := updatev1alpha1.NodeVersion{} - pairs := reconciler.pairDonorsAndHeirs(t.Context(), &nodeImage, []corev1.Node{tc.outdatedNode}, []mintNode{tc.mintNode}) + pairs := reconciler.pairDonorsAndHeirs(context.Background(), &nodeImage, []corev1.Node{tc.outdatedNode}, []mintNode{tc.mintNode}) if tc.wantPair == nil { assert.Len(pairs, 0) return @@ -315,7 +315,7 @@ func TestMatchDonorsAndHeirs(t *testing.T) { stubReaderClient: *newStubReaderClient(t, []runtime.Object{&tc.donor, &tc.heir}, nil, nil), }, } - pairs := reconciler.matchDonorsAndHeirs(t.Context(), nil, []corev1.Node{tc.donor}, []corev1.Node{tc.heir}) + pairs := reconciler.matchDonorsAndHeirs(context.Background(), nil, []corev1.Node{tc.donor}, []corev1.Node{tc.heir}) if tc.wantPair == nil { assert.Len(pairs, 0) return 
@@ -330,7 +330,6 @@ func TestMatchDonorsAndHeirs(t *testing.T) {
 func TestCreateNewNodes(t *testing.T) {
 testCases := map[string]struct {
 outdatedNodes []corev1.Node
-donors []corev1.Node
 pendingNodes []updatev1alpha1.PendingNode
 scalingGroupByID map[string]updatev1alpha1.ScalingGroup
 budget int
@@ -574,105 +573,6 @@ func TestCreateNewNodes(t *testing.T) {
 },
 budget: 1,
 },
-"control plane node upgraded first": {
-outdatedNodes: []corev1.Node{
-// CP node
-{
-ObjectMeta: metav1.ObjectMeta{
-Name: "control-plane-node",
-Annotations: map[string]string{
-scalingGroupAnnotation: "control-plane-scaling-group",
-},
-Labels: map[string]string{
-// Mark this as a CP node as per
-// https://kubernetes.io/docs/reference/labels-annotations-taints/#node-role-kubernetes-io-control-plane
-"node-role.kubernetes.io/control-plane": "",
-},
-},
-},
-// Worker node
-{
-ObjectMeta: metav1.ObjectMeta{
-Name: "node",
-Annotations: map[string]string{
-scalingGroupAnnotation: "scaling-group",
-},
-},
-},
-},
-scalingGroupByID: map[string]updatev1alpha1.ScalingGroup{
-"scaling-group": {
-Spec: updatev1alpha1.ScalingGroupSpec{
-GroupID: "scaling-group",
-Role: updatev1alpha1.WorkerRole,
-},
-Status: updatev1alpha1.ScalingGroupStatus{
-ImageReference: "image",
-},
-},
-"control-plane-scaling-group": {
-Spec: updatev1alpha1.ScalingGroupSpec{
-GroupID: "control-plane-scaling-group",
-Role: updatev1alpha1.ControlPlaneRole,
-},
-Status: updatev1alpha1.ScalingGroupStatus{
-ImageReference: "image",
-},
-},
-},
-budget: 2,
-wantCreateCalls: []string{"control-plane-scaling-group"},
-},
-"worker not upgraded while cp is in donors": {
-donors: []corev1.Node{
-// CP node
-{
-ObjectMeta: metav1.ObjectMeta{
-Name: "control-plane-node",
-Annotations: map[string]string{
-scalingGroupAnnotation: "control-plane-scaling-group",
-},
-Labels: map[string]string{
-// Mark this as a CP node as per
-// https://kubernetes.io/docs/reference/labels-annotations-taints/#node-role-kubernetes-io-control-plane
-"node-role.kubernetes.io/control-plane": "",
-},
-},
-},
-},
-outdatedNodes: []corev1.Node{
-// Worker node
-{
-ObjectMeta: metav1.ObjectMeta{
-Name: "node",
-Annotations: map[string]string{
-scalingGroupAnnotation: "scaling-group",
},
-},
-},
-},
-scalingGroupByID: map[string]updatev1alpha1.ScalingGroup{
-"scaling-group": {
-Spec: updatev1alpha1.ScalingGroupSpec{
-GroupID: "scaling-group",
-Role: updatev1alpha1.WorkerRole,
-},
-Status: updatev1alpha1.ScalingGroupStatus{
-ImageReference: "image",
-},
-},
-"control-plane-scaling-group": {
-Spec: updatev1alpha1.ScalingGroupSpec{
-GroupID: "control-plane-scaling-group",
-Role: updatev1alpha1.ControlPlaneRole,
-},
-Status: updatev1alpha1.ScalingGroupStatus{
-ImageReference: "image",
-},
-},
-},
-budget: 1,
-},
 }
 
 for name, tc := range testCases {
@@ -692,8 +592,8 @@ func TestCreateNewNodes(t *testing.T) {
 },
 Scheme: getScheme(t),
 }
-newNodeConfig := newNodeConfig{desiredNodeImage, tc.outdatedNodes, tc.donors, tc.pendingNodes, tc.scalingGroupByID, tc.budget}
-err := reconciler.createNewNodes(t.Context(), newNodeConfig)
+newNodeConfig := newNodeConfig{desiredNodeImage, tc.outdatedNodes, tc.pendingNodes, tc.scalingGroupByID, tc.budget}
+err := reconciler.createNewNodes(context.Background(), newNodeConfig)
 require.NoError(err)
 assert.Equal(tc.wantCreateCalls, reconciler.nodeReplacer.(*stubNodeReplacerWriter).createCalls)
 })
diff --git a/operators/constellation-node-operator/controllers/nodeversion_watches.go b/operators/constellation-node-operator/controllers/nodeversion_watches.go
index 16f715bd3..3977a7c64 100644
--- a/operators/constellation-node-operator/controllers/nodeversion_watches.go
+++ b/operators/constellation-node-operator/controllers/nodeversion_watches.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controllers
diff --git a/operators/constellation-node-operator/controllers/nodeversion_watches_test.go b/operators/constellation-node-operator/controllers/nodeversion_watches_test.go
index b464419eb..690c1d2c4 100644
--- a/operators/constellation-node-operator/controllers/nodeversion_watches_test.go
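Review bot: The rewritten `newNodeConfig := newNodeConfig{desiredNodeImage, tc.outdatedNodes, tc.pendingNodes, tc.scalingGroupByID, tc.budget}` in the `@@ -692,8 +592,8 @@` hunk is still an unkeyed composite literal, which is exactly why removing the `donors` field forced this line to change and why a future reordering of same-typed fields (the two `[]corev1.Node`-style slices, for instance) would shift values silently instead of failing to compile. Keyed fields make the mapping explicit and survive field removals: `newNodeConfig := newNodeConfig{desiredNodeVersion: desiredNodeImage, outdatedNodes: tc.outdatedNodes, pendingNodes: tc.pendingNodes, scalingGroupByID: tc.scalingGroupByID, newNodesBudget: tc.budget}`. The field names are those of the struct in the `@@ -954,7 +939,6 @@` hunk of nodeversion_controller.go; TestCreateNewNodes starts outside this hunk.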
+++ b/operators/constellation-node-operator/controllers/nodeversion_watches_test.go
@@ -1,12 +1,13 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controllers
 
 import (
+"context"
 "errors"
 "testing"
 
@@ -249,7 +250,7 @@ func TestFindObjectsForScalingGroup(t *testing.T) {
 }
 assert := assert.New(t)
 reconciler := NodeVersionReconciler{}
-requests := reconciler.findObjectsForScalingGroup(t.Context(), &scalingGroup)
+requests := reconciler.findObjectsForScalingGroup(context.TODO(), &scalingGroup)
 assert.ElementsMatch(wantRequests, requests)
 }
 
@@ -283,7 +284,7 @@ func TestFindAllNodeVersions(t *testing.T) {
 reconciler := NodeVersionReconciler{
 Client: newStubReaderClient(t, []runtime.Object{tc.nodeVersion}, nil, tc.listNodeVersionsErr),
 }
-requests := reconciler.findAllNodeVersions(t.Context(), nil)
+requests := reconciler.findAllNodeVersions(context.TODO(), nil)
 assert.ElementsMatch(tc.wantRequests, requests)
 })
 }
diff --git a/operators/constellation-node-operator/controllers/pendingnode_controller.go b/operators/constellation-node-operator/controllers/pendingnode_controller.go
index fe274a0ce..1bd5b97df 100644
--- a/operators/constellation-node-operator/controllers/pendingnode_controller.go
+++ b/operators/constellation-node-operator/controllers/pendingnode_controller.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controllers
diff --git a/operators/constellation-node-operator/controllers/pendingnode_controller_env_test.go b/operators/constellation-node-operator/controllers/pendingnode_controller_env_test.go
index 427199b7b..05e5de4ee 100644
--- a/operators/constellation-node-operator/controllers/pendingnode_controller_env_test.go
+++ b/operators/constellation-node-operator/controllers/pendingnode_controller_env_test.go
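Review bot: `requests := reconciler.findObjectsForScalingGroup(context.TODO(), &scalingGroup)` and `requests := reconciler.findAllNodeVersions(context.TODO(), nil)` swap `t.Context()` for `context.TODO()`, while every other replacement in this change (nodeversion_controller_test.go and the aws and azure client tests) uses `context.Background()`. `context.TODO()` is the marker for a call site that has not had a real context threaded through yet; here the callee already takes one, so `context.Background()` states the intent and keeps the test files consistent. The same applies to `requests := reconciler.findObjectsForNode(context.TODO(), &corev1.Node{` in the pendingnode_controller_test.go hunk that follows.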
@@ -3,7 +3,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controllers
diff --git a/operators/constellation-node-operator/controllers/pendingnode_controller_test.go b/operators/constellation-node-operator/controllers/pendingnode_controller_test.go
index c77e0eb99..1a564af76 100644
--- a/operators/constellation-node-operator/controllers/pendingnode_controller_test.go
+++ b/operators/constellation-node-operator/controllers/pendingnode_controller_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controllers
@@ -137,7 +137,7 @@ func TestFindObjectsForNode(t *testing.T) {
 reconciler := PendingNodeReconciler{
 Client: newStubReaderClient(t, []runtime.Object{tc.pendingNode}, nil, tc.listPendingNodesErr),
 }
-requests := reconciler.findObjectsForNode(t.Context(), &corev1.Node{
+requests := reconciler.findObjectsForNode(context.TODO(), &corev1.Node{
 ObjectMeta: metav1.ObjectMeta{
 Name: "pending-node",
 },
@@ -218,7 +218,7 @@ func TestReachedGoal(t *testing.T) {
 reconciler := PendingNodeReconciler{
 Client: newStubReaderClient(t, []runtime.Object{&tc.pendingNode}, tc.getPendingNodeErr, nil),
 }
-reachedGoal, err := reconciler.reachedGoal(t.Context(), tc.pendingNode, tc.nodeState)
+reachedGoal, err := reconciler.reachedGoal(context.Background(), tc.pendingNode, tc.nodeState)
 if tc.wantErr {
 assert.Error(err)
 return
diff --git a/operators/constellation-node-operator/controllers/scalinggroup_controller.go b/operators/constellation-node-operator/controllers/scalinggroup_controller.go
index c01693b70..7336467c0 100644
--- a/operators/constellation-node-operator/controllers/scalinggroup_controller.go
+++ b/operators/constellation-node-operator/controllers/scalinggroup_controller.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controllers
diff --git a/operators/constellation-node-operator/controllers/scalinggroup_controller_env_test.go b/operators/constellation-node-operator/controllers/scalinggroup_controller_env_test.go
index 0f9661c6c..8101f7174 100644
--- a/operators/constellation-node-operator/controllers/scalinggroup_controller_env_test.go
+++ b/operators/constellation-node-operator/controllers/scalinggroup_controller_env_test.go
@@ -3,7 +3,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controllers
diff --git a/operators/constellation-node-operator/controllers/scalinggroup_controller_test.go b/operators/constellation-node-operator/controllers/scalinggroup_controller_test.go
index b791183b2..9769722bd 100644
--- a/operators/constellation-node-operator/controllers/scalinggroup_controller_test.go
+++ b/operators/constellation-node-operator/controllers/scalinggroup_controller_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controllers
diff --git a/operators/constellation-node-operator/controllers/schemes_test.go b/operators/constellation-node-operator/controllers/schemes_test.go
index df108b049..ed19215ab 100644
--- a/operators/constellation-node-operator/controllers/schemes_test.go
+++ b/operators/constellation-node-operator/controllers/schemes_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controllers
diff --git a/operators/constellation-node-operator/controllers/suite_test.go b/operators/constellation-node-operator/controllers/suite_test.go
index ac3dedcb9..dd2df3407 100644
--- a/operators/constellation-node-operator/controllers/suite_test.go
+++ b/operators/constellation-node-operator/controllers/suite_test.go
@@ -3,7 +3,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controllers
diff --git a/operators/constellation-node-operator/internal/cloud/api/scalinggroup.go b/operators/constellation-node-operator/internal/cloud/api/scalinggroup.go
index d439c913b..ab08f07b9 100644
--- a/operators/constellation-node-operator/internal/cloud/api/scalinggroup.go
+++ b/operators/constellation-node-operator/internal/cloud/api/scalinggroup.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package api
diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/api.go b/operators/constellation-node-operator/internal/cloud/aws/client/api.go
index 98ab180f6..53316583b 100644
--- a/operators/constellation-node-operator/internal/cloud/aws/client/api.go
+++ b/operators/constellation-node-operator/internal/cloud/aws/client/api.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/autoscaler.go b/operators/constellation-node-operator/internal/cloud/aws/client/autoscaler.go
index 73860311b..e74ef3b9b 100644
--- a/operators/constellation-node-operator/internal/cloud/aws/client/autoscaler.go
+++ b/operators/constellation-node-operator/internal/cloud/aws/client/autoscaler.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/client.go b/operators/constellation-node-operator/internal/cloud/aws/client/client.go
index f853d5e06..b477e76ef 100644
--- a/operators/constellation-node-operator/internal/cloud/aws/client/client.go
+++ b/operators/constellation-node-operator/internal/cloud/aws/client/client.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/client_test.go b/operators/constellation-node-operator/internal/cloud/aws/client/client_test.go
index 6643803da..a2e81cc28 100644
--- a/operators/constellation-node-operator/internal/cloud/aws/client/client_test.go
+++ b/operators/constellation-node-operator/internal/cloud/aws/client/client_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage.go b/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage.go
index f7a94e239..78c37601e 100644
--- a/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage.go
+++ b/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage_test.go b/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage_test.go
index 8f0296da6..d939f2029 100644
--- a/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage_test.go
+++ b/operators/constellation-node-operator/internal/cloud/aws/client/nodeimage_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
@@ -91,7 +91,7 @@ func TestGetNodeImage(t *testing.T) {
 describeInstancesErr: tc.describeInstancesErr,
 },
 }
-gotImage, err := client.GetNodeImage(t.Context(), tc.providerID)
+gotImage, err := client.GetNodeImage(context.Background(), tc.providerID)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -199,7 +199,7 @@ func TestGetScalingGroupID(t *testing.T) {
 describeInstancesErr: tc.describeInstancesErr,
 },
 }
-gotScalingID, err := client.GetScalingGroupID(t.Context(), tc.providerID)
+gotScalingID, err := client.GetScalingGroupID(context.Background(), tc.providerID)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -357,7 +357,7 @@ func TestCreateNode(t *testing.T) {
 setDesiredCapacityErr: tc.setDesiredCapacityErr,
 },
 }
-nodeName, providerID, err := client.CreateNode(t.Context(), tc.providerID)
+nodeName, providerID, err := client.CreateNode(context.Background(), tc.providerID)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -398,7 +398,7 @@ func TestDeleteNode(t *testing.T) {
 terminateInstanceErr: tc.terminateInstanceErr,
 },
 }
-err := client.DeleteNode(t.Context(), tc.providerID)
+err := client.DeleteNode(context.Background(), tc.providerID)
 if tc.wantErr {
 assert.Error(err)
 return
diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode.go b/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode.go
index c559a61cc..6121ce682 100644
--- a/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode.go
+++ b/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode_test.go b/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode_test.go
index 7f43ee6ba..b2745358f 100644
--- a/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode_test.go
+++ b/operators/constellation-node-operator/internal/cloud/aws/client/pendingnode_test.go
@@ -1,12 +1,13 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
 
 import (
+"context"
 "errors"
 "testing"
 
@@ -160,7 +161,7 @@ func TestGetNodeState(t *testing.T) {
 describeInstanceStatusErr: tc.describeInstanceStatusErr,
 },
 }
-nodeState, err := client.GetNodeState(t.Context(), tc.providerID)
+nodeState, err := client.GetNodeState(context.Background(), tc.providerID)
 assert.Equal(tc.wantState, nodeState)
 if tc.wantErr {
 assert.Error(err)
diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup.go b/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup.go
index 50673ea67..6eee2c5e2 100644
--- a/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup.go
+++ b/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup_test.go b/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup_test.go
index b286e182d..b5e4f60ce 100644
--- a/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup_test.go
+++ b/operators/constellation-node-operator/internal/cloud/aws/client/scalinggroup_test.go
@@ -1,12 +1,13 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
 
 import (
+"context"
 "testing"
 
 "github.com/aws/aws-sdk-go-v2/service/autoscaling"
@@ -90,7 +91,7 @@ func TestGetScalingGroupImage(t *testing.T) {
 },
 },
 }
-scalingGroupImage, err := client.GetScalingGroupImage(t.Context(), tc.providerID)
+scalingGroupImage, err := client.GetScalingGroupImage(context.Background(), tc.providerID)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -215,7 +216,7 @@ func TestSetScalingGroupImage(t *testing.T) {
 },
 },
 }
-err := client.SetScalingGroupImage(t.Context(), tc.providerID, tc.imageURI)
+err := client.SetScalingGroupImage(context.Background(), tc.providerID, tc.imageURI)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -318,7 +319,7 @@ func TestListScalingGroups(t *testing.T) {
 describeAutoScalingGroupsErr: tc.describeAutoScalingGroupsErr,
 },
 }
-gotGroups, err := client.ListScalingGroups(t.Context(), tc.providerID)
+gotGroups, err := client.ListScalingGroups(context.Background(), tc.providerID)
 if tc.wantErr {
 assert.Error(err)
 return
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/api.go b/operators/constellation-node-operator/internal/cloud/azure/client/api.go
index 535939148..33a4369a7 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/api.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/api.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/autoscaler.go b/operators/constellation-node-operator/internal/cloud/azure/client/autoscaler.go
index a946810db..d3c268f93 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/autoscaler.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/autoscaler.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/client.go b/operators/constellation-node-operator/internal/cloud/azure/client/client.go
index 4e31cb0b9..2e767a9f7 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/client.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/client.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/client_test.go b/operators/constellation-node-operator/internal/cloud/azure/client/client_test.go
index 6daf70bb8..e63904b2c 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/client_test.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/client_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/config.go b/operators/constellation-node-operator/internal/cloud/azure/client/config.go
index 52f0091b1..4a26734f8 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/config.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/config.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/config_test.go b/operators/constellation-node-operator/internal/cloud/azure/client/config_test.go
index 82da00082..482221e36 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/config_test.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/config_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/instanceview.go b/operators/constellation-node-operator/internal/cloud/azure/client/instanceview.go
index 98dfa74e3..da38b1aef 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/instanceview.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/instanceview.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/instanceview_test.go b/operators/constellation-node-operator/internal/cloud/azure/client/instanceview_test.go
index c47829de7..16ece38f7 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/instanceview_test.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/instanceview_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage.go b/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage.go
index d36b8a97c..8b4d438a1 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage_test.go b/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage_test.go
index 86bfd55ed..866cf535f 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage_test.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
@@ -98,7 +98,7 @@ func TestGetNodeImage(t *testing.T) {
 getErr: tc.getScaleSetVMErr,
 },
 }
-gotImage, err := client.GetNodeImage(t.Context(), tc.providerID)
+gotImage, err := client.GetNodeImage(context.Background(), tc.providerID)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -131,7 +131,7 @@ func TestGetScalingGroupID(t *testing.T) {
 require := require.New(t)
 
 client := Client{}
-gotScalingGroupID, err := client.GetScalingGroupID(t.Context(), tc.providerID)
+gotScalingGroupID, err := client.GetScalingGroupID(context.Background(), tc.providerID)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -262,7 +262,7 @@ func TestCreateNode(t *testing.T) {
 var createErr error
 go func() {
 defer wg.Done()
-gotNodeName, gotProviderID, createErr = client.CreateNode(t.Context(), tc.scalingGroupID)
+gotNodeName, gotProviderID, createErr = client.CreateNode(context.Background(), tc.scalingGroupID)
 }()
 
 // want error before PollUntilDone is called
@@ -319,7 +319,7 @@ func TestDeleteNode(t *testing.T) {
 client := Client{
 scaleSetsAPI: &stubScaleSetsAPI{deleteErr: tc.deleteErr},
 }
-err := client.DeleteNode(t.Context(), tc.providerID)
+err := client.DeleteNode(context.Background(), tc.providerID)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -343,25 +343,25 @@ func TestCapacityPollingHandler(t *testing.T) {
 },
 wantedCapacity: wantCapacity,
 }
-assert.NoError(handler.Poll(t.Context()))
+assert.NoError(handler.Poll(context.Background()))
 assert.False(handler.Done())
 
 // Calling Result early should error
-assert.Error(handler.Result(t.Context(), &gotCapacity))
+assert.Error(handler.Result(context.Background(), &gotCapacity))
 
 // let scaleSet API error
 handler.scaleSetsAPI.(*stubScaleSetsAPI).getErr = errors.New("get error")
-assert.Error(handler.Poll(t.Context()))
+assert.Error(handler.Poll(context.Background()))
 handler.scaleSetsAPI.(*stubScaleSetsAPI).getErr = nil
 
 // let scaleSet API return invalid SKU
 handler.scaleSetsAPI.(*stubScaleSetsAPI).scaleSet.SKU = nil
-assert.Error(handler.Poll(t.Context()))
+assert.Error(handler.Poll(context.Background()))
 
 // let Poll finish
 handler.scaleSetsAPI.(*stubScaleSetsAPI).scaleSet.SKU = &armcompute.SKU{Capacity: to.Ptr(wantCapacity)}
-assert.NoError(handler.Poll(t.Context()))
+assert.NoError(handler.Poll(context.Background()))
 assert.True(handler.Done())
-assert.NoError(handler.Result(t.Context(), &gotCapacity))
+assert.NoError(handler.Result(context.Background(), &gotCapacity))
 assert.Equal(wantCapacity, gotCapacity)
 }
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode.go b/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode.go
index 9bd14e0f8..99f6bedd9 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
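Review bot: `context.Background()` is now constructed inline seven times in TestCapacityPollingHandler, once per `handler.Poll(...)` and `handler.Result(...)` call, which is noisier than the `t.Context()` it replaces and makes a later switch back to a test-scoped context a seven-line edit again. A single `ctx := context.Background()` after the handler is built, with the calls written as `assert.NoError(handler.Poll(ctx))` and `assert.Error(handler.Result(ctx, &gotCapacity))`, keeps the hunk to one construction site. TestCapacityPollingHandler starts outside the hunk.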
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode_test.go b/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode_test.go
index 9977b1fd2..7c12ed749 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode_test.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/pendingnode_test.go
@@ -1,12 +1,13 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
 
 import (
+"context"
 "errors"
 "net/http"
 "testing"
@@ -66,7 +67,7 @@ func TestGetNodeState(t *testing.T) {
 instanceViewErr: tc.getInstanceViewErr,
 },
 }
-gotState, err := client.GetNodeState(t.Context(), tc.providerID)
+gotState, err := client.GetNodeState(context.Background(), tc.providerID)
 if tc.wantErr {
 assert.Error(err)
 return
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/providerid.go b/operators/constellation-node-operator/internal/cloud/azure/client/providerid.go
index 8ef8e38f8..a31637fb0 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/providerid.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/providerid.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/providerid_test.go b/operators/constellation-node-operator/internal/cloud/azure/client/providerid_test.go
index 2376c618e..64b14badf 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/providerid_test.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/providerid_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup.go b/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup.go
index 285f90986..470bb2d90 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup_test.go b/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup_test.go
index 7915e66ad..1f9e1516d 100644
--- a/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup_test.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/scalinggroup_test.go
@@ -1,12 +1,13 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
 
 import (
+"context"
 "errors"
 "testing"
 
@@ -102,7 +103,7 @@ func TestGetScalingGroupImage(t *testing.T) {
 getErr: tc.getScaleSetErr,
 },
 }
-gotImage, err := client.GetScalingGroupImage(t.Context(), tc.scalingGroupID)
+gotImage, err := client.GetScalingGroupImage(context.Background(), tc.scalingGroupID)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -154,7 +155,7 @@ func TestSetScalingGroupImage(t *testing.T) {
 resultErr: tc.resultErr,
 },
 }
-err := client.SetScalingGroupImage(t.Context(), tc.scalingGroupID, tc.imageURI)
+err := client.SetScalingGroupImage(context.Background(), tc.scalingGroupID, tc.imageURI)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -290,7 +291,7 @@ func TestListScalingGroups(t *testing.T) { }, }, } - gotGroups, err := client.ListScalingGroups(t.Context(), "uid") + gotGroups, err := client.ListScalingGroups(context.Background(), "uid") if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/vmss.go b/operators/constellation-node-operator/internal/cloud/azure/client/vmss.go index b65ce59df..b989f9a99 100644 --- a/operators/constellation-node-operator/internal/cloud/azure/client/vmss.go +++ b/operators/constellation-node-operator/internal/cloud/azure/client/vmss.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/azure/client/vmss_test.go b/operators/constellation-node-operator/internal/cloud/azure/client/vmss_test.go index b4767239b..2588941e5 100644 --- a/operators/constellation-node-operator/internal/cloud/azure/client/vmss_test.go +++ b/operators/constellation-node-operator/internal/cloud/azure/client/vmss_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/fake/client/client.go b/operators/constellation-node-operator/internal/cloud/fake/client/client.go index adcfc27aa..56e97e01d 100644 --- a/operators/constellation-node-operator/internal/cloud/fake/client/client.go +++ b/operators/constellation-node-operator/internal/cloud/fake/client/client.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/BUILD.bazel b/operators/constellation-node-operator/internal/cloud/gcp/client/BUILD.bazel index 72548055d..54100de98 100644 
--- a/operators/constellation-node-operator/internal/cloud/gcp/client/BUILD.bazel +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/BUILD.bazel @@ -29,6 +29,7 @@ go_library( "@com_github_spf13_afero//:afero", "@com_google_cloud_go_compute//apiv1", "@com_google_cloud_go_compute//apiv1/computepb", + "@org_golang_google_api//compute/v1:compute", "@org_golang_google_api//googleapi", "@org_golang_google_api//iterator", "@org_golang_google_protobuf//proto", @@ -61,6 +62,7 @@ go_test( "@com_github_stretchr_testify//require", "@com_google_cloud_go_compute//apiv1", "@com_google_cloud_go_compute//apiv1/computepb", + "@org_golang_google_api//compute/v1:compute", "@org_golang_google_api//googleapi", "@org_golang_google_api//iterator", "@org_golang_google_protobuf//proto", diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/api.go b/operators/constellation-node-operator/internal/cloud/gcp/client/api.go index 20b6b0e06..15c56ece5 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/api.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/api.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client @@ -12,6 +12,7 @@ import ( compute "cloud.google.com/go/compute/apiv1" "cloud.google.com/go/compute/apiv1/computepb" "github.com/googleapis/gax-go/v2" + computeREST "google.golang.org/api/compute/v1" ) type projectAPI interface { 
@@ -27,13 +28,9 @@ type instanceAPI interface {
 }
 
 type instanceTemplateAPI interface {
-	Close() error
-	Get(ctx context.Context, req *computepb.GetInstanceTemplateRequest,
-		opts ...gax.CallOption) (*computepb.InstanceTemplate, error)
-	Delete(ctx context.Context, req *computepb.DeleteInstanceTemplateRequest,
-		opts ...gax.CallOption) (Operation, error)
-	Insert(ctx context.Context, req *computepb.InsertInstanceTemplateRequest,
-		opts ...gax.CallOption) (Operation, error)
+	Get(projectID, template string) (*computeREST.InstanceTemplate, error)
+	Delete(projectID, template string) (*computeREST.Operation, error)
+	Insert(projectID string, template *computeREST.InstanceTemplate) (*computeREST.Operation, error)
 }
 
 type instanceGroupManagersAPI interface {
diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/autocaler.go b/operators/constellation-node-operator/internal/cloud/gcp/client/autocaler.go
index ba6bb4851..6ac106353 100644
--- a/operators/constellation-node-operator/internal/cloud/gcp/client/autocaler.go
+++ b/operators/constellation-node-operator/internal/cloud/gcp/client/autocaler.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/client.go b/operators/constellation-node-operator/internal/cloud/gcp/client/client.go
index b7a221dda..e9dbc3a4e 100644
--- a/operators/constellation-node-operator/internal/cloud/gcp/client/client.go
+++ b/operators/constellation-node-operator/internal/cloud/gcp/client/client.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package client
@@ -14,6 +14,7 @@ import (
 
 	compute "cloud.google.com/go/compute/apiv1"
 	"github.com/spf13/afero"
+	computeREST "google.golang.org/api/compute/v1"
 )
 
 // Client is a client for the Google Compute Engine.
@@ -48,12 +49,17 @@ func New(ctx context.Context, configPath string) (*Client, error) { return nil, err } closers = append(closers, insAPI) - templAPI, err := compute.NewInstanceTemplatesRESTClient(ctx) + + // TODO(msanft): Go back to protobuf-based API when it supports setting + // a confidential instance type. + // See https://github.com/googleapis/google-cloud-go/issues/10873 for the current status. + restClient, err := computeREST.NewService(ctx) if err != nil { _ = closeAll(closers) return nil, err } - closers = append(closers, templAPI) + templAPI := computeREST.NewInstanceTemplatesService(restClient) + groupAPI, err := compute.NewInstanceGroupManagersRESTClient(ctx) if err != nil { _ = closeAll(closers) @@ -81,7 +87,6 @@ func (c *Client) Close() error { closers := []closer{ c.projectAPI, c.instanceAPI, - c.instanceTemplateAPI, c.instanceGroupManagersAPI, c.diskAPI, } diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/client_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/client_test.go index 184c16cde..58816c561 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/client_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/client_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client @@ -12,6 +12,7 @@ import ( compute "cloud.google.com/go/compute/apiv1" "cloud.google.com/go/compute/apiv1/computepb" "github.com/googleapis/gax-go/v2" + computeREST "google.golang.org/api/compute/v1" "google.golang.org/api/iterator" "google.golang.org/protobuf/proto" ) @@ -47,7 +48,7 @@ func (a stubInstanceAPI) Get(_ context.Context, _ *computepb.GetInstanceRequest, } type stubInstanceTemplateAPI struct { - template *computepb.InstanceTemplate + template *computeREST.InstanceTemplate getErr error deleteErr error insertErr error 
@@ -57,30 +58,16 @@ func (a stubInstanceTemplateAPI) Close() error { return nil } -func (a stubInstanceTemplateAPI) Get(_ context.Context, _ *computepb.GetInstanceTemplateRequest, - _ ...gax.CallOption, -) (*computepb.InstanceTemplate, error) { +func (a stubInstanceTemplateAPI) Get(_, _ string) (*computeREST.InstanceTemplate, error) { return a.template, a.getErr } -func (a stubInstanceTemplateAPI) Delete(_ context.Context, _ *computepb.DeleteInstanceTemplateRequest, - _ ...gax.CallOption, -) (Operation, error) { - return &stubOperation{ - &computepb.Operation{ - Name: proto.String("name"), - }, - }, a.deleteErr +func (a stubInstanceTemplateAPI) Delete(_, _ string) (*computeREST.Operation, error) { + return &computeREST.Operation{}, a.deleteErr } -func (a stubInstanceTemplateAPI) Insert(_ context.Context, _ *computepb.InsertInstanceTemplateRequest, - _ ...gax.CallOption, -) (Operation, error) { - return &stubOperation{ - &computepb.Operation{ - Name: proto.String("name"), - }, - }, a.insertErr +func (a stubInstanceTemplateAPI) Insert(_ string, _ *computeREST.InstanceTemplate) (*computeREST.Operation, error) { + return &computeREST.Operation{}, a.insertErr } type stubInstanceGroupManagersAPI struct { diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/config.go b/operators/constellation-node-operator/internal/cloud/gcp/client/config.go index 905089afe..a3fa313e8 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/config.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/config.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/config_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/config_test.go index da389081c..cf438fe90 100644 
--- a/operators/constellation-node-operator/internal/cloud/gcp/client/config_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/config_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/disks.go b/operators/constellation-node-operator/internal/cloud/gcp/client/disks.go index d26b4c626..862de3f15 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/disks.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/disks.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/disks_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/disks_test.go index 473c4b768..fd2d6e8be 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/disks_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/disks_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/gcpwrappers.go b/operators/constellation-node-operator/internal/cloud/gcp/client/gcpwrappers.go index f7c7313af..da87f596c 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/gcpwrappers.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/gcpwrappers.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client 
@@ -12,26 +12,27 @@ import (
 	compute "cloud.google.com/go/compute/apiv1"
 	"cloud.google.com/go/compute/apiv1/computepb"
 	"github.com/googleapis/gax-go/v2"
+	computeREST "google.golang.org/api/compute/v1"
 )
 
 type instanceTemplateClient struct {
-	*compute.InstanceTemplatesClient
+	*computeREST.InstanceTemplatesService
 }
 
 func (c *instanceTemplateClient) Close() error {
-	return c.InstanceTemplatesClient.Close()
+	return nil // no-op
 }
 
-func (c *instanceTemplateClient) Delete(ctx context.Context, req *computepb.DeleteInstanceTemplateRequest,
-	opts ...gax.CallOption,
-) (Operation, error) {
-	return c.InstanceTemplatesClient.Delete(ctx, req, opts...)
+func (c *instanceTemplateClient) Get(project, template string) (*computeREST.InstanceTemplate, error) {
+	return c.InstanceTemplatesService.Get(project, template).Do()
 }
 
-func (c *instanceTemplateClient) Insert(ctx context.Context, req *computepb.InsertInstanceTemplateRequest,
-	opts ...gax.CallOption,
-) (Operation, error) {
-	return c.InstanceTemplatesClient.Insert(ctx, req, opts...)
+func (c *instanceTemplateClient) Delete(project, template string) (*computeREST.Operation, error) {
+	return c.InstanceTemplatesService.Delete(project, template).Do()
+}
+
+func (c *instanceTemplateClient) Insert(projectID string, template *computeREST.InstanceTemplate) (*computeREST.Operation, error) {
+	return c.InstanceTemplatesService.Insert(projectID, template).Do()
 }
 
 type instanceGroupManagersClient struct {
diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/instancegroupmanagers.go b/operators/constellation-node-operator/internal/cloud/gcp/client/instancegroupmanagers.go
index ff3e10564..0b6de00d0 100644
--- a/operators/constellation-node-operator/internal/cloud/gcp/client/instancegroupmanagers.go
+++ b/operators/constellation-node-operator/internal/cloud/gcp/client/instancegroupmanagers.go
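Review bot: The new wrappers drop the caller's context: `Get`, `Delete` and `Insert` call `.Do()` directly, so the cancellation and deadlines that SetScalingGroupImage and ListScalingGroups receive through `ctx` no longer reach these Compute API requests. Thread it through, e.g. `return c.InstanceTemplatesService.Get(project, template).Context(ctx).Do()` (likewise for Delete and Insert), which in turn means the `instanceTemplateAPI` interface in api.go and its test stub need a leading `ctx context.Context` parameter again. The wrapper also keeps a no-op `Close()` that the interface no longer declares; harmless, but it reads as dead code and a short comment such as `// Close is a no-op: the REST service holds no connection to release.` would make the intent explicit.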
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/instancegroupmanagers_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/instancegroupmanagers_test.go index 365d61a62..23cce1ab2 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/instancegroupmanagers_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/instancegroupmanagers_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/instancetemplate.go b/operators/constellation-node-operator/internal/cloud/gcp/client/instancetemplate.go index e7c5c7a88..85c1f6979 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/instancetemplate.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/instancetemplate.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/instancetemplate_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/instancetemplate_test.go index 67e36b7f8..242fa09be 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/instancetemplate_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/instancetemplate_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client 
diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/metadata.go b/operators/constellation-node-operator/internal/cloud/gcp/client/metadata.go index ce11c214f..a8a89345a 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/metadata.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/metadata.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/metadata_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/metadata_test.go index 8c262e9e6..c4dff26bc 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/metadata_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/metadata_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage.go b/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage.go index 03182ad8b..e69750321 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage_test.go index 5fe9abd92..8ce178dca 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/nodeimage_test.go 
@@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client import ( + "context" "errors" "math/rand" "testing" @@ -100,7 +101,7 @@ func TestGetNodeImage(t *testing.T) { disk: tc.disk, }, } - gotImage, err := client.GetNodeImage(t.Context(), tc.providerID) + gotImage, err := client.GetNodeImage(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return @@ -161,7 +162,7 @@ func TestGetScalingGroupID(t *testing.T) { instance: &instance, }, } - gotScalingGroupID, err := client.GetScalingGroupID(t.Context(), tc.providerID) + gotScalingGroupID, err := client.GetScalingGroupID(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return @@ -220,7 +221,7 @@ func TestCreateNode(t *testing.T) { }, prng: rand.New(rand.NewSource(int64(time.Now().Nanosecond()))), } - instanceName, providerID, err := client.CreateNode(t.Context(), tc.scalingGroupID) + instanceName, providerID, err := client.CreateNode(context.Background(), tc.scalingGroupID) if tc.wantErr { assert.Error(err) return @@ -286,7 +287,7 @@ func TestDeleteNode(t *testing.T) { }, }, } - err := client.DeleteNode(t.Context(), tc.providerID) + err := client.DeleteNode(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode.go b/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode.go index 4bacead00..d2c401433 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client 
diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode_test.go index d4a03405a..5791d7fd4 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/pendingnode_test.go @@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client import ( + "context" "errors" "net/http" "testing" @@ -107,7 +108,7 @@ func TestGetNodeState(t *testing.T) { }, }, } - nodeState, err := client.GetNodeState(t.Context(), tc.providerID) + nodeState, err := client.GetNodeState(context.Background(), tc.providerID) if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/project.go b/operators/constellation-node-operator/internal/cloud/gcp/client/project.go index 269f2a5fb..edd131b5d 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/project.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/project.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/project_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/project_test.go index 357fb5ca6..cd0c90326 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/project_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/project_test.go @@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client import ( + "context" "errors" "testing" 
@@ -56,7 +57,7 @@ func TestCanonicalProjectID(t *testing.T) { getErr: tc.getProjectErr, }, } - gotID, err := client.canonicalProjectID(t.Context(), tc.projectID) + gotID, err := client.canonicalProjectID(context.Background(), tc.projectID) if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/providerid.go b/operators/constellation-node-operator/internal/cloud/gcp/client/providerid.go index 847a9167a..6fd197e8a 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/providerid.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/providerid.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/providerid_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/providerid_test.go index 2d9b61894..356d73eb7 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/providerid_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/providerid_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup.go b/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup.go index 991d9ad07..3f10af753 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client 
@@ -16,6 +16,7 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/constants"
 	updatev1alpha1 "github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/api/v1alpha1"
 	cspapi "github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/internal/cloud/api"
+	computeREST "google.golang.org/api/compute/v1"
 	"google.golang.org/api/iterator"
 )
 
@@ -49,29 +50,22 @@ func (c *Client) SetScalingGroupImage(ctx context.Context, scalingGroupID, image
 	}
 
 	// clone template with desired image
-	if instanceTemplate.Name == nil {
+	if instanceTemplate.Name == "" {
 		return fmt.Errorf("instance template of scaling group %q has no name", scalingGroupID)
 	}
-	instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage = &imageURI
-	newTemplateName, err := generateInstanceTemplateName(*instanceTemplate.Name)
+	instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage = imageURI
+	newTemplateName, err := generateInstanceTemplateName(instanceTemplate.Name)
 	if err != nil {
 		return err
 	}
-	instanceTemplate.Name = &newTemplateName
-	op, err := c.instanceTemplateAPI.Insert(ctx, &computepb.InsertInstanceTemplateRequest{
-		Project: project,
-		InstanceTemplateResource: instanceTemplate,
-	})
-	if err != nil {
+	instanceTemplate.Name = newTemplateName
+	if _, err := c.instanceTemplateAPI.Insert(project, instanceTemplate); err != nil {
 		return fmt.Errorf("cloning instance template: %w", err)
 	}
-	if err := op.Wait(ctx); err != nil {
-		return fmt.Errorf("waiting for cloned instance template: %w", err)
-	}
 	newTemplateURI := joinInstanceTemplateURI(project, newTemplateName)
 
 	// update instance group manager to use new template
-	op, err = c.instanceGroupManagersAPI.SetInstanceTemplate(ctx, &computepb.SetInstanceTemplateInstanceGroupManagerRequest{
+	op, err := c.instanceGroupManagersAPI.SetInstanceTemplate(ctx, &computepb.SetInstanceTemplateInstanceGroupManagerRequest{
 		InstanceGroupManager: instanceGroupName,
 		Project: project,
 		Zone: zone,
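Review bot: The cloned template is referenced before its creation is known to have completed: the result of `if _, err := c.instanceTemplateAPI.Insert(project, instanceTemplate); err != nil` is discarded, the former `op.Wait(ctx)` block is removed, and `SetInstanceTemplate` is issued immediately with `newTemplateURI`. The REST Insert returns a `*computeREST.Operation`, which suggests it is asynchronous like the protobuf call it replaces; if so, the instance group manager update can race the template creation and fail on a not-yet-existing template. Keep the returned operation and poll it (for example through the service's GlobalOperations Wait call) before the SetInstanceTemplate call, returning an error wrapped as `waiting for cloned instance template: %w` as before. SetScalingGroupImage starts and ends outside this hunk.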
@@ -135,10 +129,7 @@ func (c *Client) ListScalingGroups(ctx context.Context, uid string) ([]cspapi.Sc
 		if len(templateURI) < 1 {
 			continue // invalid template URI
 		}
-		template, err := c.instanceTemplateAPI.Get(ctx, &computepb.GetInstanceTemplateRequest{
-			Project: c.projectID,
-			InstanceTemplate: templateURI[len(templateURI)-1],
-		})
+		template, err := c.instanceTemplateAPI.Get(c.projectID, templateURI[len(templateURI)-1])
 		if err != nil {
 			retErr = errors.Join(retErr, fmt.Errorf("getting instance template %q: %w", templateURI[len(templateURI)-1], err))
 			continue
@@ -199,7 +190,7 @@ func (c *Client) ListScalingGroups(ctx context.Context, uid string) ([]cspapi.Sc
 	return results, nil
 }
 
-func (c *Client) getScalingGroupTemplate(ctx context.Context, scalingGroupID string) (*computepb.InstanceTemplate, error) {
+func (c *Client) getScalingGroupTemplate(ctx context.Context, scalingGroupID string) (*computeREST.InstanceTemplate, error) {
 	project, zone, instanceGroupName, err := splitInstanceGroupID(scalingGroupID)
 	if err != nil {
 		return nil, err
@@ -219,22 +210,19 @@ func (c *Client) getScalingGroupTemplate(ctx context.Context, scalingGroupID str if err != nil { return nil, fmt.Errorf("splitting instance template name: %w", err) } - instanceTemplate, err := c.instanceTemplateAPI.Get(ctx, &computepb.GetInstanceTemplateRequest{ - InstanceTemplate: instanceTemplateName, - Project: instanceTemplateProject, - }) + instanceTemplate, err := c.instanceTemplateAPI.Get(instanceTemplateProject, instanceTemplateName) if err != nil { return nil, fmt.Errorf("getting instance template %q: %w", instanceTemplateName, err) } return instanceTemplate, nil } -func instanceTemplateSourceImage(instanceTemplate *computepb.InstanceTemplate) (string, error) { +func instanceTemplateSourceImage(instanceTemplate *computeREST.InstanceTemplate) (string, error) { if instanceTemplate.Properties == nil || len(instanceTemplate.Properties.Disks) == 0 || instanceTemplate.Properties.Disks[0].InitializeParams == nil || - instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage == nil { + instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage == "" { return "", errors.New("instance template has no source image") } - return uriNormalize(*instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage), nil + return uriNormalize(instanceTemplate.Properties.Disks[0].InitializeParams.SourceImage), nil } diff --git a/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup_test.go b/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup_test.go index 69faf062e..01629951d 100644 --- a/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup_test.go +++ b/operators/constellation-node-operator/internal/cloud/gcp/client/scalinggroup_test.go @@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package client import ( + "context" "errors" "testing" 
@@ -15,6 +16,7 @@ import ( cspapi "github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/internal/cloud/api" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + computeREST "google.golang.org/api/compute/v1" "google.golang.org/protobuf/proto" ) @@ -22,7 +24,7 @@ func TestGetScalingGroupImage(t *testing.T) { testCases := map[string]struct { scalingGroupID string instanceGroupManagerTemplateID *string - instanceTemplate *computepb.InstanceTemplate + instanceTemplate *computeREST.InstanceTemplate getInstanceGroupManagerErr error getInstanceTemplateErr error wantImage string @@ -31,12 +33,12 @@ func TestGetScalingGroupImage(t *testing.T) { "getting image works": { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Properties: &computepb.InstanceProperties{ - Disks: []*computepb.AttachedDisk{ + instanceTemplate: &computeREST.InstanceTemplate{ + Properties: &computeREST.InstanceProperties{ + Disks: []*computeREST.AttachedDisk{ { - InitializeParams: &computepb.AttachedDiskInitializeParams{ - SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image"), + InitializeParams: &computeREST.AttachedDiskInitializeParams{ + SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image", }, }, }, 
@@ -71,8 +73,8 @@ func TestGetScalingGroupImage(t *testing.T) { "instance template has no disks": { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Properties: &computepb.InstanceProperties{}, + instanceTemplate: &computeREST.InstanceTemplate{ + Properties: &computeREST.InstanceProperties{}, }, wantErr: true, }, @@ -95,7 +97,7 @@ func TestGetScalingGroupImage(t *testing.T) { template: tc.instanceTemplate, }, } - gotImage, err := client.GetScalingGroupImage(t.Context(), tc.scalingGroupID) + gotImage, err := client.GetScalingGroupImage(context.Background(), tc.scalingGroupID) if tc.wantErr { assert.Error(err) return @@ -111,7 +113,7 @@ func TestSetScalingGroupImage(t *testing.T) { scalingGroupID string imageURI string instanceGroupManagerTemplateID *string - instanceTemplate *computepb.InstanceTemplate + instanceTemplate *computeREST.InstanceTemplate getInstanceGroupManagerErr error getInstanceTemplateErr error setInstanceTemplateErr error 
@@ -122,13 +124,13 @@ func TestSetScalingGroupImage(t *testing.T) { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", imageURI: "projects/project/global/images/image-2", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Name: proto.String("instance-template"), - Properties: &computepb.InstanceProperties{ - Disks: []*computepb.AttachedDisk{ + instanceTemplate: &computeREST.InstanceTemplate{ + Name: "instance-template", + Properties: &computeREST.InstanceProperties{ + Disks: []*computeREST.AttachedDisk{ { - InitializeParams: &computepb.AttachedDiskInitializeParams{ - SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image-1"), + InitializeParams: &computeREST.AttachedDiskInitializeParams{ + SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image-1", }, }, }, @@ -139,13 +141,13 @@ func TestSetScalingGroupImage(t *testing.T) { scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group", imageURI: "projects/project/global/images/image", instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"), - instanceTemplate: &computepb.InstanceTemplate{ - Name: proto.String("instance-template"), - Properties: &computepb.InstanceProperties{ - Disks: []*computepb.AttachedDisk{ + instanceTemplate: &computeREST.InstanceTemplate{ + Name: "instance-template", + Properties: &computeREST.InstanceProperties{ + Disks: []*computeREST.AttachedDisk{ { - InitializeParams: &computepb.AttachedDiskInitializeParams{ - SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image"), + InitializeParams: &computeREST.AttachedDiskInitializeParams{ + SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image", }, }, }, 
@@ -181,8 +183,8 @@ func TestSetScalingGroupImage(t *testing.T) {
 "instance template has no disks": {
 scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group",
 instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"),
- instanceTemplate: &computepb.InstanceTemplate{
- Properties: &computepb.InstanceProperties{},
+ instanceTemplate: &computeREST.InstanceTemplate{
+ Properties: &computeREST.InstanceProperties{},
 },
 wantErr: true,
 },
@@ -190,12 +192,12 @@ func TestSetScalingGroupImage(t *testing.T) {
 scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group",
 imageURI: "projects/project/global/images/image-2",
 instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"),
- instanceTemplate: &computepb.InstanceTemplate{
- Properties: &computepb.InstanceProperties{
- Disks: []*computepb.AttachedDisk{
+ instanceTemplate: &computeREST.InstanceTemplate{
+ Properties: &computeREST.InstanceProperties{
+ Disks: []*computeREST.AttachedDisk{
 {
- InitializeParams: &computepb.AttachedDiskInitializeParams{
- SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image-1"),
+ InitializeParams: &computeREST.AttachedDiskInitializeParams{
+ SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image-1",
 },
 },
 },
@@ -207,13 +209,13 @@ func TestSetScalingGroupImage(t *testing.T) {
 scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group",
 imageURI: "projects/project/global/images/image-2",
 instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"),
- instanceTemplate: &computepb.InstanceTemplate{
- Name: proto.String("instance-template-999999999999999999999"),
- Properties: &computepb.InstanceProperties{
- Disks: []*computepb.AttachedDisk{
+ instanceTemplate: &computeREST.InstanceTemplate{
+ Name: "instance-template-999999999999999999999",
+ Properties: &computeREST.InstanceProperties{
+ Disks: []*computeREST.AttachedDisk{
 {
- InitializeParams: &computepb.AttachedDiskInitializeParams{
- SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image-1"),
+ InitializeParams: &computeREST.AttachedDiskInitializeParams{
+ SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image-1",
 },
 },
 },
@@ -225,13 +227,13 @@ func TestSetScalingGroupImage(t *testing.T) {
 scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group",
 imageURI: "projects/project/global/images/image-2",
 instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"),
- instanceTemplate: &computepb.InstanceTemplate{
- Name: proto.String("instance-template"),
- Properties: &computepb.InstanceProperties{
- Disks: []*computepb.AttachedDisk{
+ instanceTemplate: &computeREST.InstanceTemplate{
+ Name: "instance-template",
+ Properties: &computeREST.InstanceProperties{
+ Disks: []*computeREST.AttachedDisk{
 {
- InitializeParams: &computepb.AttachedDiskInitializeParams{
- SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image-1"),
+ InitializeParams: &computeREST.AttachedDiskInitializeParams{
+ SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image-1",
 },
 },
 },
@@ -244,13 +246,13 @@ func TestSetScalingGroupImage(t *testing.T) {
 scalingGroupID: "projects/project/zones/zone/instanceGroupManagers/instance-group",
 imageURI: "projects/project/global/images/image-2",
 instanceGroupManagerTemplateID: proto.String("projects/project/global/instanceTemplates/instance-template"),
- instanceTemplate: &computepb.InstanceTemplate{
- Name: proto.String("instance-template"),
- Properties: &computepb.InstanceProperties{
- Disks: []*computepb.AttachedDisk{
+ instanceTemplate: &computeREST.InstanceTemplate{
+ Name: "instance-template",
+ Properties: &computeREST.InstanceProperties{
+ Disks: []*computeREST.AttachedDisk{
 {
- InitializeParams: &computepb.AttachedDiskInitializeParams{
- SourceImage: proto.String("https://www.googleapis.com/compute/v1/projects/project/global/images/image-1"),
+ InitializeParams: &computeREST.AttachedDiskInitializeParams{
+ SourceImage: "https://www.googleapis.com/compute/v1/projects/project/global/images/image-1",
 },
 },
 },
@@ -280,7 +282,7 @@ func TestSetScalingGroupImage(t *testing.T) {
 template: tc.instanceTemplate,
 },
 }
- err := client.SetScalingGroupImage(t.Context(), tc.scalingGroupID, tc.imageURI)
+ err := client.SetScalingGroupImage(context.Background(), tc.scalingGroupID, tc.imageURI)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -447,15 +449,15 @@ func TestListScalingGroups(t *testing.T) {
 },
 },
 instanceTemplateAPI: &stubInstanceTemplateAPI{
- template: &computepb.InstanceTemplate{
- Properties: &computepb.InstanceProperties{
+ template: &computeREST.InstanceTemplate{
+ Properties: &computeREST.InstanceProperties{
 Labels: tc.templateLabels,
 },
 },
 getErr: tc.templateGetErr,
 },
 }
- gotGroups, err := client.ListScalingGroups(t.Context(), "uid")
+ gotGroups, err := client.ListScalingGroups(context.Background(), "uid")
 if tc.wantErr {
 assert.Error(err)
 return
diff --git a/operators/constellation-node-operator/internal/constants/constants.go b/operators/constellation-node-operator/internal/constants/constants.go
index df85aed00..b057df59c 100644
--- a/operators/constellation-node-operator/internal/constants/constants.go
+++ b/operators/constellation-node-operator/internal/constants/constants.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package constants
diff --git a/operators/constellation-node-operator/internal/controlplane/controlplane.go b/operators/constellation-node-operator/internal/controlplane/controlplane.go
index 61a7d73e1..59f77ad8d 100644
--- a/operators/constellation-node-operator/internal/controlplane/controlplane.go
+++ b/operators/constellation-node-operator/internal/controlplane/controlplane.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controlplane
diff --git a/operators/constellation-node-operator/internal/controlplane/controlplane_test.go b/operators/constellation-node-operator/internal/controlplane/controlplane_test.go
index facae56d5..a089f02b3 100644
--- a/operators/constellation-node-operator/internal/controlplane/controlplane_test.go
+++ b/operators/constellation-node-operator/internal/controlplane/controlplane_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package controlplane
diff --git a/operators/constellation-node-operator/internal/deploy/deploy.go b/operators/constellation-node-operator/internal/deploy/deploy.go
index 812ca23c8..fcd79be44 100644
--- a/operators/constellation-node-operator/internal/deploy/deploy.go
+++ b/operators/constellation-node-operator/internal/deploy/deploy.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 // Package deploy provides functions to deploy initial resources for the node operator.
diff --git a/operators/constellation-node-operator/internal/deploy/deploy_test.go b/operators/constellation-node-operator/internal/deploy/deploy_test.go
index 9906e7d45..d091714ae 100644
--- a/operators/constellation-node-operator/internal/deploy/deploy_test.go
+++ b/operators/constellation-node-operator/internal/deploy/deploy_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package deploy
@@ -86,7 +86,7 @@ func TestInitialResources(t *testing.T) {
 },
 }
 scalingGroupGetter := newScalingGroupGetter(tc.items, tc.imageErr, tc.nameErr, tc.listErr)
- err := InitialResources(t.Context(), k8sClient, &stubImageInfo{}, scalingGroupGetter, "uid")
+ err := InitialResources(context.Background(), k8sClient, &stubImageInfo{}, scalingGroupGetter, "uid")
 if tc.wantErr {
 assert.Error(err)
 return
@@ -156,7 +156,7 @@ func TestCreateAutoscalingStrategy(t *testing.T) { require := require.New(t) k8sClient := &fakeK8sClient{createErr: tc.createErr} - err := createAutoscalingStrategy(t.Context(), k8sClient, "stub") + err := createAutoscalingStrategy(context.Background(), k8sClient, "stub") if tc.wantErr { assert.Error(err) return @@ -246,7 +246,7 @@ func TestCreateNodeVersion(t *testing.T) { if tc.existingNodeVersion != nil { k8sClient.createdObjects = append(k8sClient.createdObjects, tc.existingNodeVersion) } - err := createNodeVersion(t.Context(), k8sClient, "image-reference", "image-version") + err := createNodeVersion(context.Background(), k8sClient, "image-reference", "image-version") if tc.wantErr { assert.Error(err) return diff --git a/operators/constellation-node-operator/internal/deploy/imageinfo.go b/operators/constellation-node-operator/internal/deploy/imageinfo.go index 36b14fa95..bcfd5e912 100644 --- a/operators/constellation-node-operator/internal/deploy/imageinfo.go +++ b/operators/constellation-node-operator/internal/deploy/imageinfo.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package deploy diff --git a/operators/constellation-node-operator/internal/deploy/imageinfo_test.go b/operators/constellation-node-operator/internal/deploy/imageinfo_test.go index 949d9d9a6..e5a98b292 100644 --- a/operators/constellation-node-operator/internal/deploy/imageinfo_test.go +++ b/operators/constellation-node-operator/internal/deploy/imageinfo_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package deploy diff --git a/operators/constellation-node-operator/internal/etcd/etcd.go b/operators/constellation-node-operator/internal/etcd/etcd.go index 706e6039e..5f4e33c89 100644 --- a/operators/constellation-node-operator/internal/etcd/etcd.go 
+++ b/operators/constellation-node-operator/internal/etcd/etcd.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package etcd
@@ -127,7 +127,7 @@ func getInitialEndpoints(k8sClient client.Client) ([]string, error) {
 }
 
 type etcdClient interface {
- MemberList(ctx context.Context, opts ...clientv3.OpOption) (*clientv3.MemberListResponse, error)
+ MemberList(ctx context.Context) (*clientv3.MemberListResponse, error)
 MemberRemove(ctx context.Context, memberID uint64) (*clientv3.MemberRemoveResponse, error)
 Sync(ctx context.Context) error
 Close() error
diff --git a/operators/constellation-node-operator/internal/etcd/etcd_test.go b/operators/constellation-node-operator/internal/etcd/etcd_test.go
index 5b9938079..5775140cb 100644
--- a/operators/constellation-node-operator/internal/etcd/etcd_test.go
+++ b/operators/constellation-node-operator/internal/etcd/etcd_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package etcd
@@ -54,7 +54,7 @@ func TestRemoveEtcdMemberFromCluster(t *testing.T) {
 },
 listErr: tc.memberListErr,
 }}
- err := client.RemoveEtcdMemberFromCluster(t.Context(), tc.vpcIP)
+ err := client.RemoveEtcdMemberFromCluster(context.Background(), tc.vpcIP)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -98,7 +98,7 @@ func TestGetMemberID(t *testing.T) {
 members: tc.members,
 listErr: tc.memberListErr,
 }}
- gotMemberID, err := client.getMemberID(t.Context(), "192.0.2.1")
+ gotMemberID, err := client.getMemberID(context.Background(), "192.0.2.1")
 if tc.wantErr {
 assert.Error(err)
 return
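Review bot: Narrowing `etcdClient.MemberList` to `MemberList(ctx context.Context)` in the etcd.go hunk means a concrete client whose `MemberList` still takes variadic `clientv3.OpOption` no longer satisfies the interface, so this compiles only against an etcd client version with the old signature; the matching go.mod change is not in this chunk, so I cannot confirm the two move together. A compile-time check next to the interface makes such a mismatch fail at build time rather than at the first call site, e.g. `var _ etcdClient = (*clientv3.Client)(nil)`, if the file does not already have one. The `etcdClient` interface's closing brace lies outside the hunk, and the stub in etcd_test.go is adjusted in the next hunk of this chunk.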
@@ -185,7 +185,7 @@ type stubEtcdClient struct { closeErr error } -func (c *stubEtcdClient) MemberList(_ context.Context, _ ...clientv3.OpOption) (*clientv3.MemberListResponse, error) { +func (c *stubEtcdClient) MemberList(_ context.Context) (*clientv3.MemberListResponse, error) { return &clientv3.MemberListResponse{ Members: c.members, }, c.listErr diff --git a/operators/constellation-node-operator/internal/executor/executor.go b/operators/constellation-node-operator/internal/executor/executor.go index ae8f54883..10492f88c 100644 --- a/operators/constellation-node-operator/internal/executor/executor.go +++ b/operators/constellation-node-operator/internal/executor/executor.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // Package executor contains a task executor / scheduler for the constellation node operator. diff --git a/operators/constellation-node-operator/internal/executor/executor_test.go b/operators/constellation-node-operator/internal/executor/executor_test.go index 945adfdc1..328425f26 100644 --- a/operators/constellation-node-operator/internal/executor/executor_test.go +++ b/operators/constellation-node-operator/internal/executor/executor_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package executor @@ -29,7 +29,7 @@ func TestStartTriggersImmediateReconciliation(t *testing.T) { } exec := New(ctrl, cfg) // on start, the executor should trigger a reconciliation - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called ctrl.stop <- struct{}{} 
@@ -48,10 +48,10 @@ func TestStartMultipleTimesIsCoalesced(t *testing.T) { } exec := New(ctrl, cfg) // start once - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) // start again multiple times for i := 0; i < 10; i++ { - _ = exec.Start(t.Context()) + _ = exec.Start(context.Background()) } <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called @@ -72,7 +72,7 @@ func TestErrorTriggersImmediateReconciliation(t *testing.T) { RateLimiter: &stubRateLimiter{}, // no rate limiting } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) for i := 0; i < 10; i++ { <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called } @@ -96,7 +96,7 @@ func TestErrorTriggersRateLimiting(t *testing.T) { }, } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called once to trigger rate limiting ctrl.stop <- struct{}{} @@ -120,7 +120,7 @@ func TestRequeueAfterResultRequeueInterval(t *testing.T) { }, } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) for i := 0; i < 10; i++ { <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called } @@ -143,7 +143,7 @@ func TestExternalTrigger(t *testing.T) { }, } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) <-ctrl.waitUntilReconciled // initial trigger for i := 0; i < 10; i++ { exec.Trigger() @@ -167,7 +167,7 @@ func TestSimultaneousExternalTriggers(t *testing.T) { }, } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) <-ctrl.waitUntilReconciled // initial trigger for i := 0; i < 100; i++ { exec.Trigger() // extra trigger calls are coalesced 
@@ -184,7 +184,7 @@ func TestSimultaneousExternalTriggers(t *testing.T) { func TestContextCancel(t *testing.T) { assert := assert.New(t) - ctx, cancel := context.WithCancel(t.Context()) + ctx, cancel := context.WithCancel(context.Background()) ctrl := newStubController(Result{}, nil) cfg := Config{ PollingFrequency: time.Hour * 24 * 365, // 1 year. Should be high enough to not trigger the timer in the test. @@ -219,7 +219,7 @@ func TestRequeueAfterPollingFrequency(t *testing.T) { }, } exec := New(ctrl, cfg) - stopAndWait := exec.Start(t.Context()) + stopAndWait := exec.Start(context.Background()) for i := 0; i < 10; i++ { <-ctrl.waitUntilReconciled // makes sure to wait until reconcile was called } diff --git a/operators/constellation-node-operator/internal/node/node.go b/operators/constellation-node-operator/internal/node/node.go index b94241c5b..854b49906 100644 --- a/operators/constellation-node-operator/internal/node/node.go +++ b/operators/constellation-node-operator/internal/node/node.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package node diff --git a/operators/constellation-node-operator/internal/node/node_test.go b/operators/constellation-node-operator/internal/node/node_test.go index bd746b976..8a11a19aa 100644 --- a/operators/constellation-node-operator/internal/node/node_test.go +++ b/operators/constellation-node-operator/internal/node/node_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package node diff --git a/operators/constellation-node-operator/internal/patch/annotations.go b/operators/constellation-node-operator/internal/patch/annotations.go index 685759350..3f57b1ad1 100644 --- a/operators/constellation-node-operator/internal/patch/annotations.go +++ b/operators/constellation-node-operator/internal/patch/annotations.go 
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package patch
diff --git a/operators/constellation-node-operator/internal/patch/annotations_test.go b/operators/constellation-node-operator/internal/patch/annotations_test.go
index f2571e264..cb8dae133 100644
--- a/operators/constellation-node-operator/internal/patch/annotations_test.go
+++ b/operators/constellation-node-operator/internal/patch/annotations_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package patch
diff --git a/operators/constellation-node-operator/internal/patch/labels.go b/operators/constellation-node-operator/internal/patch/labels.go
index 14970fb00..7aca3a44c 100644
--- a/operators/constellation-node-operator/internal/patch/labels.go
+++ b/operators/constellation-node-operator/internal/patch/labels.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package patch
diff --git a/operators/constellation-node-operator/internal/patch/labels_test.go b/operators/constellation-node-operator/internal/patch/labels_test.go
index b4547259d..b6913f5da 100644
--- a/operators/constellation-node-operator/internal/patch/labels_test.go
+++ b/operators/constellation-node-operator/internal/patch/labels_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package patch
diff --git a/operators/constellation-node-operator/internal/poller/poller.go b/operators/constellation-node-operator/internal/poller/poller.go
index 6c3328e09..26d2e2757 100644
--- a/operators/constellation-node-operator/internal/poller/poller.go
+++ b/operators/constellation-node-operator/internal/poller/poller.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 // Package poller implements a poller that can be used to wait for a condition to be met.
diff --git a/operators/constellation-node-operator/internal/poller/poller_test.go b/operators/constellation-node-operator/internal/poller/poller_test.go
index fac1421f4..e60564150 100644
--- a/operators/constellation-node-operator/internal/poller/poller_test.go
+++ b/operators/constellation-node-operator/internal/poller/poller_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package poller
@@ -49,17 +49,17 @@ func TestResult(t *testing.T) {
 pollErr: tc.pollErr,
 resultErr: tc.resultErr,
 })
- _, firstErr := poller.Result(t.Context())
+ _, firstErr := poller.Result(context.Background())
 if tc.wantErr {
 assert.Error(firstErr)
 // calling Result again should return the same error
- _, secondErr := poller.Result(t.Context())
+ _, secondErr := poller.Result(context.Background())
 assert.Equal(firstErr, secondErr)
 return
 }
 assert.NoError(firstErr)
 // calling Result again should still not return an error
- _, secondErr := poller.Result(t.Context())
+ _, secondErr := poller.Result(context.Background())
 assert.NoError(secondErr)
 })
 }
@@ -136,7 +136,7 @@ func TestPollUntilDone(t *testing.T) {
 wg.Add(1)
 go func() {
 defer wg.Done()
- gotResult, gotErr = poller.PollUntilDone(t.Context(), &PollUntilDoneOptions{
+ gotResult, gotErr = poller.PollUntilDone(context.Background(), &PollUntilDoneOptions{
 MaxBackoff: tc.maxBackoff,
 Clock: clock,
 })
diff --git a/operators/constellation-node-operator/internal/upgrade/upgrade.go b/operators/constellation-node-operator/internal/upgrade/upgrade.go
index ba6a081b0..7204f473d 100644
--- a/operators/constellation-node-operator/internal/upgrade/upgrade.go
+++ b/operators/constellation-node-operator/internal/upgrade/upgrade.go
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package upgrade diff --git a/operators/constellation-node-operator/internal/upgrade/upgrade_test.go b/operators/constellation-node-operator/internal/upgrade/upgrade_test.go index acb725d61..394ffc54d 100644 --- a/operators/constellation-node-operator/internal/upgrade/upgrade_test.go +++ b/operators/constellation-node-operator/internal/upgrade/upgrade_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package upgrade @@ -40,7 +40,7 @@ func TestGRPCDialer(t *testing.T) { require.Equal(os.ModeSocket, fileInfo.Mode()&os.ModeType) upgradeClient := newClientWithAddress(sockAddr) - require.NoError(upgradeClient.Upgrade(t.Context(), []*components.Component{}, "v1.29.6")) + require.NoError(upgradeClient.Upgrade(context.Background(), []*components.Component{}, "v1.29.6")) } type fakeUpgradeAgent struct { diff --git a/operators/constellation-node-operator/main.go b/operators/constellation-node-operator/main.go index 1422541d4..07e3b303b 100644 --- a/operators/constellation-node-operator/main.go +++ b/operators/constellation-node-operator/main.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/operators/constellation-node-operator/sgreconciler/nodejoin_watcher.go b/operators/constellation-node-operator/sgreconciler/nodejoin_watcher.go index 29b01f2bb..2b31aef50 100644 --- a/operators/constellation-node-operator/sgreconciler/nodejoin_watcher.go +++ b/operators/constellation-node-operator/sgreconciler/nodejoin_watcher.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package sgreconciler 
diff --git a/operators/constellation-node-operator/sgreconciler/scalinggroup_controller.go b/operators/constellation-node-operator/sgreconciler/scalinggroup_controller.go
index 3a8529827..ceb5805f4 100644
--- a/operators/constellation-node-operator/sgreconciler/scalinggroup_controller.go
+++ b/operators/constellation-node-operator/sgreconciler/scalinggroup_controller.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package sgreconciler
diff --git a/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_env_test.go b/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_env_test.go
index 85748be5c..bbb20a71e 100644
--- a/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_env_test.go
+++ b/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_env_test.go
@@ -3,7 +3,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package sgreconciler
diff --git a/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_test.go b/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_test.go
index 488f87923..5f312d97b 100644
--- a/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_test.go
+++ b/operators/constellation-node-operator/sgreconciler/scalinggroup_controller_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package sgreconciler
@@ -88,7 +88,7 @@ func TestCreateScalingGroupIfNotExists(t *testing.T) {
 autoscalingGroupName: "autoscaling-group-name",
 role: updatev1alpha1.WorkerRole,
 }
- err := createScalingGroupIfNotExists(t.Context(), newScalingGroupConfig)
+ err := createScalingGroupIfNotExists(context.Background(), newScalingGroupConfig)
 if tc.wantErr {
 assert.Error(err)
 return
@@ -184,7 +184,7 @@ func TestPatchNodeGroupName(t *testing.T) {
 getErr: tc.getErr,
 updateErr: tc.updateErr,
 }
- gotExists, gotErr := patchNodeGroupName(t.Context(), k8sClient, "resource-name", "node-group-name")
+ gotExists, gotErr := patchNodeGroupName(context.Background(), k8sClient, "resource-name", "node-group-name")
 if tc.wantErr {
 assert.Error(gotErr)
 return
diff --git a/operators/constellation-node-operator/sgreconciler/sgreconciler.go b/operators/constellation-node-operator/sgreconciler/sgreconciler.go
index 8cc4c2ada..57abc1cff 100644
--- a/operators/constellation-node-operator/sgreconciler/sgreconciler.go
+++ b/operators/constellation-node-operator/sgreconciler/sgreconciler.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 // Package sgreconciler contains a reconciler that reconciles on cloud provider infrastructure.
diff --git a/operators/constellation-node-operator/sgreconciler/suite_test.go b/operators/constellation-node-operator/sgreconciler/suite_test.go
index ca1e1211c..ffb11a630 100644
--- a/operators/constellation-node-operator/sgreconciler/suite_test.go
+++ b/operators/constellation-node-operator/sgreconciler/suite_test.go
@@ -3,7 +3,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 
 package sgreconciler
diff --git a/renovate.json5 b/renovate.json5
index cba66f393..8424d5473 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -1,418 +1,303 @@ { - $schema: 'https://docs.renovatebot.com/renovate-schema.json', - extends: [ - 'config:recommended', - ':preserveSemverRanges', - 'helpers:pinGitHubActionDigests', - ':separateMajorReleases', - ':semanticCommitsDisabled', + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended", + ":preserveSemverRanges", + "helpers:pinGitHubActionDigests", + ":separateMajorReleases", + ":semanticCommitsDisabled", ], - commitMessagePrefix: 'deps:', - commitMessageAction: 'update', - addLabels: [ - 'dependencies' - ], - postUpdateOptions: [ - 'gomodTidy', - 'gomodUpdateImportPaths', - 'gomodMassage' - ], - ignorePaths: [ - 'internal/constellation/helm/charts/aws-load-balancer-controller/**', - 'internal/constellation/helm/charts/cilium/**', - 'internal/constellation/helm/charts/coredns/**', - 'internal/constellation/helm/charts/edgeless/csi/charts/aws-csi-driver/**', - 'internal/constellation/helm/charts/edgeless/csi/charts/azuredisk-csi-driver/**', - 'internal/constellation/helm/charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/**', - 'internal/constellation/helm/charts/edgeless/csi/charts/openstack-cinder-csi/**', - 'operators/constellation-node-operator/config/manager/kustomization.yaml', - ], - ignoreDeps: [ - 'github.com/edgelesssys/constellation/v2', - 'github.com/daniel-weisse/go-cryptsetup', - // Only update once they fixed dependency violations on their side. 
- 'github.com/google/go-tpm-tools', + "commitMessagePrefix": "deps:", + "commitMessageAction": "update", + "addLabels": ["dependencies"], + "postUpdateOptions": ["gomodTidy", "gomodUpdateImportPaths"], + "prConcurrentLimit": 4, + "ignorePaths": [ + "internal/constellation/helm/charts/cilium/**", + "internal/constellation/helm/charts/edgeless/csi/charts/aws-csi-driver/**", + "internal/constellation/helm/charts/edgeless/csi/charts/azuredisk-csi-driver/**", + "internal/constellation/helm/charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/**", + "internal/constellation/helm/charts/edgeless/csi/charts/openstack-cinder-csi/**", + "operators/constellation-node-operator/config/manager/kustomization.yaml", ], + "ignoreDeps": ["github.com/edgelesssys/constellation/v2"], // Rules for changing renovates behaviour for different packages. // The documentation for configuration options can be found here: // https://docs.renovatebot.com/configuration-options/ - packageRules: [ + "packageRules": [ { - matchManagers: [ - 'gomod' + "matchManagers": ["gomod"], + "matchDepTypes": ["indirect"], + "matchUpdateTypes": [ + "minor", + "patch", + "pin", + "pinDigest", + "digest", + "lockFileMaintenance", + "rollback", + "bump", ], - matchDepTypes: [ - 'indirect' - ], - matchUpdateTypes: [ - 'minor', - 'patch', - 'pin', - 'pinDigest', - 'digest', - 'lockFileMaintenance', - 'rollback', - 'bump', - ], - enabled: true, - prPriority: -30, + "enabled": true, + "prPriority": -30, }, { // Group update of direct Go dependencies. - groupName: 'Go dependencies', - matchManagers: [ - 'gomod' - ], - matchDepTypes: [ - 'require', - 'replace' - ], - matchUpdateTypes: [ - 'bump', - 'digest', - 'lockFileMaintenance', - 'minor', - 'patch', - 'pin', - 'pinDigest', - 'rollback', - ], - matchDepNames: [ - '!github.com/bazelbuild/rules_go', - ], - schedule: [ - 'before 8am on monday', - ], - }, - { - // Group update of rules_go dependencies. 
- groupName: 'rules_go dependencies', - matchManagers: [ - 'gomod', - 'bazel', - 'bazel-module', - ], - matchDepNames: [ - 'github.com/bazelbuild/rules_go', - 'io_bazel_rules_go', - 'rules_go', - ], - schedule: [ - 'before 8am on tuesday', + "groupName": "Go dependencies", + "matchManagers": ["gomod"], + "matchDepTypes": ["require"], + "matchUpdateTypes": [ + "bump", + "digest", + "lockFileMaintenance", + "minor", + "patch", + "pin", + "pinDigest", + "rollback", ], + "schedule": ["before 8am on monday"], }, { // Group update of Terraform dependencies. - groupName: 'Terraform dependencies', - matchManagers: [ - 'terraform' - ], - matchUpdateTypes: [ - 'bump', - 'digest', - 'lockFileMaintenance', - 'minor', - 'patch', - 'pin', - 'pinDigest', - 'rollback', - ], - schedule: [ - 'before 8am on wednesday', + "groupName": "Terraform dependencies", + "matchManagers": ["terraform"], + "matchUpdateTypes": [ + "bump", + "digest", + "lockFileMaintenance", + "minor", + "patch", + "pin", + "pinDigest", + "rollback", ], + "schedule": ["before 8am on wednesday"], }, { - matchManagers: [ - 'bazelisk', - 'bazel', - 'bazel-module', - ], - matchDepNames: [ - 'bazel', - 'bazel_gazelle', - 'gazelle', - ], - groupName: 'bazel (core)', + "matchManagers": ["bazelisk", "bazel", "bazel-module"], + "matchDepNames": ["bazel", "io_bazel_rules_go", "bazel_gazelle", "rules_go", "gazelle"], + "groupName": "bazel (core)", }, { - matchManagers: [ - 'bazel', + "matchManagers": ["bazel"], + "matchDepNames": [ + "!bazel", + "!io_bazel_rules_go", + "!bazel_gazelle", + "!rules_go", + "!gazelle", ], - matchDepNames: [ - '!bazel', - '!io_bazel_rules_go', - '!bazel_gazelle', - '!rules_go', - '!gazelle', - ], - groupName: 'bazel (plugins)', + "groupName": "bazel (plugins)", }, { - matchManagers: [ - 'bazel-module' + "matchManagers": ["bazel-module"], + "matchDepNames": [ + "!bazel", + "!io_bazel_rules_go", + "!bazel_gazelle", + "!rules_go", + "!gazelle", ], - matchDepNames: [ - '!bazel', - 
'!io_bazel_rules_go', - '!bazel_gazelle', - '!rules_go', - '!gazelle', - ], - groupName: 'bazel (modules)', + "groupName": "bazel (modules)", }, { - matchDatasources: [ - 'golang-version' - ], - allowedVersions: '1.23', + "matchDatasources": ["golang-version"], + "allowedVersions": "1.23", }, { - matchManagers: [ - 'pip_requirements' - ], - groupName: 'Python dependencies', + "matchManagers": ["pip_requirements"], + "groupName": "Python dependencies", }, { - matchManagers: [ - 'github-actions' - ], - groupName: 'GitHub action dependencies', - matchUpdateTypes: [ - 'major', - 'minor', - 'patch', - 'pin', - 'pinDigest', - 'digest', - 'lockFileMaintenance', - 'rollback', - 'bump', - ], - schedule: [ - 'before 8am on tuesday' + "matchManagers": ["github-actions"], + "groupName": "GitHub action dependencies", + "matchUpdateTypes": [ + "major", + "minor", + "patch", + "pin", + "pinDigest", + "digest", + "lockFileMaintenance", + "rollback", + "bump", ], + "schedule": ["before 8am on tuesday"], }, { - matchDepNames: [ - 'kubernetes/kubernetes' + "matchDepNames": ["kubernetes/kubernetes"], + // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) + "versioning": "regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$", + "groupName": "Kubernetes versions", + "prPriority": 15, + }, + { + "matchDepNames": [ + "registry.k8s.io/provider-aws/cloud-controller-manager", ], // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) - versioning: 'regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$', - groupName: 'Kubernetes versions', - prPriority: 15, + "versioning": "regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$", + "groupName": "K8s constrained AWS versions", + "prPriority": 15, }, { - matchDepNames: [ - 'registry.k8s.io/provider-aws/cloud-controller-manager', + "matchDepNames": [ + "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager", + "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager", ], // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) - versioning: 
'regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$', - groupName: 'K8s constrained AWS versions', - prPriority: 15, + "versioning": "regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$", + "groupName": "K8s constrained Azure versions", + "prPriority": 15, }, { - matchDepNames: [ - 'mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager', - 'mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager', + "matchDepNames": [ + "docker.io/k8scloudprovider/openstack-cloud-controller-manager", ], // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) - versioning: 'regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$', - groupName: 'K8s constrained Azure versions', - prPriority: 15, + "versioning": "regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$", + "groupName": "K8s constrained OpenStack versions", + "prPriority": 15, }, { - matchDepNames: [ - 'docker.io/k8scloudprovider/openstack-cloud-controller-manager', - ], + "matchDepNames": ["registry.k8s.io/autoscaling/cluster-autoscaler"], // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) - versioning: 'regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$', - groupName: 'K8s constrained OpenStack versions', - prPriority: 15, + "versioning": "regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$", + "groupName": "K8s constrained GCP versions", + "prPriority": 15, }, { - matchDepNames: [ - 'registry.k8s.io/autoscaling/cluster-autoscaler' - ], - // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch) - versioning: 'regex:^(?v?\\d+\\.\\d+\\.)(?\\d+)$', - groupName: 'K8s constrained GCP versions', - prPriority: 15, - }, - { - matchDepNames: [ - 'ghcr.io/edgelesssys/cloud-provider-gcp' - ], + "matchDepNames": ["ghcr.io/edgelesssys/cloud-provider-gcp"], // example match: v1.2.3 (1. 
-> compatibility, 2 -> minor, 3 -> patch) - versioning: 'regex:^(?v\\d+\\.)(?\\d+)\\.(?\\d+)$', - groupName: 'cloud-provider-gcp (K8s version constrained)', - prPriority: 15, + "versioning": "regex:^(?v\\d+\\.)(?\\d+)\\.(?\\d+)$", + "groupName": "cloud-provider-gcp (K8s version constrained)", + "prPriority": 15, }, { - matchPackageNames: [ - 'ghcr.io/edgelesssys/{/,}**', - '!ghcr.io/edgelesssys/cloud-provider-gcp', - '!ghcr.io/edgelesssys/constellation/s3proxy', - ], - versioning: 'semver', + "matchPackagePrefixes": ["ghcr.io/edgelesssys/"], + "excludePackageNames": ["ghcr.io/edgelesssys/cloud-provider-gcp"], + "versioning": "semver", // Allow packages of ghcr.io/edgelesssys to update to unstable prereleases. // This is necessary because renovate will not update minor versions of // containers that are already tagged as a prerelease in the code // if this is not set. - ignoreUnstable: false, - groupName: 'Constellation containers', - prPriority: 20, - schedule: [ - 'before 8am on thursday' - ], + "ignoreUnstable": false, + "groupName": "Constellation containers", + "prPriority": 20, + "schedule": ["before 8am on thursday"], }, { - matchDepNames: [ - 'registry.k8s.io/kas-network-proxy/proxy-agent', - 'registry.k8s.io/kas-network-proxy/proxy-server', + "matchDepNames": [ + "registry.k8s.io/kas-network-proxy/proxy-agent", + "registry.k8s.io/kas-network-proxy/proxy-server", ], - versioning: 'semver', - groupName: 'K8s version independent containers', - prPriority: 15, + "versioning": "semver", + "groupName": "K8s version independent containers", + "prPriority": 15, }, { - matchDepNames: [ - '^k8s.io/client-go' - ], - matchUpdateTypes: [ - 'major' - ], - enabled: false, + "matchDepNames": ["^k8s.io/client-go"], + "matchUpdateTypes": ["major"], + "enabled": false, }, { - matchCategories: [ - 'python', - 'js', - 'node' - ], - prPriority: -20, + "matchCategories": ["python", "js", "node"], + "prPriority": -20, }, { - matchManagers: [ - 'github-actions' - ], - 
matchDepNames: [ - 'slsa-framework/slsa-github-generator' - ], - pinDigests: false, + "matchManagers": ["github-actions"], + "matchDepNames": ["slsa-framework/slsa-github-generator"], + "pinDigests": false, }, { - additionalBranchPrefix: '{{packageName}}-', - groupName: '{{packageName}}', - matchDepNames: [ - '/_(darwin|linux)_(arm64|amd64)$/', - ], + "matchDepPatterns": ["_(darwin|linux)_(arm64|amd64)$"], + "additionalBranchPrefix": "{{packageName}}-", + "groupName": "{{packageName}}", }, ], // Regex Managers allow detection of other versions in files that renovate // cannot parse by default. For more information, look at // https://docs.renovatebot.com/modules/manager/regex/ . - customManagers: [ + "regexManagers": [ { - customType: 'regex', - fileMatch: [ - '(^|\\/)versions.go$' - ], - matchStrings: [ + "fileMatch": ["(^|\\/)versions.go$"], + "matchStrings": [ // Match all container packages. // example match:' "registry.io/owner/foo/bar:v1.2.3@sha256:somehash" // renovate:container' // (registry.io/owner/foo/bar -> depName, v1.2.3 -> currentValue, sha256:somehash -> currentDigest) - ' \"(?[^\"]*?):(?[^\"]*?)@(?sha256:[a-f0-9]+)\"[^\\n]+\\/\\/ renovate:container', + " \"(?[^\"]*?):(?[^\"]*?)@(?sha256:[a-f0-9]+)\"[^\\n]+\\/\\/ renovate:container", ], - datasourceTemplate: 'docker', + "datasourceTemplate": "docker", }, { - customType: 'regex', - fileMatch: [ - '(^|\\/)versions.go$' - ], - matchStrings: [ + "fileMatch": ["(^|\\/)versions.go$"], + "matchStrings": [ // Match kubernetes releases. 
- // example match:' "https://dl.k8s.io/v1.2.3/foo" // renovate:kubernetes-release' + // example match:' "https://storage.googleapis.com/kubernetes-release/release/v1.2.3/foo" // renovate:kubernetes-release' // (v1.2.3 -> currentValue) - ' \"https:\\/\\/dl\\.k8s\\.io\\/(?[^\\/\\s\"]+)\\/[^\"]+\"[^\\n]+\\/\\/ renovate:kubernetes-release', + " \"https:\\/\\/storage\\.googleapis\\.com\\/kubernetes-release\\/release\\/(?[^\\/\\s\"]+)\\/[^\"]+\"[^\\n]+\\/\\/ renovate:kubernetes-release", // Match kubernetes releases. // example match:' " "v1.2.3" // renovate:kubernetes-release"' // (v1.2.3 -> currentValue) - ' \"(?v\\d+\\.\\d+\\.\\d+)\"[^\\n]+\\/\\/ renovate:kubernetes-release', + " \"(?v\\d+\\.\\d+\\.\\d+)\"[^\\n]+\\/\\/ renovate:kubernetes-release", ], - depNameTemplate: 'kubernetes/kubernetes', - datasourceTemplate: 'github-releases', + "depNameTemplate": "kubernetes/kubernetes", + "datasourceTemplate": "github-releases", }, { - customType: 'regex', - fileMatch: [ - '(^|\\/)versions.go$', - '[.]github\\/(actions|workflows)\\/.*[.]ya?ml' - ], - matchStrings: [ + "fileMatch": ["(^|\\/)versions.go$", "[.]github\\/(actions|workflows)\\/.*[.]ya?ml"], + "matchStrings": [ // Match github releases. // example match:' "https://github.com/foo/bar/releases/download/v1.2.3/foo.bin" // renovate:github-release' // (foo/bar -> depName, v1.2.3 -> currentValue) - 'https:\\/\\/github\\.com\\/(?[^\\/\\s\"]+\\/[^\\/\\s\"]+)\\/releases\\/download\\/(?[^\\/\\s\"]+).*renovate:github-release', + "https:\\/\\/github\\.com\\/(?[^\\/\\s\"]+\\/[^\\/\\s\"]+)\\/releases\\/download\\/(?[^\\/\\s\"]+).*renovate:github-release", ], - datasourceTemplate: 'github-releases', + "datasourceTemplate": "github-releases", }, { - customType: 'regex', - fileMatch: [ - '(^|\\/)versions.go$' - ], - matchStrings: [ + "fileMatch": ["(^|\\/)versions.go$"], + "matchStrings": [ // Match kubernetes cri-tools releases (https://github.com/kubernetes-sigs/cri-tools). 
// example Match:' "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.2.3/foo"' // (v1.2.3 -> currentValue) - ' \"https:\\/\\/github\\.com\\/kubernetes-sigs\\/cri-tools\\/releases\\/download\\/(?[^\\/\\s\"]+)\\/[^\"]+\"', + " \"https:\\/\\/github\\.com\\/kubernetes-sigs\\/cri-tools\\/releases\\/download\\/(?[^\\/\\s\"]+)\\/[^\"]+\"", ], - depNameTemplate: 'kubernetes-sigs/cri-tools', - datasourceTemplate: 'github-releases', - autoReplaceStringTemplate: ' \"https://github.com/kubernetes-sigs/cri-tools/releases/download/{{{newValue}}}/crictl-{{{newValue}}}-linux-amd64.tar.gz\"', + "depNameTemplate": "kubernetes-sigs/cri-tools", + "datasourceTemplate": "github-releases", + "autoReplaceStringTemplate": " \"https://github.com/kubernetes-sigs/cri-tools/releases/download/{{{newValue}}}/crictl-{{{newValue}}}-linux-amd64.tar.gz\"", }, { - customType: 'regex', - fileMatch: [ - 'versions.go$' - ], - matchStrings: [ + "fileMatch": ["versions.go$"], + "matchStrings": [ // Match containernetworking plugin releases (https://github.com/containernetworking/plugins). 
// example Match:' "https://github.com/containernetworking/plugins/releases/download/v1.2.3/foo"' // (v1.2.3 -> currentValue) - ' \"https:\\/\\/github\\.com\\/containernetworking\\/plugins\\/releases\\/download\\/(?[^\\/\\s\"]+)\\/[^\"]+\"', + " \"https:\\/\\/github\\.com\\/containernetworking\\/plugins\\/releases\\/download\\/(?[^\\/\\s\"]+)\\/[^\"]+\"", ], - depNameTemplate: 'containernetworking/plugins', - datasourceTemplate: 'github-releases', - autoReplaceStringTemplate: ' \"https://github.com/containernetworking/plugins/releases/download/{{{newValue}}}/cni-plugins-linux-amd64-{{{newValue}}}.tgz\"', + "depNameTemplate": "containernetworking/plugins", + "datasourceTemplate": "github-releases", + "autoReplaceStringTemplate": " \"https://github.com/containernetworking/plugins/releases/download/{{{newValue}}}/cni-plugins-linux-amd64-{{{newValue}}}.tgz\"", }, { - customType: 'regex', - fileMatch: [ - '\\.yaml$', - '\\.yml$' - ], - matchStrings: [ + "fileMatch": ["\\.yaml$", "\\.yml$"], + "matchStrings": [ // Match `go install` commands. - // example Match: 'go install foo.bar@0000000000000000000000000000000000000000' + // example Match: "go install foo.bar@0000000000000000000000000000000000000000" // (foo.bar -> depName, 0000000000000000000000000000000000000000 -> currentValue) - 'go install (?[^@]+?)@(?[0-9a-f]{40})', + "go install (?[^@]+?)@(?[0-9a-f]{40})", ], - datasourceTemplate: 'go', + "datasourceTemplate": "go", }, { - customType: 'regex', - fileMatch: [ - '(^|\\/)e2e_s3proxy/action.yml$' - ], - matchStrings: [ + "fileMatch": ["(^|\\/)e2e_s3proxy/action.yml$"], + "matchStrings": [ // Match mint tags (ghcr.io/edgelesssys/mint). 
 // example Match:' "ghcr.io/edgelesssys/mint:v1.2.3"'
 // (ghcr.io/edgelesssys/mint -> depName, v1.2.3 -> currentValue)
- 'IMAGE: \"(?[^\"]*?):(?[^\"]*?)@(?sha256:[a-f0-9]+)\"[^\\n]+# renovate:mint-fork',
+ "IMAGE: \"(?[^\"]*?):(?[^\"]*?)@(?sha256:[a-f0-9]+)\"[^\\n]+# renovate:mint-fork",
 ],
- datasourceTemplate: 'docker',
+ "datasourceTemplate": "docker",
 },
 ],
 }
diff --git a/rfc/016-node-access.md b/rfc/016-node-access.md
index abc495400..0c6875c48 100644
--- a/rfc/016-node-access.md
+++ b/rfc/016-node-access.md
@@ -1,3 +1,7 @@
+---
+status: approved, not implemented
+---
+
 # RFC 016: Node Access
 ## Background
diff --git a/s3proxy/cmd/main.go b/s3proxy/cmd/main.go
index 9db11dea8..b0a017856 100644
--- a/s3proxy/cmd/main.go
+++ b/s3proxy/cmd/main.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
@@ -40,6 +40,13 @@ func main() {
 panic(err)
 }
+ // logLevel can be made a public variable so logging level can be changed dynamically.
+ // TODO (derpsteb): enable once we are on go 1.21.
+ // logLevel := new(slog.LevelVar)
+ // handler := slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: logLevel})
+ // logger := slog.New(handler)
+ // logLevel.Set(flags.logLevel)
+
 logger := logger.NewJSONLogger(logger.VerbosityFromInt(flags.logLevel))
 if flags.forwardMultipartReqs {
@@ -103,6 +110,12 @@ func parseFlags() (cmdFlags, error) {
 return cmdFlags{}, fmt.Errorf("not a valid IPv4 address: %s", *ip)
 }
+ // TODO(derpsteb): enable once we are on go 1.21.
+ // logLevel := new(slog.Level)
+ // if err := logLevel.UnmarshalText([]byte(*level)); err != nil {
+ // return cmdFlags{}, fmt.Errorf("parsing log level: %w", err)
+ // }
+
 return cmdFlags{
 noTLS: *noTLS,
 ip: netIP.String(),
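Review bot: The new side of the `renovate.json5` hunk reintroduces option names that current Renovate releases treat as deprecated: `regexManagers` (now `customManagers` entries with `customType: "regex"`), `matchPackagePrefixes`/`excludePackageNames` (now `matchPackageNames` with `!` negation) and `matchDepPatterns` (now a `/…/` pattern inside `matchDepNames`); Renovate still auto-migrates these with a config-migration warning, so either pin the Renovate version this config is written for or keep the non-deprecated spelling. The `Constellation containers` rule now covers every `ghcr.io/edgelesssys/` image except `cloud-provider-gcp`, so `ghcr.io/edgelesssys/constellation/s3proxy` — which this commit pins in `s3proxy/deploy/deployment-s3proxy.yaml` and `s3proxy/deploy/s3proxy/values.yaml` — falls under `ignoreUnstable: false` and will be bumped to prerelease tags unless that is intended. Removing `github.com/google/go-tpm-tools` and `github.com/daniel-weisse/go-cryptsetup` from `ignoreDeps` also drops the `// Only update once they fixed dependency violations on their side.` guard; if that condition still holds, keep the entry, otherwise record in the commit message why lifting it is safe.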
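Review bot: The two blocks added to `main()` and `parseFlags()` are commented-out code behind a `TODO … enable once we are on go 1.21` note, and the `cmdFlags` struct hunk that follows repeats the pattern; commented-out code is never compiled, so the `slog.NewTextHandler`/`os.Stderr` lines will drift from the real imports and signatures before the TODO is picked up. Prefer a single-line `// TODO(derpsteb): switch to slog.LevelVar once on Go 1.21 so the level can be changed at runtime.` with the sketch kept in the tracking issue. Note also that the `parseFlags()` snippet would change the flag contract when enabled: `slog.Level.UnmarshalText` parses level names such as `DEBUG`, whereas `--level` is currently an int handed to `logger.VerbosityFromInt` (the deployment manifest passes `--level=-1`), so the flag's documented values must change with it. Both enclosing functions start and end outside these hunks.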
@@ -121,5 +134,7 @@ type cmdFlags struct {
 certLocation string
 kmsEndpoint string
 forwardMultipartReqs bool
- logLevel int
+ // TODO(derpsteb): enable once we are on go 1.21.
+ // logLevel slog.Level
+ logLevel int
 }
diff --git a/s3proxy/deploy/deployment-s3proxy.yaml b/s3proxy/deploy/deployment-s3proxy.yaml
index 73c7bf098..aa8e4b1f0 100644
--- a/s3proxy/deploy/deployment-s3proxy.yaml
+++ b/s3proxy/deploy/deployment-s3proxy.yaml
@@ -72,7 +72,7 @@ spec:
 spec:
 containers:
 - name: s3proxy
- image: ghcr.io/edgelesssys/constellation/s3proxy:v2.23.0
+ image: ghcr.io/edgelesssys/constellation/s3proxy:v2.13.0-pre
 args:
 - "--level=-1"
 ports:
diff --git a/s3proxy/deploy/s3proxy/Chart.yaml b/s3proxy/deploy/s3proxy/Chart.yaml
index f07afba51..61d62946b 100644
--- a/s3proxy/deploy/s3proxy/Chart.yaml
+++ b/s3proxy/deploy/s3proxy/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: s3proxy
 description: Helm chart to deploy s3proxy.
 type: application
-version: 0.0.0
+version: 2.20.0
diff --git a/s3proxy/deploy/s3proxy/values.yaml b/s3proxy/deploy/s3proxy/values.yaml
index d70f349e3..60f9b7717 100644
--- a/s3proxy/deploy/s3proxy/values.yaml
+++ b/s3proxy/deploy/s3proxy/values.yaml
@@ -1,12 +1,9 @@
 # Secrets to use for S3 access.
 awsAccessKeyID: "replaceme"
 awsSecretAccessKey: "replaceme"
-
 # Pod image to deploy.
-image: "ghcr.io/edgelesssys/constellation/s3proxy:v2.23.1"
-
+image: "ghcr.io/edgelesssys/constellation/s3proxy:v2.20.0"
 # Control if multipart uploads are blocked.
 allowMultipart: false
-
 # Number of pod replicas to deploy.
 replicaCount: 1
diff --git a/s3proxy/internal/crypto/crypto.go b/s3proxy/internal/crypto/crypto.go
index 6ab7b6837..bdc117a7b 100644
--- a/s3proxy/internal/crypto/crypto.go
+++ b/s3proxy/internal/crypto/crypto.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
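Review bot: `s3proxy/deploy/deployment-s3proxy.yaml` now pins `ghcr.io/edgelesssys/constellation/s3proxy:v2.13.0-pre` while `s3proxy/deploy/s3proxy/values.yaml` and `Chart.yaml` in the same commit move to `v2.20.0`, so the raw manifest and the Helm chart deploy different s3proxy builds, and the manifest's is a prerelease tag. Neither reference carries an `@sha256:` digest, so either tag can be re-pushed upstream without any change showing up in this repository; pin the same version in both files and add the digest, e.g. `image: "ghcr.io/edgelesssys/constellation/s3proxy:v2.20.0@sha256:<digest of the released image>"`.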
diff --git a/s3proxy/internal/crypto/crypto_test.go b/s3proxy/internal/crypto/crypto_test.go
index 7b55ba54e..4fb17e87d 100644
--- a/s3proxy/internal/crypto/crypto_test.go
+++ b/s3proxy/internal/crypto/crypto_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package crypto
diff --git a/s3proxy/internal/kms/kms.go b/s3proxy/internal/kms/kms.go
index f935c3f2c..f0d71b875 100644
--- a/s3proxy/internal/kms/kms.go
+++ b/s3proxy/internal/kms/kms.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/s3proxy/internal/kms/kms_test.go b/s3proxy/internal/kms/kms_test.go
index 974bce382..cd831ddc4 100644
--- a/s3proxy/internal/kms/kms_test.go
+++ b/s3proxy/internal/kms/kms_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package kms
@@ -60,7 +60,7 @@ func TestGetDataKey(t *testing.T) {
 client.grpc = tc.client
- res, err := client.GetDataKey(t.Context(), "disk-uuid", 32)
+ res, err := client.GetDataKey(context.Background(), "disk-uuid", 32)
 if tc.wantErr {
 assert.Error(err)
 } else {
diff --git a/s3proxy/internal/router/handler.go b/s3proxy/internal/router/handler.go
index c0005fb74..a85b97a1a 100644
--- a/s3proxy/internal/router/handler.go
+++ b/s3proxy/internal/router/handler.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package router
diff --git a/s3proxy/internal/router/object.go b/s3proxy/internal/router/object.go
index 78b69ee7c..d7f6779f1 100644
--- a/s3proxy/internal/router/object.go
+++ b/s3proxy/internal/router/object.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package router
diff --git a/s3proxy/internal/router/router.go b/s3proxy/internal/router/router.go
index c8ab7ebf7..0efa4302f 100644
--- a/s3proxy/internal/router/router.go
+++ b/s3proxy/internal/router/router.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/s3proxy/internal/router/router_test.go b/s3proxy/internal/router/router_test.go
index f3cc1b959..a690ce669 100644
--- a/s3proxy/internal/router/router_test.go
+++ b/s3proxy/internal/router/router_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package router
diff --git a/s3proxy/internal/s3/s3.go b/s3proxy/internal/s3/s3.go
index f02ca4aa1..462530be7 100644
--- a/s3proxy/internal/s3/s3.go
+++ b/s3proxy/internal/s3/s3.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
diff --git a/terraform-provider-constellation/docs/resources/cluster.md b/terraform-provider-constellation/docs/resources/cluster.md
index a88026a23..c2a322582 100644
--- a/terraform-provider-constellation/docs/resources/cluster.md
+++ b/terraform-provider-constellation/docs/resources/cluster.md
@@ -69,7 +69,7 @@ resource "constellation_cluster" "azure_example" {
 See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview/clouds) that Constellation supports.
 - `image` (Attributes) Constellation OS Image to use on the nodes. (see [below for nested schema](#nestedatt--image))
 - `init_secret` (String) Secret used for initialization of the cluster.
-- `kubernetes_version` (String) The Kubernetes version to use for the cluster. The supported versions are [v1.29.15 v1.30.13 v1.31.9].
+- `kubernetes_version` (String) The Kubernetes version to use for the cluster. The supported versions are [v1.28.15 v1.29.11 v1.30.7].
 - `master_secret` (String) Hex-encoded 32-byte master secret for the cluster.
 - `master_secret_salt` (String) Hex-encoded 32-byte master secret salt for the cluster.
 - `measurement_salt` (String) Hex-encoded 32-byte measurement salt for the cluster.
diff --git a/terraform-provider-constellation/examples/full/aws/main.tf b/terraform-provider-constellation/examples/full/aws/main.tf
index 03856e81b..1229d810e 100644
--- a/terraform-provider-constellation/examples/full/aws/main.tf
+++ b/terraform-provider-constellation/examples/full/aws/main.tf
@@ -2,11 +2,11 @@ terraform {
 required_providers {
 constellation = {
 source = "edgelesssys/constellation"
- version = "2.23.1" // replace with the version you want to use
+ version = "2.19.3" // replace with the version you want to use
 }
 random = {
 source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
 }
 }
 }
diff --git a/terraform-provider-constellation/examples/full/azure/main.tf b/terraform-provider-constellation/examples/full/azure/main.tf
index 761406f61..eba3ab291 100644
--- a/terraform-provider-constellation/examples/full/azure/main.tf
+++ b/terraform-provider-constellation/examples/full/azure/main.tf
@@ -2,11 +2,11 @@ terraform {
 required_providers {
 constellation = {
 source = "edgelesssys/constellation"
- version = "2.23.1" // replace with the version you want to use
+ version = "2.19.3" // replace with the version you want to use
 }
 random = {
 source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
 }
 }
 }
diff --git a/terraform-provider-constellation/examples/full/gcp/main.tf b/terraform-provider-constellation/examples/full/gcp/main.tf
index c16906785..b93f6eed8 100644
--- a/terraform-provider-constellation/examples/full/gcp/main.tf
+++ b/terraform-provider-constellation/examples/full/gcp/main.tf
@@ -2,11 +2,11 @@ terraform {
 required_providers {
 constellation = {
 source = "edgelesssys/constellation"
- version = "2.23.1" // replace with the version you want to use
+ version = "2.19.3" // replace with the version you want to use
 }
 random = {
 source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
 }
 }
 }
@@ -45,11 +45,11 @@ resource "random_bytes" "measurement_salt" {
 module "gcp_iam" {
 // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
- source = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/gcp"
- project_id = local.project_id
- name_prefix = local.name
- zone = local.zone
- region = local.region
+ source = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/gcp"
+ project_id = local.project_id
+ service_account_id = "${local.name}-sa"
+ zone = local.zone
+ region = local.region
 }
 module "gcp_infrastructure" {
@@ -81,7 +81,6 @@ module "gcp_infrastructure" {
 project = local.project_id
 internal_load_balancer = false
 cc_technology = local.cc_technology
- iam_service_account_vm = module.gcp_iam.service_account_mail_vm
 }
 data "constellation_attestation" "foo" {
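Review bot: In `examples/full/gcp/main.tf` the `gcp_infrastructure` module call no longer receives `iam_service_account_vm`, and within the visible hunks nothing else hands the account created by `module "gcp_iam"` (now named via `service_account_id = "${local.name}-sa"`) to the VMs. If the infrastructure module falls back to the project's default Compute Engine service account when none is passed — not verifiable from this hunk — the example nodes would run under that account's broad default role instead of the narrower one `gcp_iam` provisions, which is the opposite of what an example should demonstrate. Please confirm the module's behaviour for the pinned version and, if the account is wired implicitly, say so in the comment above `module "gcp_iam"`; both module bodies extend outside the hunks.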
diff --git a/terraform-provider-constellation/examples/full/stackit/main.tf b/terraform-provider-constellation/examples/full/stackit/main.tf
index 403e57e02..500a8db5c 100644
--- a/terraform-provider-constellation/examples/full/stackit/main.tf
+++ b/terraform-provider-constellation/examples/full/stackit/main.tf
@@ -2,11 +2,11 @@ terraform {
 required_providers {
 constellation = {
 source = "edgelesssys/constellation"
- version = "2.23.1" // replace with the version you want to use
+ version = "2.19.3" // replace with the version you want to use
 }
 random = {
 source = "hashicorp/random"
- version = "3.7.2"
+ version = "3.6.3"
 }
 }
 }
diff --git a/terraform-provider-constellation/internal/data/data.go b/terraform-provider-constellation/internal/data/data.go
index 077ae745d..733f76703 100644
--- a/terraform-provider-constellation/internal/data/data.go
+++ b/terraform-provider-constellation/internal/data/data.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 // The data package implements the structures used to pass data between different resources.
diff --git a/terraform-provider-constellation/internal/data/providerdata.go b/terraform-provider-constellation/internal/data/providerdata.go
index 1e9bb6f1f..118272082 100644
--- a/terraform-provider-constellation/internal/data/providerdata.go
+++ b/terraform-provider-constellation/internal/data/providerdata.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package data
diff --git a/terraform-provider-constellation/internal/provider/BUILD.bazel b/terraform-provider-constellation/internal/provider/BUILD.bazel
index e60064603..8f6f573d1 100644
--- a/terraform-provider-constellation/internal/provider/BUILD.bazel
+++ b/terraform-provider-constellation/internal/provider/BUILD.bazel
@@ -110,6 +110,6 @@ go_test(
 "@com_github_hashicorp_terraform_plugin_testing//terraform",
 "@com_github_stretchr_testify//assert",
 "@com_github_stretchr_testify//require",
- "@io_bazel_rules_go//go/runfiles",
+ "@io_bazel_rules_go//go/runfiles:go_default_library",
 ],
 )
diff --git a/terraform-provider-constellation/internal/provider/attestation_data_source.go b/terraform-provider-constellation/internal/provider/attestation_data_source.go
index 4f59504f0..f48c24a13 100644
--- a/terraform-provider-constellation/internal/provider/attestation_data_source.go
+++ b/terraform-provider-constellation/internal/provider/attestation_data_source.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package provider
diff --git a/terraform-provider-constellation/internal/provider/attestation_data_source_test.go b/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
index 3a0b9c578..ff97968e7 100644
--- a/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
+++ b/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package provider
diff --git a/terraform-provider-constellation/internal/provider/cluster_resource.go b/terraform-provider-constellation/internal/provider/cluster_resource.go
index ba7be3d43..978771e83 100644
--- a/terraform-provider-constellation/internal/provider/cluster_resource.go
+++ b/terraform-provider-constellation/internal/provider/cluster_resource.go
@@ -1,7 +1,7 @@
 /*
 Copyright (c) Edgeless Systems GmbH
-SPDX-License-Identifier: BUSL-1.1
+SPDX-License-Identifier: AGPL-3.0-only
 */
 package provider
@@ -15,6 +15,7 @@ import (
 "errors"
 "fmt"
 "io"
+ "net"
 "net/url"
 "regexp"
 "strings"
@@ -549,7 +550,7 @@ func (r *ClusterResource) Configure(_ context.Context, req resource.ConfigureReq
 }
 newDialer := func(validator atls.Validator) *dialer.Dialer {
- return dialer.New(nil, validator, nil)
+ return dialer.New(nil, validator, &net.Dialer{})
 }
 r.newApplier = func(ctx context.Context, _ atls.Validator) *constellation.Applier {
@@ -1093,7 +1094,6 @@ func (r *ClusterResource) apply(ctx context.Context, data *ClusterResourceModel,
 DeployCSIDriver: microserviceCfg.CSIDriver,
 masterSecret: secrets.masterSecret,
 serviceAccURI: serviceAccURI,
- serviceCIDR: networkCfg.IPCidrService.ValueString(),
 }
 if csp == cloudprovider.OpenStack {
 payload.openStackHelmValues = &helm.OpenStackValues{
@@ -1268,7 +1268,6 @@ type applyHelmChartsPayload struct {
 masterSecret uri.MasterSecret // master secret of the cluster.
 serviceAccURI string // URI of the service account used within the cluster.
 openStackHelmValues *helm.OpenStackValues // OpenStack-specific Helm values.
- serviceCIDR string // CIDR used for k8s services - needed for CoreDNS chart.
 }
 // applyHelmCharts applies the Helm charts to the cluster.
@@ -1290,7 +1289,6 @@ func (r *ClusterResource) applyHelmCharts(ctx context.Context, applier *constell
 // The user has previously been warned about this when planning a microservice version change.
 AllowDestructive: helm.AllowDestructive,
 OpenStackValues: payload.openStackHelmValues,
- ServiceCIDR: payload.serviceCIDR,
 }
 if err := applier.AnnotateCoreDNSResources(ctx); err != nil {
diff --git a/terraform-provider-constellation/internal/provider/cluster_resource_test.go b/terraform-provider-constellation/internal/provider/cluster_resource_test.go
index 7831c4c7e..fb1b5c4fc 100644
--- a/terraform-provider-constellation/internal/provider/cluster_resource_test.go
+++ b/terraform-provider-constellation/internal/provider/cluster_resource_test.go
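Review bot: `dialer.New(nil, validator, &net.Dialer{})` in `Configure` hands over a zero-value `net.Dialer`, which carries no `Timeout` and no `KeepAlive`, so a connect to an unresponsive cluster endpoint ends only when the caller's context does. If `dialer.New` does not impose a deadline of its own (not visible in this hunk), consider an explicit bound such as `&net.Dialer{Timeout: 30 * time.Second}` (example value; needs the `time` import) or, if the context bound is deliberate, a comment on that line: `// zero-value net.Dialer: connect timeout is governed solely by the request context`. Separately, the `@@ -1290` hunk keeps the `applier.AnnotateCoreDNSResources(ctx)` call after `ServiceCIDR` is dropped from the Helm options, while the removed field's comment said the CIDR was needed for the CoreDNS chart; worth confirming the chart at the pinned version no longer requires it. `Configure`, `apply` and `applyHelmCharts` all extend outside their hunks.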
@@ -1,12 +1,13 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package provider import ( + "context" "fmt" "regexp" "testing" @@ -95,14 +96,14 @@ func TestViolatedImageConstraint(t *testing.T) { Version: tc.version, } - input, diags := basetypes.NewObjectValueFrom(t.Context(), map[string]attr.Type{ + input, diags := basetypes.NewObjectValueFrom(context.Background(), map[string]attr.Type{ "version": basetypes.StringType{}, "reference": basetypes.StringType{}, "short_path": basetypes.StringType{}, "marketplace_image": basetypes.BoolType{}, }, img) require.Equal(t, 0, diags.ErrorsCount()) - _, _, diags2 := sut.getImageVersion(t.Context(), &ClusterResourceModel{ + _, _, diags2 := sut.getImageVersion(context.Background(), &ClusterResourceModel{ Image: input, }) require.Equal(t, tc.expectedErrorCount, diags2.ErrorsCount()) diff --git a/terraform-provider-constellation/internal/provider/convert.go b/terraform-provider-constellation/internal/provider/convert.go index 09161c776..84e4c8832 100644 --- a/terraform-provider-constellation/internal/provider/convert.go +++ b/terraform-provider-constellation/internal/provider/convert.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package provider diff --git a/terraform-provider-constellation/internal/provider/convert_test.go b/terraform-provider-constellation/internal/provider/convert_test.go index 9efa14f38..2e29378a3 100644 --- a/terraform-provider-constellation/internal/provider/convert_test.go +++ b/terraform-provider-constellation/internal/provider/convert_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package provider 
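Review bot: Replacing `t.Context()` with `context.Background()` in TestViolatedImageConstraint removes the per-test cancellation, so if `getImageVersion` ever blocks (for instance on a network lookup) the test is bounded only by the `go test` timeout rather than ending with the subtest. This is presumably required because the pinned toolchain predates `t.Context()` (Go 1.24), which the hunk does not state; a short comment such as `// context.Background(): t.Context() needs Go 1.24` at the first call would stop a future reader from "fixing" it back and forth. The enclosing test function starts and ends outside the hunk.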
diff --git a/terraform-provider-constellation/internal/provider/image_data_source.go b/terraform-provider-constellation/internal/provider/image_data_source.go index 33288d6a8..6ed11c363 100644 --- a/terraform-provider-constellation/internal/provider/image_data_source.go +++ b/terraform-provider-constellation/internal/provider/image_data_source.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package provider diff --git a/terraform-provider-constellation/internal/provider/image_data_source_test.go b/terraform-provider-constellation/internal/provider/image_data_source_test.go index 789d169e0..986ee1b53 100644 --- a/terraform-provider-constellation/internal/provider/image_data_source_test.go +++ b/terraform-provider-constellation/internal/provider/image_data_source_test.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package provider diff --git a/terraform-provider-constellation/internal/provider/provider.go b/terraform-provider-constellation/internal/provider/provider.go index 1605d1d60..b0eb86c39 100644 --- a/terraform-provider-constellation/internal/provider/provider.go +++ b/terraform-provider-constellation/internal/provider/provider.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ // The provider package implements the Constellation Terraform provider's diff --git a/terraform-provider-constellation/internal/provider/provider_test.go b/terraform-provider-constellation/internal/provider/provider_test.go index a96fdcc37..75c7ade73 100644 --- a/terraform-provider-constellation/internal/provider/provider_test.go +++ b/terraform-provider-constellation/internal/provider/provider_test.go 
@@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package provider diff --git a/terraform-provider-constellation/internal/provider/shared_attributes.go b/terraform-provider-constellation/internal/provider/shared_attributes.go index f3938914d..e1cc4e1dd 100644 --- a/terraform-provider-constellation/internal/provider/shared_attributes.go +++ b/terraform-provider-constellation/internal/provider/shared_attributes.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package provider diff --git a/terraform-provider-constellation/main.go b/terraform-provider-constellation/main.go index cf0824343..447ecc4e6 100644 --- a/terraform-provider-constellation/main.go +++ b/terraform-provider-constellation/main.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package main diff --git a/terraform/assets.go b/terraform/assets.go index 61ada6f1e..9e0d71842 100644 --- a/terraform/assets.go +++ b/terraform/assets.go @@ -1,7 +1,7 @@ /* Copyright (c) Edgeless Systems GmbH -SPDX-License-Identifier: BUSL-1.1 +SPDX-License-Identifier: AGPL-3.0-only */ package terraform diff --git a/terraform/infrastructure/aws/.terraform.lock.hcl b/terraform/infrastructure/aws/.terraform.lock.hcl index 4914aaf10..ec2b3204e 100644 --- a/terraform/infrastructure/aws/.terraform.lock.hcl +++ b/terraform/infrastructure/aws/.terraform.lock.hcl 
@@ -2,52 +2,61 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.98.0" - constraints = "5.98.0" + version = "5.78.0" + constraints = "5.78.0" hashes = [ - "h1:/RMObGCrfJlVoQCf9h88hFkSyLafDXnw6r0yi4gpO80=", - "h1:KgOCdSG6euSc2lquuFlISJU/CzQTRhAO7WoaASxLZRc=", - "h1:neMFK/kP1KT6cTGID+Tkkt8L7PsN9XqwrPDGXVw3WVY=", - "h1:tSqQC0adIJ0VWRrbChyEGjGuWKwibrz+/YJ2Q1ZOs2Y=", - "h1:tfWnOmzoWOvwOGlUx0HrxCfUZq3YHhlkeEbMccAYiec=", - "zh:23377bd90204b6203b904f48f53edcae3294eb072d8fc18a4531c0cde531a3a1", - "zh:2e55a6ea14cc43b08cf82d43063e96c5c2f58ee953c2628523d0ee918fe3b609", - "zh:4885a817c16fdaaeddc5031edc9594c1f300db0e5b23be7cd76a473e7dcc7b4f", - "zh:6ca7177ad4e5c9d93dee4be1ac0792b37107df04657fddfe0c976f36abdd18b5", - "zh:78bf8eb0a67bae5dede09666676c7a38c9fb8d1b80a90ba06cf36ae268257d6f", - "zh:874b5a99457a3f88e2915df8773120846b63d820868a8f43082193f3dc84adcb", - "zh:95e1e4cf587cde4537ac9dfee9e94270652c812ab31fce3a431778c053abf354", + "h1:/EKXECKi3XzLR0SwaEyQucvsQx2TdyIF2DYabr9DVqM=", + "h1:15pt02WPsTWUsLi37o791kSplIqEf2Ihl+zFdBOpKnY=", + "h1:3TLJUm+6523EtS8W8G4f22e0bp2MpZ72f9qptc31WD8=", + "h1:EGEcXHT4WdxUTRSPzjevCNXStQ+u2eeQB4EmOSp2nPc=", + "h1:GwVGbd+IHAq+qwGs2QKuxazKzrJhSWVicYyGBPftuG0=", + "h1:OUmta/bL/0S6g4K/Mn1LBkEnMWNCq4dLsfYrdrllcEo=", + "h1:cxjNJTMeoxw0csix1iWp4m2esNUOuFfVbIAacUGjYSQ=", + "h1:kB3dnSsazjI63RZdz2gldCkDFw8KI0IJd6RbhqxrE6I=", + "h1:o7jz+dFixEcwjfdubken5ldmDJm1tkvM2adPtNDei3g=", + "h1:vIzenE93tNUfA/hFcwB6wouenp59n9g2J6FNPfJAOpg=", + "h1:zA5P+U4hv2P52fwfLNjAIA2jS9xOn4xCmrXrOMKH8gs=", + "h1:zKNuYrqjerfmrU0bgKQtubN/NiMLRXP4HTThTm1WfJE=", + "h1:zYvhhpw56OF8ClJezKBdKV0+6elVM3FYEAjaNWAinjk=", + "h1:zel31ZX4jCQoeQXydOfcm4ncD9aj+437F9Cr1eoCumM=", + "zh:0ae7d41b96441d0cf7ce2e1337657bdb2e1e5c9f1c2227b0642e1dcec2f9dfba", + "zh:21f8f1edf477681ea3b095c02cad6b8e85262e45015de58e84e0c7b2bfe9a1f6", + "zh:2bdc335e341bf98445255549ae93d66cfb9bca706e62b949da98fe467c182cad", + 
"zh:2fe4096e260367a225a9faf4a424d62b87e5498f12cb43bdb6f4e713d11b82c3", + "zh:3c63bb7a7925d65118d17461f4691a22dbb55ea39a7404e4d71f6ccca8765f8b", + "zh:6609a28a1c638a1901d8007b5386868ccfd313b4df2e98b35d9fdef436974e3b", + "zh:7ae3aef43bc4b365824cca4659cf92459d766800656e354bdbf83feabab835e8", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a75145b58b241d64570803e6565c72467cd664633df32678755b51871f553e50", - "zh:aa31b13d0b0e8432940d6892a48b6268721fa54a02ed62ee42745186ee32f58d", - "zh:ae4565770f76672ce8e96528cbb66afdade1f91383123c079c7fdeafcb3d2877", - "zh:b99f042c45bf6aa69dd73f3f6d9cbe0b495b30442c526e0b3810089c059ba724", - "zh:bbb38e86d926ef101cefafe8fe090c57f2b1356eac9fc5ec81af310c50375897", - "zh:d03c89988ba4a0bd3cfc8659f951183ae7027aa8018a7ca1e53a300944af59cb", - "zh:d179ef28843fe663fc63169291a211898199009f0d3f63f0a6f65349e77727ec", + "zh:c314efe454adc6ca483261c6906e64315aeb9db0c0332818714e9b81e07df0f0", + "zh:cd3e30396b554bbc1d260252db8a0f344065d619038fe60ea870689cd32c6aa9", + "zh:d1ba48fd9d8a1cb1daa927fb9e8bb708b857f2792d796e110460c6fdcd896a47", + "zh:d31c8abe75cb9cdc1c59ad9d356a1c3ae1ba8cd29ac15eb7e01b6cd01221ab04", + "zh:dc27c5c2116b4d9b404753f73bccaa635bce21f3bfb4bb7bc8e63225c36c98fe", + "zh:de491f0d05408378413187475c815d8cb2ac6bfa63d0b42a30ad5ee492e51c07", + "zh:eb44b45a40f80a309dd5b0eb7d7fcb2cbfe588fe2f18b173ef5851346898a662", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - 
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } diff --git a/terraform/infrastructure/aws/main.tf b/terraform/infrastructure/aws/main.tf index 6c85d2817..65dff58e1 100644 --- a/terraform/infrastructure/aws/main.tf 
+++ b/terraform/infrastructure/aws/main.tf @@ -2,11 +2,11 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "5.98.0" + version = "5.78.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } @@ -29,7 +29,6 @@ locals { { name = "recovery", port = "9999", health_check = "TCP" }, { name = "join", port = "30090", health_check = "TCP" }, var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [], - var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [], ]) target_group_arns = { control-plane : [ diff --git a/terraform/infrastructure/aws/modules/instance_group/main.tf b/terraform/infrastructure/aws/modules/instance_group/main.tf index f2ae997ea..187917e45 100644 --- a/terraform/infrastructure/aws/modules/instance_group/main.tf +++ b/terraform/infrastructure/aws/modules/instance_group/main.tf @@ -2,11 +2,11 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "5.98.0" + version = "5.78.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } @@ -51,6 +51,15 @@ resource "aws_launch_template" "launch_template" { # use "disabled" to disable SEV-SNP (but still require SNP-capable hardware) # use null to leave the setting unset (allows non-SNP-capable hardware to be used) amd_sev_snp = var.enable_snp ? "enabled" : null + # Disable SMT. We are already disabling it inside the image. + # Disabling SMT only in the image, not in the Hypervisor creates problems. + # Thus, also disable it in the Hypervisor. + # TODO(derpsteb): reenable once AWS confirms it's safe to do so. + # threads_per_core = 1 + # When setting threads_per_core we also have to set core_count. + # For the currently supported SNP instance families (C6a, M6a, R6a) default_cores + # equals the maximum number of available cores. + # core_count = data.aws_ec2_instance_type.instance_data.default_cores } lifecycle { 
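Review bot: The new comment block in the instance_group launch template says that disabling SMT only inside the image "creates problems" and that the hypervisor should match, yet `threads_per_core = 1` and `core_count` remain commented out, so the text describes a configuration that is not actually applied and the effective state (SMT enabled at the hypervisor, disabled in the guest) is left implicit. State the observed problem and the condition under which the TODO can be closed, e.g. `# SMT is currently left enabled at the hypervisor level; setting threads_per_core=1 (plus core_count) is pending AWS confirmation that it is supported on the SNP families (C6a, M6a, R6a).`, so the next reader knows what is in force today and what evidence is needed to change it. The resource `aws_launch_template.launch_template` starts and ends outside the hunk.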
diff --git a/terraform/infrastructure/aws/modules/jump_host/main.tf b/terraform/infrastructure/aws/modules/jump_host/main.tf index f2a34429e..d25115e89 100644 --- a/terraform/infrastructure/aws/modules/jump_host/main.tf +++ b/terraform/infrastructure/aws/modules/jump_host/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "5.98.0" + version = "5.78.0" } } } diff --git a/terraform/infrastructure/aws/modules/load_balancer_target/main.tf b/terraform/infrastructure/aws/modules/load_balancer_target/main.tf index 798ec3511..993e6a9ef 100644 --- a/terraform/infrastructure/aws/modules/load_balancer_target/main.tf +++ b/terraform/infrastructure/aws/modules/load_balancer_target/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "5.98.0" + version = "5.78.0" } } } diff --git a/terraform/infrastructure/aws/modules/public_private_subnet/main.tf b/terraform/infrastructure/aws/modules/public_private_subnet/main.tf index a749fe351..d34dcc9f3 100644 --- a/terraform/infrastructure/aws/modules/public_private_subnet/main.tf +++ b/terraform/infrastructure/aws/modules/public_private_subnet/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "5.98.0" + version = "5.78.0" } } } diff --git a/terraform/infrastructure/aws/outputs.tf b/terraform/infrastructure/aws/outputs.tf index b362ff094..62f220619 100644 --- a/terraform/infrastructure/aws/outputs.tf +++ b/terraform/infrastructure/aws/outputs.tf @@ -45,8 +45,3 @@ output "ip_cidr_node" { value = local.cidr_vpc_subnet_nodes description = "CIDR block of the node network." } - -output "loadbalancer_address" { - value = aws_lb.front_end.dns_name - description = "Public loadbalancer address." -} diff --git a/terraform/infrastructure/aws/variables.tf b/terraform/infrastructure/aws/variables.tf index d55dedabb..67d0ec4d3 100644 --- a/terraform/infrastructure/aws/variables.tf 
+++ b/terraform/infrastructure/aws/variables.tf @@ -85,9 +85,3 @@ variable "additional_tags" { default = {} description = "Additional tags that should be applied to created resources." } - -variable "emergency_ssh" { - type = bool - default = false - description = "Wether to expose the SSH port through the public load balancer." -} diff --git a/terraform/infrastructure/azure/.terraform.lock.hcl b/terraform/infrastructure/azure/.terraform.lock.hcl index a4e090c0d..0e0fc1026 100644 --- a/terraform/infrastructure/azure/.terraform.lock.hcl +++ b/terraform/infrastructure/azure/.terraform.lock.hcl 
@@ -2,62 +2,62 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.29.0" - constraints = "4.29.0" + version = "4.12.0" + constraints = "4.12.0" hashes = [ - "h1:Bde/KCh2xGVCBx/JnixC3I2fmoRTwHXgsapfQ5QG8eg=", - "h1:IyINmgNiLfWx3Istkt5Mz+IJrDhSMhj3/qQeJlC4qS4=", - "h1:KEJAt0mJAACyIKUB5mCk/wqtxKMhivdeW8w6byz5Ll4=", - "h1:Y4gTSs+ZE5YSJVXG2qmsbXmv9Daq5aGM8Ip/GE6nev8=", - "h1:YtcHvTVfVBKbMCp9esoj527R1UK/hU0Zmo3pyQb8YhQ=", - "h1:atJdgnuqk+w3v4Zzhw2B1FZeYYA4su9JfanwNsx+c8o=", - "h1:c9tmtEdVTb9siGa3hVxPrMVl9ij5zijnD02JMHcHjrE=", - "h1:eN0KhMGVepEPpSA+YN5Kaz/v9PFKCafbkqqBzpLJf+g=", - "h1:hNVKlXTx2duXnR6SNKtyQMx7zSIlrxBu66Z0gbyfv3c=", - "h1:jC2GJo4VzTKnKociUDLVv8/+u9Mz+4scZrqbEasV+Y0=", - "h1:m3xYvc9X0pec0Zd1dpn82ALQ+6vwz56RnF/3CbkI2Eg=", - "zh:16590eea68c7c8aedb7af19f690eb34ab6636ef417b3fa9e06ca038fdb4c44b8", - "zh:1c907dfe44d00a54aa63d443004add90188f9a53ef3e919aff8aba92f715f42b", - "zh:258a0ff4198d80cae33c89091cd556d84c1b522c4416458484f23719a0cdf4cc", - "zh:587f5e9b2b33e51b18fb0f372025c961c3f57f2958b388459dd8432412650bda", - "zh:6318ca03bd9dbac272a75bb193688c7d4c4b45c7460289820528f31bcd6c3fe9", - "zh:63e4e8128e26e4c3e0c3b6582ef527245eb35eb5c80ad278dc675ebdf71edeaf", - "zh:845c898a27a84a15ba26e95ee66ac9563f81bc672b5ca216af82d87fe09bd5f8", - "zh:8fa6434fa212d5501185f0adc985d3a3c1e0f449c78f040a4ca640cb1e809cac", - "zh:9b49c0d72ab19aab43b2b48d23c5dddbbe29afae1569a987e6f20ed4c80ddf4c", - "zh:b14cc1ee5e3acf52490de7dd9791cce7953c0ee4bcccf0306aafd256568bd69f", - "zh:cd444836b2579fa42bfca2ae6145d394c41b6438b1ae01078c060bfaf803bb4d", + "h1:2tHjSJI1VW6sUL042kwkTfmOF3rAjZmYzpFucBq0EjQ=", + "h1:3TmHdOUKadLf5mJfYqm2OpsA/jiuqmEvCmR1EnaluF0=", + "h1:81V4UGJgVTzRQgIhYYvDJ1N+WCsQbmBgyCQ0HL/i/ks=", + "h1:9ZTFblaxLkCzg8jvRBk/J7QKV2hjxrwNhVlk96IUr6U=", + "h1:DjLdwL6J0qqUTx02BOMQxfOLHUqlYH+ewRcwFWTiHjY=", + "h1:EDeJjlZGOezaIQ+kiCN8GXRj049Lo42b93rEGlbOscM=", + "h1:U/tpa2Accjlzco7ohA1CEeL3fT/65yqiTf2ydCHhzjE=", + 
"h1:VJfcRLECBhANa1S5yHF3hJtOAzJuqe969XTK8LPbp6U=", + "h1:W6fcPNvsD7ce81J0H3Ib5FBlt5VLq5MlLXQIw+zooPc=", + "h1:tI7FQgfIFIER3wMbZN5mIX24B0mWVNb4r7hi7mUmAw8=", + "h1:wofqhlcgsUPYq6ZrN5hoUE34PDn7jmvK6YlQ0BobjyQ=", + "zh:127709945923a0034ec302c41494b82f0748707ecba15feba9db3af03e2b4709", + "zh:16ce5040984456f332598e1515cfde12b1bba78eae37b7a4b08ec332bbb55d6c", + "zh:1901cf598a048a1f135ed1c723de5e3c501aa7d1399490b7722c44cb61cb566e", + "zh:1b4a1fa65f32de535481ff38bd5869f44582b14b64bd00cc4902439cf2728a8a", + "zh:72ff727353151bd1a41ea1d6b2ecf24157918658ccd02d56acd62a7c4d330a7b", + "zh:78c0e4d7e1701fc5b3227d098807b1ed1c6d80c1ee443c0db89c64aeb317a39f", + "zh:a9964f7d9142cdd6f84673e1e936491f14bf1a44dd51fd55525c42fb05208c83", + "zh:ada1ffdebe10a44fcfa330618376fbd5d5daf7a9faad833496162686a98016d0", + "zh:d02d4d5a1fc4b0cb7975311bf37596456ace782ab195281a48338eb2a0f478c1", + "zh:e0fb626158b0cb7d8c5662a518cee8924b00a87312feff9db40b30e26539aa0f", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa5f683582bc5b12587aa7a78152774f2eaae9cfac0fb61b6de81284abbbea5b", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - 
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:4LlZaEeRPQNeQVS/qkH33e0fw92dZV8bS855mhDZ5GU=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:LFe/7Z6YZvnrBcYhSEQY50DfS3uoDKBakwdqVXcEQkc=", + "h1:N2IQabOiZC5eCEGrfgVS6ChVmRDh1ENtfHgGjnV4QQQ=", + "h1:aP69UhBhTPIVy1laxOTwOVRPB5Gv3WP9wKPyAnYd8DI=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:ph2J8mV6yYVsaN6FIsxhpWv//QuloQESo4tAZU732Uk=", + "h1:swbWBC5hf9ijj1BQcCpwLOI1m1tXH2KNGp8TEqnMiAY=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + 
"zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } diff --git a/terraform/infrastructure/azure/main.tf b/terraform/infrastructure/azure/main.tf index b062010ce..c6383d82b 100644 --- a/terraform/infrastructure/azure/main.tf +++ b/terraform/infrastructure/azure/main.tf @@ -2,11 +2,11 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "4.29.0" + version = "4.12.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } @@ -40,7 +40,6 @@ locals { { name = "recovery", port = "9999", health_check_protocol = "Tcp", path = null, priority = 104 }, { name = "join", port = "30090", health_check_protocol = "Tcp", path = null, priority = 105 }, var.debug ? [{ name = "debugd", port = "4000", health_check_protocol = "Tcp", path = null, priority = 106 }] : [], - var.emergency_ssh ? [{ name = "ssh", port = "22", health_check_protocol = "Tcp", path = null, priority = 107 }] : [], ]) // wildcard_lb_dns_name is the DNS name of the load balancer with a wildcard for the name. // example: given "name-1234567890.location.cloudapp.azure.com" it will return "*.location.cloudapp.azure.com" @@ -182,6 +181,7 @@ module "loadbalancer_backend_control_plane" { } # We cannot delete them right away since we first need to to delete the dependency from the VMSS to this backend pool. +# TODO(@3u13r): Remove this resource after v2.18.0 has been released. module "loadbalancer_backend_worker" { source = "./modules/load_balancer_backend" @@ -192,6 +192,7 @@ module "loadbalancer_backend_worker" { } # We cannot delete them right away since we first need to to delete the dependency from the VMSS to this backend pool. +# TODO(@3u13r): Remove this resource after v2.18.0 has been released. resource "azurerm_lb_backend_address_pool" "all" { loadbalancer_id = azurerm_lb.loadbalancer.id name = "${var.name}-all" 
@@ -232,6 +233,7 @@ resource "azurerm_network_security_rule" "nsg_rule" { for_each = { for o in local.ports : o.name => o } + # TODO(elchead): v2.20.0: remove name suffix and priority offset. Might need to add create_before_destroy to the NSG rule. name = "${each.value.name}-new" priority = each.value.priority + 10 # offset to not overlap with old rules direction = "Inbound" diff --git a/terraform/infrastructure/azure/modules/load_balancer_backend/main.tf b/terraform/infrastructure/azure/modules/load_balancer_backend/main.tf index 4b466bf65..52d5d4fd1 100644 --- a/terraform/infrastructure/azure/modules/load_balancer_backend/main.tf +++ b/terraform/infrastructure/azure/modules/load_balancer_backend/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "4.29.0" + version = "4.12.0" } } } diff --git a/terraform/infrastructure/azure/modules/scale_set/main.tf b/terraform/infrastructure/azure/modules/scale_set/main.tf index d78b84c72..fd5ca1876 100644 --- a/terraform/infrastructure/azure/modules/scale_set/main.tf +++ b/terraform/infrastructure/azure/modules/scale_set/main.tf @@ -2,11 +2,11 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "4.29.0" + version = "4.12.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } diff --git a/terraform/infrastructure/azure/outputs.tf b/terraform/infrastructure/azure/outputs.tf index b3e5d844b..945c793b8 100644 --- a/terraform/infrastructure/azure/outputs.tf +++ b/terraform/infrastructure/azure/outputs.tf @@ -47,11 +47,6 @@ output "ip_cidr_node" { description = "CIDR block of the node network." } -output "loadbalancer_address" { - value = azurerm_public_ip.loadbalancer_ip[0].fqdn - description = "Public loadbalancer address." -} - # Azure-specific outputs output "attestation_url" { 
diff --git a/terraform/infrastructure/azure/variables.tf b/terraform/infrastructure/azure/variables.tf index 64a02a35d..a3ab1fd0b 100644 --- a/terraform/infrastructure/azure/variables.tf +++ b/terraform/infrastructure/azure/variables.tf @@ -101,9 +101,3 @@ variable "additional_tags" { default = {} description = "Additional tags that should be applied to created resources." } - -variable "emergency_ssh" { - type = bool - default = false - description = "Wether to expose the SSH port through the public load balancer." -} diff --git a/terraform/infrastructure/gcp/.terraform.lock.hcl b/terraform/infrastructure/gcp/.terraform.lock.hcl index 5e188a8ce..47ba3a7c5 100644 --- a/terraform/infrastructure/gcp/.terraform.lock.hcl +++ b/terraform/infrastructure/gcp/.terraform.lock.hcl 
@@ -2,61 +2,55 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/google" { - version = "6.36.0" - constraints = "6.36.0" + version = "6.12.0" + constraints = "6.12.0" hashes = [ - "h1:7UUG6owE+FafOHh0JK8BTM0yOlO7/XbHiEDh087fd0E=", - "h1:80HOG2KFPy07zgflMevKhsKrU8tEFvVncVMZOiffqV0=", - "h1:8aaMc8jT1GL3I15Aiz9Lr6k8+u79Fo3D6KA4Np+JUI8=", - "h1:aQ8E+XveXDO6zbqO1upcKqkrWr+5dwxowmQgMZ/zgrM=", - "h1:e/3n+WKR/ikY8m/MIAHOvH1HFY1fng76SEpnvGStxMU=", - "h1:fcjI1cXeKYJDWcgUXL+UPD23HIN4IDJjlc7XVD3i3Bc=", - "h1:iQx5xJnQvBN2aUdQbWZQPmtuT0xjfaNpFJD3qzOvC7U=", - "h1:kRbYOLtROkOjc3XMgptzFWKdgRCjyf2FH0UTlCJXkg8=", - "h1:lxi5P8TBMfiKk88FI4xM2Lnwlk2+Q3r9oa4yrg83x1w=", - "h1:m085EpkXRmg1TqRbPP6RxdVmlwJJujvyfMtznvURS04=", - "h1:vvvbnteZLIMosgsxO6YXDgxGYdU5BuSxPD1w4f4LV6c=", - "zh:0a67432c04d4c74829632cc5669b8c5988f837259333307e07c2915a0529b3fb", - "zh:4559afe21bb59e8fb9e3e7414ea65b6be233e8f217e8683dd0e9c347ecadf910", - "zh:58a34fe3b28271deba9a44db1e704c2844f2e30e252ded5f200a8f9af170d52d", - "zh:6b07f388b4fb2189d9fe3a058831e5c755092f7bd5f7388a1c0d9583f8c43ef0", - "zh:6fae25f93bf4a6fd59ce0f9d05e8551b65b4be7084f5e6e5f528ab011dbbef6a", - "zh:73be19906c569f1d46b8f88d3e846bd8dabd6ed65d8ba9a91f67da5365b534dc", - "zh:7b047330342f600e92c02e248f72eefae1a2e01c16ef45cc533942eb73c49c06", - "zh:9fecf5cdf1a16b9b9c1e83dc6129a40bfbc9e640252d2afddd34dc61de213330", - "zh:c557ea7357880615af290452ff06bc23bd3821132783240bd7cd75aadf16a04a", - "zh:dc11ad9a0b595b70490326563ea5f77de9c69aba0ee959971392e46b10a3c246", - "zh:ed8dc5d5ce3d8e3c1648c3fc6f48a19da9ed38d0157c33019c74b7790480c29f", + "h1:D6eBvo6Qs3OXXMwB2vFBhKuiL/TMNu5bBtjznSPbBH0=", + "h1:JuVRL27b9/g/FdblPwGZEacECBZRIuHZ+nzRgpIDduo=", + "h1:MgQU4YOpoJQngarNuPfvNKF4r7YyqYii7DBOiiaKBEw=", + "h1:OQp1STR+bhXfBQKs02krIJuELZ2c4GmGhlBd4bSq128=", + "h1:OvpG2uAeuIc19TFOQrr+s7Ded6sVBripLWLIzeWn90U=", + "h1:PmkvZRF8v7SszpUP4l9gXfhlVwq3z+HrTE39qusLrBw=", + "h1:WZulOZ1tthsLm/w7t7yy3C7JZ8QIXfO+QMEEW1pjrAY=", + 
"h1:Yez7eMayTGGmX/LCIDD3Xgnktpv/701g2zotNmg6u2o=", + "h1:nQTLHstv9bSviqpeBRzCfUG1lD8j+3f6Daxuv32At8k=", + "h1:rvZHMkoxkHrBYQXb/waoZiD2oo3FS1AF8HoWHlb6SN8=", + "h1:zpwamvGGsck1qNunJeyfolgiBDOJpXVINPzLLSECpjY=", + "zh:14701aa307a832d99f567b8056a4c5e4ee5a403d984c98f024deee7507a3f29c", + "zh:344eca00ffb2643c2fa7f52f069b659d50bb4c9369df4cad96ea0fadb54282c8", + "zh:5fb57c0acfd4d30a39941900040d5518a909d8c975af0c4366a7bfd0d0bb09a8", + "zh:617a77048a5b9aa568e8bc706cc84307a237b2dd0e49709028b283f8bbe42475", + "zh:677837a05fefe0342cf4d4bdc494e8fd4d62331cac947820e73df37e8f512688", + "zh:7b79f6e02474eef4a1480fc6589afb63ed16b25bf019b6056f9838e2845e2ef8", + "zh:7d891fceb5b15e81240d829f42e1a36e4c812bfc1abe7856756e59101932205f", + "zh:97f1e0ac799faf382426e070e888fac36b0867597b460dc95b0e7f657de21ba9", + "zh:9855f2f2f5919ff6a6a2c982439c910d28c8978ad18cd8f549a5d1ba9b4dc4c3", + "zh:ac551367180eb396af2a50244e80243d333d600a76002e29935262d76a02290b", + "zh:c354f34e6579933d21a98ce7f31f4ef8aeaceb04cfaedaff6d3f3c0be56b2c79", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - 
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } diff --git a/terraform/infrastructure/gcp/main.tf b/terraform/infrastructure/gcp/main.tf index 215c86a8c..b20b74d15 100644 --- a/terraform/infrastructure/gcp/main.tf 
+++ b/terraform/infrastructure/gcp/main.tf @@ -2,12 +2,12 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "6.36.0" + version = "6.12.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } @@ -40,7 +40,6 @@ locals { { name = "recovery", port = "9999", health_check = "TCP" }, { name = "join", port = "30090", health_check = "TCP" }, var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [], - var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [], ]) node_groups_by_role = { for name, node_group in var.node_groups : node_group.role => name... 
@@ -161,29 +160,28 @@ resource "google_compute_firewall" "firewall_internal_pods" { } module "instance_group" { - source = "./modules/instance_group" - for_each = var.node_groups - base_name = local.name - node_group_name = each.key - role = each.value.role - zone = each.value.zone - uid = local.uid - instance_type = each.value.instance_type - initial_count = each.value.initial_count - image_id = var.image_id - disk_size = each.value.disk_size - disk_type = each.value.disk_type - network = google_compute_network.vpc_network.id - subnetwork = google_compute_subnetwork.vpc_subnetwork.id - alias_ip_range_name = google_compute_subnetwork.vpc_subnetwork.secondary_ip_range[0].range_name - kube_env = local.kube_env - debug = var.debug - named_ports = each.value.role == "control-plane" ? local.control_plane_named_ports : [] - labels = local.labels - init_secret_hash = local.init_secret_hash - custom_endpoint = var.custom_endpoint - cc_technology = var.cc_technology - iam_service_account_vm = var.iam_service_account_vm + source = "./modules/instance_group" + for_each = var.node_groups + base_name = local.name + node_group_name = each.key + role = each.value.role + zone = each.value.zone + uid = local.uid + instance_type = each.value.instance_type + initial_count = each.value.initial_count + image_id = var.image_id + disk_size = each.value.disk_size + disk_type = each.value.disk_type + network = google_compute_network.vpc_network.id + subnetwork = google_compute_subnetwork.vpc_subnetwork.id + alias_ip_range_name = google_compute_subnetwork.vpc_subnetwork.secondary_ip_range[0].range_name + kube_env = local.kube_env + debug = var.debug + named_ports = each.value.role == "control-plane" ? local.control_plane_named_ports : [] + labels = local.labels + init_secret_hash = local.init_secret_hash + custom_endpoint = var.custom_endpoint + cc_technology = var.cc_technology } resource "google_compute_address" "loadbalancer_ip_internal" { 
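Review bot: Dropping the `iam_service_account_vm` argument from the `instance_group` module call means the module's instance template no longer pins which service account the VMs run as (the matching `service_account` change is in the instance_group/main.tf hunk of this diff); with no `email` given, the google provider attaches the project's default Compute Engine service account, which commonly holds the project-wide Editor role, a much broader identity than the dedicated account the old code passed in. If that regression is intended, make it visible on the module block rather than implicit, e.g. `# No dedicated VM service account is passed; VMs attach the project's default compute SA.` The remaining lines of the block are only re-aligned (presumably by terraform fmt); the last argument is the only functional change.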
diff --git a/terraform/infrastructure/gcp/modules/instance_group/main.tf b/terraform/infrastructure/gcp/modules/instance_group/main.tf index b24f5d61f..33eb47aea 100644 --- a/terraform/infrastructure/gcp/modules/instance_group/main.tf +++ b/terraform/infrastructure/gcp/modules/instance_group/main.tf @@ -2,12 +2,12 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "6.36.0" + version = "6.12.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } @@ -77,11 +77,17 @@ resource "google_compute_instance_template" "template" { on_host_maintenance = "TERMINATE" } - # Define all IAM access via the service account and not via scopes: - # See: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_template#nested_service_account service_account { - email = var.iam_service_account_vm - scopes = ["cloud-platform"] + scopes = [ + "https://www.googleapis.com/auth/compute", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/service.management.readonly", + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/trace.append", + "https://www.googleapis.com/auth/cloud-platform", + ] } shielded_instance_config { diff --git a/terraform/infrastructure/gcp/modules/instance_group/variables.tf b/terraform/infrastructure/gcp/modules/instance_group/variables.tf index e4d2cbe5c..5370ec7d1 100644 --- a/terraform/infrastructure/gcp/modules/instance_group/variables.tf +++ b/terraform/infrastructure/gcp/modules/instance_group/variables.tf @@ -108,9 +108,3 @@ variable "cc_technology" { error_message = "The confidential computing technology has to be 'SEV' or 'SEV_SNP'." } } - -variable "iam_service_account_vm" { - type = string - default = "" - description = "IAM service account used for the VMs" -} 
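Review bot: In the `service_account` block the new `scopes` list ends with `https://www.googleapis.com/auth/cloud-platform`, which already covers every other scope listed, so the seven preceding entries grant nothing extra and only make the block read narrower than it is; either keep the single `scopes = ["cloud-platform"]` or drop `cloud-platform` if the narrower set is what is meant. Because `email` is removed as well, the template now attaches the project's default Compute Engine service account, and scopes only cap what that account's IAM roles already permit, so the effective VM permissions are decided outside this module. The deleted comment pointing at the provider docs (IAM via the service account, not via scopes) was still accurate and is worth restoring in adapted form, e.g. `# No explicit email: the default compute service account is attached; its IAM roles, not these scopes, bound what the VM can do.`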
diff --git a/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf b/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf index 7c73433ce..49cd0eb90 100644 --- a/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf +++ b/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "6.36.0" + version = "6.12.0" } } } diff --git a/terraform/infrastructure/gcp/modules/jump_host/main.tf b/terraform/infrastructure/gcp/modules/jump_host/main.tf index 3b5682526..864115228 100644 --- a/terraform/infrastructure/gcp/modules/jump_host/main.tf +++ b/terraform/infrastructure/gcp/modules/jump_host/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "6.36.0" + version = "6.12.0" } } } diff --git a/terraform/infrastructure/gcp/modules/loadbalancer/main.tf b/terraform/infrastructure/gcp/modules/loadbalancer/main.tf index 0ee6bc477..e815d9dea 100644 --- a/terraform/infrastructure/gcp/modules/loadbalancer/main.tf +++ b/terraform/infrastructure/gcp/modules/loadbalancer/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "6.36.0" + version = "6.12.0" } } } diff --git a/terraform/infrastructure/gcp/outputs.tf b/terraform/infrastructure/gcp/outputs.tf index 8525bdb13..cbdf9164a 100644 --- a/terraform/infrastructure/gcp/outputs.tf +++ b/terraform/infrastructure/gcp/outputs.tf @@ -45,11 +45,6 @@ output "ip_cidr_node" { description = "CIDR block of the node network." } -output "loadbalancer_address" { - value = var.internal_load_balancer ? google_compute_address.loadbalancer_ip_internal[0].address : google_compute_global_address.loadbalancer_ip[0].address - description = "Public loadbalancer address." -} - # GCP-specific outputs output "project" { 
diff --git a/terraform/infrastructure/gcp/variables.tf b/terraform/infrastructure/gcp/variables.tf index c29c24391..601394a55 100644 --- a/terraform/infrastructure/gcp/variables.tf +++ b/terraform/infrastructure/gcp/variables.tf @@ -75,14 +75,3 @@ variable "additional_labels" { default = {} description = "Additional labels that should be given to created recources." } - -variable "iam_service_account_vm" { - type = string - default = "" - description = "IAM service account used for the VMs" -} -variable "emergency_ssh" { - type = bool - default = false - description = "Wether to expose the SSH port through the public load balancer." -} diff --git a/terraform/infrastructure/iam/aws/.terraform.lock.hcl b/terraform/infrastructure/iam/aws/.terraform.lock.hcl index 4914aaf10..ec2b3204e 100644 --- a/terraform/infrastructure/iam/aws/.terraform.lock.hcl +++ b/terraform/infrastructure/iam/aws/.terraform.lock.hcl 
@@ -2,52 +2,61 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.98.0" - constraints = "5.98.0" + version = "5.78.0" + constraints = "5.78.0" hashes = [ - "h1:/RMObGCrfJlVoQCf9h88hFkSyLafDXnw6r0yi4gpO80=", - "h1:KgOCdSG6euSc2lquuFlISJU/CzQTRhAO7WoaASxLZRc=", - "h1:neMFK/kP1KT6cTGID+Tkkt8L7PsN9XqwrPDGXVw3WVY=", - "h1:tSqQC0adIJ0VWRrbChyEGjGuWKwibrz+/YJ2Q1ZOs2Y=", - "h1:tfWnOmzoWOvwOGlUx0HrxCfUZq3YHhlkeEbMccAYiec=", - "zh:23377bd90204b6203b904f48f53edcae3294eb072d8fc18a4531c0cde531a3a1", - "zh:2e55a6ea14cc43b08cf82d43063e96c5c2f58ee953c2628523d0ee918fe3b609", - "zh:4885a817c16fdaaeddc5031edc9594c1f300db0e5b23be7cd76a473e7dcc7b4f", - "zh:6ca7177ad4e5c9d93dee4be1ac0792b37107df04657fddfe0c976f36abdd18b5", - "zh:78bf8eb0a67bae5dede09666676c7a38c9fb8d1b80a90ba06cf36ae268257d6f", - "zh:874b5a99457a3f88e2915df8773120846b63d820868a8f43082193f3dc84adcb", - "zh:95e1e4cf587cde4537ac9dfee9e94270652c812ab31fce3a431778c053abf354", + "h1:/EKXECKi3XzLR0SwaEyQucvsQx2TdyIF2DYabr9DVqM=", + "h1:15pt02WPsTWUsLi37o791kSplIqEf2Ihl+zFdBOpKnY=", + "h1:3TLJUm+6523EtS8W8G4f22e0bp2MpZ72f9qptc31WD8=", + "h1:EGEcXHT4WdxUTRSPzjevCNXStQ+u2eeQB4EmOSp2nPc=", + "h1:GwVGbd+IHAq+qwGs2QKuxazKzrJhSWVicYyGBPftuG0=", + "h1:OUmta/bL/0S6g4K/Mn1LBkEnMWNCq4dLsfYrdrllcEo=", + "h1:cxjNJTMeoxw0csix1iWp4m2esNUOuFfVbIAacUGjYSQ=", + "h1:kB3dnSsazjI63RZdz2gldCkDFw8KI0IJd6RbhqxrE6I=", + "h1:o7jz+dFixEcwjfdubken5ldmDJm1tkvM2adPtNDei3g=", + "h1:vIzenE93tNUfA/hFcwB6wouenp59n9g2J6FNPfJAOpg=", + "h1:zA5P+U4hv2P52fwfLNjAIA2jS9xOn4xCmrXrOMKH8gs=", + "h1:zKNuYrqjerfmrU0bgKQtubN/NiMLRXP4HTThTm1WfJE=", + "h1:zYvhhpw56OF8ClJezKBdKV0+6elVM3FYEAjaNWAinjk=", + "h1:zel31ZX4jCQoeQXydOfcm4ncD9aj+437F9Cr1eoCumM=", + "zh:0ae7d41b96441d0cf7ce2e1337657bdb2e1e5c9f1c2227b0642e1dcec2f9dfba", + "zh:21f8f1edf477681ea3b095c02cad6b8e85262e45015de58e84e0c7b2bfe9a1f6", + "zh:2bdc335e341bf98445255549ae93d66cfb9bca706e62b949da98fe467c182cad", + 
"zh:2fe4096e260367a225a9faf4a424d62b87e5498f12cb43bdb6f4e713d11b82c3", + "zh:3c63bb7a7925d65118d17461f4691a22dbb55ea39a7404e4d71f6ccca8765f8b", + "zh:6609a28a1c638a1901d8007b5386868ccfd313b4df2e98b35d9fdef436974e3b", + "zh:7ae3aef43bc4b365824cca4659cf92459d766800656e354bdbf83feabab835e8", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a75145b58b241d64570803e6565c72467cd664633df32678755b51871f553e50", - "zh:aa31b13d0b0e8432940d6892a48b6268721fa54a02ed62ee42745186ee32f58d", - "zh:ae4565770f76672ce8e96528cbb66afdade1f91383123c079c7fdeafcb3d2877", - "zh:b99f042c45bf6aa69dd73f3f6d9cbe0b495b30442c526e0b3810089c059ba724", - "zh:bbb38e86d926ef101cefafe8fe090c57f2b1356eac9fc5ec81af310c50375897", - "zh:d03c89988ba4a0bd3cfc8659f951183ae7027aa8018a7ca1e53a300944af59cb", - "zh:d179ef28843fe663fc63169291a211898199009f0d3f63f0a6f65349e77727ec", + "zh:c314efe454adc6ca483261c6906e64315aeb9db0c0332818714e9b81e07df0f0", + "zh:cd3e30396b554bbc1d260252db8a0f344065d619038fe60ea870689cd32c6aa9", + "zh:d1ba48fd9d8a1cb1daa927fb9e8bb708b857f2792d796e110460c6fdcd896a47", + "zh:d31c8abe75cb9cdc1c59ad9d356a1c3ae1ba8cd29ac15eb7e01b6cd01221ab04", + "zh:dc27c5c2116b4d9b404753f73bccaa635bce21f3bfb4bb7bc8e63225c36c98fe", + "zh:de491f0d05408378413187475c815d8cb2ac6bfa63d0b42a30ad5ee492e51c07", + "zh:eb44b45a40f80a309dd5b0eb7d7fcb2cbfe588fe2f18b173ef5851346898a662", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - 
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } diff --git a/terraform/infrastructure/iam/aws/alb_policy.json b/terraform/infrastructure/iam/aws/alb_policy.json index fe1976170..e8a05f8e6 100644 --- a/terraform/infrastructure/iam/aws/alb_policy.json 
+++ b/terraform/infrastructure/iam/aws/alb_policy.json @@ -29,8 +29,6 @@ "ec2:DescribeTags", "ec2:GetCoipPoolUsage", "ec2:DescribeCoipPools", - "ec2:GetSecurityGroupsForVpc", - "ec2:DescribeIpamPools", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeListeners", @@ -41,9 +39,7 @@ "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeTrustStores", - "elasticloadbalancing:DescribeListenerAttributes", - "elasticloadbalancing:DescribeCapacityReservation" + "elasticloadbalancing:DescribeTrustStores" ], "Resource": "*" }, @@ -192,10 +188,7 @@ "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:ModifyListenerAttributes", - "elasticloadbalancing:ModifyCapacityReservation", - "elasticloadbalancing:ModifyIpPools" + "elasticloadbalancing:DeleteTargetGroup" ], "Resource": "*", "Condition": { @@ -241,8 +234,7 @@ "elasticloadbalancing:ModifyListener", "elasticloadbalancing:AddListenerCertificates", "elasticloadbalancing:RemoveListenerCertificates", - "elasticloadbalancing:ModifyRule", - "elasticloadbalancing:SetRulePriorities" + "elasticloadbalancing:ModifyRule" ], "Resource": "*" } diff --git a/terraform/infrastructure/iam/aws/main.tf b/terraform/infrastructure/iam/aws/main.tf index c1298689e..bec0b5412 100644 --- a/terraform/infrastructure/iam/aws/main.tf +++ b/terraform/infrastructure/iam/aws/main.tf @@ -2,11 +2,11 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "5.98.0" + version = "5.78.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } 
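Review bot: The actions removed here (`ec2:GetSecurityGroupsForVpc`, `ec2:DescribeIpamPools`, `elasticloadbalancing:DescribeListenerAttributes`/`ModifyListenerAttributes`, `DescribeCapacityReservation`/`ModifyCapacityReservation`, `ModifyIpPools`, `SetRulePriorities`) are ones newer releases of the AWS Load Balancer Controller call, so unless the controller version pinned elsewhere in the repository is rolled back in the same change, the controller will fail at runtime with AccessDenied on listener-attribute, rule-priority and IPAM operations rather than at apply time. The first, second, third and fourth hunks of this file all carry that dependency. Since this looks like an intentional revert to an older policy, record which controller version the policy matches; JSON cannot hold a comment, so the nearest place is the Terraform resource that reads `alb_policy.json`, e.g. `# Policy matches the AWS Load Balancer Controller version deployed with this release; keep the two in lockstep.`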
diff --git a/terraform/infrastructure/iam/azure/.terraform.lock.hcl b/terraform/infrastructure/iam/azure/.terraform.lock.hcl index 931a0a0fb..e1f335cd4 100644 --- a/terraform/infrastructure/iam/azure/.terraform.lock.hcl +++ b/terraform/infrastructure/iam/azure/.terraform.lock.hcl 
@@ -2,61 +2,61 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azuread" { - version = "3.4.0" - constraints = "3.4.0" + version = "3.0.2" + constraints = "3.0.2" hashes = [ - "h1:/+HxxFGciTGycNTDUPkcbALGsV+qcCPit8UyYX1Beho=", - "h1:2rAM1pT8sXeViTLMU7Tvd5sDSYuZeavFPVbe5xWgJ3A=", - "h1:CkN8DpmNYWU9mvlrmOpzFdPofGjKgrnL8leImrSL9Uk=", - "h1:D4wPDjiMNuWQcB1cYQIbS9M68QwQ2BQ8TdcamU3ig3k=", - "h1:ELINo/Jm4IDo5uZp1deObsOmcx3Lco1IEEowVVDzgtw=", - "h1:KeA9a60dssTVEFWkAuJ2lxztHyYB9bKmUfYanW2POSo=", - "h1:Rxzm2bElqWCmoNZvs/kjr4vPocw4v9Bw4HQHOtYWjzg=", - "h1:k4Gpl4uNxQgm8hDS3jjnzHEmp72Vrw6+bxNn4m4rxu0=", - "h1:mpZ2ZiLutwDNqOLoZwNKZgHSGn5vMvtA+00GKbaWb5U=", - "h1:qQNUA7kQIX30KkARDCpiZy1MFL/j9LiuSCzbOTHSsjo=", - "h1:rfO7hSYJLdpff/s2iuooHtxNacwKq5n03IwvVQ+xbSI=", - "zh:035a6d6e6aa7f117969702873c27344ec4ddd88f676cebc1088316fb26d5c95a", - "zh:11f86935174d8223699cae00b3a705ded1d75a4efb6d4723d3788f5446e1eaa5", - "zh:16d52b5bf8eefa98cd2793122be0c5a7b41767caedbd8a08786aeefb3d0c6856", + "h1:4HpBtur7h9Naz0BUhoJLVMQmmNABvpVDE/v/WC4LuHU=", + "h1:4ONsd+zmaW77NHdwY6tZ9f5Vk4uk5j4c6phuIAYd9c8=", + "h1:Ac2hOMzVtFxZL6U0znQB++O+AHsi47F4nZt0dGMAEJ4=", + "h1:HNrx7UJEDY5Kbx/r1LRQDWnziqvB6x3IU+pEA8Vq7dw=", + "h1:P807RV/+/XY1fylsKngmj2B5l2XOVTzqpd4ylZAwA+M=", + "h1:SDn/pi6q3CZyt9T8Bgobb91WziY2iE1teqr9Y8TlfJw=", + "h1:Sbb9HgPsFPsY3Jv8Kn+eoyYXoWHLWcODr7Okh/V001k=", + "h1:XUrQ/352oXVMh1ya8E7uMAmaC69zNICCIKqZ3kA4nXw=", + "h1:k0kPplqH7FWmnYeCXXrFIeCshgF1tC4LLhfk66bos3w=", + "h1:sYCyzbPpSYu2XDah8XqBUITQAfB0x4j4Twh6lw2C4CA=", + "h1:yQqvUtgtrYKGpIygdM8P6N+pvMWJJWIsVdPow29VE20=", + "zh:16e724b80a9004c7978c30f69a73c98ff63eb8a03937dd44c2a8f0ea0438b7a3", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:2fe201c7a1c17279f7674c160861296015d9b9d120de598999d169398ce285c9", - "zh:37bb91dff5b751f0c86a02a12980bdb5935d2ca6cdd249d9eef7eca619f628c0", - "zh:7533a35300e411893a024f858e722e50107dfd7212236d396ebf2ca2b13b7bcc", - 
"zh:88a95b2cb606439ae2f60ebe63a800580e232e94bc1b02ac7d25d25be10cb511", - "zh:c7b138b6bc34d8a1eff91742b38bce1718d9c50c343393fdfc918bef022ed74f", - "zh:cab09fda45b8a9a9896aedb22f5829745b7e9a01abb8077696bccb170fb01b5f", - "zh:cc4a29f074f1cc25f3abd3a41444f68307f3eb08c4d5f79f60a012b632c1ea05", - "zh:e30e9fe8e04271431cb730a1a888b6da5afeae385e2e53ff7b4114066c1250db", + "zh:2bbbf13713ca4767267b889471c9fc14a56a8fdf5d1013da3ca78667e3caec64", + "zh:409ccb05431d643a079da082d89db2d95d6afed4769997ac537c8b7de3bff867", + "zh:53e4bca0f5d015380f7f524f36344afe6211ccaf614bfc69af73ca64a9f47d6c", + "zh:5780be2c1981d090604d7fa4cef675462f17f40e7f3dc501a031488e87a35b8f", + "zh:850e61a1b3e64c752c418526ccf48653514c861b36f5feb631619f906f7e99a0", + "zh:8c3565bfcea006a734149cc080452a9daf7d2a9d5362eb7e0a088b6c0d7f0f03", + "zh:908b9e6ad49d5d21173ecefc7924902047611be93bbf8e7d021aa9563358396f", + "zh:a2a79765c029bc58966eff61cb6e9b0ee14d2ac52b0a22fc7dfa35c9a49af669", + "zh:c7f56cbe8743e9ba81fce871bc97d9c07abe86770d9ee7ffefbf3882a61ba89a", + "zh:d4dba80e33421b30d81c62611fb7fc62ad39afecc6484436e635913cd8553e67", ] } provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.29.0" - constraints = "4.29.0" + version = "4.12.0" + constraints = "4.12.0" hashes = [ - "h1:Bde/KCh2xGVCBx/JnixC3I2fmoRTwHXgsapfQ5QG8eg=", - "h1:IyINmgNiLfWx3Istkt5Mz+IJrDhSMhj3/qQeJlC4qS4=", - "h1:KEJAt0mJAACyIKUB5mCk/wqtxKMhivdeW8w6byz5Ll4=", - "h1:Y4gTSs+ZE5YSJVXG2qmsbXmv9Daq5aGM8Ip/GE6nev8=", - "h1:YtcHvTVfVBKbMCp9esoj527R1UK/hU0Zmo3pyQb8YhQ=", - "h1:atJdgnuqk+w3v4Zzhw2B1FZeYYA4su9JfanwNsx+c8o=", - "h1:c9tmtEdVTb9siGa3hVxPrMVl9ij5zijnD02JMHcHjrE=", - "h1:eN0KhMGVepEPpSA+YN5Kaz/v9PFKCafbkqqBzpLJf+g=", - "h1:hNVKlXTx2duXnR6SNKtyQMx7zSIlrxBu66Z0gbyfv3c=", - "h1:jC2GJo4VzTKnKociUDLVv8/+u9Mz+4scZrqbEasV+Y0=", - "h1:m3xYvc9X0pec0Zd1dpn82ALQ+6vwz56RnF/3CbkI2Eg=", - "zh:16590eea68c7c8aedb7af19f690eb34ab6636ef417b3fa9e06ca038fdb4c44b8", - "zh:1c907dfe44d00a54aa63d443004add90188f9a53ef3e919aff8aba92f715f42b", - 
"zh:258a0ff4198d80cae33c89091cd556d84c1b522c4416458484f23719a0cdf4cc", - "zh:587f5e9b2b33e51b18fb0f372025c961c3f57f2958b388459dd8432412650bda", - "zh:6318ca03bd9dbac272a75bb193688c7d4c4b45c7460289820528f31bcd6c3fe9", - "zh:63e4e8128e26e4c3e0c3b6582ef527245eb35eb5c80ad278dc675ebdf71edeaf", - "zh:845c898a27a84a15ba26e95ee66ac9563f81bc672b5ca216af82d87fe09bd5f8", - "zh:8fa6434fa212d5501185f0adc985d3a3c1e0f449c78f040a4ca640cb1e809cac", - "zh:9b49c0d72ab19aab43b2b48d23c5dddbbe29afae1569a987e6f20ed4c80ddf4c", - "zh:b14cc1ee5e3acf52490de7dd9791cce7953c0ee4bcccf0306aafd256568bd69f", - "zh:cd444836b2579fa42bfca2ae6145d394c41b6438b1ae01078c060bfaf803bb4d", + "h1:2tHjSJI1VW6sUL042kwkTfmOF3rAjZmYzpFucBq0EjQ=", + "h1:3TmHdOUKadLf5mJfYqm2OpsA/jiuqmEvCmR1EnaluF0=", + "h1:81V4UGJgVTzRQgIhYYvDJ1N+WCsQbmBgyCQ0HL/i/ks=", + "h1:9ZTFblaxLkCzg8jvRBk/J7QKV2hjxrwNhVlk96IUr6U=", + "h1:DjLdwL6J0qqUTx02BOMQxfOLHUqlYH+ewRcwFWTiHjY=", + "h1:EDeJjlZGOezaIQ+kiCN8GXRj049Lo42b93rEGlbOscM=", + "h1:U/tpa2Accjlzco7ohA1CEeL3fT/65yqiTf2ydCHhzjE=", + "h1:VJfcRLECBhANa1S5yHF3hJtOAzJuqe969XTK8LPbp6U=", + "h1:W6fcPNvsD7ce81J0H3Ib5FBlt5VLq5MlLXQIw+zooPc=", + "h1:tI7FQgfIFIER3wMbZN5mIX24B0mWVNb4r7hi7mUmAw8=", + "h1:wofqhlcgsUPYq6ZrN5hoUE34PDn7jmvK6YlQ0BobjyQ=", + "zh:127709945923a0034ec302c41494b82f0748707ecba15feba9db3af03e2b4709", + "zh:16ce5040984456f332598e1515cfde12b1bba78eae37b7a4b08ec332bbb55d6c", + "zh:1901cf598a048a1f135ed1c723de5e3c501aa7d1399490b7722c44cb61cb566e", + "zh:1b4a1fa65f32de535481ff38bd5869f44582b14b64bd00cc4902439cf2728a8a", + "zh:72ff727353151bd1a41ea1d6b2ecf24157918658ccd02d56acd62a7c4d330a7b", + "zh:78c0e4d7e1701fc5b3227d098807b1ed1c6d80c1ee443c0db89c64aeb317a39f", + "zh:a9964f7d9142cdd6f84673e1e936491f14bf1a44dd51fd55525c42fb05208c83", + "zh:ada1ffdebe10a44fcfa330618376fbd5d5daf7a9faad833496162686a98016d0", + "zh:d02d4d5a1fc4b0cb7975311bf37596456ace782ab195281a48338eb2a0f478c1", + "zh:e0fb626158b0cb7d8c5662a518cee8924b00a87312feff9db40b30e26539aa0f", 
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa5f683582bc5b12587aa7a78152774f2eaae9cfac0fb61b6de81284abbbea5b", ] } diff --git a/terraform/infrastructure/iam/azure/main.tf b/terraform/infrastructure/iam/azure/main.tf index fe1672165..56b77fb63 100644 --- a/terraform/infrastructure/iam/azure/main.tf +++ b/terraform/infrastructure/iam/azure/main.tf @@ -2,11 +2,11 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "4.29.0" + version = "4.12.0" } azuread = { source = "hashicorp/azuread" - version = "3.4.0" + version = "3.0.2" } } } diff --git a/terraform/infrastructure/iam/gcp/.terraform.lock.hcl b/terraform/infrastructure/iam/gcp/.terraform.lock.hcl index 2fbbe32c2..2f295aaac 100644 --- a/terraform/infrastructure/iam/gcp/.terraform.lock.hcl +++ b/terraform/infrastructure/iam/gcp/.terraform.lock.hcl 
@@ -2,31 +2,31 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/google" { - version = "6.36.0" - constraints = "6.36.0" + version = "6.12.0" + constraints = "6.12.0" hashes = [ - "h1:7UUG6owE+FafOHh0JK8BTM0yOlO7/XbHiEDh087fd0E=", - "h1:80HOG2KFPy07zgflMevKhsKrU8tEFvVncVMZOiffqV0=", - "h1:8aaMc8jT1GL3I15Aiz9Lr6k8+u79Fo3D6KA4Np+JUI8=", - "h1:aQ8E+XveXDO6zbqO1upcKqkrWr+5dwxowmQgMZ/zgrM=", - "h1:e/3n+WKR/ikY8m/MIAHOvH1HFY1fng76SEpnvGStxMU=", - "h1:fcjI1cXeKYJDWcgUXL+UPD23HIN4IDJjlc7XVD3i3Bc=", - "h1:iQx5xJnQvBN2aUdQbWZQPmtuT0xjfaNpFJD3qzOvC7U=", - "h1:kRbYOLtROkOjc3XMgptzFWKdgRCjyf2FH0UTlCJXkg8=", - "h1:lxi5P8TBMfiKk88FI4xM2Lnwlk2+Q3r9oa4yrg83x1w=", - "h1:m085EpkXRmg1TqRbPP6RxdVmlwJJujvyfMtznvURS04=", - "h1:vvvbnteZLIMosgsxO6YXDgxGYdU5BuSxPD1w4f4LV6c=", - "zh:0a67432c04d4c74829632cc5669b8c5988f837259333307e07c2915a0529b3fb", - "zh:4559afe21bb59e8fb9e3e7414ea65b6be233e8f217e8683dd0e9c347ecadf910", - "zh:58a34fe3b28271deba9a44db1e704c2844f2e30e252ded5f200a8f9af170d52d", - "zh:6b07f388b4fb2189d9fe3a058831e5c755092f7bd5f7388a1c0d9583f8c43ef0", - "zh:6fae25f93bf4a6fd59ce0f9d05e8551b65b4be7084f5e6e5f528ab011dbbef6a", - "zh:73be19906c569f1d46b8f88d3e846bd8dabd6ed65d8ba9a91f67da5365b534dc", - "zh:7b047330342f600e92c02e248f72eefae1a2e01c16ef45cc533942eb73c49c06", - "zh:9fecf5cdf1a16b9b9c1e83dc6129a40bfbc9e640252d2afddd34dc61de213330", - "zh:c557ea7357880615af290452ff06bc23bd3821132783240bd7cd75aadf16a04a", - "zh:dc11ad9a0b595b70490326563ea5f77de9c69aba0ee959971392e46b10a3c246", - "zh:ed8dc5d5ce3d8e3c1648c3fc6f48a19da9ed38d0157c33019c74b7790480c29f", + "h1:D6eBvo6Qs3OXXMwB2vFBhKuiL/TMNu5bBtjznSPbBH0=", + "h1:JuVRL27b9/g/FdblPwGZEacECBZRIuHZ+nzRgpIDduo=", + "h1:MgQU4YOpoJQngarNuPfvNKF4r7YyqYii7DBOiiaKBEw=", + "h1:OQp1STR+bhXfBQKs02krIJuELZ2c4GmGhlBd4bSq128=", + "h1:OvpG2uAeuIc19TFOQrr+s7Ded6sVBripLWLIzeWn90U=", + "h1:PmkvZRF8v7SszpUP4l9gXfhlVwq3z+HrTE39qusLrBw=", + "h1:WZulOZ1tthsLm/w7t7yy3C7JZ8QIXfO+QMEEW1pjrAY=", + 
"h1:Yez7eMayTGGmX/LCIDD3Xgnktpv/701g2zotNmg6u2o=", + "h1:nQTLHstv9bSviqpeBRzCfUG1lD8j+3f6Daxuv32At8k=", + "h1:rvZHMkoxkHrBYQXb/waoZiD2oo3FS1AF8HoWHlb6SN8=", + "h1:zpwamvGGsck1qNunJeyfolgiBDOJpXVINPzLLSECpjY=", + "zh:14701aa307a832d99f567b8056a4c5e4ee5a403d984c98f024deee7507a3f29c", + "zh:344eca00ffb2643c2fa7f52f069b659d50bb4c9369df4cad96ea0fadb54282c8", + "zh:5fb57c0acfd4d30a39941900040d5518a909d8c975af0c4366a7bfd0d0bb09a8", + "zh:617a77048a5b9aa568e8bc706cc84307a237b2dd0e49709028b283f8bbe42475", + "zh:677837a05fefe0342cf4d4bdc494e8fd4d62331cac947820e73df37e8f512688", + "zh:7b79f6e02474eef4a1480fc6589afb63ed16b25bf019b6056f9838e2845e2ef8", + "zh:7d891fceb5b15e81240d829f42e1a36e4c812bfc1abe7856756e59101932205f", + "zh:97f1e0ac799faf382426e070e888fac36b0867597b460dc95b0e7f657de21ba9", + "zh:9855f2f2f5919ff6a6a2c982439c910d28c8978ad18cd8f549a5d1ba9b4dc4c3", + "zh:ac551367180eb396af2a50244e80243d333d600a76002e29935262d76a02290b", + "zh:c354f34e6579933d21a98ce7f31f4ef8aeaceb04cfaedaff6d3f3c0be56b2c79", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } diff --git a/terraform/infrastructure/iam/gcp/main.tf b/terraform/infrastructure/iam/gcp/main.tf index 3c45be09e..b105aee22 100644 --- a/terraform/infrastructure/iam/gcp/main.tf +++ b/terraform/infrastructure/iam/gcp/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "6.36.0" + version = "6.12.0" } } } 
@@ -13,19 +13,8 @@ provider "google" { zone = var.zone } -locals { - sa_name = var.name_prefix == "" ? var.service_account_id : "${var.name_prefix}-sa" - sa_vm_name = var.name_prefix == "" ? "${var.service_account_id}-vm" : "${var.name_prefix}-sa-vm" -} - -resource "google_service_account" "vm" { - account_id = local.sa_vm_name - display_name = "Constellation service account for VMs" - description = "Service account used by the VMs" -} - resource "google_service_account" "service_account" { - account_id = local.sa_name + account_id = var.service_account_id display_name = "Constellation service account" description = "Service account used inside Constellation" } @@ -76,31 +65,6 @@ resource "google_project_iam_member" "iam_service_account_user_role" { depends_on = [null_resource.delay] } -resource "google_project_iam_custom_role" "vm" { - # role_id must not contain dashes - role_id = replace("${local.sa_vm_name}-role", "-", "_") - title = "Constellation IAM role for VMs" - description = "Constellation IAM role for VMs" - permissions = [ - "compute.instances.get", - "compute.instances.list", - "compute.subnetworks.get", - "compute.globalForwardingRules.list", - "compute.zones.list", - "compute.forwardingRules.list", - ] -} - -resource "google_project_iam_binding" "custom_role_vm_to_service_account_vm" { - project = var.project_id - role = "projects/${var.project_id}/roles/${google_project_iam_custom_role.vm.role_id}" - - members = [ - "serviceAccount:${google_service_account.vm.email}", - ] - depends_on = [null_resource.delay] -} - resource "google_service_account_key" "service_account_key" { service_account_id = google_service_account.service_account.name depends_on = [null_resource.delay] diff --git a/terraform/infrastructure/iam/gcp/outputs.tf b/terraform/infrastructure/iam/gcp/outputs.tf index 45d586de6..437261bb8 100644 --- a/terraform/infrastructure/iam/gcp/outputs.tf +++ b/terraform/infrastructure/iam/gcp/outputs.tf 
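Review bot: Removing `google_project_iam_custom_role.vm` and `google_project_iam_binding.custom_role_vm_to_service_account_vm` deletes the only narrowly scoped grant the VM identity had (six read-only `compute.*` permissions), and with `google_service_account.vm` gone in the first hunk the workload VMs no longer get a dedicated identity at all; what they can then do is decided by whichever account the compute module attaches by default, which this file does not show. The split between a deployment account (`service_account`) and a VM account was the least-privilege boundary here, so if the revert stands the loss should be explicit, e.g. a comment above `resource "google_service_account" "service_account"`: `# Single service account; no dedicated VM account or VM role is created any more.` Note that `account_id = var.service_account_id` now relies on the variable being required (its null default is removed in the variables.tf hunk), so an empty value surfaces as a plan-time error rather than the old prefix fallback.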
@@ -3,9 +3,3 @@ output "service_account_key" { description = "Private key of the service account." sensitive = true } - -output "service_account_mail_vm" { - value = google_service_account.vm.email - description = "Mail address of the service account to be attached to the VMs" - sensitive = false -} diff --git a/terraform/infrastructure/iam/gcp/variables.tf b/terraform/infrastructure/iam/gcp/variables.tf index 37dc35144..19c25d787 100644 --- a/terraform/infrastructure/iam/gcp/variables.tf +++ b/terraform/infrastructure/iam/gcp/variables.tf @@ -5,13 +5,7 @@ variable "project_id" { variable "service_account_id" { type = string - default = null - description = "[DEPRECATED use var.name_prefix] ID for the service account being created. Must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$." -} - -variable "name_prefix" { - type = string - description = "Prefix to be used for all resources created by this module." + description = "ID for the service account being created. Must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$." } variable "region" { diff --git a/terraform/infrastructure/openstack/.terraform.lock.hcl b/terraform/infrastructure/openstack/.terraform.lock.hcl index 292f31c77..73faa0ec0 100644 --- a/terraform/infrastructure/openstack/.terraform.lock.hcl +++ b/terraform/infrastructure/openstack/.terraform.lock.hcl 
@@ -2,93 +2,87 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } provider "registry.terraform.io/stackitcloud/stackit" { - version = "0.53.0" - constraints = "0.53.0" + version = "0.35.0" + constraints = "0.35.0" hashes = [ - "h1:BVPETE48KhoqyKYClDhUBstmFzRiAcuxe27hQZwDK+Q=", - "h1:FcdIzdfUZY6BPCCng9WImmsfJcRH+iAr8DgRI4Fia04=", - "h1:KhLsCQC08QvAiBFb1LhfpfNSTPUes1JJUOuTPmDbn2c=", - "h1:KpyF8wGtsxPKJjDla/r93FftL7qFCe/MtiN+1ug1+No=", - "h1:P6OSZsAasyZIgC2xllDldPv4Bvg6uXPPNzxkicTwuq0=", - "h1:P7uxrCcb0itwa44WmUpAfb/bpg74lT+yDiAcveM0aa8=", - "h1:QPX1BtGEBa51bKpsGPPqV0Ssuhn64xJcEohBtyEY3Pg=", - "h1:RmmMw2xkNYRFyuI3qqL1JpnIWSXLV51DSSZeil8Ec6w=", - "h1:RwiKzxuiJ+dOvaFQ/A92zLGz5JLN+0fA7riYFrNKZ9Y=", - "h1:To9R3LyIlT+S/6d/tcgQgxaKB3UWoaaNBAhbWs5wYGM=", - "h1:UQpT+MqZyPRX5usq1u77GUDTW5UFVcvh+fkDItGZfzM=", - "h1:bLlVOzfu3fje3M81Whny1yQiOC89r4x4Akw6JNzy2fk=", - "h1:hQasTcIA5yfYrgbelOcceatBDj8//shVvNfUAZyOOAc=", - "h1:xXlBF8c3btnkAIgBiipcpsvbMK6n2+/8OqNAGxBhni8=", + "h1:Cc+HFJYbY2X9KsgMvLhikdjz/bN671/osUkXFT+H1AI=", + "h1:GnJ+gbhhJ+ZdH5L5QS4eMi638nafDqxcRsrZQLJPHnU=", + "h1:V/ayYinMV9pGGLg7OBPeG0XONnSkmDbWDH3deWtTmM0=", + "h1:Ws8n3pe5/cStjDF6VnRdax9ledzUja2nUNPYTEzdEAs=", + "h1:XwLQ50fsxJ5MGUlJEs7dWIdErbrGgEExSqj22BHwykM=", + 
"h1:ZIays0MW9HD++OUktDQlrBhADXsseUhXI9LNXiV7R0I=", + "h1:a544QqVZaDj2QjSddFynSKjdlbw+cXw+wImF4XbKPW4=", + "h1:kQ7j2jRkEai4Id5BRXnky2ZcytrLP8JMrkVL0vsZJnE=", + "h1:s1s8GBkKD0buf48bKMcj0bQG3cR5Xfyt1MMRik46sTs=", + "h1:srQRAu7VfVWcKaeypDJg4Bvo2AxzZO/cwefxIt+Uduw=", + "h1:tKEqWCG0wcOiYHaWgsqAqF4LOKHU5lahM4t9zpMsBR8=", + "h1:ulAmt5tk9bBD0HjN4c8Cy4Aai7gEbbo6K38Duly7jyE=", + "h1:wPPCGyWv6rjaZ7dcMXNsAK6x+AjVlWClHVC1ctt4lLY=", + "h1:zJozfYwxty/4meQ65hh6fHMqeT2LA7xTvOX3yGB2HPs=", + "zh:0c5ff45f9d8785cf39189908c70ce989423b823f468d5664794aa1352838560f", "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f", - "zh:27df5dd8cd7af79080e071d8c3ef81d792ee7665b569255ec4c931fa5595b7b5", - "zh:452f8ee8dabc0bdf8ec623d186061750a527bb02225c9810f412c46d142bb73a", - "zh:48512ed6362d537687a74f5ddd36ed288e36b8f47ad6ead78c71f5152912c777", - "zh:4e4b2be9cda9f866b47bf4c9b3a9d3c9c8a0c6006d66e9a33f54317694ea48a1", - "zh:5239ec2377e1d186b465b07bd1c71793d7a142a1bfe155abdf84d60d8189b1bc", - "zh:5e506b9e423ff1c65482bd8dcee629cef0789b0879d1b2d61c1e478c4506b2eb", - "zh:705762fa6bfc02ccab39a8b544f9090f63d6e49364c09ac4a2f29878ff53235f", - "zh:882ceb507151aff47ec57808adb2a7104686be46ee34963eecb0fabfd771caf8", - "zh:ab2ba4430a0eb433ee6d0b99c738c6addbcab6bd921b7ed660d55fc979515c29", - "zh:b26b03356b44e6eacaa84aa4170aee4b9afe78f18c48ec209a6a1c0bfe7f4d47", - "zh:b77ddbc99c4a77b1c2410ba7526498be6ee723bb3b42c5dd4e712408119224bf", - "zh:c808c34807aeb34aa0e66ee9c25b523b398925682fa7c0f6b0115dd0e91b2c33", - "zh:d76c00fddbc80140825757f71b22d1c3a64978a4792b52bfde3747ee93f8e7fa", - "zh:fb03cb807d9817693a001bed3334c5636fd61fb745d611b14b013bfdcf066068", + "zh:51c0fee775b63d96a6a95e4022960628d8b5257b744deb8705fc90d8763ebf42", + "zh:7e7a2186713d260911e56b2b5c3adf064cbbca6762b12e7bfe244d7044b3661b", + "zh:859b785d74ab91173738bef0d7f25efc4db21918c3b9a599273b99dcafc6e1cb", + "zh:86b8797678f908c048f4ae0795edde199de2335f5b56a9c6d66cb5c8e88b08e1", + 
"zh:8f12189510b6ec166f2fb8b251c95afb28cf0b5b58733487b4e8bf3da31c68b8", + "zh:a70ab1bd728aacefd7da38f1e8c0634c5b9b8d37ac892adadafc9f5da8965373", + "zh:b5c7dd74c47155d95891b83d8755fc3c6d60c854207a5ba3cb1d4bd82d2ed10f", + "zh:bf5af8348a80b62030b539c963dbe2605954622059468b69487758fa40e276e2", + "zh:d246e353614a76235e834ce4fb26228bd70a6cb14eca60171d12cfb54e9a833c", + "zh:d29e53cedab668531be90745c359a4d4b461a06e867331ba13141adc1b78282d", + "zh:dac9be6f3333389c2d2ea3b206554b397909b413d5bfc10e7054646a96906f0b", + "zh:def772fb3965b36ec684f2d25d9f27ce5cf7905753806d449732cbbf3d3b09e4", + "zh:e2eccc14ce98d05be2d87f1c82e8ea47020598faf14ce9e7c2ee928922530ce1", ] } provider "registry.terraform.io/terraform-provider-openstack/openstack" { - version = "3.0.0" - constraints = "3.0.0" + version = "1.54.1" + constraints = "1.54.1" hashes = [ - "h1:5LLYtkab+Vdg8CE9pI1O8ufh3sTXqWlY3uKxko/y3X8=", - "h1:9/pRGncPl05UJquv3mXwSMU0NVa3ilwPtilcZcNgdys=", - "h1:K/LldMyf/FKaGOWUPAdpkMvKqE7tH+cmxLLhHKHjseQ=", - "h1:i7sj9flNOPDNraNq3QztV+cQ1JeqSQF30xQrY6Vi2Yk=", - "h1:sxq+0vFl4SfV9dlut5liwaH4FejyNIf4ClAjRgowxv8=", - "zh:01718f229597b34ed430236a230a407dacd6289543556d33910e151462e8cb8a", - "zh:2424c5347d35fe0de778d1c40dbe8d9b1278309c4d65cce31709e6fcbec139df", - "zh:2a785f9efd6d8c979031803dd78411a583bc0d9a572ddf5fb9e539cbbfc1ce43", - "zh:8ab18c7eb1fd04b34be75fcecfc461888bd37ff017973f46745abeabd21b3fda", - "zh:98e805318292b58d9692bfe6d3d82e0db0f8044e588a38b239309221198aa92d", - "zh:9a99c9801f96dc69e7c76c5ddc0e2800b77a333becacae530d7a3acd18855347", - "zh:c5aa6690c094be211d2700d7ea44ffe937763e4dd566506c87eb99d6d8330b52", - "zh:d06fc3a148a49aab059a1f08ceadbfe1a5c82c7b80b960169987603dddaaaf58", - "zh:d079da24a9f2cc0d6fec9616e7ebe994245a3d98da629f012069c26d650edb05", - "zh:d1d2b63dba9045a4ff3869c65ddcaf2703d993254b58b2a0230d067f5c036de2", - "zh:d2b9d09c47e7eca08091da825cdf0982dc30089ee401888ce8704b79c7636e95", - "zh:dd6be78f98772bfc1ebf022fc36e5d68ef0f165f9e87476430d4e0dc3f1cc57f", - 
"zh:e7743c11dd0c83a5c1905f04ffd490b4471941218b4c841b760223fcf416affd", - "zh:f234aefac77f4e9a2b05877a00d322ee165009713d79a8d8e19039c6c6f7cf1b", + "h1:Cqk18+r4bJF/sIusEK9lM0gc841RwsJ8AMhWyiU7lig=", + "h1:Cs9sP2V0MssWIQo+gur9soaNAAQleRaWdnvFP61s0Y0=", + "h1:JC0mScAPBs1MlHeEIPMZTQGhTA5aIG3iEuKMSPpR31E=", + "h1:jx2WdbttenKA2gWZDil6ffQT2CcY/TZ46pG0FlbNPuY=", + "h1:xt7LbO3lAXcDUjDxPHrQtgv4mO2GKvSOFMF1uPsK4vE=", + "zh:45ba84df17f94b15af7aab7007241e035dde8a5b46aeb761259d937058a80f71", + "zh:493b1deb7be9b600e5b1f5da2a9dfd3bce5df0c6d38090614dbe4ed05ade8441", + "zh:53551401fba8c1d5b27a08ee307552b84b1d0c1218f3717a4b766ec701b3e016", + "zh:53629bebb48ce5220f7601d776c2ac1485b6c860cb695f150fb716f5be8aa86d", + "zh:5a20f32cca767bef70b79bc8ecbd10fec3dc8696183e2d29631aa510947cb70d", + "zh:653693f630777e4aa3f410976a5169cf0f2a301516a820b3860de116054ae30a", + "zh:70f2d7bd5f5940f4fc3f023a01468890fbd9d704d0256bc65f7c64fb2cbcd4e4", + "zh:9cc22af51e5124dd5c2e0f1adefb1b08dcff3138aba9c92961cef36b1641d7aa", + "zh:9df45e893f215266159733dbc120809bc3d313188e121532dc6e2d10165e9899", + "zh:cb3e240992069cd6160f5b5cbbd50b70948f25bb337a75e780a0648461505d3f", + "zh:cb8343c0cf1bf5ca4d060826a8b68e3e5935b4a65974c76ac9c071c5a510e67e", + "zh:cc2060f93c66276dff6366b48e3a0e619874e3d939e0d2a39fc6ce10ca91232d", + "zh:d495b3051977018696113eded89c2cddfae0570f2adbdf7e9097c189ba41903e", + "zh:dfad1be943769780d5e948c06db957ce45f98b057a774964da0b82130c22f139", ] } diff --git a/terraform/infrastructure/openstack/main.tf b/terraform/infrastructure/openstack/main.tf index 325279818..ed650ccd1 100644 --- a/terraform/infrastructure/openstack/main.tf +++ b/terraform/infrastructure/openstack/main.tf @@ -2,17 +2,17 @@ terraform { required_providers { openstack = { source = "terraform-provider-openstack/openstack" - version = "3.0.0" + version = "1.54.1" } stackit = { source = "stackitcloud/stackit" - version = "0.53.0" + version = "0.35.0" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } 
@@ -22,7 +22,7 @@ provider "openstack" { } provider "stackit" { - default_region = "eu01" + region = "eu01" } @@ -43,7 +43,6 @@ locals { { name = "recovery", port = "9999", health_check = "TCP" }, { name = "join", port = "30090", health_check = "TCP" }, var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [], - var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [], ]) cidr_vpc_subnet_nodes = "192.168.178.0/24" cidr_vpc_subnet_lbs = "192.168.177.0/24" diff --git a/terraform/infrastructure/openstack/modules/instance_group/main.tf b/terraform/infrastructure/openstack/modules/instance_group/main.tf index 5f027fdfa..b2feecb5f 100644 --- a/terraform/infrastructure/openstack/modules/instance_group/main.tf +++ b/terraform/infrastructure/openstack/modules/instance_group/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { openstack = { source = "terraform-provider-openstack/openstack" - version = "3.0.0" + version = "1.54.1" } } } diff --git a/terraform/infrastructure/openstack/modules/loadbalancer/main.tf b/terraform/infrastructure/openstack/modules/loadbalancer/main.tf index f86399612..a10a43d8f 100644 --- a/terraform/infrastructure/openstack/modules/loadbalancer/main.tf +++ b/terraform/infrastructure/openstack/modules/loadbalancer/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { openstack = { source = "terraform-provider-openstack/openstack" - version = "3.0.0" + version = "1.54.1" } } } diff --git a/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf b/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf index 50179a534..cbe4e4d0d 100644 --- a/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf +++ b/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { stackit = { source = "stackitcloud/stackit" - version = "0.53.0" + version = "0.35.0" } } } 
diff --git a/terraform/infrastructure/openstack/outputs.tf b/terraform/infrastructure/openstack/outputs.tf index 810b11977..be45ec065 100644 --- a/terraform/infrastructure/openstack/outputs.tf +++ b/terraform/infrastructure/openstack/outputs.tf @@ -36,11 +36,6 @@ output "ip_cidr_node" { description = "CIDR block of the node network." } -output "loadbalancer_address" { - value = openstack_networking_floatingip_v2.public_ip.address - description = "Public loadbalancer address." -} - # OpenStack-specific outputs output "network_id" { diff --git a/terraform/infrastructure/openstack/variables.tf b/terraform/infrastructure/openstack/variables.tf index 3afa8c97a..12242f08b 100644 --- a/terraform/infrastructure/openstack/variables.tf +++ b/terraform/infrastructure/openstack/variables.tf @@ -71,9 +71,3 @@ variable "stackit_project_id" { type = string description = "STACKIT project ID." } - -variable "emergency_ssh" { - type = bool - default = false - description = "Wether to expose the SSH port through the public load balancer." -} diff --git a/terraform/infrastructure/qemu/.terraform.lock.hcl b/terraform/infrastructure/qemu/.terraform.lock.hcl index 1796c477f..f5ecba7ec 100644 --- a/terraform/infrastructure/qemu/.terraform.lock.hcl +++ b/terraform/infrastructure/qemu/.terraform.lock.hcl 
@@ -2,99 +2,92 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/dmacvicar/libvirt" { - version = "0.8.3" - constraints = "0.8.3" + version = "0.8.1" + constraints = "0.8.1" hashes = [ - "h1:4R2L9SlbXt5VVZtQ0vPe1s65UygQT3aKTWpsGKqTnvM=", - "h1:AGOjd7NzTBQAiOjjlUdq5JjuYdWBL6jfrNf+qO7Z+cg=", - "h1:HuCu3y7gzhI1YLYWY7L9c3f5lhJyo5/Peozd50hoj4w=", - "h1:SE2o8WY/6vqSTow2nds6P2+IoJln0TvuF794xBjDIeE=", - "h1:Tttxr3E9O75MM+dDmq5sYHQEw29PwtIj+XDj/5drdfE=", - "h1:Wqa218+IMxnn4psH5r4FlvEL2/LKZRHc4tFm63uOrVc=", - "h1:Z+uoKz1rZ/z0xwEvycBhuDGDwQDKhHUDxlAfKkoGCko=", - "h1:bKZooqVcZ2vCovziB23j4exHuGg8s/FyxjoZ0NIY36Y=", - "h1:dSnCr6ib3qdJot4gXPMe8DW9pHwRPTkN+jkCbG/w4uI=", - "h1:fg6FmBx96CV7M1osSsZ215N47M3TGFeaoy2XVSmh2/Y=", - "h1:h7F4ON38TMmy+8fAoYBaKDOFWv7ZVUnI0J+h7jSL2T8=", - "h1:mymyoJNy7FTe3lkYzgt2Gqgrehn1m1EiqNLrpx5nerk=", - "h1:x44dqohhlnP6MxVsv0c07CcjOERfOBt79QCaoPgtFic=", - "h1:zEKrqI+ape4+ySL7RAZf2PFQ5jBqgfr239zdkyr6U+U=", - "zh:06ff0169beafd1891dc5a30616983abd32004a4f570d1d3dbb5851d84bd1c007", - "zh:2dbdd726d0987cda73b56ecdfbcb98a67485e86a7a44aec976c0081b7239d89d", - "zh:2e195a7bbdfcc13c45460571a5ba848a5c1e746b477c8381058767560f0ac93b", - "zh:3952da13080018c5aec498b73e343c4c22ad884afb8c983138fb7255617aa991", - "zh:478841bcf57df938726ddb90f55c7953fad09db4f6348747519afe7fc84b403b", - "zh:53bce78b03a82c4782acfe1f32c2b46a68fa5fb2fb90d4a5392c90b436b44244", - "zh:5c157f23e9768c67cddf9e847a571adca441607cb5adfb96dbfdd626ceadf92c", - "zh:6bc78d631959fb695664966851308e140c38f3f5cf648dd89756320c2d91765d", - "zh:8605d7d6915190836802654920a8eea3d751ae437273c4f4476dc0ebb9167a1d", - "zh:8b66a22b97331c2a56aed092fd39152d06ad957fd4810aa3f0c4ade0f9b15755", - "zh:92586a47a04082f70bb33f722672127a287caeed109beaaca2668e2e1d6a9caf", - "zh:99a9ee414f5c4268e287660ce8edec2efcba1f79351f83791b64c7e5ab04f569", - "zh:b7cff09fe74b0eb63b5b9aa94de5b33dadbd006d6d5b9578ac476039ea20b062", - "zh:d4188a343ff32c0e03ff28c7e84abce0f43cad2fdbcd9046eaafc247429039ff", + 
"h1:5FeCYHMRIdyECDTNoFsAj8ImUjcJdeyGvLr8Ja1w+EY=", + "h1:7O8wfEcqhW1bvWOUcrxL7cbCrdvXeD6nkXRSbr4KUZA=", + "h1:9PKhle3FeywAgnuJU1qzP1pmv8SSOWKhtVszkt+5+PM=", + "h1:E05LPgJfl9hkZ4q42rQThDy6S9nLajwFF3dPUMJOzIM=", + "h1:EvrKlA6d+0OjWFPy7p15U+suA5deQdgHo7V8x3d1/MM=", + "h1:IKy4tvKIxwGjzvLwVp/gfm9Ce8Iegqx0u3tuPXlwYLM=", + "h1:IxpbyFtBCvMVZVufdITj5SLyYQZSIRTUTRs7b8Pr+tQ=", + "h1:KUGB3qu7THug9hwg+Witf8PInTeMarpT1VnjeHIPE9Y=", + "h1:P89mPLLTUwyEvyUnHNW+m2QIXvjfJ9hTY8xtTl3D29o=", + "h1:PYgdRe26T85VCqUPjCpwWTnq1AN90IlOXf6zMD7rjbk=", + "h1:RcwrppqfAbj9po935/q7SQkEu4LpLcjU34VB8GCDauk=", + "h1:VdVOp9wkDQlo4FE9s1qrjOLDBZT/wWJ13TnasQEMnXw=", + "h1:fsZ4cwYgn7XdtEo/eSoyDlgbO5yycX8Mm5myTp0PGFU=", + "h1:zMNA/zoL1CY5Vdj91hkFhI9bddu5wTEdioeKVaTqxss=", + "zh:126b9c265f5c2c4faf9b6ea6abfd3f86639d6301ba99d11cb87caae65e91eca4", + "zh:282527a99f75468fe20a59e207ccc71f5de545548f1b0c6a4d235cc3664ff095", + "zh:3b44aba6825ef5c909607ac5ec7e2f286de4e8ecc36cc00e3a0780bba372f248", + "zh:41dfed618ef200061d2b7c991fbda7dd8c9c3a919d5952a4ce26315fa2f698e0", + "zh:43e628f793bef68892eefbd9afc571d2314df225c7dd78485a75fbc9e2869442", + "zh:478bb7bd04df95b8d71a33c1bc0d0f8b5ff2fc807c118ca3129ba6b3507fdb70", + "zh:65a5b3c1497e1b12b6d6b9feab2174fc58e861c164c08cdecf2bca10e4612fd4", + "zh:6f07753897cc9e3e9031597548e8716e39bfe7b348d7f271f67a477e1f5c9c22", + "zh:72282261a35e81895d002d6ec2b799404183803f55f5a4ecdb85ab2925196f5d", + "zh:7a7853515f4b9a30f76c10f3c38df4d7562b6b55332a9c07477364a49d2b462f", + "zh:a14dbc814c8aa5ba26b7a4195c28c4822f5024767a10f643de3822b0e32f7be1", + "zh:baa396ad19bb486ac356a89ec759b9355c4fb0a94fd67e49980a2e57fc243960", + "zh:ec626cc9e0e30321313c0ce80aea0dcca9f468da0530ee66beb217526fe8f8ea", + "zh:f4ee4844f3b8ef3d2c13fea620cc816f725daccb596cea0a2f6b18301b9f1d1a", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = "3.7.2" + version = "3.6.3" + constraints = "3.6.3" hashes = [ - "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", - 
"h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "h1:Def/iHM4HihJCIxQ8AYoxtoVL5lVlYx0V7bX91pxwgM=", - "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=", - "h1:Lmv2TxyKKm9Vt4uxcPZHw1uf0Ax/yYizJlilbLSZN8E=", - "h1:hkKSY5xI4R1H4Yrg10HHbtOoxZif2dXa9HFPSbaVg5o=", - "h1:khu3pu9zeUMd6Ev+yH6cQ1S4+xpzx8wqwwFwADYGeRI=", - "h1:l35vnL76rzaOjhhJQiaWviW0noK2YzHeHN0/vIXJnHk=", - "h1:nWZjMYzp+nsqD3xslcihzq1Enxv33a7iC8/I8CTBcHA=", - "h1:pSMn/cwmyHB6V67lToGmCHfJFfzA711vV+E1cGP0LBg=", - "h1:w+NoF7vNMFS+qrU2XUEm0/wnuIZxPC733qOOfLVOdfk=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", + "h1:4LlZaEeRPQNeQVS/qkH33e0fw92dZV8bS855mhDZ5GU=", + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", + "h1:LFe/7Z6YZvnrBcYhSEQY50DfS3uoDKBakwdqVXcEQkc=", + "h1:N2IQabOiZC5eCEGrfgVS6ChVmRDh1ENtfHgGjnV4QQQ=", + "h1:aP69UhBhTPIVy1laxOTwOVRPB5Gv3WP9wKPyAnYd8DI=", + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "h1:ph2J8mV6yYVsaN6FIsxhpWv//QuloQESo4tAZU732Uk=", + "h1:swbWBC5hf9ijj1BQcCpwLOI1m1tXH2KNGp8TEqnMiAY=", + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", ] } provider "registry.terraform.io/kreuzwerker/docker" { - version = "3.5.0" - constraints = "3.5.0" + version = "3.0.2" + constraints = "3.0.2" hashes = [ - "h1:2m9zj6qkquTHzwXFp+8NpA6e7n6RgckdzvLcBfCCaX4=", - "h1:5fbzStQvS4Ec+/QKefUVDf/pabuwGBpVgLYeigOpMe8=", - "h1:5ykMfyIfMooAmowvmPXc7sVdkhkATrOSkq98Ca0T4ZQ=", - "h1:CIiLFn0SJ+1b2ArewLFjDThJ6rxFf54u9FATgZD9Kac=", - "h1:GSPQAzIJs+b3Ypy9YUTvF4/RrA8Uawx+liA+cQ7RaP4=", - "h1:TYbKlCFkOOI9hh63nbWT6yvd/0PfBONtMO4jkGvu8Us=", - "h1:TzYSjwiML0arIOHzYWD7dLMZZEg0jLHTiSNNNB9c0H8=", - "h1:bU1vBUeUoyaGMkforubnY6O1udOLwYWReXTnneZ8sDk=", - "h1:d+4qP/GCkGnPyfzSa19M49n+6FkIe1BmuEl+HXSDYXs=", - "h1:f7cuN7GkUm4ucgZzr0DwzdbbXrRUmKvmUHkKL40Zg7U=", - "h1:j0REIQY6zq1P0iDUdo5pGZQZy85/EK5ckvRqqzYMMLQ=", - "h1:q00T95a38TRhPJ90y8okMMGQtbOQPROMr+sCbU/mP8Y=", - "h1:qXkfTd57rY0sp++8oU+qSeSMLRLLOZu7jWEJONOkwek=", - "zh:01fa6b2f9c44fc0f286f27941d3866adb749e34235f25b9d731b4f45f9c8a601", - "zh:0f945042448360b3f44662db4dceb7287236a950cf936bc973735acc7cded206", - "zh:44f1e6b5b451d072e84dffe61dbf2c3fbbb4a9f8e98f921a99025ac19c6adbb6", - "zh:5724f8af7c2bbd0f019114421dd46e7c8983ec7ea9444a03fc3a770510b47f03", - 
"zh:790d0b9bc941d1953a739da5426b6a5efa4db97a9c4bb30c52019536abc40661", - "zh:7b89c7cf131a33604a9b8c3fd7a94b28446beba633bbf52e6e37ea3fef643421", - "zh:7e59eb91e253a3f04b40e1e0b45b027fed0e69fed78cd996788a23d92f02137d", - "zh:9caf1c13d1c6ed6a3b7aa11a61b56623b6bd30a6a1e396558c3dbe82370f34f5", - "zh:ba5b46ae242953fbec32f9f93dc5a81fd2e6962df68f17c670c0533040c74b42", - "zh:cae081982d5931ad265223c09824f2b3cd58a1fe307ccc701188d688ad217e6e", - "zh:cda2545056b6028d84505b18aaf20e7c769f6665fe27e16d2c52e35d23840689", - "zh:e41f2b9901202cb2cf7929005340ffc498ab1ca813005e364af4016a85634b5e", - "zh:e84272077a0287bc68523134292d9b12af54e200e413a89ae37f5788c063de5d", + "h1:DcRxJArfX6EiATluWeCBW7HoD6usz9fMoTK2U3dmyPk=", + "h1:XjdpVL61KtTsuPE8swok3GY8A+Bu3TZs8T2DOEpyiXo=", + "h1:cT2ccWOtlfKYBUE60/v2/4Q6Stk1KYTNnhxSck+VPlU=", + "h1:os8pBi4rbtFJJtzNWlcGhOVsz5V9UPJvo+L0wNQFYE8=", + "h1:tMiDR/3WQYAwE4Z7Xr1iqJN23z2GNr1ARis9yutVgjw=", + "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f", + "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95", + "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138", + "zh:4a9c5065b178082f79ad8160243369c185214d874ff5048556d48d3edd03c4da", + "zh:5438ef6afe057945f28bce43d76c4401254073de01a774760169ac1058830ac2", + "zh:60b7fadc287166e5c9873dfe53a7976d98244979e0ab66428ea0dea1ebf33e06", + "zh:61c5ec1cb94e4c4a4fb1e4a24576d5f39a955f09afb17dab982de62b70a9bdd1", + "zh:a38fe9016ace5f911ab00c88e64b156ebbbbfb72a51a44da3c13d442cd214710", + "zh:c2c4d2b1fd9ebb291c57f524b3bf9d0994ff3e815c0cd9c9bcb87166dc687005", + "zh:d567bb8ce483ab2cf0602e07eae57027a1a53994aba470fa76095912a505533d", + "zh:e83bf05ab6a19dd8c43547ce9a8a511f8c331a124d11ac64687c764ab9d5a792", + "zh:e90c934b5cd65516fbcc454c89a150bfa726e7cf1fe749790c7480bbeb19d387", + "zh:f05f167d2eaf913045d8e7b88c13757e3cf595dd5cd333057fdafc7c4b7fed62", + "zh:fcc9c1cea5ce85e8bcb593862e699a881bd36dffd29e2e367f82d15368659c3d", ] } 
diff --git a/terraform/infrastructure/qemu/main.tf b/terraform/infrastructure/qemu/main.tf index 3c01a07a9..62c283183 100644 --- a/terraform/infrastructure/qemu/main.tf +++ b/terraform/infrastructure/qemu/main.tf @@ -2,15 +2,15 @@ terraform { required_providers { libvirt = { source = "dmacvicar/libvirt" - version = "0.8.3" + version = "0.8.1" } docker = { source = "kreuzwerker/docker" - version = "3.5.0" + version = "3.0.2" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } diff --git a/terraform/infrastructure/qemu/modules/instance_group/main.tf b/terraform/infrastructure/qemu/modules/instance_group/main.tf index 00c83c6df..cd4f43b7d 100644 --- a/terraform/infrastructure/qemu/modules/instance_group/main.tf +++ b/terraform/infrastructure/qemu/modules/instance_group/main.tf @@ -2,11 +2,11 @@ terraform { required_providers { libvirt = { source = "dmacvicar/libvirt" - version = "0.8.3" + version = "0.8.1" } random = { source = "hashicorp/random" - version = "3.7.2" + version = "3.6.3" } } } diff --git a/terraform/legacy-module/README.md b/terraform/legacy-module/README.md new file mode 100644 index 000000000..c755b0a54 --- /dev/null +++ b/terraform/legacy-module/README.md @@ -0,0 +1,6 @@ +## Constellation Terraform Modules + +> [!WARNING] +> The Constellation Terraform modules are deprecated, and support will be discontinued in v2.15.0. +> To continue managing Constellation clusters through Terraform, you can use the [Constellation Terraform provider](https://docs.edgeless.systems/constellation/workflows/terraform-provider). +> Clusters created through the Constellation Terraform modules can also be [imported](https://registry.terraform.io/providers/edgelesssys/constellation/latest/docs/resources/cluster#import) to the Constellation Terraform provider. diff --git a/terraform/legacy-module/aws-constellation/main.tf b/terraform/legacy-module/aws-constellation/main.tf new file mode 100644 index 000000000..83c92528a --- /dev/null 
+++ b/terraform/legacy-module/aws-constellation/main.tf @@ -0,0 +1,68 @@ +locals { + region = substr(var.zone, 0, length(var.zone) - 1) +} + +module "aws_iam" { + source = "../../infrastructure/iam/aws" + name_prefix = var.name_prefix + region = local.region +} + +resource "null_resource" "ensure_yq" { + provisioner "local-exec" { + command = < "image.txt" + + if [ '${var.csp}' = 'azure' ]; then + sed -i 's/CommunityGalleries/communityGalleries/g' image.txt + sed -i 's/Images/images/g' image.txt + sed -i 's/Versions/versions/g' image.txt + fi + EOT +} + + +resource "null_resource" "fetch_image" { + provisioner "local-exec" { + command = local.fetch_image_command + + environment = { + attestation_variant = var.attestation_variant + } + } + provisioner "local-exec" { + when = destroy + command = "rm image.txt" + } + triggers = { + always_run = "${timestamp()}" + } +} + +data "local_file" "image" { + filename = "image.txt" + depends_on = [null_resource.fetch_image] +} diff --git a/terraform/legacy-module/common/fetch-image/output.tf b/terraform/legacy-module/common/fetch-image/output.tf new file mode 100644 index 000000000..8fcdc030f --- /dev/null +++ b/terraform/legacy-module/common/fetch-image/output.tf @@ -0,0 +1,4 @@ +output "image" { + description = "The resolved image ID of the CSP." + value = data.local_file.image.content +} diff --git a/terraform/legacy-module/common/fetch-image/variables.tf b/terraform/legacy-module/common/fetch-image/variables.tf new file mode 100644 index 000000000..25b88bd1b --- /dev/null +++ b/terraform/legacy-module/common/fetch-image/variables.tf 
@@ -0,0 +1,20 @@
+variable "csp" {
+ description = "The cloud service provider to fetch image data for."
+ type = string
+}
+
+variable "attestation_variant" {
+ description = "The attestation variant to fetch image data for."
+ type = string
+}
+
+variable "region" {
+ description = "The region to fetch image data for."
+ type = string
+ default = ""
+}
+
+variable "image" {
+ description = "The image reference or semantical release version to fetch image data for."
+ type = string
+}
diff --git a/terraform/legacy-module/common/install-yq.sh b/terraform/legacy-module/common/install-yq.sh
new file mode 100755
index 000000000..14c375fd9
--- /dev/null
+++ b/terraform/legacy-module/common/install-yq.sh
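Review bot: `variable "csp"` is a free-form string although the module's shell snippets compare it against literal provider names (`if [ '${var.csp}' = 'azure' ]` elsewhere in this change), so a value such as `Azure` silently takes the generic path instead of failing at plan time; a `validation` block restricted to the providers the module actually handles would catch that early. The description of `image` also has a wording slip: `semantical release version` should read `semantic release version`.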
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+version="v4.35.2"
+if [[ -f ./yq ]] && ./yq --version | grep -q "${version}"; then
+ echo "yq is already available and up to date."
+ exit 0
+fi
+if [[ -f ./yq ]]; then
+ echo "yq is already available but not at the required version. Replacing with ${version}."
+ rm -f yq
+fi
+
+echo "Fetching yq ${version}"
+os=$(uname -s)
+arch=$(uname -m)
+url=""
+
+if [[ ${os} == "Darwin" ]]; then
+ if [[ ${arch} == "arm64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_arm64"
+ elif [[ ${arch} == "x86_64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_amd64"
+ fi
+elif [[ ${os} == "Linux" ]]; then
+ if [[ ${arch} == "x86_64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_amd64"
+ elif [[ ${arch} == "arm64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_arm64"
+ fi
+fi
+
+if [[ -z ${url} ]]; then
+ echo "os \"${os}\" and/or architecture \"${arch}\" is not supported."
+ exit 1
+else
+ echo "Downloading yq from ${url}"
+ curl -o yq -L "${url}"
+ chmod +x ./yq
+ ./yq --version
+ if ! ./yq --version | grep -q "${version}"; then # check that yq was installed correctly
+ echo "Version is incorrect"
+ exit 1
+ fi
+fi
diff --git a/terraform/legacy-module/constellation-cluster/install-constellation.sh b/terraform/legacy-module/constellation-cluster/install-constellation.sh
new file mode 100755
index 000000000..b056db21a
--- /dev/null
+++ b/terraform/legacy-module/constellation-cluster/install-constellation.sh
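Review bot: On Linux `uname -m` reports `aarch64`, not `arm64`, so the branch `elif [[ ${arch} == "arm64" ]]; then` inside the Linux case never matches and 64-bit Arm hosts end up at "not supported"; change it to `elif [[ ${arch} == "arm64" || ${arch} == "aarch64" ]]; then` (install-constellation.sh in the next file has the same branch). The download is also taken on trust: the later `grep -q "${version}"` only proves that the fetched binary claims that version, not that it is the published build, so pinning the release's SHA-256 next to `version=` and checking it before `chmod +x` (`sha256sum -c` on Linux, `shasum -a 256` on macOS) would make this a verifiable supply-chain step. Finally `curl -o yq -L "${url}"` lacks `--fail`, so an HTTP error body is written to `./yq` and only surfaces later as the confusing "Version is incorrect"; `curl -fL -o yq "${url}"` reports the real failure.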
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+if [[ -f ./constellation ]]; then
+ echo "constellation CLI is already available."
+ exit 0
+fi
+
+os=$(uname -s)
+arch=$(uname -m)
+version=$1
+url=""
+
+echo "Fetching constellation ${version}"
+
+if [[ ${os} == "Darwin" ]]; then
+ if [[ ${arch} == "arm64" ]]; then
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-darwin-arm64"
+ elif [[ ${arch} == "x86_64" ]]; then
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-darwin-amd64"
+ fi
+elif [[ ${os} == "Linux" ]]; then
+ if [[ ${arch} == "x86_64" ]]; then
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-linux-amd64"
+ elif [[ ${arch} == "arm64" ]]; then
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-linux-arm64"
+ fi
+fi
+
+if [[ -z ${url} ]]; then
+ echo "os \"${os}\" and/or architecture \"${arch}\" is not supported."
+ exit 1
+else
+ curl -o constellation -L "${url}"
+ chmod +x constellation
+fi
diff --git a/terraform/legacy-module/constellation-cluster/main.tf b/terraform/legacy-module/constellation-cluster/main.tf
new file mode 100644
index 000000000..f84406f16
--- /dev/null
+++ b/terraform/legacy-module/constellation-cluster/main.tf
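Review bot: `version=$1` is used unchecked, so running the script without an argument builds `releases//download/...` and fetches whatever that URL resolves to; `version="${1:?version argument required}"` fails fast instead. Unlike install-yq.sh, the early exit when `./constellation` exists never checks which version that binary is, so bumping the requested version keeps a stale CLI in place until someone deletes the file by hand. `curl -o constellation -L "${url}"` also has no `--fail` and nothing verifies the artifact before `chmod +x`; `curl -fL -o constellation "${url}"` plus a pinned checksum or signature check would close the same supply-chain gap noted for the yq download.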
@@ -0,0 +1,191 @@ +locals { + yq_node_groups = join("\n", flatten([ + for name, group in var.node_groups : [ + "./yq eval '.nodeGroups.${name}.role = \"${group.role}\"' -i constellation-conf.yaml", + "./yq eval '.nodeGroups.${name}.zone = \"${group.zone}\"' -i constellation-conf.yaml", + "./yq eval '.nodeGroups.${name}.instanceType = \"${group.instance_type}\"' -i constellation-conf.yaml", + "./yq eval '.nodeGroups.${name}.stateDiskSizeGB = ${group.disk_size}' -i constellation-conf.yaml", + "./yq eval '.nodeGroups.${name}.stateDiskType = \"${group.disk_type}\"' -i constellation-conf.yaml", + "./yq eval '.nodeGroups.${name}.initialCount = ${group.initial_count}' -i constellation-conf.yaml" + ] + ])) + gcp_sa_file_path = "service_account_file.json" +} + +resource "null_resource" "ensure_cli" { + provisioner "local-exec" { + command = < "${local.gcp_sa_file_path}" + EOT + } + provisioner "local-exec" { + when = destroy + command = "rm ${self.triggers.file_path}" + } + triggers = { + always_run = timestamp() + file_path = local.gcp_sa_file_path + } +} + +resource "null_resource" "gcp_config" { + count = var.gcp_config != null ? 1 : 0 + provisioner "local-exec" { + command = <