Git-Mirrors
/
constellation
mirror of https://github.com/edgelesssys/constellation.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Git-Mirrors:e30a5d4f9158db91fe0748d3942c620282d43e35
Branches Tags
Git-Mirrors:main
Git-Mirrors:burgerdev/ignore-same-version-upgrades
Git-Mirrors:fix/aws/snp-firmware-upgrade
Git-Mirrors:e2e-mini-cleanup
Git-Mirrors:experiment/upgrade-uplosi-all
Git-Mirrors:renovate/constellation-containers
Git-Mirrors:renovate/kubernetes-versions
Git-Mirrors:burgerdev/image
Git-Mirrors:release/v2.16
Git-Mirrors:flx-docs
Git-Mirrors:burgerdev/node-access
Git-Mirrors:renovate/k8s-constrained-gcp-versions
Git-Mirrors:burgerdev/forks
Git-Mirrors:renovate/rules_proto-digest
Git-Mirrors:image/automated/update-measurements-395
Git-Mirrors:feat/attestation/genoa-gpu
Git-Mirrors:fix/azure/snp-eastus2
Git-Mirrors:feat/gpu/h100-support
Git-Mirrors:fix/stackit/docs-feature-state
Git-Mirrors:feat/eastus2-az-img
Git-Mirrors:feat/image/gcp-snp-tdx
Git-Mirrors:release/v2.15
Git-Mirrors:fix/ci/disable-tdx-verify
Git-Mirrors:burgerdev/coredns
Git-Mirrors:burgerdev/generate-operator-resources
Git-Mirrors:experiment/ci/disable-use-of-self-hosted-runners
Git-Mirrors:deps/mkosi/20
Git-Mirrors:release/v2.14
Git-Mirrors:ref/bench/aws
Git-Mirrors:release/v2.14.1
Git-Mirrors:fix/devbuild/make-provider-optional
Git-Mirrors:feat/ci/test-provider-example-bckp
Git-Mirrors:feat/terraform/azure-mp-image-test
Git-Mirrors:release/v2.14.0
Git-Mirrors:experiment/image/azure-tdx
Git-Mirrors:test/bulid-image/data-urls
Git-Mirrors:ref/terraform-provider/doc-nits
Git-Mirrors:experiment/kernel/6-1-68-revert-systemd-update
Git-Mirrors:deps/kernel/6-1-67
Git-Mirrors:feat/terraform-provider/cluster-resource2
Git-Mirrors:feat/bazel/bzlmod-support
Git-Mirrors:experiment/nix-cc-darwin
Git-Mirrors:feat/terraform/data-attestation-suggestion
Git-Mirrors:feat/cli/allow-internal-lb-on-azure
Git-Mirrors:experiment/bazel/integration-tests
Git-Mirrors:experiment/ci/investigate-coverage-failure
Git-Mirrors:experiment/ci/network-sandbox
Git-Mirrors:feat/ci/ghissue
Git-Mirrors:release/v2.13
Git-Mirrors:release/v2.13.0
Git-Mirrors:fix/ci/1gb-min-image-size
Git-Mirrors:setup-1
Git-Mirrors:feat/arch/internal-lb
Git-Mirrors:deps/go/bump-to-1-21-3
Git-Mirrors:release/v2.12
Git-Mirrors:fix/nix/fhs
Git-Mirrors:feat/config/read-from-snp-report
Git-Mirrors:feat/verifyKubernetesComponentsSignatures
Git-Mirrors:tmp/3u13r/strict
Git-Mirrors:fix/etcd/pre-vote
Git-Mirrors:ref/cli/split-k8s-and-image-upgrade
Git-Mirrors:release/v2.11
Git-Mirrors:fix/image/aws-selection
Git-Mirrors:feat/bootstrapper/purego-cryptsetup
Git-Mirrors:fix/image/nosmt
Git-Mirrors:docs/1.99
Git-Mirrors:ref/cli/cmd-pkgs
Git-Mirrors:feat/cli/config-migration-v3-v4
Git-Mirrors:feat/attestationcfg/aws-snp
Git-Mirrors:poc/azure/2023-07-19
Git-Mirrors:release/v2.9
Git-Mirrors:fix/aws-lb/copy
Git-Mirrors:fix/aws/new-controller-copy
Git-Mirrors:fix/ci/go-version
Git-Mirrors:failure
Git-Mirrors:renovate/github.com-onsi-gomega-1.x
Git-Mirrors:fix/aws/delete-vpc-tf-failure
Git-Mirrors:poc/openstack/2023-06-30
Git-Mirrors:test/ci/tf-resource-selectors
Git-Mirrors:revert-1916-feat/aws/snp-attestation-impl
Git-Mirrors:feat/cli/declarative-maa-policy
Git-Mirrors:feat/terraform/azure-node-groups
Git-Mirrors:fix/api/client
Git-Mirrors:feat/multiarch/bazel-container
Git-Mirrors:refactor/type-invariants
Git-Mirrors:release/v2.8
Git-Mirrors:wip/e2e-self-hosted-runner
Git-Mirrors:customerDebug/allow-upgrades-if-in-progress
Git-Mirrors:experiment/upgrade-all-2023-05-31
Git-Mirrors:feat/config/s3-api-rebased
Git-Mirrors:release/v1.48
Git-Mirrors:fix/ci/e2e-upgrade-fromVersion
Git-Mirrors:feat/attestation/gcp-snp
Git-Mirrors:feat/bazel/container-shutdown
Git-Mirrors:fix/image/limit-fallback-dns
Git-Mirrors:release/v2.7
Git-Mirrors:feat/image/kdump
Git-Mirrors:ci/hasher/apk
Git-Mirrors:feat/bazel/container-builder
Git-Mirrors:test/bootstrapper/journald-ram-usage
Git-Mirrors:docs/dev/etcd-recovery
Git-Mirrors:release/v2.6
Git-Mirrors:test/cilium/disable-hubble
Git-Mirrors:test/screencast-webp
Git-Mirrors:experiment/netgo
Git-Mirrors:experiment/clang-toolchain
Git-Mirrors:fix/mtu-e2e
Git-Mirrors:test/bootstr-timeouts
Git-Mirrors:feat/bazel/remote
Git-Mirrors:feat/release/v2.6.0/changes-to-main
Git-Mirrors:revert-1325-feat/renovate/containers
Git-Mirrors:renovate/gopkg.in-yaml.v2-3.x
Git-Mirrors:release/v2.5
Git-Mirrors:deps/rules_proto/5.3.0
Git-Mirrors:feat/reproducible-builds-ko-gcp
Git-Mirrors:fix/prepare-tpm-patch
Git-Mirrors:fix/disable-lb-test-on-aws
Git-Mirrors:dbg/v2.5-netvsc
Git-Mirrors:test/reproducible-deployed
Git-Mirrors:feat/reproducible-builds-integration
Git-Mirrors:release/v1.2
Git-Mirrors:docs/1.2
Git-Mirrors:feat/mkosi-pin-rpms
Git-Mirrors:hasher/apk
Git-Mirrors:docs/0.0
Git-Mirrors:release/v2.4
Git-Mirrors:dog/6.0.17-nopat
Git-Mirrors:fix/podman
Git-Mirrors:flxflx/arch-rewrite
Git-Mirrors:dbg/v2.3/az-fedpkg
Git-Mirrors:dbg/v2.3/az-kernel
Git-Mirrors:flxflx/architecture
Git-Mirrors:feat/reproducible-builds-ko
Git-Mirrors:test/kernel-5.18
Git-Mirrors:release/v2.3
Git-Mirrors:test/debug-disks-azure
Git-Mirrors:fix/sonobuoy-regression
Git-Mirrors:rfc/reproducible-builds-fixup
Git-Mirrors:feat/reAddMoreSonobuoyTests
Git-Mirrors:release/v2.2
Git-Mirrors:feat/pseudonew-debug-img
Git-Mirrors:release/v2.0
Git-Mirrors:ref/windows-build
Git-Mirrors:release/v2.1
Git-Mirrors:feat/gcp-multizone
Git-Mirrors:fix/konnectivity
Git-Mirrors:v2.16.4
Git-Mirrors:v2.16.3
Git-Mirrors:v2.16.2
Git-Mirrors:v2.16.1
Git-Mirrors:v2.16.0
Git-Mirrors:v2.15.1
Git-Mirrors:v2.15.0
Git-Mirrors:v2.14.3
Git-Mirrors:v2.14.2
Git-Mirrors:v2.14.1
Git-Mirrors:v2.14.0
Git-Mirrors:v2.13.0
Git-Mirrors:v2.12.0
Git-Mirrors:v2.11.0
Git-Mirrors:v2.10.1
Git-Mirrors:v2.10.0
Git-Mirrors:v2.9.1
Git-Mirrors:v2.9.0
Git-Mirrors:v2.8.0
Git-Mirrors:v2.7.1
Git-Mirrors:v2.8.0-pre
Git-Mirrors:v2.7.0
Git-Mirrors:v2.6.0
Git-Mirrors:v2.7.0-pre
Git-Mirrors:v2.5.3
Git-Mirrors:v2.5.2
Git-Mirrors:v2.5.1
Git-Mirrors:v2.6.0-pre
Git-Mirrors:v2.5.0
Git-Mirrors:v2.4.0
Git-Mirrors:v2.5.0-pre
Git-Mirrors:v2.4.0-pre
Git-Mirrors:v2.3.0
Git-Mirrors:v2.2.2
Git-Mirrors:v2.2.1
Git-Mirrors:v2.3.0-pre
Git-Mirrors:v2.2.0
Git-Mirrors:v2.2.0-pre
Git-Mirrors:v2.1.0
Git-Mirrors:v2.1.0-pre
Git-Mirrors:v2.0.0
Git-Mirrors:v0.0.0
...
compare: Git-Mirrors:0fd7ac69ef6a7c07c543b78f90d4e00a0772020a
Branches Tags
Git-Mirrors:burgerdev/ignore-same-version-upgrades
Git-Mirrors:main
Git-Mirrors:fix/aws/snp-firmware-upgrade
Git-Mirrors:e2e-mini-cleanup
Git-Mirrors:experiment/upgrade-uplosi-all
Git-Mirrors:renovate/constellation-containers
Git-Mirrors:renovate/kubernetes-versions
Git-Mirrors:burgerdev/image
Git-Mirrors:release/v2.16
Git-Mirrors:flx-docs
Git-Mirrors:burgerdev/node-access
Git-Mirrors:renovate/k8s-constrained-gcp-versions
Git-Mirrors:burgerdev/forks
Git-Mirrors:renovate/rules_proto-digest
Git-Mirrors:image/automated/update-measurements-395
Git-Mirrors:feat/attestation/genoa-gpu
Git-Mirrors:fix/azure/snp-eastus2
Git-Mirrors:feat/gpu/h100-support
Git-Mirrors:fix/stackit/docs-feature-state
Git-Mirrors:feat/eastus2-az-img
Git-Mirrors:feat/image/gcp-snp-tdx
Git-Mirrors:release/v2.15
Git-Mirrors:fix/ci/disable-tdx-verify
Git-Mirrors:burgerdev/coredns
Git-Mirrors:burgerdev/generate-operator-resources
Git-Mirrors:experiment/ci/disable-use-of-self-hosted-runners
Git-Mirrors:deps/mkosi/20
Git-Mirrors:release/v2.14
Git-Mirrors:ref/bench/aws
Git-Mirrors:release/v2.14.1
Git-Mirrors:fix/devbuild/make-provider-optional
Git-Mirrors:feat/ci/test-provider-example-bckp
Git-Mirrors:feat/terraform/azure-mp-image-test
Git-Mirrors:release/v2.14.0
Git-Mirrors:experiment/image/azure-tdx
Git-Mirrors:test/bulid-image/data-urls
Git-Mirrors:ref/terraform-provider/doc-nits
Git-Mirrors:experiment/kernel/6-1-68-revert-systemd-update
Git-Mirrors:deps/kernel/6-1-67
Git-Mirrors:feat/terraform-provider/cluster-resource2
Git-Mirrors:feat/bazel/bzlmod-support
Git-Mirrors:experiment/nix-cc-darwin
Git-Mirrors:feat/terraform/data-attestation-suggestion
Git-Mirrors:feat/cli/allow-internal-lb-on-azure
Git-Mirrors:experiment/bazel/integration-tests
Git-Mirrors:experiment/ci/investigate-coverage-failure
Git-Mirrors:experiment/ci/network-sandbox
Git-Mirrors:feat/ci/ghissue
Git-Mirrors:release/v2.13
Git-Mirrors:release/v2.13.0
Git-Mirrors:fix/ci/1gb-min-image-size
Git-Mirrors:setup-1
Git-Mirrors:feat/arch/internal-lb
Git-Mirrors:deps/go/bump-to-1-21-3
Git-Mirrors:release/v2.12
Git-Mirrors:fix/nix/fhs
Git-Mirrors:feat/config/read-from-snp-report
Git-Mirrors:feat/verifyKubernetesComponentsSignatures
Git-Mirrors:tmp/3u13r/strict
Git-Mirrors:fix/etcd/pre-vote
Git-Mirrors:ref/cli/split-k8s-and-image-upgrade
Git-Mirrors:release/v2.11
Git-Mirrors:fix/image/aws-selection
Git-Mirrors:feat/bootstrapper/purego-cryptsetup
Git-Mirrors:fix/image/nosmt
Git-Mirrors:docs/1.99
Git-Mirrors:ref/cli/cmd-pkgs
Git-Mirrors:feat/cli/config-migration-v3-v4
Git-Mirrors:feat/attestationcfg/aws-snp
Git-Mirrors:poc/azure/2023-07-19
Git-Mirrors:release/v2.9
Git-Mirrors:fix/aws-lb/copy
Git-Mirrors:fix/aws/new-controller-copy
Git-Mirrors:fix/ci/go-version
Git-Mirrors:failure
Git-Mirrors:renovate/github.com-onsi-gomega-1.x
Git-Mirrors:fix/aws/delete-vpc-tf-failure
Git-Mirrors:poc/openstack/2023-06-30
Git-Mirrors:test/ci/tf-resource-selectors
Git-Mirrors:revert-1916-feat/aws/snp-attestation-impl
Git-Mirrors:feat/cli/declarative-maa-policy
Git-Mirrors:feat/terraform/azure-node-groups
Git-Mirrors:fix/api/client
Git-Mirrors:feat/multiarch/bazel-container
Git-Mirrors:refactor/type-invariants
Git-Mirrors:release/v2.8
Git-Mirrors:wip/e2e-self-hosted-runner
Git-Mirrors:customerDebug/allow-upgrades-if-in-progress
Git-Mirrors:experiment/upgrade-all-2023-05-31
Git-Mirrors:feat/config/s3-api-rebased
Git-Mirrors:release/v1.48
Git-Mirrors:fix/ci/e2e-upgrade-fromVersion
Git-Mirrors:feat/attestation/gcp-snp
Git-Mirrors:feat/bazel/container-shutdown
Git-Mirrors:fix/image/limit-fallback-dns
Git-Mirrors:release/v2.7
Git-Mirrors:feat/image/kdump
Git-Mirrors:ci/hasher/apk
Git-Mirrors:feat/bazel/container-builder
Git-Mirrors:test/bootstrapper/journald-ram-usage
Git-Mirrors:docs/dev/etcd-recovery
Git-Mirrors:release/v2.6
Git-Mirrors:test/cilium/disable-hubble
Git-Mirrors:test/screencast-webp
Git-Mirrors:experiment/netgo
Git-Mirrors:experiment/clang-toolchain
Git-Mirrors:fix/mtu-e2e
Git-Mirrors:test/bootstr-timeouts
Git-Mirrors:feat/bazel/remote
Git-Mirrors:feat/release/v2.6.0/changes-to-main
Git-Mirrors:revert-1325-feat/renovate/containers
Git-Mirrors:renovate/gopkg.in-yaml.v2-3.x
Git-Mirrors:release/v2.5
Git-Mirrors:deps/rules_proto/5.3.0
Git-Mirrors:feat/reproducible-builds-ko-gcp
Git-Mirrors:fix/prepare-tpm-patch
Git-Mirrors:fix/disable-lb-test-on-aws
Git-Mirrors:dbg/v2.5-netvsc
Git-Mirrors:test/reproducible-deployed
Git-Mirrors:feat/reproducible-builds-integration
Git-Mirrors:release/v1.2
Git-Mirrors:docs/1.2
Git-Mirrors:feat/mkosi-pin-rpms
Git-Mirrors:hasher/apk
Git-Mirrors:docs/0.0
Git-Mirrors:release/v2.4
Git-Mirrors:dog/6.0.17-nopat
Git-Mirrors:fix/podman
Git-Mirrors:flxflx/arch-rewrite
Git-Mirrors:dbg/v2.3/az-fedpkg
Git-Mirrors:dbg/v2.3/az-kernel
Git-Mirrors:flxflx/architecture
Git-Mirrors:feat/reproducible-builds-ko
Git-Mirrors:test/kernel-5.18
Git-Mirrors:release/v2.3
Git-Mirrors:test/debug-disks-azure
Git-Mirrors:fix/sonobuoy-regression
Git-Mirrors:rfc/reproducible-builds-fixup
Git-Mirrors:feat/reAddMoreSonobuoyTests
Git-Mirrors:release/v2.2
Git-Mirrors:feat/pseudonew-debug-img
Git-Mirrors:release/v2.0
Git-Mirrors:ref/windows-build
Git-Mirrors:release/v2.1
Git-Mirrors:feat/gcp-multizone
Git-Mirrors:fix/konnectivity
Git-Mirrors:v2.16.4
Git-Mirrors:v2.16.3
Git-Mirrors:v2.16.2
Git-Mirrors:v2.16.1
Git-Mirrors:v2.16.0
Git-Mirrors:v2.15.1
Git-Mirrors:v2.15.0
Git-Mirrors:v2.14.3
Git-Mirrors:v2.14.2
Git-Mirrors:v2.14.1
Git-Mirrors:v2.14.0
Git-Mirrors:v2.13.0
Git-Mirrors:v2.12.0
Git-Mirrors:v2.11.0
Git-Mirrors:v2.10.1
Git-Mirrors:v2.10.0
Git-Mirrors:v2.9.1
Git-Mirrors:v2.9.0
Git-Mirrors:v2.8.0
Git-Mirrors:v2.7.1
Git-Mirrors:v2.8.0-pre
Git-Mirrors:v2.7.0
Git-Mirrors:v2.6.0
Git-Mirrors:v2.7.0-pre
Git-Mirrors:v2.5.3
Git-Mirrors:v2.5.2
Git-Mirrors:v2.5.1
Git-Mirrors:v2.6.0-pre
Git-Mirrors:v2.5.0
Git-Mirrors:v2.4.0
Git-Mirrors:v2.5.0-pre
Git-Mirrors:v2.4.0-pre
Git-Mirrors:v2.3.0
Git-Mirrors:v2.2.2
Git-Mirrors:v2.2.1
Git-Mirrors:v2.3.0-pre
Git-Mirrors:v2.2.0
Git-Mirrors:v2.2.0-pre
Git-Mirrors:v2.1.0
Git-Mirrors:v2.1.0-pre
Git-Mirrors:v2.0.0
Git-Mirrors:v0.0.0

10 Commits
e30a5d4f91 ... 0fd7ac69ef

Author SHA1 Message Date
Markus Rudy 0fd7ac69ef
Merge 8704da6f5f into 9def35ed06 2024-05-08 17:33:24 +02:00
Daniel Weiße 9def35ed06
deps: update all Go dependencies (#3071) 
* Upgrade Go dependencies

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Group Go dependency upgrades

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Remove usage of deprecated docker types

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Fix usage of invalid validation tags

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Regenerate bazel files

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Keep github.com/bazelbuild/buildtools at old version to not break other dependencies

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2024-05-08 17:31:47 +02:00
Malte Poll 1c0c7d6227
ci: disable e2e-attestationconfigapi on PRs (#2937) 
This workflow touches shared state by deleting all objects of a bucket and then
uploading a signed blob of data to that S3 bucket under a fixed name.
It also does so multiple times in a row, while invalidating the cloudfront
cache and checking if the uploaded object exists.
All runs of this workflow share the same bucket.
Since this pipeline runs on any modification of go.mod, it is very prone
to race condition between PRs (or PRs and main).
 2024-05-08 14:59:03 +02:00
renovate[bot] adf03ad76c
deps: update GitHub action dependencies (#3070) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-05-08 14:33:35 +02:00
Daniel Weiße 86c45d1d5f
deps: update to Go 1.22.3 (#3069) 
* Update renovate syntax
* Update to Go 1.22.3

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2024-05-08 11:34:31 +02:00
Daniel Weiße a15cf54477
ci: use 7zip for creating archives (#3068) 
* Use 7zip for creating and processing encrypted archives
* Switch to .7z file extension
* Fix shell check issues
* Fix tfstate update logic

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2024-05-08 10:34:10 +02:00
Markus Rudy 8704da6f5f fixup! terraform: add missing policies for AWS ALB 2024-05-06 13:48:05 +02:00
Markus Rudy 9a1de44776 fixup! terraform: add missing policies for AWS ALB 2024-05-06 13:42:38 +02:00
Markus Rudy 3e41e890b9 fixup! terraform: add missing policies for AWS ALB 2024-05-03 17:12:50 +02:00
Markus Rudy 04cbfd2bd2 terraform: add missing policies for AWS ALB 2024-05-03 13:28:18 +02:00
81 changed files with 1907 additions and 1435 deletions
Show Stats Expand all files Collapse all files

8
.github/actions/artifact_download/action.yml vendored
View File

@ -16,11 +16,11 @@ inputs:
runs:
using: "composite"
steps:
- name: Install unzip
- name: Install 7zip
uses: ./.github/actions/setup_bazel_nix
with:
nixTools: |
unzip
_7zz
- name: Create temporary directory
id: tempdir
@ -28,7 +28,7 @@ runs:
run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
- name: Download the artifact
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: ${{ inputs.name }}
path: ${{ steps.tempdir.outputs.directory }}
@ -37,4 +37,4 @@ runs:
shell: bash
run: |
mkdir -p ${{ inputs.path }}
unzip -P '${{ inputs.encryptionSecret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip
7zz x -p'${{ inputs.encryptionSecret }}' -t7z -o"${{ inputs.path }}" ${{ steps.tempdir.outputs.directory }}/archive.7z

42
.github/actions/artifact_upload/action.yml vendored
View File

@ -22,13 +22,51 @@ inputs:
runs:
using: "composite"
steps:
- name: Install zip
- name: Install 7zip
uses: ./.github/actions/setup_bazel_nix
with:
nixTools: |
zip
_7zz
- name: Create temporary directory
id: tempdir
shell: bash
run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
- name: Create archive
shell: bash
run: |
shopt -s extglob
paths="${{ inputs.path }}"
paths=${paths%$'\n'} # Remove trailing newline
# Check if any file matches the given pattern(s).
something_exists=false
for pattern in ${paths}
do
if compgen -G "${pattern}" > /dev/null; then
something_exists=true
fi
done
# Create an archive if files exist.
# Don't create an archive file if no files are found
# and warn.
if ! ${something_exists}
then
echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded."
exit 0
fi
for target in ${paths}
do
pushd "$(dirname "${target}")" || exit 1
7zz a -p'${{ inputs.encryptionSecret }}' -t7z -ms=on -mhe=on "${{ steps.tempdir.outputs.directory }}/archive.7z" "$(basename "${target}")"
popd || exit 1
done
- name: Upload archive as artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{ inputs.name }}
path: ${{ steps.tempdir.outputs.directory }}/archive.7z
retention-days: ${{ inputs.retention-days }}
if-no-files-found: ignore
overwrite: ${{ inputs.overwrite }}

2
.github/actions/build_cli/action.yml vendored
View File

@ -79,7 +79,7 @@ runs:
# once it has the functionality
- name: Install Cosign
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Install Rekor
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''

2
.github/actions/build_micro_service/action.yml vendored
View File

@ -62,7 +62,7 @@ runs:
- name: Build and push container image
id: build-micro-service
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
context: .
file: ${{ inputs.dockerfile }}

2
.github/actions/container_registry_login/action.yml vendored
View File

@ -17,7 +17,7 @@ runs:
steps:
- name: Use docker for logging in
if: runner.os != 'macOS'
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}

2
.github/actions/container_sbom/action.yml vendored
View File

@ -19,7 +19,7 @@ runs:
steps:
- name: Install Cosign
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype

2
.github/actions/deploy_logcollection/action.yml vendored
View File

@ -67,7 +67,7 @@ runs:
# Make sure that helm is installed
# This is not always the case, e.g. on MacOS runners
- name: Install Helm
uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f # v4.0.0
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
version: v3.9.0

20
.github/actions/download_release_binaries/action.yml vendored
View File

@ -5,51 +5,51 @@ runs:
using: "composite"
steps:
- name: Download CLI binaries darwin-amd64
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation-darwin-amd64
- name: Download CLI binaries darwin-arm64
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation-darwin-arm64
- name: Download CLI binaries linux-amd64
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation-linux-amd64
- name: Download CLI binaries linux-arm64
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation-linux-arm64
- name: Download CLI binaries windows-amd64
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation-windows-amd64
- name: Download Terraform module
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: terraform-module
- name: Download Terraform provider binary darwin-amd64
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: terraform-provider-constellation-darwin-amd64
- name: Download Terraform provider binary darwin-arm64
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: terraform-provider-constellation-darwin-arm64
- name: Download Terraform provider binary linux-amd64
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: terraform-provider-constellation-linux-amd64
- name: Download Terraform provider binary linux-arm64
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: terraform-provider-constellation-linux-arm64

4
.github/actions/e2e_benchmark/action.yml vendored
View File

@ -33,7 +33,7 @@ runs:
steps:
- name: Setup python
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: "3.10"
@ -49,7 +49,7 @@ runs:
install kubestr /usr/local/bin
- name: Checkout k8s-bench-suite
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
repository: "edgelesssys/k8s-bench-suite"

4
.github/actions/e2e_cleanup_timeframe/action.yml vendored
View File

@ -31,11 +31,11 @@ runs:
with:
service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Install unzip
- name: Install 7zip
uses: ./.github/actions/setup_bazel_nix
with:
nixTools: |
unzip
_7zz
- name: Run cleanup
run: ./.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh
shell: bash

44
.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh vendored
View File

@ -3,7 +3,7 @@
# get_e2e_test_ids_on_date gets all workflow IDs of workflows that contain "e2e" on a specific date.
function get_e2e_test_ids_on_date {
ids="$(gh run list --created "$1" --status failure --json createdAt,workflowName,databaseId --jq '.[] | select(.workflowName | contains("e2e") and (contains("MiniConstellation") | not)) | .databaseId' -L1000 -R edgelesssys/constellation || exit 1)"
echo "$ids"
echo "${ids}"
}
# download_tfstate_artifact downloads all artifacts matching the pattern terraform-state-* from a given workflow ID.
@ -13,7 +13,7 @@ function download_tfstate_artifact {
# delete_resources runs terraform destroy on the constellation-terraform subfolder of a given folder.
function delete_resources {
if [ -d "$1/constellation-terraform" ]; then
if [[ -d "$1/constellation-terraform" ]]; then
cd "$1/constellation-terraform" || exit 1
terraform init > /dev/null || exit 1 # first, install plugins
terraform destroy -auto-approve || exit 1
@ -23,7 +23,7 @@ function delete_resources {
# delete_iam_config runs terraform destroy on the constellation-iam-terraform subfolder of a given folder.
function delete_iam_config {
if [ -d "$1/constellation-iam-terraform" ]; then
if [[ -d "$1/constellation-iam-terraform" ]]; then
cd "$1/constellation-iam-terraform" || exit 1
terraform init > /dev/null || exit 1 # first, install plugins
terraform destroy -auto-approve || exit 1
@ -32,12 +32,12 @@ function delete_iam_config {
}
# check if the password for artifact decryption was given
if [[ -z $ENCRYPTION_SECRET ]]; then
if [[ -z ${ENCRYPTION_SECRET} ]]; then
echo "ENCRYPTION_SECRET is not set. Please set an environment variable with that secret."
exit 1
fi
artifact_pwd=$ENCRYPTION_SECRET
artifact_pwd=${ENCRYPTION_SECRET}
shopt -s nullglob
@ -46,9 +46,9 @@ end_date=$(date --date "-7 day" "+%Y-%m-%d")
dates_to_clean=()
# get all dates of the last week
while [[ $end_date != "$start_date" ]]; do
dates_to_clean+=("$end_date")
end_date=$(date --date "$end_date +1 day" "+%Y-%m-%d")
while [[ ${end_date} != "${start_date}" ]]; do
dates_to_clean+=("${end_date}")
end_date=$(date --date "${end_date} +1 day" "+%Y-%m-%d")
done
echo "[*] retrieving run IDs for cleanup"
@ -65,33 +65,33 @@ mapfile -td " " database_ids < <(echo "${database_ids[@]}")
echo "[*] downloading terraform state artifacts"
for id in "${database_ids[@]}"; do
if [[ $id == *[^[:space:]]* ]]; then
echo " downloading from workflow $id"
download_tfstate_artifact "$id"
if [[ ${id} == *[^[:space:]]* ]]; then
echo " downloading from workflow ${id}"
download_tfstate_artifact "${id}"
fi
done
echo "[*] extracting artifacts"
for directory in ./terraform-state-*; do
echo " extracting $directory"
echo " extracting ${directory}"
# extract and decrypt the artifact
unzip -d "${directory}" -P "$artifact_pwd" "$directory/archive.zip" > /dev/null || exit 1
7zz x -t7z -p"${artifact_pwd}" -o"${directory}" "${directory}/archive.7z" > /dev/null || exit 1
done
# create terraform caching directory
mkdir "$HOME/tf_plugin_cache"
export TF_PLUGIN_CACHE_DIR="$HOME/tf_plugin_cache"
echo "[*] created terraform cache directory $TF_PLUGIN_CACHE_DIR"
mkdir "${HOME}/tf_plugin_cache"
export TF_PLUGIN_CACHE_DIR="${HOME}/tf_plugin_cache"
echo "[*] created terraform cache directory ${TF_PLUGIN_CACHE_DIR}"
echo "[*] deleting resources"
for directory in ./terraform-state-*; do
echo " deleting resources in $directory"
delete_resources "$directory"
echo " deleting IAM configuration in $directory"
delete_iam_config "$directory"
echo " deleting directory $directory"
rm -rf "$directory"
echo " deleting resources in ${directory}"
delete_resources "${directory}"
echo " deleting IAM configuration in ${directory}"
delete_iam_config "${directory}"
echo " deleting directory ${directory}"
rm -rf "${directory}"
done
exit 0

22
.github/actions/e2e_lb/action.yml vendored
View File

@ -5,6 +5,9 @@ inputs:
kubeconfig:
description: "The kubeconfig of the cluster to test."
required: true
cloudProvider:
description: "The CSP this test runs on. Some tests exercise functionality not supported everywhere."
required: false
runs:
using: "composite"
@ -20,6 +23,24 @@ runs:
kubectl apply -f lb.yml
bazel run //e2e/internal/lb:lb_test
- name: Test AWS Ingress
if: inputs.cloudProvider == 'aws'
shell: bash
env:
KUBECONFIG: ${{ inputs.kubeconfig }}
working-directory: ./.github/actions/e2e_lb
run: |
kubectl apply -f aws-ingress.yml
kubectl wait -n lb-test ing/whoami --for=jsonpath='{.status.loadBalancer.ingress}' --timeout=5m
host=$(kubectl get -n lb-test ingress whoami -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}')
for i in $(seq 30); do
curl --silent --fail --connect-timeout 5 --output /dev/null http://$host && exit 0
sleep 10
done
echo "::error::Ingress did not become ready in the alloted time."
kubectl describe ing -n lb-test
exit 1
- name: Delete deployment
if: always()
shell: bash
@ -28,4 +49,5 @@ runs:
working-directory: ./.github/actions/e2e_lb
run: |
kubectl delete -f lb.yml
kubectl delete --ignore-not-found -f aws-ingress.yml
kubectl delete -f ns.yml --timeout=5m

35
.github/actions/e2e_lb/aws-ingress.yml vendored Normal file
View File

@ -0,0 +1,35 @@
apiVersion: v1
kind: Service
metadata:
name: whoami-internal
namespace: lb-test
spec:
selector:
app: whoami
ports:
- port: 80
targetPort: 80
type: NodePort
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: lb-test
name: whoami
annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: instance
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: whoami-internal
port:
number: 80

2
.github/actions/e2e_mini/action.yml vendored
View File

@ -25,7 +25,7 @@ runs:
using: "composite"
steps:
- name: Install terraform
uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
with:
terraform_wrapper: false

2
.github/actions/e2e_sonobuoy/action.yml vendored
View File

@ -64,7 +64,7 @@ runs:
- name: Publish test results
if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
uses: mikepenz/action-junit-report@5f47764eec0e1c1f19f40c8e60a5ba47e47015c5 # v4.1.0
uses: mikepenz/action-junit-report@9379f0ccddcab154835d4e2487555ee79614fe95 # v4.2.1
with:
report_paths: "**/junit_01.xml"
fail_on_failure: true

1
.github/actions/e2e_test/action.yml vendored
View File

@ -364,6 +364,7 @@ runs:
uses: ./.github/actions/e2e_lb
with:
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
cloudProvider: ${{ inputs.cloudProvider }}
- name: Run Performance Benchmark
if: inputs.test == 'perf-bench'

4
.github/actions/find_latest_image/action.yml vendored
View File

@ -26,13 +26,13 @@ runs:
steps:
- name: Checkout head
if: inputs.imageVersion == '' && inputs.git-ref == 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.imageVersion == '' && inputs.git-ref != 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.git-ref }}

2
.github/actions/login_gcp/action.yml vendored
View File

@ -20,7 +20,7 @@ runs:
echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"
- name: Authorize GCP access
uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2
with:
workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
service_account: ${{ inputs.service_account }}

4
.github/actions/publish_helmchart/action.yml vendored
View File

@ -13,7 +13,7 @@ runs:
using: "composite"
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: edgelesssys/helm
ref: main
@ -29,7 +29,7 @@ runs:
echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT
- name: Create pull request
uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
with:
path: helm
branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"

18
.github/actions/update_tfstate/action.yml vendored
View File

@ -1,5 +1,5 @@
name: Update TFState
description: "Update the terraform state artifact."
description: "Update the terraform state artifact. We use this to either delete an artifact if the e2e test was cleaned up successfully or to update the artifact with the latest terraform state."
inputs:
name:
@ -11,33 +11,29 @@ inputs:
encryptionSecret:
description: "The encryption secret for the artifacts."
required: true
skipDeletion:
description: "Don't try to delete the artifact before updating. You should only use this if you know that no artifact exists."
default: "false"
required: false
runs:
using: "composite"
steps:
- name: Check if tfstate should be deleted
if: always() && inputs.skipDeletion == 'false'
- name: Check if uploaded tfstate can be deleted
if: always()
shell: bash
run: |
if [[ -d constellation-terraform ]] || [[ -d constellation-iam-terraform ]]; then
if [[ ! -d constellation-terraform ]] && [[ ! -d constellation-iam-terraform ]]; then
echo "DELETE_TF_STATE=true" >> "$GITHUB_ENV"
else
echo "DELETE_TF_STATE=false" >> "$GITHUB_ENV"
fi
- name: Delete tfstate artifact if necessary
if: always() && env.DELETE_TF_STATE == 'true' && inputs.skipDeletion == 'false'
if: always() && env.DELETE_TF_STATE == 'true'
uses: ./.github/actions/artifact_delete
with:
name: ${{ inputs.name }}
workflowID: ${{ inputs.runID }}
- name: Prepare terraform state folders
if: always()
- name: Prepare left over terraform state folders
if: always() && env.DELETE_TF_STATE == 'false'
shell: bash
run: |
rm -rf to-zip/*

2
.github/actions/upload_terraform_module/action.yml vendored
View File

@ -15,7 +15,7 @@ runs:
zip -r terraform-module.zip terraform-module
- name: Upload artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: terraform-module
path: terraform-module.zip

2
.github/actions/versionsapi/Dockerfile vendored
View File

@ -1,4 +1,4 @@
FROM golang:1.22.2@sha256:c4fb952e712efd8f787bcd8e53fd66d1d83b7dc26adabc218e9eac1dbf776bdf as builder
FROM golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 as builder
# Download project root dependencies
WORKDIR /workspace

2
.github/workflows/assign_reviewer.yml vendored
View File

@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.event.label.name == 'dependencies'}}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Pick assignee
id: pick-assignee
uses: ./.github/actions/pick_assignee

6
.github/workflows/aws-snp-launchmeasurement.yml vendored
View File

@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ github.head_ref }}
path: constellation
@ -27,7 +27,7 @@ jobs:
- name: Download Firmware release
id: download-firmware
uses: robinraju/release-downloader@368754b9c6f47c345fcfbf42bcb577c2f0f5f395 # v1.9
uses: robinraju/release-downloader@c39a3b234af58f0cf85888573d361fb6fa281534 # v1.10
with:
repository: aws/uefi
latest: true
@ -50,7 +50,7 @@ jobs:
echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
popd || exit 1
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: virtee/sev-snp-measure-go.git
ref: e42b6f8991ed5a671d5d1e02a6b61f6373f9f8d8

2
.github/workflows/build-binaries.yml vendored
View File

@ -22,7 +22,7 @@ jobs:
runs-on: [arc-runner-set]
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

14
.github/workflows/build-ccm-gcp.yml vendored
View File

@ -19,19 +19,19 @@ jobs:
latest: ${{ steps.find-latest.outputs.latest }}
steps:
- name: Checkout Constellation
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Checkout kubernetes/cloud-provider-gcp
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: "kubernetes/cloud-provider-gcp"
path: "cloud-provider-gcp"
fetch-depth: 0
- name: Setup Go environment
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: "1.22.2"
go-version: "1.22.3"
cache: false
- name: Install Crane
@ -65,10 +65,10 @@ jobs:
version: ${{ fromJson(needs.find-ccm-versions.outputs.versions) }}
steps:
- name: Checkout Constellation
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Checkout kubernetes/cloud-provider-gcp
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: "kubernetes/cloud-provider-gcp"
path: "cloud-provider-gcp"
@ -113,7 +113,7 @@ jobs:
- name: Build and push container image
id: build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
context: ./cloud-provider-gcp
push: ${{ github.ref_name == 'main' }}

6
.github/workflows/build-gcp-guest-agent.yml vendored
View File

@ -69,7 +69,7 @@ jobs:
- name: Checkout GoogleCloudPlatform/guest-agent
if: steps.needs-build.outputs.out == 'true'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: "GoogleCloudPlatform/guest-agent"
ref: refs/tags/${{ steps.latest-release.outputs.latest }}
@ -77,7 +77,7 @@ jobs:
- name: Checkout Constellation
if: steps.needs-build.outputs.out == 'true'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
path: "constellation"
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -114,7 +114,7 @@ jobs:
- name: Build and push container image
if: steps.needs-build.outputs.out == 'true'
id: build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
context: ./guest-agent
file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile

2
.github/workflows/build-libvirt-container.yml vendored
View File

@ -19,7 +19,7 @@ jobs:
packages: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Setup bazel
uses: ./.github/actions/setup_bazel_nix

2
.github/workflows/build-logcollector-images.yml vendored
View File

@ -20,7 +20,7 @@ jobs:
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

10
.github/workflows/build-os-image-scheduled.yml vendored
View File

@ -62,14 +62,14 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ github.head_ref }}
- name: Setup Go environment
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: "1.22.2"
go-version: "1.22.3"
cache: false
- name: Determine version
@ -99,7 +99,7 @@ jobs:
run: rm -f internal/attestation/measurements/measurement-generator/generate
- name: Create pull request
uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
with:
branch: "image/automated/update-measurements-${{ github.run_number }}"
base: main
@ -121,7 +121,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ github.head_ref }}

4
.github/workflows/build-os-image.yml vendored
View File

@ -59,7 +59,7 @@ jobs:
cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -138,7 +138,7 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.ref || github.head_ref }}

2
.github/workflows/build-versionsapi-ci-image.yml vendored
View File

@ -20,7 +20,7 @@ jobs:
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

4
.github/workflows/check-links.yml vendored
View File

@ -20,12 +20,12 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Link Checker
uses: lycheeverse/lychee-action@c053181aa0c3d17606addfe97a9075a32723548a # v1.9.3
uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0
with:
args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
fail: true

10
.github/workflows/codeql.yml vendored
View File

@ -34,17 +34,17 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Setup Go environment
if: matrix.language == 'go'
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: "1.22.2"
go-version: "1.22.3"
cache: false
- name: Initialize CodeQL
uses: github/codeql-action/init@cf7e9f23492505046de9a37830c3711dd0f25bb3 # v2.16.2
uses: github/codeql-action/init@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3
with:
languages: ${{ matrix.language }}
@ -63,6 +63,6 @@ jobs:
echo "::endgroup::"
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@cf7e9f23492505046de9a37830c3711dd0f25bb3 # v2.16.2
uses: github/codeql-action/analyze@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3
with:
category: "/language:${{ matrix.language }}"

4
.github/workflows/docs-vale.yml vendored
View File

@ -16,12 +16,12 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Vale
uses: errata-ai/vale-action@3f7188c866bcb3259339a09f517d7c4a8838303c # tag=reviewdog
uses: errata-ai/vale-action@38bf078c328061f59879b347ca344a718a736018 # tag=reviewdog
with:
files: docs/docs
fail_on_error: true

38
.github/workflows/draft-release.yml vendored
View File

@ -72,7 +72,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -92,7 +92,7 @@ jobs:
cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
- name: Upload CLI as artifact (unix)
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if : ${{ matrix.os != 'windows' }}
with:
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -101,7 +101,7 @@ jobs:
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig
- name: Upload CLI as artifact (windows)
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if : ${{ matrix.os == 'windows' }}
with:
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -133,7 +133,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -149,7 +149,7 @@ jobs:
targetArch: ${{ matrix.arch }}
- name: Upload Terraform Provider Binary as artifact (unix)
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if : ${{ matrix.os != 'windows' }}
with:
name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -157,7 +157,7 @@ jobs:
build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
- name: Upload Terraform Provider Binary as artifact (windows)
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if : ${{ matrix.os == 'windows' }}
with:
name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -169,7 +169,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -187,7 +187,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -219,7 +219,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -227,7 +227,7 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation.spdx.sbom
@ -256,12 +256,12 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype
@ -296,13 +296,13 @@ jobs:
COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
- name: Upload Constellation CLI SBOM
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: constellation.spdx.sbom
path: constellation.spdx.sbom
- name: Upload Constellation CLI SBOM's signature
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: constellation.spdx.sbom.sig
path: constellation.spdx.sbom.sig
@ -332,7 +332,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -340,7 +340,7 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation.spdx.sbom
@ -407,7 +407,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.ref || github.head_ref }}
@ -420,12 +420,12 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation.spdx.sbom
- name: Download Constellation CLI SBOM's signature
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation.spdx.sbom.sig

7
.github/workflows/e2e-attestationconfigapi.yml vendored
View File

@ -10,11 +10,6 @@ on:
- "internal/api/**"
- ".github/workflows/e2e-attestationconfigapi.yml"
- "go.mod"
pull_request:
paths:
- "internal/api/**"
- ".github/workflows/e2e-attestationconfigapi.yml"
- "go.mod"
jobs:
e2e-api:
@ -31,7 +26,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
# Don't trigger in forks, use head on pull requests, use default otherwise.
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || github.event.pull_request.head.sha || '' }}

2
.github/workflows/e2e-cleanup-weekly.yml vendored
View File

@ -14,7 +14,7 @@ jobs:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Cleanup
uses: ./.github/actions/e2e_cleanup_timeframe

2
.github/workflows/e2e-mini.yml vendored
View File

@ -29,7 +29,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}

6
.github/workflows/e2e-test-daily.yml vendored
View File

@ -21,7 +21,7 @@ jobs:
image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -65,7 +65,7 @@ jobs:
needs: [find-latest-image]
steps:
- name: Check out repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -165,7 +165,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

2
.github/workflows/e2e-test-release.yml vendored
View File

@ -311,7 +311,7 @@ jobs:
run: brew install coreutils kubectl bash
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
ref: ${{ inputs.ref || github.head_ref }}

6
.github/workflows/e2e-test-weekly.yml vendored
View File

@ -22,7 +22,7 @@ jobs:
image-main-nightly: ${{ steps.relabel-output.outputs.image-main-nightly }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -313,7 +313,7 @@ jobs:
needs: [find-latest-image]
steps:
- name: Check out repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -438,7 +438,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

8
.github/workflows/e2e-test.yml vendored
View File

@ -174,13 +174,13 @@ jobs:
steps:
- name: Checkout head
if: inputs.git-ref == 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.git-ref != 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.git-ref }}
@ -211,13 +211,13 @@ jobs:
- name: Checkout head
if: inputs.git-ref == 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.git-ref != 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.git-ref }}

22
.github/workflows/e2e-upgrade.yml vendored
View File

@ -135,14 +135,14 @@ jobs:
steps:
- name: Checkout
if: inputs.gitRef == 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.gitRef != 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
ref: ${{ inputs.gitRef }}
@ -173,7 +173,7 @@ jobs:
push: true
- name: Upload CLI binary
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: constellation-upgrade-${{ inputs.attestationVariant }}
path: build/constellation
@ -193,14 +193,14 @@ jobs:
steps:
- name: Checkout
if: inputs.gitRef == 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.gitRef != 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
ref: ${{ inputs.gitRef }}
@ -281,14 +281,14 @@ jobs:
steps:
- name: Checkout
if: inputs.gitRef == 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.gitRef != 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
ref: ${{ inputs.gitRef }}
@ -336,7 +336,7 @@ jobs:
azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
- name: Download CLI
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation-upgrade-${{ inputs.attestationVariant }}
path: build
@ -448,20 +448,20 @@ jobs:
steps:
- name: Checkout
if: inputs.gitRef == 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref
if: inputs.gitRef != 'head'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
ref: ${{ inputs.gitRef }}
- name: Download CLI
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: constellation-upgrade-${{ inputs.attestationVariant }}
path: build

10
.github/workflows/e2e-windows.yml vendored
View File

@ -21,7 +21,7 @@ jobs:
packages: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -48,7 +48,7 @@ jobs:
push: true
- name: Upload CLI artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
path: build/constellation.exe
name: "constell-exe"
@ -59,12 +59,12 @@ jobs:
needs: build-cli
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download CLI artifact
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: "constell-exe"
@ -189,7 +189,7 @@ jobs:
inputs.scheduled
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

8
.github/workflows/on-release.yml vendored
View File

@ -26,7 +26,7 @@ jobs:
WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0 # fetch all history
@ -49,7 +49,7 @@ jobs:
latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Override latest
if: github.event.inputs.latest == 'true'
@ -123,7 +123,7 @@ jobs:
contents: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Remove temporary branch
run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
@ -137,7 +137,7 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: ./.github/actions/setup_bazel_nix
with:

2
.github/workflows/purge-main.yml vendored
View File

@ -18,7 +18,7 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ github.head_ref }}

16
.github/workflows/release.yml vendored
View File

@ -33,7 +33,7 @@ jobs:
RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Working branch
run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
@ -85,7 +85,7 @@ jobs:
MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: main
@ -96,7 +96,7 @@ jobs:
npm run docusaurus docs:version "${MAJOR_MINOR}"
- name: Create docs pull request
uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
with:
branch: ${{ env.BRANCH }}
base: main
@ -123,7 +123,7 @@ jobs:
WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
@ -161,7 +161,7 @@ jobs:
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
@ -226,14 +226,14 @@ jobs:
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
- name: Setup Go environment
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: "1.22.2"
go-version: "1.22.3"
cache: true
- name: Build generateMeasurements tool

16
.github/workflows/reproducible-builds.yml vendored
View File

@ -31,7 +31,7 @@ jobs:
runs-on: ${{ matrix.runner }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -60,13 +60,13 @@ jobs:
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
- name: Upload binary artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "binaries-${{ matrix.target }}-${{ matrix.runner }}"
path: "${{ env.binary }}"
- name: Upload hash artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
path: "${{ env.binary }}.sha256"
@ -87,7 +87,7 @@ jobs:
runs-on: ${{ matrix.runner }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -116,13 +116,13 @@ jobs:
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
- name: Upload binary artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
path: "${{ env.binary }}"
- name: Upload hash artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
path: "${{ env.binary }}.sha256"
@ -145,7 +145,7 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download binaries
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
pattern: "binaries-${{ matrix.target }}-*"
merge-multiple: true
@ -179,7 +179,7 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download os images
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
pattern: "osimages-${{ matrix.target }}-*"
merge-multiple: true

6
.github/workflows/scorecard.yml vendored
View File

@ -18,7 +18,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
persist-credentials: false
@ -30,13 +30,13 @@ jobs:
publish_results: true
- name: Upload artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@cf7e9f23492505046de9a37830c3711dd0f25bb3 # v2.16.2
uses: github/codeql-action/upload-sarif@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3
with:
sarif_file: results.sarif

6
.github/workflows/sync-terraform-docs.yml vendored
View File

@ -18,14 +18,14 @@ jobs:
pull-requests: write
steps:
- name: Checkout constellation repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
fetch-depth: 0
path: constellation
- name: Checkout terraform-provider-constellation repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: edgelesssys/terraform-provider-constellation
ref: main
@ -40,7 +40,7 @@ jobs:
- name: Create pull request
id: create-pull-request
uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
with:
path: terraform-provider-constellation
branch: "feat/docs/update"

2
.github/workflows/test-integration.yml vendored
View File

@ -25,7 +25,7 @@ jobs:
CTEST_OUTPUT_ON_FAILURE: True
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

6
.github/workflows/test-operator-codegen.yml vendored
View File

@ -21,14 +21,14 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup Go environment
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: "1.22.2"
go-version: "1.22.3"
cache: true
- name: Run code generation

2
.github/workflows/test-tfsec.yml vendored
View File

@ -23,7 +23,7 @@ jobs:
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

2
.github/workflows/test-tidy.yml vendored
View File

@ -17,7 +17,7 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
# No token available for forks, so we can't push changes

2
.github/workflows/test-unittest.yml vendored
View File

@ -30,7 +30,7 @@ jobs:
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
fetch-depth: 0

4
.github/workflows/update-rpms.yml vendored
View File

@ -13,7 +13,7 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Assume AWS role to upload Bazel dependencies to S3
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
@ -40,7 +40,7 @@ jobs:
fi
- name: Create pull request
uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
with:
branch: "image/automated/update-rpms-${{ github.run_number }}"
base: main

2
.github/workflows/versionsapi.yml vendored
View File

@ -115,7 +115,7 @@ jobs:
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

2
3rdparty/gcp-guest-agent/Dockerfile vendored
View File

@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -y \
git
# Install Go
ARG GO_VER=1.22.2
ARG GO_VER=1.22.3
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
rm go${GO_VER}.linux-amd64.tar.gz

2
WORKSPACE.bazel
View File

@ -170,7 +170,7 @@ load("@io_bazel_rules_go//go:deps.bzl", "go_download_sdk", "go_register_toolchai
go_download_sdk(
name = "go_sdk",
patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"],
version = "1.22.2",
version = "1.22.3",
)
go_rules_dependencies()

1480
bazel/toolchains/go_module_deps.bzl
View File

File diff suppressed because it is too large Load Diff

2
bootstrapper/initproto/init.pb.go
View File

@ -1,6 +1,6 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.33.0
// protoc-gen-go v1.34.1
// protoc v4.22.1
// source: bootstrapper/initproto/init.proto

2
cli/internal/libvirt/BUILD.bazel
View File

@ -7,9 +7,9 @@ go_library(
visibility = ["//:__subpackages__"],
deps = [
"//internal/file",
"@com_github_docker_docker//api/types",
"@com_github_docker_docker//api/types/container",
"@com_github_docker_docker//api/types/filters",
"@com_github_docker_docker//api/types/image",
"@com_github_docker_docker//client",
"@com_github_spf13_afero//:afero",
],

6
cli/internal/libvirt/libvirt.go
View File

@ -17,9 +17,9 @@ import (
"fmt"
"io"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/filters"
"github.com/docker/docker/api/types/image"
docker "github.com/docker/docker/client"
"github.com/edgelesssys/constellation/v2/internal/file"
"github.com/spf13/afero"
@ -101,7 +101,7 @@ func (r *Runner) Start(ctx context.Context, name, imageName string) error {
func (r *Runner) startNewContainer(ctx context.Context, docker *docker.Client, containerName, imageName string) error {
// check if image exists locally, if not pull it
// this allows us to use a custom image without having to push it to a registry
images, err := docker.ImageList(ctx, types.ImageListOptions{
images, err := docker.ImageList(ctx, image.ListOptions{
Filters: filters.NewArgs(
filters.KeyValuePair{
Key: "reference",
@ -113,7 +113,7 @@ func (r *Runner) startNewContainer(ctx context.Context, docker *docker.Client, c
return err
}
if len(images) == 0 {
reader, err := docker.ImagePull(ctx, imageName, types.ImagePullOptions{})
reader, err := docker.ImagePull(ctx, imageName, image.PullOptions{})
if err != nil {
return fmt.Errorf("failed to pull image %q: %w", imageName, err)
}

2
debugd/service/debugd.pb.go
View File

@ -1,6 +1,6 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.33.0
// protoc-gen-go v1.34.1
// protoc v4.22.1
// source: debugd/service/debugd.proto

11
dev-docs/workflows/bump-go-version.md
View File

@ -1,4 +1,5 @@
# Bump Go version
`govulncheck` from the bazel `check` target will fail if our code is vulnerable, which is often the case when a patch version was released with security fixes.
## Steps
@ -6,5 +7,13 @@
Replace "1.xx.x" with the new version in [WORKSPACE.bazel](/WORKSPACE.bazel):
```starlark
go_register_toolchains(version = "1.xx.x")
load("@io_bazel_rules_go//go:deps.bzl", "go_download_sdk", "go_register_toolchains", "go_rules_dependencies")
go_download_sdk(
name = "go_sdk",
patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"],
version = "1.xx.x", <--- Replace this one
~~~~~~~~
)
```

2
disk-mapper/recoverproto/recover.pb.go
View File

@ -1,6 +1,6 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.33.0
// protoc-gen-go v1.34.1
// protoc v4.22.1
// source: disk-mapper/recoverproto/recover.proto

17
docs/docs/workflows/lb.md
View File

@ -4,12 +4,25 @@ Constellation integrates the native load balancers of each CSP. Therefore, to ex
## Internet-facing LB service on AWS
To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancing Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS.
To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS.
Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/nlb/).
Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/).
For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html).
:::caution
Before terminating the cluster, all LB backed services should be deleted, so that the controller can cleanup the related resources.
:::
## Ingress on AWS
The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`.
AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type).
The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation.
If a service can be exposed on a `NodePort`, the target type `instance` can be used.
See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information.
:::caution
Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they shouldn't be handling sensitive traffic!
:::

294
go.mod
View File

@ -1,6 +1,6 @@
module github.com/edgelesssys/constellation/v2
go 1.22
go 1.22.3
replace (
k8s.io/api v0.0.0 => k8s.io/api v0.29.0
@ -41,126 +41,132 @@ replace (
)
require (
cloud.google.com/go/compute v1.24.0
cloud.google.com/go/compute/metadata v0.2.3
cloud.google.com/go/kms v1.15.7
cloud.google.com/go/secretmanager v1.11.5
cloud.google.com/go/storage v1.38.0
cloud.google.com/go/compute v1.26.0
cloud.google.com/go/compute/metadata v0.3.0
cloud.google.com/go/kms v1.15.9
cloud.google.com/go/secretmanager v1.13.0
cloud.google.com/go/storage v1.40.0
dario.cat/mergo v1.0.0
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.5.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5 v5.0.0
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.7.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5 v5.1.1
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.0
github.com/aws/aws-sdk-go v1.50.22
github.com/aws/aws-sdk-go-v2 v1.25.0
github.com/aws/aws-sdk-go-v2/config v1.27.1
github.com/aws/aws-sdk-go-v2/credentials v1.17.1
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.0
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.3
github.com/aws/aws-sdk-go-v2/service/autoscaling v1.39.1
github.com/aws/aws-sdk-go-v2/service/cloudfront v1.34.1
github.com/aws/aws-sdk-go-v2/service/ec2 v1.148.1
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.29.1
github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.20.2
github.com/aws/aws-sdk-go-v2/service/s3 v1.50.2
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.27.2
github.com/aws/smithy-go v1.20.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.2
github.com/BurntSushi/toml v1.3.2
github.com/aws/aws-sdk-go v1.52.4
github.com/aws/aws-sdk-go-v2 v1.26.1
github.com/aws/aws-sdk-go-v2/config v1.27.11
github.com/aws/aws-sdk-go-v2/credentials v1.17.11
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15
github.com/aws/aws-sdk-go-v2/service/autoscaling v1.40.5
github.com/aws/aws-sdk-go-v2/service/cloudfront v1.36.0
github.com/aws/aws-sdk-go-v2/service/ec2 v1.160.0
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.30.5
github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.21.4
github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.6
github.com/aws/smithy-go v1.20.2
github.com/bazelbuild/buildtools v0.0.0-20230317132445-9c3c1fc0106e
github.com/bazelbuild/rules_go v0.42.0
github.com/bazelbuild/rules_go v0.47.1
github.com/coreos/go-systemd/v22 v22.5.0
github.com/docker/docker v25.0.5+incompatible
github.com/docker/docker v26.1.1+incompatible
github.com/edgelesssys/go-azguestattestation v0.0.0-20230707101700-a683be600fcf
github.com/edgelesssys/go-tdx-qpl v0.0.0-20240123150912-dcad3c41ec5f
github.com/foxboron/go-uefi v0.0.0-20240128152106-48be911532c2
github.com/fsnotify/fsnotify v1.7.0
github.com/go-playground/locales v0.14.1
github.com/go-playground/universal-translator v0.18.1
github.com/go-playground/validator/v10 v10.14.1
github.com/golang-jwt/jwt/v5 v5.2.0
github.com/go-playground/validator/v10 v10.20.0
github.com/golang-jwt/jwt/v5 v5.2.1
github.com/google/go-sev-guest v0.9.3
github.com/google/go-tdx-guest v0.3.1
github.com/google/go-tpm v0.9.0
github.com/google/go-tpm-tools v0.4.3-0.20240112165732-912a43636883
github.com/google/go-tpm-tools v0.4.4
github.com/google/uuid v1.6.0
github.com/googleapis/gax-go/v2 v2.12.1
github.com/gophercloud/gophercloud v1.9.0
github.com/googleapis/gax-go/v2 v2.12.4
github.com/gophercloud/gophercloud v1.11.0
github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56
github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.1
github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0
github.com/hashicorp/go-kms-wrapping/v2 v2.0.16
github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9
github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.11
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12
github.com/hashicorp/go-version v1.6.0
github.com/hashicorp/hc-install v0.6.3
github.com/hashicorp/hcl/v2 v2.19.1
github.com/hashicorp/hc-install v0.6.4
github.com/hashicorp/hcl/v2 v2.20.1
github.com/hashicorp/terraform-exec v0.20.0
github.com/hashicorp/terraform-json v0.21.0
github.com/hashicorp/terraform-plugin-framework v1.5.0
github.com/hashicorp/terraform-plugin-framework v1.8.0
github.com/hashicorp/terraform-plugin-framework-validators v0.12.0
github.com/hashicorp/terraform-plugin-go v0.21.0
github.com/hashicorp/terraform-plugin-go v0.23.0
github.com/hashicorp/terraform-plugin-log v0.9.0
github.com/hashicorp/terraform-plugin-testing v1.6.0
github.com/hashicorp/terraform-plugin-testing v1.7.0
github.com/hexops/gotextdiff v1.0.3
github.com/martinjungblut/go-cryptsetup v0.0.0-20220520180014-fd0874fd07a6
github.com/mattn/go-isatty v0.0.20
github.com/onsi/ginkgo/v2 v2.14.0
github.com/onsi/gomega v1.30.0
github.com/mitchellh/go-homedir v1.1.0
github.com/onsi/ginkgo/v2 v2.17.3
github.com/onsi/gomega v1.33.1
github.com/pkg/errors v0.9.1
github.com/regclient/regclient v0.5.7
github.com/regclient/regclient v0.6.0
github.com/rogpeppe/go-internal v1.12.0
github.com/samber/slog-multi v1.0.2
github.com/schollz/progressbar/v3 v3.14.1
github.com/siderolabs/talos/pkg/machinery v1.6.4
github.com/sigstore/rekor v1.3.5
github.com/sigstore/sigstore v1.8.1
github.com/schollz/progressbar/v3 v3.14.2
github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/siderolabs/talos/pkg/machinery v1.7.1
github.com/sigstore/rekor v1.3.6
github.com/sigstore/sigstore v1.8.3
github.com/spf13/afero v1.11.0
github.com/spf13/cobra v1.8.0
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.8.4
github.com/stretchr/testify v1.9.0
github.com/tink-crypto/tink-go/v2 v2.0.0
github.com/vincent-petithory/dataurl v1.0.0
go.etcd.io/etcd/api/v3 v3.5.12
go.etcd.io/etcd/client/pkg/v3 v3.5.12
go.etcd.io/etcd/client/v3 v3.5.12
go.etcd.io/etcd/api/v3 v3.5.13
go.etcd.io/etcd/client/pkg/v3 v3.5.13
go.etcd.io/etcd/client/v3 v3.5.13
go.uber.org/goleak v1.3.0
golang.org/x/crypto v0.22.0
golang.org/x/exp v0.0.0-20240213143201-ec583247a57a
golang.org/x/mod v0.15.0
golang.org/x/sys v0.19.0
golang.org/x/text v0.14.0
golang.org/x/tools v0.18.0
google.golang.org/api v0.165.0
google.golang.org/grpc v1.61.1
google.golang.org/protobuf v1.33.0
golang.org/x/crypto v0.23.0
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
golang.org/x/mod v0.17.0
golang.org/x/sys v0.20.0
golang.org/x/text v0.15.0
golang.org/x/tools v0.21.0
google.golang.org/api v0.178.0
google.golang.org/grpc v1.63.2
google.golang.org/protobuf v1.34.1
gopkg.in/yaml.v3 v3.0.1
helm.sh/helm v2.17.0+incompatible
helm.sh/helm/v3 v3.14.2
k8s.io/api v0.29.0
k8s.io/apiextensions-apiserver v0.29.0
k8s.io/apimachinery v0.29.0
k8s.io/apiserver v0.29.0
k8s.io/client-go v0.29.0
helm.sh/helm/v3 v3.14.4
k8s.io/api v0.30.0
k8s.io/apiextensions-apiserver v0.30.0
k8s.io/apimachinery v0.30.0
k8s.io/apiserver v0.30.0
k8s.io/client-go v0.30.0
k8s.io/cluster-bootstrap v0.29.0
k8s.io/kubelet v0.29.0
k8s.io/kubernetes v1.29.4
k8s.io/mount-utils v0.29.0
k8s.io/utils v0.0.0-20240102154912-e7106e64919e
libvirt.org/go/libvirt v1.10000.0
k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0
libvirt.org/go/libvirt v1.10003.0
sigs.k8s.io/controller-runtime v0.18.2
sigs.k8s.io/yaml v1.4.0
)
require (
cloud.google.com/go v0.112.0 // indirect
cloud.google.com/go/iam v1.1.6 // indirect
cloud.google.com/go v0.112.2 // indirect
cloud.google.com/go/auth v0.3.0 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
cloud.google.com/go/iam v1.1.7 // indirect
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.6.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.29 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
@ -170,7 +176,6 @@ require (
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
github.com/BurntSushi/toml v1.3.2
github.com/MakeNowJust/heredoc v1.0.0 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.2.1 // indirect
@ -178,68 +183,68 @@ require (
github.com/Masterminds/squirrel v1.5.4 // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect
github.com/Microsoft/hcsshim v0.11.4 // indirect
github.com/ProtonMail/go-crypto v1.1.0-alpha.0-proton // indirect
github.com/agext/levenshtein v1.2.3 // indirect
github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
github.com/agext/levenshtein v1.2.2 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.0 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.19.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.22.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.27.1 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/cloudflare/circl v1.3.7 // indirect
github.com/containerd/containerd v1.7.13 // indirect
github.com/containerd/containerd v1.7.12 // indirect
github.com/containerd/log v0.1.0 // indirect
github.com/coreos/go-semver v0.3.1 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/distribution/reference v0.5.0 // indirect
github.com/docker/cli v25.0.3+incompatible // indirect
github.com/docker/cli v25.0.1+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.1 // indirect
github.com/docker/docker-credential-helpers v0.7.0 // indirect
github.com/docker/go-connections v0.5.0 // indirect
github.com/docker/go-metrics v0.0.1 // indirect
github.com/docker/go-units v0.5.0 // indirect
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
github.com/emicklei/go-restful/v3 v3.11.2 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/evanphx/json-patch v5.9.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.9.0 // indirect
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
github.com/fatih/color v1.16.0 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/gabriel-vasile/mimetype v1.4.3 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-errors/errors v1.5.1 // indirect
github.com/go-errors/errors v1.4.2 // indirect
github.com/go-gorp/gorp/v3 v3.1.0 // indirect
github.com/go-jose/go-jose/v3 v3.0.3 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-logr/zapr v1.3.0 // indirect
github.com/go-openapi/analysis v0.22.2 // indirect
github.com/go-openapi/errors v0.21.0 // indirect
github.com/go-openapi/jsonpointer v0.20.2 // indirect
github.com/go-openapi/jsonreference v0.20.4 // indirect
github.com/go-openapi/loads v0.21.5 // indirect
github.com/go-openapi/runtime v0.27.1 // indirect
github.com/go-openapi/spec v0.20.14 // indirect
github.com/go-openapi/strfmt v0.22.0 // indirect
github.com/go-openapi/swag v0.22.9 // indirect
github.com/go-openapi/validate v0.23.0 // indirect
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
github.com/go-openapi/analysis v0.23.0 // indirect
github.com/go-openapi/errors v0.22.0 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
github.com/go-openapi/loads v0.22.0 // indirect
github.com/go-openapi/runtime v0.28.0 // indirect
github.com/go-openapi/spec v0.21.0 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/godbus/dbus/v5 v5.1.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
@ -247,23 +252,23 @@ require (
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/certificate-transparency-go v1.1.7 // indirect
github.com/google/certificate-transparency-go v1.1.6 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-attestation v0.5.1 // indirect
github.com/google/go-attestation v0.5.0 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/go-configfs-tsm v0.2.2 // indirect
github.com/google/go-containerregistry v0.19.0 // indirect
github.com/google/go-tspi v0.3.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/logger v1.1.1 // indirect
github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b // indirect
github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
github.com/google/s2a-go v0.1.7 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/gorilla/websocket v1.5.1 // indirect
github.com/gorilla/mux v1.8.0 // indirect
github.com/gorilla/websocket v1.5.0 // indirect
github.com/gosuri/uitable v0.0.4 // indirect
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-checkpoint v0.5.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@ -272,71 +277,70 @@ require (
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-plugin v1.6.0 // indirect
github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 // indirect
github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 // indirect
github.com/hashicorp/go-uuid v1.0.3 // indirect
github.com/hashicorp/logutils v1.0.0 // indirect
github.com/hashicorp/terraform-plugin-sdk/v2 v2.30.0 // indirect
github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0 // indirect
github.com/hashicorp/terraform-registry-address v0.2.3 // indirect
github.com/hashicorp/terraform-svchost v0.1.1 // indirect
github.com/hashicorp/yamux v0.1.1 // indirect
github.com/huandu/xstrings v1.4.0 // indirect
github.com/imdario/mergo v0.3.16 // indirect
github.com/imdario/mergo v0.3.15 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/jmoiron/sqlx v1.3.5 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/compress v1.17.6 // indirect
github.com/klauspost/compress v1.17.4 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
github.com/leodido/go-urn v1.4.0 // indirect
github.com/letsencrypt/boulder v0.0.0-20240216200101-4eb5e3caa228 // indirect
github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
github.com/lib/pq v1.10.9 // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-runewidth v0.0.15 // indirect
github.com/mattn/go-runewidth v0.0.13 // indirect
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/locker v1.0.1 // indirect
github.com/moby/spdystream v0.2.0 // indirect
github.com/moby/sys/mountinfo v0.7.1 // indirect
github.com/moby/sys/mountinfo v0.6.2 // indirect
github.com/moby/term v0.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
github.com/oklog/run v1.1.0 // indirect
github.com/oklog/run v1.0.0 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc6 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pborman/uuid v1.2.1 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.18.0 // indirect
github.com/prometheus/client_model v0.6.0 // indirect
github.com/prometheus/common v0.47.0 // indirect
github.com/prometheus/client_golang v1.19.0 // indirect
github.com/prometheus/client_model v0.5.0 // indirect
github.com/prometheus/common v0.48.0 // indirect
github.com/prometheus/procfs v0.12.0 // indirect
github.com/rivo/uniseg v0.4.7 // indirect
github.com/rubenv/sql-migrate v1.6.1 // indirect
github.com/rubenv/sql-migrate v1.5.2 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/samber/lo v1.38.1 // indirect
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/shopspring/decimal v1.3.1 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/spf13/cast v1.6.0 // indirect
github.com/stretchr/objx v0.5.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
@ -349,40 +353,38 @@ require (
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
github.com/xlab/treeprint v1.2.0 // indirect
github.com/zclconf/go-cty v1.14.2 // indirect
github.com/zclconf/go-cty v1.14.3 // indirect
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0 // indirect
go.opentelemetry.io/otel v1.23.1 // indirect
go.opentelemetry.io/otel/metric v1.23.1 // indirect
go.opentelemetry.io/otel/trace v1.23.1 // indirect
go.starlark.net v0.0.0-20240123142251-f86470692795 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
go.opentelemetry.io/otel v1.24.0 // indirect
go.opentelemetry.io/otel/metric v1.24.0 // indirect
go.opentelemetry.io/otel/trace v1.24.0 // indirect
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/net v0.23.0 // indirect
golang.org/x/oauth2 v0.17.0 // indirect
golang.org/x/sync v0.6.0 // indirect
golang.org/x/term v0.19.0 // indirect
golang.org/x/net v0.25.0 // indirect
golang.org/x/oauth2 v0.20.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/term v0.20.0 // indirect
golang.org/x/time v0.5.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto v0.0.0-20240221002015-b0ce06bbee7c // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240221002015-b0ce06bbee7c // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240221002015-b0ce06bbee7c // indirect
gopkg.in/evanphx/json-patch.v5 v5.9.0 // indirect
google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/cli-runtime v0.29.0 // indirect
k8s.io/component-base v0.29.0 // indirect
k8s.io/component-base v0.30.0 // indirect
k8s.io/klog/v2 v2.120.1 // indirect
k8s.io/kube-openapi v0.0.0-20240220201932-37d671a357a5 // indirect
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
k8s.io/kubectl v0.29.0 // indirect
oras.land/oras-go v1.2.5 // indirect
sigs.k8s.io/controller-runtime v0.17.2
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/kustomize/api v0.16.0 // indirect
sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect
sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
)

673
go.sum
View File

File diff suppressed because it is too large Load Diff

4
go.work
View File

@ -1,6 +1,6 @@
go 1.22.2
go 1.22.3
toolchain go1.22.2
toolchain go1.22.3
use (
.

34
internal/config/config.go
View File

@ -93,13 +93,13 @@ type Config struct {
Tags cloudprovider.Tags `yaml:"tags" validate:"omitempty"`
// description: |
// Supported cloud providers and their specific configurations.
Provider ProviderConfig `yaml:"provider" validate:"dive"`
Provider ProviderConfig `yaml:"provider"`
// description: |
// Node groups to be created in the cluster.
NodeGroups map[string]NodeGroup `yaml:"nodeGroups" validate:"required,dive"`
// description: |
// Configuration for attestation validation. This configuration provides sensible defaults for the Constellation version it was created for.\nSee the docs for an overview on attestation: https://docs.edgeless.systems/constellation/architecture/attestation
Attestation AttestationConfig `yaml:"attestation" validate:"dive"`
Attestation AttestationConfig `yaml:"attestation"`
}
// ProviderConfig are cloud-provider specific configuration values used by the CLI.
@ -108,19 +108,19 @@ type Config struct {
type ProviderConfig struct {
// description: |
// Configuration for AWS as provider.
AWS *AWSConfig `yaml:"aws,omitempty" validate:"omitempty,dive"`
AWS *AWSConfig `yaml:"aws,omitempty" validate:"omitempty"`
// description: |
// Configuration for Azure as provider.
Azure *AzureConfig `yaml:"azure,omitempty" validate:"omitempty,dive"`
Azure *AzureConfig `yaml:"azure,omitempty" validate:"omitempty"`
// description: |
// Configuration for Google Cloud as provider.
GCP *GCPConfig `yaml:"gcp,omitempty" validate:"omitempty,dive"`
GCP *GCPConfig `yaml:"gcp,omitempty" validate:"omitempty"`
// description: |
// Configuration for OpenStack as provider.
OpenStack *OpenStackConfig `yaml:"openstack,omitempty" validate:"omitempty,dive"`
OpenStack *OpenStackConfig `yaml:"openstack,omitempty" validate:"omitempty"`
// description: |
// Configuration for QEMU as provider.
QEMU *QEMUConfig `yaml:"qemu,omitempty" validate:"omitempty,dive"`
QEMU *QEMUConfig `yaml:"qemu,omitempty" validate:"omitempty"`
}
// AWSConfig are AWS specific configuration values used by the CLI.
@ -264,31 +264,31 @@ type QEMUConfig struct {
type AttestationConfig struct {
// description: |
// AWS SEV-SNP attestation.
AWSSEVSNP *AWSSEVSNP `yaml:"awsSEVSNP,omitempty" validate:"omitempty,dive"`
AWSSEVSNP *AWSSEVSNP `yaml:"awsSEVSNP,omitempty" validate:"omitempty"`
// description: |
// AWS Nitro TPM attestation.
AWSNitroTPM *AWSNitroTPM `yaml:"awsNitroTPM,omitempty" validate:"omitempty,dive"`
AWSNitroTPM *AWSNitroTPM `yaml:"awsNitroTPM,omitempty" validate:"omitempty"`
// description: |
// Azure SEV-SNP attestation.\nFor details see: https://docs.edgeless.systems/constellation/architecture/attestation#cvm-verification
AzureSEVSNP *AzureSEVSNP `yaml:"azureSEVSNP,omitempty" validate:"omitempty,dive"`
AzureSEVSNP *AzureSEVSNP `yaml:"azureSEVSNP,omitempty" validate:"omitempty"`
// description: |
// Azure TDX attestation.
AzureTDX *AzureTDX `yaml:"azureTDX,omitempty" validate:"omitempty,dive"`
AzureTDX *AzureTDX `yaml:"azureTDX,omitempty" validate:"omitempty"`
// description: |
// Azure TPM attestation (Trusted Launch).
AzureTrustedLaunch *AzureTrustedLaunch `yaml:"azureTrustedLaunch,omitempty" validate:"omitempty,dive"`
AzureTrustedLaunch *AzureTrustedLaunch `yaml:"azureTrustedLaunch,omitempty" validate:"omitempty"`
// description: |
// GCP SEV-ES attestation.
GCPSEVES *GCPSEVES `yaml:"gcpSEVES,omitempty" validate:"omitempty,dive"`
GCPSEVES *GCPSEVES `yaml:"gcpSEVES,omitempty" validate:"omitempty"`
// description: |
// GCP SEV-SNP attestation.
GCPSEVSNP *GCPSEVSNP `yaml:"gcpSEVSNP,omitempty" validate:"omitempty,dive"`
GCPSEVSNP *GCPSEVSNP `yaml:"gcpSEVSNP,omitempty" validate:"omitempty"`
// description: |
// QEMU tdx attestation.
QEMUTDX *QEMUTDX `yaml:"qemuTDX,omitempty" validate:"omitempty,dive"`
QEMUTDX *QEMUTDX `yaml:"qemuTDX,omitempty" validate:"omitempty"`
// description: |
// QEMU vTPM attestation.
QEMUVTPM *QEMUVTPM `yaml:"qemuVTPM,omitempty" validate:"omitempty,dive"`
QEMUVTPM *QEMUVTPM `yaml:"qemuVTPM,omitempty" validate:"omitempty"`
}
// NodeGroup defines a group of nodes with the same role and configuration.
@ -1130,7 +1130,7 @@ type AzureSEVSNP struct {
AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
// description: |
// AMD Signing Key certificate used to verify the SEV-SNP VCEK / VLEK certificate.
AMDSigningKey Certificate `json:"amdSigningKey,omitempty" yaml:"amdSigningKey,omitempty" validate:"len=0"`
AMDSigningKey Certificate `json:"amdSigningKey,omitempty" yaml:"amdSigningKey,omitempty"`
}
// AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation.

2
internal/versions/components/components.pb.go
View File

@ -1,6 +1,6 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.33.0
// protoc-gen-go v1.34.1
// protoc v4.22.1
// source: internal/versions/components/components.proto

2
joinservice/joinproto/join.pb.go
View File

@ -1,6 +1,6 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.33.0
// protoc-gen-go v1.34.1
// protoc v4.22.1
// source: joinservice/joinproto/join.proto

2
keyservice/keyserviceproto/keyservice.pb.go
View File

@ -1,6 +1,6 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.33.0
// protoc-gen-go v1.34.1
// protoc v4.22.1
// source: keyservice/keyserviceproto/keyservice.proto

70
renovate.json5
View File

@ -42,49 +42,29 @@
"prPriority": -30,
},
{
"matchPackagePatterns": ["^k8s.io", "^sigs.k8s.io"],
"groupName": "K8s dependencies",
},
{
"matchPackagePatterns": ["^go.etcd.io/etcd"],
"groupName": "etcd dependencies",
},
{
"matchPackagePatterns": ["^github.com/hashicorp/go-kms-wrapping"],
"groupName": "github.com/hashicorp/go-kms-wrapping",
},
{
"matchPackagePatterns": ["^github.com/aws/aws-sdk-go-v2"],
"groupName": "AWS SDK",
"prPriority": -10,
},
{
"matchPackagePatterns": [
"^github.com/Azure/",
"^github.com/AzureAD/microsoft-authentication-library-for-go",
// Group update of direct Go dependencies.
"groupName": "Go dependencies",
"matchManagers": ["gomod"],
"matchDepTypes": ["require"],
"matchUpdateTypes": [
"bump",
"digest",
"lockFileMaintenance",
"minor",
"patch",
"pin",
"pinDigest",
"rollback",
],
"groupName": "Azure SDK",
},
{
"matchPackagePatterns": ["^cloud.google.com/go"],
"groupName": "Google SDK",
},
{
"matchPackagePatterns": ["^google.golang.org/genproto"],
"prPriority": -10,
},
{
"matchPackagePatterns": ["^libvirt.org/go"],
"groupName": "libvirt.org/go",
},
{
"matchManagers": ["bazelisk", "bazel", "bazel-module"],
"matchPackageNames": ["bazel", "io_bazel_rules_go", "bazel_gazelle"],
"matchDepNames": ["bazel", "io_bazel_rules_go", "bazel_gazelle"],
"groupName": "bazel (core)",
},
{
"matchDatasources": ["golang-version"],
"allowedVersions": "1.19",
"allowedVersions": "1.22",
},
{
"matchManagers": ["pip_requirements"],
@ -105,14 +85,14 @@
],
},
{
"matchPackageNames": ["kubernetes/kubernetes"],
"matchDepNames": ["kubernetes/kubernetes"],
// example match: v1.2.3 (1.2 -> compatibility, 3 -> patch)
"versioning": "regex:^(?<compatibility>v?\\d+\\.\\d+\\.)(?<patch>\\d+)$",
"groupName": "Kubernetes versions",
"prPriority": 15,
},
{
"matchPackageNames": [
"matchDepNames": [
"registry.k8s.io/provider-aws/cloud-controller-manager",
],
// example match: v1.2.3 (1.2 -> compatibility, 3 -> patch)
@ -121,7 +101,7 @@
"prPriority": 15,
},
{
"matchPackageNames": [
"matchDepNames": [
"mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager",
"mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager",
],
@ -131,7 +111,7 @@
"prPriority": 15,
},
{
"matchPackageNames": [
"matchDepNames": [
"docker.io/k8scloudprovider/openstack-cloud-controller-manager",
],
// example match: v1.2.3 (1.2 -> compatibility, 3 -> patch)
@ -140,14 +120,14 @@
"prPriority": 15,
},
{
"matchPackageNames": ["registry.k8s.io/autoscaling/cluster-autoscaler"],
"matchDepNames": ["registry.k8s.io/autoscaling/cluster-autoscaler"],
// example match: v1.2.3 (1.2 -> compatibility, 3 -> patch)
"versioning": "regex:^(?<compatibility>v?\\d+\\.\\d+\\.)(?<patch>\\d+)$",
"groupName": "K8s constrained GCP versions",
"prPriority": 15,
},
{
"matchPackageNames": ["ghcr.io/edgelesssys/cloud-provider-gcp"],
"matchDepNames": ["ghcr.io/edgelesssys/cloud-provider-gcp"],
// example match: v1.2.3 (1. -> compatibility, 2 -> minor, 3 -> patch)
"versioning": "regex:^(?<compatibility>v\\d+\\.)(?<minor>\\d+)\\.(?<patch>\\d+)$",
"groupName": "cloud-provider-gcp (K8s version constrained)",
@ -166,7 +146,7 @@
"prPriority": 20,
},
{
"matchPackageNames": [
"matchDepNames": [
"registry.k8s.io/kas-network-proxy/proxy-agent",
"registry.k8s.io/kas-network-proxy/proxy-server",
],
@ -175,7 +155,7 @@
"prPriority": 15,
},
{
"matchPackageNames": ["^k8s.io/client-go"],
"matchDepNames": ["^k8s.io/client-go"],
"matchUpdateTypes": ["major"],
"enabled": false,
},
@ -185,11 +165,11 @@
},
{
"matchManagers": ["github-actions"],
"matchPackageNames": ["slsa-framework/slsa-github-generator"],
"matchDepNames": ["slsa-framework/slsa-github-generator"],
"pinDigests": false,
},
{
"matchPackagePatterns": ["_(darwin|linux)_(arm64|amd64)$"],
"matchDepPatterns": ["_(darwin|linux)_(arm64|amd64)$"],
"additionalBranchPrefix": "{{packageName}}-",
"groupName": "{{packageName}}",
},

1
terraform/BUILD.bazel
View File

@ -77,6 +77,7 @@ go_library(
"infrastructure/aws/modules/public_private_subnet/output.tf",
"infrastructure/openstack/modules/stackit_loadbalancer/main.tf",
"infrastructure/openstack/modules/stackit_loadbalancer/variables.tf",
"infrastructure/iam/aws/alb_policy.json",
],
importpath = "github.com/edgelesssys/constellation/v2/terraform",
visibility = ["//visibility:public"],

242
terraform/infrastructure/iam/aws/alb_policy.json Normal file
View File

@ -0,0 +1,242 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeVpcs",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeTags",
"ec2:GetCoipPoolUsage",
"ec2:DescribeCoipPools",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTrustStores"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cognito-idp:DescribeUserPoolClient",
"acm:ListCertificates",
"acm:DescribeCertificate",
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"waf-regional:GetWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL",
"shield:GetSubscriptionState",
"shield:DescribeProtection",
"shield:CreateProtection",
"shield:DeleteProtection"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:*:*:security-group/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateSecurityGroup"
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "arn:aws:ec2:*:*:security-group/*",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteRule"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:DeleteTargetGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
],
"Condition": {
"StringEquals": {
"elasticloadbalancing:CreateAction": [
"CreateTargetGroup",
"CreateLoadBalancer"
]
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyRule"
],
"Resource": "*"
}
]
}

17
terraform/infrastructure/iam/aws/main.tf
View File

@ -242,3 +242,20 @@ resource "aws_iam_role_policy_attachment" "csi_driver_policy_control_plane" {
role = aws_iam_role.control_plane_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
}
// This policy is required by the AWS load balancer controller and can be found at
// https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/b44633a/docs/install/iam_policy.json.
resource "aws_iam_policy" "lb_policy" {
name = "${var.name_prefix}_lb_policy"
policy = file("${path.module}/alb_policy.json")
}
resource "aws_iam_role_policy_attachment" "attach_lb_policy_worker" {
role = aws_iam_role.worker_node_role.name
policy_arn = aws_iam_policy.lb_policy.arn
}
resource "aws_iam_role_policy_attachment" "attach_lb_policy_control_plane" {
role = aws_iam_role.control_plane_role.name
policy_arn = aws_iam_policy.lb_policy.arn
}

2
upgrade-agent/upgradeproto/upgrade.pb.go
View File

@ -1,6 +1,6 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.33.0
// protoc-gen-go v1.34.1
// protoc v4.22.1
// source: upgrade-agent/upgradeproto/upgrade.proto

2
verify/verifyproto/verify.pb.go
View File

@ -1,6 +1,6 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.33.0
// protoc-gen-go v1.34.1
// protoc v4.22.1
// source: verify/verifyproto/verify.proto