Compare commits
8 Commits
e634ff9bf7
...
4ba4849407
Author | SHA1 | Date |
---|---|---|
Felix Schuster | 4ba4849407 | |
3u13r | 0325483504 | |
Daniel Weiße | 9def35ed06 | |
Felix Schuster | a542a4d141 | |
Felix Schuster | 1e8ac6c7a8 | |
Felix Schuster | c227019833 | |
Felix Schuster | 1578b5820b | |
Felix Schuster | 5fdba7ad0d | |
|
@ -1,6 +1,6 @@
|
|||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// versions:
|
||||
// protoc-gen-go v1.33.0
|
||||
// protoc-gen-go v1.34.1
|
||||
// protoc v4.22.1
|
||||
// source: bootstrapper/initproto/init.proto
|
||||
|
||||
|
|
|
@ -7,9 +7,9 @@ go_library(
|
|||
visibility = ["//:__subpackages__"],
|
||||
deps = [
|
||||
"//internal/file",
|
||||
"@com_github_docker_docker//api/types",
|
||||
"@com_github_docker_docker//api/types/container",
|
||||
"@com_github_docker_docker//api/types/filters",
|
||||
"@com_github_docker_docker//api/types/image",
|
||||
"@com_github_docker_docker//client",
|
||||
"@com_github_spf13_afero//:afero",
|
||||
],
|
||||
|
|
|
@ -17,9 +17,9 @@ import (
|
|||
"fmt"
|
||||
"io"
|
||||
|
||||
"github.com/docker/docker/api/types"
|
||||
"github.com/docker/docker/api/types/container"
|
||||
"github.com/docker/docker/api/types/filters"
|
||||
"github.com/docker/docker/api/types/image"
|
||||
docker "github.com/docker/docker/client"
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
"github.com/spf13/afero"
|
||||
|
@ -101,7 +101,7 @@ func (r *Runner) Start(ctx context.Context, name, imageName string) error {
|
|||
func (r *Runner) startNewContainer(ctx context.Context, docker *docker.Client, containerName, imageName string) error {
|
||||
// check if image exists locally, if not pull it
|
||||
// this allows us to use a custom image without having to push it to a registry
|
||||
images, err := docker.ImageList(ctx, types.ImageListOptions{
|
||||
images, err := docker.ImageList(ctx, image.ListOptions{
|
||||
Filters: filters.NewArgs(
|
||||
filters.KeyValuePair{
|
||||
Key: "reference",
|
||||
|
@ -113,7 +113,7 @@ func (r *Runner) startNewContainer(ctx context.Context, docker *docker.Client, c
|
|||
return err
|
||||
}
|
||||
if len(images) == 0 {
|
||||
reader, err := docker.ImagePull(ctx, imageName, types.ImagePullOptions{})
|
||||
reader, err := docker.ImagePull(ctx, imageName, image.PullOptions{})
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to pull image %q: %w", imageName, err)
|
||||
}
|
||||
|
|
|
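Review bot: The migrated pull at `reader, err := docker.ImagePull(ctx, imageName, image.PullOptions{})` keeps the zero-value options, so the request carries no registry credentials and fetches whatever the registry currently serves for `imageName`; the local lookup just above it only filters by `reference`, so if `imageName` is a mutable tag neither path pins the image content. Consider stating the expectation in the existing comment block, e.g. `// imageName should be a digest-pinned reference; a plain tag is resolved by the registry at pull time`, or have callers pass the digest form. The returned `reader` has to be drained and closed for the pull to actually complete; startNewContainer's body continues outside the hunk, so that cannot be confirmed here. As a point of style, the parameter `docker` shadows the package alias from the `docker "github.com/docker/docker/client"` import that the `@ -17,9 +17,9 @@` hunk of this file touches; renaming the parameter to `cli` would remove the double meaning.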
@ -1,6 +1,6 @@
|
|||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// versions:
|
||||
// protoc-gen-go v1.33.0
|
||||
// protoc-gen-go v1.34.1
|
||||
// protoc v4.22.1
|
||||
// source: debugd/service/debugd.proto
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// versions:
|
||||
// protoc-gen-go v1.33.0
|
||||
// protoc-gen-go v1.34.1
|
||||
// protoc v4.22.1
|
||||
// source: disk-mapper/recoverproto/recover.proto
|
||||
|
||||
|
|
|
@ -78,15 +78,15 @@ The idea is that Constellation nodes should have verifiable integrity from the C
|
|||
The solution is a verifiable boot chain and an integrity-protected runtime environment.
|
||||
|
||||
Constellation uses measured boot within CVMs, measuring each component in the boot process before executing it.
|
||||
Outside of CC, it's usually implemented via TPMs.
|
||||
Outside of CC, this is usually implemented via TPMs.
|
||||
CVM technologies differ in how they implement runtime measurements, but the general concepts are similar to those of a TPM.
|
||||
For simplicity, TPM terminology like *PCR* is used in the following.
|
||||
|
||||
When a Constellation node image boots inside a CVM, it uses measured boot for all stages and components of the boot chain.
|
||||
When a Constellation node image boots inside a CVM, measured boot is used for all stages and components of the boot chain.
|
||||
This process goes up to the root filesystem.
|
||||
The root filesystem is mounted read-only with integrity protection, guaranteeing forward integrity.
|
||||
The root filesystem is mounted read-only with integrity protection.
|
||||
For the details on the image and boot stages see the [image architecture](../architecture/images.md) documentation.
|
||||
Any changes to the image will inevitably also change the measured boot's PCR values.
|
||||
Any changes to the image will inevitably also change the corresponding PCR values.
|
||||
To create a node attestation statement, the Constellation image obtains a CVM attestation statement from the hardware.
|
||||
This includes the runtime measurements and thereby binds the measured boot results to the CVM hardware measurement.
|
||||
|
||||
|
@ -341,32 +341,50 @@ When an initialized node tries to join another cluster, its measurements inevita
|
|||
The [*VerificationService*](microservices.md#verificationservice) provides an endpoint for obtaining its hardware-based remote attestation statement, which includes the runtime measurements.
|
||||
A user can [verify](../workflows/verify-cluster.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy.
|
||||
|
||||
## Chain of trust
|
||||
## Putting it all together
|
||||
In this section, we put the aforementioned concepts together and illustrate how trust into a Constellation cluster is established and maintained.
|
||||
|
||||
So far, this page described how an entire Constellation cluster can be verified using hardware attestation capabilities and runtime measurements.
|
||||
The last missing link is how the ground truth in the form of runtime measurements can be securely distributed to the verifying party.
|
||||
### CLI and node images
|
||||
|
||||
The build process of Constellation images also creates the ground truth runtime measurements. The builds of Constellation images are reproducible and the measurements of an image can be recalculated and verified by everyone.
|
||||
With every release, Edgeless Systems publishes signed runtime measurements.
|
||||
It all starts with the CLI executable. The CLI is signed by Edgeless Systems. To ensure non-repudiability for CLI releases, Edgeless Systems publishes corresponding signatures to the public ledger of the [sigstore project](https://www.sigstore.dev/). There's a [step-by-step guide](../workflows/verify-cli.md) on how to verify CLI signatures based on sigstore.
|
||||
|
||||
The CLI executable is also signed by Edgeless Systems.
|
||||
You can [verify its signature](../workflows/verify-cli.md).
|
||||
The CLI contains the latest runtime measurements of the Constellation node image for all supported cloud platforms. In case a different version of the node image is to be used, the corresponding runtime measurements can be fetched using the CLI's [fetch-measurements command](../reference/cli.md#constellation-config-fetch-measurements). This command downloads the runtime measurements and the corresponding signature from cdn.confidential.cloud. See for example the following files corresponding to node image v2.16.3:
|
||||
* [Measurements](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json)
|
||||
* [Signature](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json.sig)
|
||||
|
||||
The CLI contains the public key required to verify signed runtime measurements from Edgeless Systems.
|
||||
When a cluster is [created](../workflows/create.md) or [upgraded](../workflows/upgrade.md), the CLI automatically verifies the measurements for the selected image.
|
||||
The CLI contains the long-term public key of Edgeless Systems to verify the signature of downloaded runtime measurements.
|
||||
|
||||
Thus, there's a chain of trust based on cryptographic signatures, which goes from CLI to runtime measurements to images. This is illustrated in the following diagram.
|
||||
### Cluster creation
|
||||
|
||||
When a cluster is [created](../workflows/create.md), the CLI automatically verifies the runtime measurements of the *first node* using remote attestation. Based on this, the CLI and the first node set up a temporary TLS connection. This [aTLS](#attested-tls-atls) connection is used for three things:
|
||||
1. The CLI sends the runtime measurements for the applicable node image to the first node.
|
||||
2. The first node sends the [master secret](../architecture/keys.md#master-secret) of the to-be-created cluster to the CLI. The master secret is generated by the first node.
|
||||
3. The first node sends a [kubeconfig file](https://www.redhat.com/sysadmin/kubeconfig) with Kubernetes credentials to the CLI.
|
||||
|
||||
After this, the aTLS connection is closed. All subsequent interactions between the CLI and the cluster go via the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/) server running inside the cluster. The CLI (and other tools like kubectl) use the credentials referenced by the kubeconfig file to authenticate themselves towards the Kubernetes API server and to establish a mTLS connection.
|
||||
|
||||
The first node bootstraps the Kubernetes cluster and provisions the cluster's JoinService with the runtime measurements received from the CLI. The JoinService verifies the runtime measurements of all subsequent nodes that join the cluster accordingly.
|
||||
|
||||
### Chain of trust
|
||||
|
||||
In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the cluster via the CLI. This is illustrated in the following diagram.
|
||||
|
||||
```mermaid
|
||||
flowchart LR
|
||||
A[Edgeless]-- "signs (cosign)" -->B[CLI]
|
||||
C[User]-- "verifies (cosign)" -->B[CLI]
|
||||
B[CLI]-- "contains" -->D["Public Key"]
|
||||
A[Edgeless]-- "signs" -->E["Runtime measurements"]
|
||||
D["Public key"]-- "verifies" -->E["Runtime measurements"]
|
||||
E["Runtime measurements"]-- "verify" -->F["Constellation cluster"]
|
||||
A[User]-- "verifies" -->B[CLI]
|
||||
B[CLI]-- "verifies" -->C([Runtime measurements])
|
||||
D[Edgeless Systems]-- "signs" -->B[CLI]
|
||||
D[Edgeless Systems]-- "signs" -->C([Runtime measurements])
|
||||
B[CLI]-- "verifies (remote attestation)" -->E[First node]
|
||||
E[First node]-- "verifies (remote attestation)" -->F[Other nodes]
|
||||
C([Runtime measurements]) -.-> E[First node]
|
||||
C([Runtime measurements]) -.-> F[Other nodes]
|
||||
```
|
||||
|
||||
### Upgrades
|
||||
|
||||
Whenever a cluster is [upgraded](../workflows/upgrade.md) to a new version of the node image, the CLI sends the corresponding runtime measurements via the Kubernetes API server. The new runtime measurements are stored in etcd within the cluster and replace any previous runtime measurements. The new runtime measurements are then used automatically by the JoinService for the verification of new nodes.
|
||||
|
||||
## References
|
||||
|
||||
[^1]: Linux IMA produces runtime measurements of user-space binaries.
|
||||
|
|
|
@ -11,6 +11,7 @@ backend
|
|||
Bazel
|
||||
bootloader
|
||||
Bootstrapper
|
||||
CLI
|
||||
cloud
|
||||
config
|
||||
CPU
|
||||
|
|
294
go.mod
294
go.mod
|
@ -1,6 +1,6 @@
|
|||
module github.com/edgelesssys/constellation/v2
|
||||
|
||||
go 1.22
|
||||
go 1.22.3
|
||||
|
||||
replace (
|
||||
k8s.io/api v0.0.0 => k8s.io/api v0.29.0
|
||||
|
@ -41,126 +41,132 @@ replace (
|
|||
)
|
||||
|
||||
require (
|
||||
cloud.google.com/go/compute v1.24.0
|
||||
cloud.google.com/go/compute/metadata v0.2.3
|
||||
cloud.google.com/go/kms v1.15.7
|
||||
cloud.google.com/go/secretmanager v1.11.5
|
||||
cloud.google.com/go/storage v1.38.0
|
||||
cloud.google.com/go/compute v1.26.0
|
||||
cloud.google.com/go/compute/metadata v0.3.0
|
||||
cloud.google.com/go/kms v1.15.9
|
||||
cloud.google.com/go/secretmanager v1.13.0
|
||||
cloud.google.com/go/storage v1.40.0
|
||||
dario.cat/mergo v1.0.0
|
||||
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
|
||||
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.5.0
|
||||
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5 v5.0.0
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2
|
||||
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.7.0
|
||||
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5 v5.1.1
|
||||
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0
|
||||
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.0
|
||||
github.com/aws/aws-sdk-go v1.50.22
|
||||
github.com/aws/aws-sdk-go-v2 v1.25.0
|
||||
github.com/aws/aws-sdk-go-v2/config v1.27.1
|
||||
github.com/aws/aws-sdk-go-v2/credentials v1.17.1
|
||||
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.0
|
||||
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.3
|
||||
github.com/aws/aws-sdk-go-v2/service/autoscaling v1.39.1
|
||||
github.com/aws/aws-sdk-go-v2/service/cloudfront v1.34.1
|
||||
github.com/aws/aws-sdk-go-v2/service/ec2 v1.148.1
|
||||
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.29.1
|
||||
github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.20.2
|
||||
github.com/aws/aws-sdk-go-v2/service/s3 v1.50.2
|
||||
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.27.2
|
||||
github.com/aws/smithy-go v1.20.0
|
||||
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.2
|
||||
github.com/BurntSushi/toml v1.3.2
|
||||
github.com/aws/aws-sdk-go v1.52.4
|
||||
github.com/aws/aws-sdk-go-v2 v1.26.1
|
||||
github.com/aws/aws-sdk-go-v2/config v1.27.11
|
||||
github.com/aws/aws-sdk-go-v2/credentials v1.17.11
|
||||
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1
|
||||
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15
|
||||
github.com/aws/aws-sdk-go-v2/service/autoscaling v1.40.5
|
||||
github.com/aws/aws-sdk-go-v2/service/cloudfront v1.36.0
|
||||
github.com/aws/aws-sdk-go-v2/service/ec2 v1.160.0
|
||||
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.30.5
|
||||
github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.21.4
|
||||
github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1
|
||||
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.6
|
||||
github.com/aws/smithy-go v1.20.2
|
||||
github.com/bazelbuild/buildtools v0.0.0-20230317132445-9c3c1fc0106e
|
||||
github.com/bazelbuild/rules_go v0.42.0
|
||||
github.com/bazelbuild/rules_go v0.47.1
|
||||
github.com/coreos/go-systemd/v22 v22.5.0
|
||||
github.com/docker/docker v25.0.5+incompatible
|
||||
github.com/docker/docker v26.1.1+incompatible
|
||||
github.com/edgelesssys/go-azguestattestation v0.0.0-20230707101700-a683be600fcf
|
||||
github.com/edgelesssys/go-tdx-qpl v0.0.0-20240123150912-dcad3c41ec5f
|
||||
github.com/foxboron/go-uefi v0.0.0-20240128152106-48be911532c2
|
||||
github.com/fsnotify/fsnotify v1.7.0
|
||||
github.com/go-playground/locales v0.14.1
|
||||
github.com/go-playground/universal-translator v0.18.1
|
||||
github.com/go-playground/validator/v10 v10.14.1
|
||||
github.com/golang-jwt/jwt/v5 v5.2.0
|
||||
github.com/go-playground/validator/v10 v10.20.0
|
||||
github.com/golang-jwt/jwt/v5 v5.2.1
|
||||
github.com/google/go-sev-guest v0.9.3
|
||||
github.com/google/go-tdx-guest v0.3.1
|
||||
github.com/google/go-tpm v0.9.0
|
||||
github.com/google/go-tpm-tools v0.4.3-0.20240112165732-912a43636883
|
||||
github.com/google/go-tpm-tools v0.4.4
|
||||
github.com/google/uuid v1.6.0
|
||||
github.com/googleapis/gax-go/v2 v2.12.1
|
||||
github.com/gophercloud/gophercloud v1.9.0
|
||||
github.com/googleapis/gax-go/v2 v2.12.4
|
||||
github.com/gophercloud/gophercloud v1.11.0
|
||||
github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56
|
||||
github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.1
|
||||
github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0
|
||||
github.com/hashicorp/go-kms-wrapping/v2 v2.0.16
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.11
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12
|
||||
github.com/hashicorp/go-version v1.6.0
|
||||
github.com/hashicorp/hc-install v0.6.3
|
||||
github.com/hashicorp/hcl/v2 v2.19.1
|
||||
github.com/hashicorp/hc-install v0.6.4
|
||||
github.com/hashicorp/hcl/v2 v2.20.1
|
||||
github.com/hashicorp/terraform-exec v0.20.0
|
||||
github.com/hashicorp/terraform-json v0.21.0
|
||||
github.com/hashicorp/terraform-plugin-framework v1.5.0
|
||||
github.com/hashicorp/terraform-plugin-framework v1.8.0
|
||||
github.com/hashicorp/terraform-plugin-framework-validators v0.12.0
|
||||
github.com/hashicorp/terraform-plugin-go v0.21.0
|
||||
github.com/hashicorp/terraform-plugin-go v0.23.0
|
||||
github.com/hashicorp/terraform-plugin-log v0.9.0
|
||||
github.com/hashicorp/terraform-plugin-testing v1.6.0
|
||||
github.com/hashicorp/terraform-plugin-testing v1.7.0
|
||||
github.com/hexops/gotextdiff v1.0.3
|
||||
github.com/martinjungblut/go-cryptsetup v0.0.0-20220520180014-fd0874fd07a6
|
||||
github.com/mattn/go-isatty v0.0.20
|
||||
github.com/onsi/ginkgo/v2 v2.14.0
|
||||
github.com/onsi/gomega v1.30.0
|
||||
github.com/mitchellh/go-homedir v1.1.0
|
||||
github.com/onsi/ginkgo/v2 v2.17.3
|
||||
github.com/onsi/gomega v1.33.1
|
||||
github.com/pkg/errors v0.9.1
|
||||
github.com/regclient/regclient v0.5.7
|
||||
github.com/regclient/regclient v0.6.0
|
||||
github.com/rogpeppe/go-internal v1.12.0
|
||||
github.com/samber/slog-multi v1.0.2
|
||||
github.com/schollz/progressbar/v3 v3.14.1
|
||||
github.com/siderolabs/talos/pkg/machinery v1.6.4
|
||||
github.com/sigstore/rekor v1.3.5
|
||||
github.com/sigstore/sigstore v1.8.1
|
||||
github.com/schollz/progressbar/v3 v3.14.2
|
||||
github.com/secure-systems-lab/go-securesystemslib v0.8.0
|
||||
github.com/siderolabs/talos/pkg/machinery v1.7.1
|
||||
github.com/sigstore/rekor v1.3.6
|
||||
github.com/sigstore/sigstore v1.8.3
|
||||
github.com/spf13/afero v1.11.0
|
||||
github.com/spf13/cobra v1.8.0
|
||||
github.com/spf13/pflag v1.0.5
|
||||
github.com/stretchr/testify v1.8.4
|
||||
github.com/stretchr/testify v1.9.0
|
||||
github.com/tink-crypto/tink-go/v2 v2.0.0
|
||||
github.com/vincent-petithory/dataurl v1.0.0
|
||||
go.etcd.io/etcd/api/v3 v3.5.12
|
||||
go.etcd.io/etcd/client/pkg/v3 v3.5.12
|
||||
go.etcd.io/etcd/client/v3 v3.5.12
|
||||
go.etcd.io/etcd/api/v3 v3.5.13
|
||||
go.etcd.io/etcd/client/pkg/v3 v3.5.13
|
||||
go.etcd.io/etcd/client/v3 v3.5.13
|
||||
go.uber.org/goleak v1.3.0
|
||||
golang.org/x/crypto v0.22.0
|
||||
golang.org/x/exp v0.0.0-20240213143201-ec583247a57a
|
||||
golang.org/x/mod v0.15.0
|
||||
golang.org/x/sys v0.19.0
|
||||
golang.org/x/text v0.14.0
|
||||
golang.org/x/tools v0.18.0
|
||||
google.golang.org/api v0.165.0
|
||||
google.golang.org/grpc v1.61.1
|
||||
google.golang.org/protobuf v1.33.0
|
||||
golang.org/x/crypto v0.23.0
|
||||
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
|
||||
golang.org/x/mod v0.17.0
|
||||
golang.org/x/sys v0.20.0
|
||||
golang.org/x/text v0.15.0
|
||||
golang.org/x/tools v0.21.0
|
||||
google.golang.org/api v0.178.0
|
||||
google.golang.org/grpc v1.63.2
|
||||
google.golang.org/protobuf v1.34.1
|
||||
gopkg.in/yaml.v3 v3.0.1
|
||||
helm.sh/helm v2.17.0+incompatible
|
||||
helm.sh/helm/v3 v3.14.2
|
||||
k8s.io/api v0.29.0
|
||||
k8s.io/apiextensions-apiserver v0.29.0
|
||||
k8s.io/apimachinery v0.29.0
|
||||
k8s.io/apiserver v0.29.0
|
||||
k8s.io/client-go v0.29.0
|
||||
helm.sh/helm/v3 v3.14.4
|
||||
k8s.io/api v0.30.0
|
||||
k8s.io/apiextensions-apiserver v0.30.0
|
||||
k8s.io/apimachinery v0.30.0
|
||||
k8s.io/apiserver v0.30.0
|
||||
k8s.io/client-go v0.30.0
|
||||
k8s.io/cluster-bootstrap v0.29.0
|
||||
k8s.io/kubelet v0.29.0
|
||||
k8s.io/kubernetes v1.29.4
|
||||
k8s.io/mount-utils v0.29.0
|
||||
k8s.io/utils v0.0.0-20240102154912-e7106e64919e
|
||||
libvirt.org/go/libvirt v1.10000.0
|
||||
k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0
|
||||
libvirt.org/go/libvirt v1.10003.0
|
||||
sigs.k8s.io/controller-runtime v0.18.2
|
||||
sigs.k8s.io/yaml v1.4.0
|
||||
)
|
||||
|
||||
require (
|
||||
cloud.google.com/go v0.112.0 // indirect
|
||||
cloud.google.com/go/iam v1.1.6 // indirect
|
||||
cloud.google.com/go v0.112.2 // indirect
|
||||
cloud.google.com/go/auth v0.3.0 // indirect
|
||||
cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
|
||||
cloud.google.com/go/iam v1.1.7 // indirect
|
||||
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
|
||||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect
|
||||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.6.0 // indirect
|
||||
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
|
||||
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
|
||||
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect
|
||||
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
|
||||
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
|
||||
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
|
||||
github.com/Azure/go-autorest/autorest v0.11.29 // indirect
|
||||
github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
|
||||
|
@ -170,7 +176,6 @@ require (
|
|||
github.com/Azure/go-autorest/logger v0.2.1 // indirect
|
||||
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
|
||||
github.com/BurntSushi/toml v1.3.2
|
||||
github.com/MakeNowJust/heredoc v1.0.0 // indirect
|
||||
github.com/Masterminds/goutils v1.1.1 // indirect
|
||||
github.com/Masterminds/semver/v3 v3.2.1 // indirect
|
||||
|
@ -178,68 +183,68 @@ require (
|
|||
github.com/Masterminds/squirrel v1.5.4 // indirect
|
||||
github.com/Microsoft/go-winio v0.6.1 // indirect
|
||||
github.com/Microsoft/hcsshim v0.11.4 // indirect
|
||||
github.com/ProtonMail/go-crypto v1.1.0-alpha.0-proton // indirect
|
||||
github.com/agext/levenshtein v1.2.3 // indirect
|
||||
github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
|
||||
github.com/agext/levenshtein v1.2.2 // indirect
|
||||
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
|
||||
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.0 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.0 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.0 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.0 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.0 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.0 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.0 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.0 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/sso v1.19.1 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.22.1 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/sts v1.27.1 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
|
||||
github.com/beorn7/perks v1.0.1 // indirect
|
||||
github.com/blang/semver v3.5.1+incompatible // indirect
|
||||
github.com/blang/semver/v4 v4.0.0 // indirect
|
||||
github.com/cespare/xxhash/v2 v2.2.0 // indirect
|
||||
github.com/chai2010/gettext-go v1.0.2 // indirect
|
||||
github.com/cloudflare/circl v1.3.7 // indirect
|
||||
github.com/containerd/containerd v1.7.13 // indirect
|
||||
github.com/containerd/containerd v1.7.12 // indirect
|
||||
github.com/containerd/log v0.1.0 // indirect
|
||||
github.com/coreos/go-semver v0.3.1 // indirect
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
|
||||
github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
|
||||
github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
|
||||
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
|
||||
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
|
||||
github.com/distribution/reference v0.5.0 // indirect
|
||||
github.com/docker/cli v25.0.3+incompatible // indirect
|
||||
github.com/docker/cli v25.0.1+incompatible // indirect
|
||||
github.com/docker/distribution v2.8.3+incompatible // indirect
|
||||
github.com/docker/docker-credential-helpers v0.8.1 // indirect
|
||||
github.com/docker/docker-credential-helpers v0.7.0 // indirect
|
||||
github.com/docker/go-connections v0.5.0 // indirect
|
||||
github.com/docker/go-metrics v0.0.1 // indirect
|
||||
github.com/docker/go-units v0.5.0 // indirect
|
||||
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
|
||||
github.com/emicklei/go-restful/v3 v3.11.2 // indirect
|
||||
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
|
||||
github.com/evanphx/json-patch v5.9.0+incompatible // indirect
|
||||
github.com/evanphx/json-patch/v5 v5.9.0 // indirect
|
||||
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
|
||||
github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
|
||||
github.com/fatih/color v1.16.0 // indirect
|
||||
github.com/felixge/httpsnoop v1.0.4 // indirect
|
||||
github.com/gabriel-vasile/mimetype v1.4.3 // indirect
|
||||
github.com/go-chi/chi v4.1.2+incompatible // indirect
|
||||
github.com/go-errors/errors v1.5.1 // indirect
|
||||
github.com/go-errors/errors v1.4.2 // indirect
|
||||
github.com/go-gorp/gorp/v3 v3.1.0 // indirect
|
||||
github.com/go-jose/go-jose/v3 v3.0.3 // indirect
|
||||
github.com/go-logr/logr v1.4.1 // indirect
|
||||
github.com/go-logr/stdr v1.2.2 // indirect
|
||||
github.com/go-logr/zapr v1.3.0 // indirect
|
||||
github.com/go-openapi/analysis v0.22.2 // indirect
|
||||
github.com/go-openapi/errors v0.21.0 // indirect
|
||||
github.com/go-openapi/jsonpointer v0.20.2 // indirect
|
||||
github.com/go-openapi/jsonreference v0.20.4 // indirect
|
||||
github.com/go-openapi/loads v0.21.5 // indirect
|
||||
github.com/go-openapi/runtime v0.27.1 // indirect
|
||||
github.com/go-openapi/spec v0.20.14 // indirect
|
||||
github.com/go-openapi/strfmt v0.22.0 // indirect
|
||||
github.com/go-openapi/swag v0.22.9 // indirect
|
||||
github.com/go-openapi/validate v0.23.0 // indirect
|
||||
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
|
||||
github.com/go-openapi/analysis v0.23.0 // indirect
|
||||
github.com/go-openapi/errors v0.22.0 // indirect
|
||||
github.com/go-openapi/jsonpointer v0.21.0 // indirect
|
||||
github.com/go-openapi/jsonreference v0.21.0 // indirect
|
||||
github.com/go-openapi/loads v0.22.0 // indirect
|
||||
github.com/go-openapi/runtime v0.28.0 // indirect
|
||||
github.com/go-openapi/spec v0.21.0 // indirect
|
||||
github.com/go-openapi/strfmt v0.23.0 // indirect
|
||||
github.com/go-openapi/swag v0.23.0 // indirect
|
||||
github.com/go-openapi/validate v0.24.0 // indirect
|
||||
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
|
||||
github.com/gobwas/glob v0.2.3 // indirect
|
||||
github.com/godbus/dbus/v5 v5.1.0 // indirect
|
||||
github.com/gogo/protobuf v1.3.2 // indirect
|
||||
|
@ -247,23 +252,23 @@ require (
|
|||
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
|
||||
github.com/golang/protobuf v1.5.4 // indirect
|
||||
github.com/google/btree v1.1.2 // indirect
|
||||
github.com/google/certificate-transparency-go v1.1.7 // indirect
|
||||
github.com/google/certificate-transparency-go v1.1.6 // indirect
|
||||
github.com/google/gnostic-models v0.6.8 // indirect
|
||||
github.com/google/go-attestation v0.5.1 // indirect
|
||||
github.com/google/go-attestation v0.5.0 // indirect
|
||||
github.com/google/go-cmp v0.6.0 // indirect
|
||||
github.com/google/go-configfs-tsm v0.2.2 // indirect
|
||||
github.com/google/go-containerregistry v0.19.0 // indirect
|
||||
github.com/google/go-tspi v0.3.0 // indirect
|
||||
github.com/google/gofuzz v1.2.0 // indirect
|
||||
github.com/google/logger v1.1.1 // indirect
|
||||
github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b // indirect
|
||||
github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
|
||||
github.com/google/s2a-go v0.1.7 // indirect
|
||||
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
|
||||
github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
|
||||
github.com/gorilla/mux v1.8.1 // indirect
|
||||
github.com/gorilla/websocket v1.5.1 // indirect
|
||||
github.com/gorilla/mux v1.8.0 // indirect
|
||||
github.com/gorilla/websocket v1.5.0 // indirect
|
||||
github.com/gosuri/uitable v0.0.4 // indirect
|
||||
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
|
||||
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
|
||||
github.com/hashicorp/errwrap v1.1.0 // indirect
|
||||
github.com/hashicorp/go-checkpoint v0.5.0 // indirect
|
||||
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
|
||||
|
@ -272,71 +277,70 @@ require (
|
|||
github.com/hashicorp/go-multierror v1.1.1 // indirect
|
||||
github.com/hashicorp/go-plugin v1.6.0 // indirect
|
||||
github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
|
||||
github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 // indirect
|
||||
github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 // indirect
|
||||
github.com/hashicorp/go-uuid v1.0.3 // indirect
|
||||
github.com/hashicorp/logutils v1.0.0 // indirect
|
||||
github.com/hashicorp/terraform-plugin-sdk/v2 v2.30.0 // indirect
|
||||
github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0 // indirect
|
||||
github.com/hashicorp/terraform-registry-address v0.2.3 // indirect
|
||||
github.com/hashicorp/terraform-svchost v0.1.1 // indirect
|
||||
github.com/hashicorp/yamux v0.1.1 // indirect
|
||||
github.com/huandu/xstrings v1.4.0 // indirect
|
||||
github.com/imdario/mergo v0.3.16 // indirect
|
||||
github.com/imdario/mergo v0.3.15 // indirect
|
||||
github.com/inconshreveable/mousetrap v1.1.0 // indirect
|
||||
github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
|
||||
github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
|
||||
github.com/jmespath/go-jmespath v0.4.0 // indirect
|
||||
github.com/jmoiron/sqlx v1.3.5 // indirect
|
||||
github.com/josharian/intern v1.0.0 // indirect
|
||||
github.com/json-iterator/go v1.1.12 // indirect
|
||||
github.com/klauspost/compress v1.17.6 // indirect
|
||||
github.com/klauspost/compress v1.17.4 // indirect
|
||||
github.com/kylelemons/godebug v1.1.0 // indirect
|
||||
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
|
||||
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
|
||||
github.com/leodido/go-urn v1.4.0 // indirect
|
||||
github.com/letsencrypt/boulder v0.0.0-20240216200101-4eb5e3caa228 // indirect
|
||||
github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
|
||||
github.com/lib/pq v1.10.9 // indirect
|
||||
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
|
||||
github.com/mailru/easyjson v0.7.7 // indirect
|
||||
github.com/mattn/go-colorable v0.1.13 // indirect
|
||||
github.com/mattn/go-runewidth v0.0.15 // indirect
|
||||
github.com/mattn/go-runewidth v0.0.13 // indirect
|
||||
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
|
||||
github.com/mitchellh/copystructure v1.2.0 // indirect
|
||||
github.com/mitchellh/go-homedir v1.1.0
|
||||
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
|
||||
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
|
||||
github.com/mitchellh/mapstructure v1.5.0 // indirect
|
||||
github.com/mitchellh/reflectwalk v1.0.2 // indirect
|
||||
github.com/moby/docker-image-spec v1.3.1 // indirect
|
||||
github.com/moby/locker v1.0.1 // indirect
|
||||
github.com/moby/spdystream v0.2.0 // indirect
|
||||
github.com/moby/sys/mountinfo v0.7.1 // indirect
|
||||
github.com/moby/sys/mountinfo v0.6.2 // indirect
|
||||
github.com/moby/term v0.5.0 // indirect
|
||||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
|
||||
github.com/modern-go/reflect2 v1.0.2 // indirect
|
||||
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
|
||||
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
|
||||
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
|
||||
github.com/oklog/run v1.1.0 // indirect
|
||||
github.com/oklog/run v1.0.0 // indirect
|
||||
github.com/oklog/ulid v1.3.1 // indirect
|
||||
github.com/opencontainers/go-digest v1.0.0 // indirect
|
||||
github.com/opencontainers/image-spec v1.1.0 // indirect
|
||||
github.com/opencontainers/image-spec v1.1.0-rc6 // indirect
|
||||
github.com/opentracing/opentracing-go v1.2.0 // indirect
|
||||
github.com/pborman/uuid v1.2.1 // indirect
|
||||
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
|
||||
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
|
||||
github.com/pmezard/go-difflib v1.0.0 // indirect
|
||||
github.com/prometheus/client_golang v1.18.0 // indirect
|
||||
github.com/prometheus/client_model v0.6.0 // indirect
|
||||
github.com/prometheus/common v0.47.0 // indirect
|
||||
github.com/prometheus/client_golang v1.19.0 // indirect
|
||||
github.com/prometheus/client_model v0.5.0 // indirect
|
||||
github.com/prometheus/common v0.48.0 // indirect
|
||||
github.com/prometheus/procfs v0.12.0 // indirect
|
||||
github.com/rivo/uniseg v0.4.7 // indirect
|
||||
github.com/rubenv/sql-migrate v1.6.1 // indirect
|
||||
github.com/rubenv/sql-migrate v1.5.2 // indirect
|
||||
github.com/russross/blackfriday/v2 v2.1.0 // indirect
|
||||
github.com/samber/lo v1.38.1 // indirect
|
||||
github.com/sassoftware/relic v7.2.1+incompatible // indirect
|
||||
github.com/secure-systems-lab/go-securesystemslib v0.8.0
|
||||
github.com/shopspring/decimal v1.3.1 // indirect
|
||||
github.com/sirupsen/logrus v1.9.3 // indirect
|
||||
github.com/spf13/cast v1.6.0 // indirect
|
||||
github.com/stretchr/objx v0.5.0 // indirect
|
||||
github.com/stretchr/objx v0.5.2 // indirect
|
||||
github.com/theupdateframework/go-tuf v0.7.0 // indirect
|
||||
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
|
||||
github.com/transparency-dev/merkle v0.0.2 // indirect
|
||||
|
@ -349,40 +353,38 @@ require (
|
|||
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
|
||||
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
|
||||
github.com/xlab/treeprint v1.2.0 // indirect
|
||||
github.com/zclconf/go-cty v1.14.2 // indirect
|
||||
github.com/zclconf/go-cty v1.14.3 // indirect
|
||||
go.mongodb.org/mongo-driver v1.14.0 // indirect
|
||||
go.opencensus.io v0.24.0 // indirect
|
||||
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0 // indirect
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0 // indirect
|
||||
go.opentelemetry.io/otel v1.23.1 // indirect
|
||||
go.opentelemetry.io/otel/metric v1.23.1 // indirect
|
||||
go.opentelemetry.io/otel/trace v1.23.1 // indirect
|
||||
go.starlark.net v0.0.0-20240123142251-f86470692795 // indirect
|
||||
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
|
||||
go.opentelemetry.io/otel v1.24.0 // indirect
|
||||
go.opentelemetry.io/otel/metric v1.24.0 // indirect
|
||||
go.opentelemetry.io/otel/trace v1.24.0 // indirect
|
||||
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
|
||||
go.uber.org/multierr v1.11.0 // indirect
|
||||
go.uber.org/zap v1.27.0 // indirect
|
||||
golang.org/x/net v0.23.0 // indirect
|
||||
golang.org/x/oauth2 v0.17.0 // indirect
|
||||
golang.org/x/sync v0.6.0 // indirect
|
||||
golang.org/x/term v0.19.0 // indirect
|
||||
golang.org/x/net v0.25.0 // indirect
|
||||
golang.org/x/oauth2 v0.20.0 // indirect
|
||||
golang.org/x/sync v0.7.0 // indirect
|
||||
golang.org/x/term v0.20.0 // indirect
|
||||
golang.org/x/time v0.5.0 // indirect
|
||||
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
|
||||
google.golang.org/appengine v1.6.8 // indirect
|
||||
google.golang.org/genproto v0.0.0-20240221002015-b0ce06bbee7c // indirect
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20240221002015-b0ce06bbee7c // indirect
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240221002015-b0ce06bbee7c // indirect
|
||||
gopkg.in/evanphx/json-patch.v5 v5.9.0 // indirect
|
||||
google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 // indirect
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect
|
||||
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
|
||||
gopkg.in/inf.v0 v0.9.1 // indirect
|
||||
gopkg.in/yaml.v2 v2.4.0 // indirect
|
||||
k8s.io/cli-runtime v0.29.0 // indirect
|
||||
k8s.io/component-base v0.29.0 // indirect
|
||||
k8s.io/component-base v0.30.0 // indirect
|
||||
k8s.io/klog/v2 v2.120.1 // indirect
|
||||
k8s.io/kube-openapi v0.0.0-20240220201932-37d671a357a5 // indirect
|
||||
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
|
||||
k8s.io/kubectl v0.29.0 // indirect
|
||||
oras.land/oras-go v1.2.5 // indirect
|
||||
sigs.k8s.io/controller-runtime v0.17.2
|
||||
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
|
||||
sigs.k8s.io/kustomize/api v0.16.0 // indirect
|
||||
sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect
|
||||
sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
|
||||
sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
|
||||
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
|
||||
)
|
||||
|
|
|
@ -93,13 +93,13 @@ type Config struct {
|
|||
Tags cloudprovider.Tags `yaml:"tags" validate:"omitempty"`
|
||||
// description: |
|
||||
// Supported cloud providers and their specific configurations.
|
||||
Provider ProviderConfig `yaml:"provider" validate:"dive"`
|
||||
Provider ProviderConfig `yaml:"provider"`
|
||||
// description: |
|
||||
// Node groups to be created in the cluster.
|
||||
NodeGroups map[string]NodeGroup `yaml:"nodeGroups" validate:"required,dive"`
|
||||
// description: |
|
||||
// Configuration for attestation validation. This configuration provides sensible defaults for the Constellation version it was created for.\nSee the docs for an overview on attestation: https://docs.edgeless.systems/constellation/architecture/attestation
|
||||
Attestation AttestationConfig `yaml:"attestation" validate:"dive"`
|
||||
Attestation AttestationConfig `yaml:"attestation"`
|
||||
}
|
||||
|
||||
// ProviderConfig are cloud-provider specific configuration values used by the CLI.
|
||||
|
@ -108,19 +108,19 @@ type Config struct {
|
|||
type ProviderConfig struct {
|
||||
// description: |
|
||||
// Configuration for AWS as provider.
|
||||
AWS *AWSConfig `yaml:"aws,omitempty" validate:"omitempty,dive"`
|
||||
AWS *AWSConfig `yaml:"aws,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// Configuration for Azure as provider.
|
||||
Azure *AzureConfig `yaml:"azure,omitempty" validate:"omitempty,dive"`
|
||||
Azure *AzureConfig `yaml:"azure,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// Configuration for Google Cloud as provider.
|
||||
GCP *GCPConfig `yaml:"gcp,omitempty" validate:"omitempty,dive"`
|
||||
GCP *GCPConfig `yaml:"gcp,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// Configuration for OpenStack as provider.
|
||||
OpenStack *OpenStackConfig `yaml:"openstack,omitempty" validate:"omitempty,dive"`
|
||||
OpenStack *OpenStackConfig `yaml:"openstack,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// Configuration for QEMU as provider.
|
||||
QEMU *QEMUConfig `yaml:"qemu,omitempty" validate:"omitempty,dive"`
|
||||
QEMU *QEMUConfig `yaml:"qemu,omitempty" validate:"omitempty"`
|
||||
}
|
||||
|
||||
// AWSConfig are AWS specific configuration values used by the CLI.
|
||||
|
@ -264,31 +264,31 @@ type QEMUConfig struct {
|
|||
type AttestationConfig struct {
|
||||
// description: |
|
||||
// AWS SEV-SNP attestation.
|
||||
AWSSEVSNP *AWSSEVSNP `yaml:"awsSEVSNP,omitempty" validate:"omitempty,dive"`
|
||||
AWSSEVSNP *AWSSEVSNP `yaml:"awsSEVSNP,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// AWS Nitro TPM attestation.
|
||||
AWSNitroTPM *AWSNitroTPM `yaml:"awsNitroTPM,omitempty" validate:"omitempty,dive"`
|
||||
AWSNitroTPM *AWSNitroTPM `yaml:"awsNitroTPM,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// Azure SEV-SNP attestation.\nFor details see: https://docs.edgeless.systems/constellation/architecture/attestation#cvm-verification
|
||||
AzureSEVSNP *AzureSEVSNP `yaml:"azureSEVSNP,omitempty" validate:"omitempty,dive"`
|
||||
AzureSEVSNP *AzureSEVSNP `yaml:"azureSEVSNP,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// Azure TDX attestation.
|
||||
AzureTDX *AzureTDX `yaml:"azureTDX,omitempty" validate:"omitempty,dive"`
|
||||
AzureTDX *AzureTDX `yaml:"azureTDX,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// Azure TPM attestation (Trusted Launch).
|
||||
AzureTrustedLaunch *AzureTrustedLaunch `yaml:"azureTrustedLaunch,omitempty" validate:"omitempty,dive"`
|
||||
AzureTrustedLaunch *AzureTrustedLaunch `yaml:"azureTrustedLaunch,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// GCP SEV-ES attestation.
|
||||
GCPSEVES *GCPSEVES `yaml:"gcpSEVES,omitempty" validate:"omitempty,dive"`
|
||||
GCPSEVES *GCPSEVES `yaml:"gcpSEVES,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// GCP SEV-SNP attestation.
|
||||
GCPSEVSNP *GCPSEVSNP `yaml:"gcpSEVSNP,omitempty" validate:"omitempty,dive"`
|
||||
GCPSEVSNP *GCPSEVSNP `yaml:"gcpSEVSNP,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// QEMU tdx attestation.
|
||||
QEMUTDX *QEMUTDX `yaml:"qemuTDX,omitempty" validate:"omitempty,dive"`
|
||||
QEMUTDX *QEMUTDX `yaml:"qemuTDX,omitempty" validate:"omitempty"`
|
||||
// description: |
|
||||
// QEMU vTPM attestation.
|
||||
QEMUVTPM *QEMUVTPM `yaml:"qemuVTPM,omitempty" validate:"omitempty,dive"`
|
||||
QEMUVTPM *QEMUVTPM `yaml:"qemuVTPM,omitempty" validate:"omitempty"`
|
||||
}
|
||||
|
||||
// NodeGroup defines a group of nodes with the same role and configuration.
|
||||
|
@ -1130,7 +1130,7 @@ type AzureSEVSNP struct {
|
|||
AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
|
||||
// description: |
|
||||
// AMD Signing Key certificate used to verify the SEV-SNP VCEK / VLEK certificate.
|
||||
AMDSigningKey Certificate `json:"amdSigningKey,omitempty" yaml:"amdSigningKey,omitempty" validate:"len=0"`
|
||||
AMDSigningKey Certificate `json:"amdSigningKey,omitempty" yaml:"amdSigningKey,omitempty"`
|
||||
}
|
||||
|
||||
// AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation.
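Review bot: Dropping `validate:"len=0"` from `AMDSigningKey` in the `AzureSEVSNP` hunk removes the only visible guard that rejected a user-supplied `amdSigningKey`; after this change a populated field passes config validation without any error, while the description still says the key is "used to verify the SEV-SNP VCEK / VLEK certificate". If the intent is that users never set this field (the old tag suggests it was not honoured from config), either add an explicit check in the config validation path or say so in the description, e.g. `// AMD Signing Key certificate used to verify the SEV-SNP VCEK / VLEK certificate. Leave this empty; a value set here is not used.` (adjust to whatever the loader actually does, which is not visible here). The `dive` removals in the `Config`, `ProviderConfig` and `AttestationConfig` hunks look behavior-neutral if the validator is go-playground/validator, where `dive` applies to slices, maps and arrays and nested struct fields are validated without it, but that presumption is worth a sentence in the commit description.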
|
||||
|
|
|
@ -33,14 +33,6 @@ import (
|
|||
// Also, the charts are not rendered correctly without all of these values.
|
||||
func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, output state.Infrastructure) map[string]any {
|
||||
extraVals := map[string]any{}
|
||||
if conformanceMode {
|
||||
extraVals["kubeProxyReplacementHealthzBindAddr"] = ""
|
||||
extraVals["kubeProxyReplacement"] = "partial"
|
||||
extraVals["sessionAffinity"] = true
|
||||
extraVals["cni"] = map[string]any{
|
||||
"chainingMode": "portmap",
|
||||
}
|
||||
}
|
||||
|
||||
strictMode := map[string]any{}
|
||||
// TODO(@3u13r): Once we are able to set the subnet of the load balancer VMs
|
||||
|
@ -75,6 +67,28 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
|
|||
},
|
||||
}
|
||||
|
||||
// When --conformance is set, we try to mitigate https://github.com/cilium/cilium/issues/9207
|
||||
// Users are discouraged of ever using this mode, except if they truly
|
||||
// require protocol differentiation to work and cannot mitigate that any other way.
|
||||
// Since there should always be workarounds, we only support this mode to
|
||||
// pass the K8s conformance tests. It is not supported to switch to or from
|
||||
// this mode after Constellation has been initialized.
|
||||
// This only works for the K8s conformance tests up to K8s 1.28.
|
||||
if conformanceMode {
|
||||
extraVals["kubeProxyReplacementHealthzBindAddr"] = ""
|
||||
extraVals["kubeProxyReplacement"] = "false"
|
||||
extraVals["sessionAffinity"] = true
|
||||
extraVals["cni"] = map[string]any{
|
||||
"chainingMode": "portmap",
|
||||
}
|
||||
extraVals["ipMasqAgent"] = map[string]any{
|
||||
"enabled": false,
|
||||
}
|
||||
extraVals["bpf"] = map[string]any{
|
||||
"masquerade": false,
|
||||
}
|
||||
}
|
||||
|
||||
return extraVals
|
||||
}
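Review bot: The conformance block at the end of the second hunk now runs after `strictMode` and after the provider-specific values (the middle of `extraCiliumValues` lies between the two hunks), and it assigns whole sub-maps: `extraVals["bpf"] = map[string]any{"masquerade": false}` and `extraVals["cni"] = map[string]any{"chainingMode": "portmap"}` replace any `bpf` or `cni` map set earlier rather than merging keys into it. If the part of the function outside the hunks sets those keys, moving the block to the end silently discards their values in conformance mode; if it does not, a one-line comment would make the ordering a stated invariant, e.g. `// Applied last on purpose: conformance overrides take precedence over provider-specific values.`. Disabling `bpf.masquerade` and `ipMasqAgent` changes the source address of pod egress traffic, so the comment block above the `if conformanceMode` should name that as part of the mitigation for cilium/cilium#9207, otherwise a later reader has no reason not to re-enable it.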
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// versions:
|
||||
// protoc-gen-go v1.33.0
|
||||
// protoc-gen-go v1.34.1
|
||||
// protoc v4.22.1
|
||||
// source: internal/versions/components/components.proto
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// versions:
|
||||
// protoc-gen-go v1.33.0
|
||||
// protoc-gen-go v1.34.1
|
||||
// protoc v4.22.1
|
||||
// source: joinservice/joinproto/join.proto
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// versions:
|
||||
// protoc-gen-go v1.33.0
|
||||
// protoc-gen-go v1.34.1
|
||||
// protoc v4.22.1
|
||||
// source: keyservice/keyserviceproto/keyservice.proto
|
||||
|
||||
|
|
|
@ -42,40 +42,20 @@
|
|||
"prPriority": -30,
|
||||
},
|
||||
{
|
||||
"matchDepPatterns": ["^k8s.io", "^sigs.k8s.io"],
|
||||
"groupName": "K8s dependencies",
|
||||
},
|
||||
{
|
||||
"matchDepPatterns": ["^go.etcd.io/etcd"],
|
||||
"groupName": "etcd dependencies",
|
||||
},
|
||||
{
|
||||
"matchDepPatterns": ["^github.com/hashicorp/go-kms-wrapping"],
|
||||
"groupName": "github.com/hashicorp/go-kms-wrapping",
|
||||
},
|
||||
{
|
||||
"matchDepPatterns": ["^github.com/aws/aws-sdk-go-v2"],
|
||||
"groupName": "AWS SDK",
|
||||
"prPriority": -10,
|
||||
},
|
||||
{
|
||||
"matchDepPatterns": [
|
||||
"^github.com/Azure/",
|
||||
"^github.com/AzureAD/microsoft-authentication-library-for-go",
|
||||
// Group update of direct Go dependencies.
|
||||
"groupName": "Go dependencies",
|
||||
"matchManagers": ["gomod"],
|
||||
"matchDepTypes": ["require"],
|
||||
"matchUpdateTypes": [
|
||||
"bump",
|
||||
"digest",
|
||||
"lockFileMaintenance",
|
||||
"minor",
|
||||
"patch",
|
||||
"pin",
|
||||
"pinDigest",
|
||||
"rollback",
|
||||
],
|
||||
"groupName": "Azure SDK",
|
||||
},
|
||||
{
|
||||
"matchDepPatterns": ["^cloud.google.com/go"],
|
||||
"groupName": "Google SDK",
|
||||
},
|
||||
{
|
||||
"matchDepPatterns": ["^google.golang.org/genproto"],
|
||||
"prPriority": -10,
|
||||
},
|
||||
{
|
||||
"matchDepPatterns": ["^libvirt.org/go"],
|
||||
"groupName": "libvirt.org/go",
|
||||
},
|
||||
{
|
||||
"matchManagers": ["bazelisk", "bazel", "bazel-module"],
|
||||
|
@ -84,7 +64,7 @@
|
|||
},
|
||||
{
|
||||
"matchDatasources": ["golang-version"],
|
||||
"allowedVersions": "1.19",
|
||||
"allowedVersions": "1.22",
|
||||
},
|
||||
{
|
||||
"matchManagers": ["pip_requirements"],
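Review bot: The new `Go dependencies` rule in the first hunk folds every direct module update (`minor`, `patch`, `digest`, `pin`, `pinDigest`, `lockFileMaintenance`, `rollback`) into a single PR, replacing the per-ecosystem groups (K8s, etcd, go-kms-wrapping, AWS/Azure/Google SDK, genproto, libvirt) that the hunk removes; one bundled PR makes it harder to review the changelog and provenance of each module on its own, and a single failing module blocks all the others. Including `rollback` is the part worth reconsidering: a downgrade can reintroduce an already-fixed vulnerability and deserves its own PR rather than being buried among routine bumps, so `"matchUpdateTypes": ["bump", "digest", "lockFileMaintenance", "minor", "patch", "pin", "pinDigest"]` with a separate rule for rollbacks would keep those visible. The comment `// Group update of direct Go dependencies.` should also state that `"matchDepTypes": ["require"]` is what excludes `// indirect` modules, presumably because Renovate's gomod manager labels those `indirect`; confirm that against the manager docs.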
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// versions:
|
||||
// protoc-gen-go v1.33.0
|
||||
// protoc-gen-go v1.34.1
|
||||
// protoc v4.22.1
|
||||
// source: upgrade-agent/upgradeproto/upgrade.proto
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// versions:
|
||||
// protoc-gen-go v1.33.0
|
||||
// protoc-gen-go v1.34.1
|
||||
// protoc v4.22.1
|
||||
// source: verify/verifyproto/verify.proto
|
||||
|
||||
|
|