Merge a542a4d141 into 0325483504

helm: disable cilium ipmasq agent when in conformance mode (#3062 )
deps: update all Go dependencies (#3071 )
2024-05-09 07:54:12 +02:00 · 2024-05-08 18:51:12 +02:00 · 2024-05-08 17:31:47 +02:00 · 2024-05-07 12:02:51 +00:00 · 2024-05-07 11:42:11 +00:00 · 2024-05-07 13:38:56 +02:00
18 changed files with 1389 additions and 1253 deletions
--- a/bazel/toolchains/go_module_deps.bzl
+++ b/bazel/toolchains/go_module_deps.bzl
--- a/bootstrapper/initproto/init.pb.go
+++ b/bootstrapper/initproto/init.pb.go
@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.33.0
+// 	protoc-gen-go v1.34.1
 // 	protoc        v4.22.1
 // source: bootstrapper/initproto/init.proto

--- a/cli/internal/libvirt/BUILD.bazel
+++ b/cli/internal/libvirt/BUILD.bazel
@ -7,9 +7,9 @@ go_library(
    visibility = ["//:__subpackages__"],
    deps = [
        "//internal/file",
-        "@com_github_docker_docker//api/types",
        "@com_github_docker_docker//api/types/container",
        "@com_github_docker_docker//api/types/filters",
+        "@com_github_docker_docker//api/types/image",
        "@com_github_docker_docker//client",
        "@com_github_spf13_afero//:afero",
    ],
--- a/cli/internal/libvirt/libvirt.go
+++ b/cli/internal/libvirt/libvirt.go
@ -17,9 +17,9 @@ import (
 	"fmt"
 	"io"

-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/image"
 	docker "github.com/docker/docker/client"
 	"github.com/edgelesssys/constellation/v2/internal/file"
 	"github.com/spf13/afero"
@ -101,7 +101,7 @@ func (r *Runner) Start(ctx context.Context, name, imageName string) error {
 func (r *Runner) startNewContainer(ctx context.Context, docker *docker.Client, containerName, imageName string) error {
 	// check if image exists locally, if not pull it
 	// this allows us to use a custom image without having to push it to a registry
-	images, err := docker.ImageList(ctx, types.ImageListOptions{
+	images, err := docker.ImageList(ctx, image.ListOptions{
 		Filters: filters.NewArgs(
 			filters.KeyValuePair{
 				Key:   "reference",
@ -113,7 +113,7 @@ func (r *Runner) startNewContainer(ctx context.Context, docker *docker.Client, c
 		return err
 	}
 	if len(images) == 0 {
-		reader, err := docker.ImagePull(ctx, imageName, types.ImagePullOptions{})
+		reader, err := docker.ImagePull(ctx, imageName, image.PullOptions{})
 		if err != nil {
 			return fmt.Errorf("failed to pull image %q: %w", imageName, err)
 		}
--- a/debugd/service/debugd.pb.go
+++ b/debugd/service/debugd.pb.go
@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.33.0
+// 	protoc-gen-go v1.34.1
 // 	protoc        v4.22.1
 // source: debugd/service/debugd.proto

--- a/disk-mapper/recoverproto/recover.pb.go
+++ b/disk-mapper/recoverproto/recover.pb.go
@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.33.0
+// 	protoc-gen-go v1.34.1
 // 	protoc        v4.22.1
 // source: disk-mapper/recoverproto/recover.proto

--- a/docs/docs/architecture/attestation.md
+++ b/docs/docs/architecture/attestation.md
@ -78,15 +78,15 @@ The idea is that Constellation nodes should have verifiable integrity from the C
 The solution is a verifiable boot chain and an integrity-protected runtime environment.

 Constellation uses measured boot within CVMs, measuring each component in the boot process before executing it.
-Outside of CC, it's usually implemented via TPMs.
+Outside of CC, this is usually implemented via TPMs.
 CVM technologies differ in how they implement runtime measurements, but the general concepts are similar to those of a TPM.
 For simplicity, TPM terminology like *PCR* is used in the following.

-When a Constellation node image boots inside a CVM, it uses measured boot for all stages and components of the boot chain.
+When a Constellation node image boots inside a CVM, measured boot is used for all stages and components of the boot chain.
 This process goes up to the root filesystem.
-The root filesystem is mounted read-only with integrity protection, guaranteeing forward integrity.
+The root filesystem is mounted read-only with integrity protection.
 For the details on the image and boot stages see the [image architecture](../architecture/images.md) documentation.
-Any changes to the image will inevitably also change the measured boot's PCR values.
+Any changes to the image will inevitably also change the corresponding PCR values.
 To create a node attestation statement, the Constellation image obtains a CVM attestation statement from the hardware.
 This includes the runtime measurements and thereby binds the measured boot results to the CVM hardware measurement.

@ -341,32 +341,50 @@ When an initialized node tries to join another cluster, its measurements inevita
 The [*VerificationService*](microservices.md#verificationservice) provides an endpoint for obtaining its hardware-based remote attestation statement, which includes the runtime measurements.
 A user can [verify](../workflows/verify-cluster.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy.

-## Chain of trust
+## Putting it all together
+In this section, we put the aforementioned concepts together and illustrate how trust into a Constellation cluster is established and maintained.

-So far, this page described how an entire Constellation cluster can be verified using hardware attestation capabilities and runtime measurements.
-The last missing link is how the ground truth in the form of runtime measurements can be securely distributed to the verifying party.
+### CLI and node images

-The build process of Constellation images also creates the ground truth runtime measurements. The builds of Constellation images are reproducible and the measurements of an image can be recalculated and verified by everyone.
-With every release, Edgeless Systems publishes signed runtime measurements.
+It all starts with the CLI executable. The CLI is signed by Edgeless Systems. To ensure non-repudiability for CLI releases, Edgeless Systems publishes corresponding signatures to the public ledger of the [sigstore project](https://www.sigstore.dev/). There's a [step-by-step guide](../workflows/verify-cli.md) on how to verify CLI signatures based on sigstore.

-The CLI executable is also signed by Edgeless Systems.
-You can [verify its signature](../workflows/verify-cli.md).
+The CLI contains the latest runtime measurements of the Constellation node image for all supported cloud platforms. In case a different version of the node image is to be used, the corresponding runtime measurements can be fetched using the CLI's [fetch-measurements command](../reference/cli.md#constellation-config-fetch-measurements). This command downloads the runtime measurements and the corresponding signature from cdn.confidential.cloud. See for example the following files corresponding to node image v2.16.3:
+* [Measurements](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json)
+* [Signature](https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.16.3/image/measurements.json.sig)

-The CLI contains the public key required to verify signed runtime measurements from Edgeless Systems.
-When a cluster is [created](../workflows/create.md) or [upgraded](../workflows/upgrade.md), the CLI automatically verifies the measurements for the selected image.
+The CLI contains the long-term public key of Edgeless Systems to verify the signature of downloaded runtime measurements.

-Thus, there's a chain of trust based on cryptographic signatures, which goes from CLI to runtime measurements to images. This is illustrated in the following diagram.
+### Cluster creation
+
+When a cluster is [created](../workflows/create.md), the CLI automatically verifies the runtime measurements of the *first node* using remote attestation. Based on this, the CLI and the first node set up a temporary TLS connection. This [aTLS](#attested-tls-atls) connection is used for three things:
+1. The CLI sends the runtime measurements for the applicable node image to the first node.
+2. The first node sends the [master secret](../architecture/keys.md#master-secret) of the to-be-created cluster to the CLI. The master secret is generated by the first node. 
+3. The first node sends a [kubeconfig file](https://www.redhat.com/sysadmin/kubeconfig) with Kubernetes credentials to the CLI.
+
+After this, the aTLS connection is closed. All subsequent interactions between the CLI and the cluster go via the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/) server running inside the cluster. The CLI (and other tools like kubectl) use the credentials referenced by the kubeconfig file to authenticate themselves towards the Kubernetes API server and to establish a mTLS connection.
+
+The first node bootstraps the Kubernetes cluster and provisions the cluster's JoinService with the runtime measurements received from the CLI. The JoinService verifies the runtime measurements of all subsequent nodes that join the cluster accordingly.
+
+### Chain of trust
+
+In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the cluster via the CLI. This is illustrated in the following diagram.

 ```mermaid
 flowchart LR
-  A[Edgeless]-- "signs (cosign)" -->B[CLI]
-  C[User]-- "verifies (cosign)" -->B[CLI]
-  B[CLI]-- "contains" -->D["Public Key"]
-  A[Edgeless]-- "signs" -->E["Runtime measurements"]
-  D["Public key"]-- "verifies" -->E["Runtime measurements"]
-  E["Runtime measurements"]-- "verify" -->F["Constellation cluster"]
+  A[User]-- "verifies" -->B[CLI]
+  B[CLI]-- "verifies" -->C([Runtime measurements])
+  D[Edgeless Systems]-- "signs" -->B[CLI]
+  D[Edgeless Systems]-- "signs" -->C([Runtime measurements])
+  B[CLI]-- "verifies (remote attestation)" -->E[First node]
+  E[First node]-- "verifies (remote attestation)" -->F[Other nodes]
+  C([Runtime measurements]) -.-> E[First node]
+  C([Runtime measurements]) -.-> F[Other nodes]
 ```

+### Upgrades
+
+Whenever a cluster is [upgraded](../workflows/upgrade.md) to a new version of the node image, the CLI sends the corresponding runtime measurements via the Kubernetes API server. The new runtime measurements are stored in etcd within the cluster and replace any previous runtime measurements. The new runtime measurements are then used automatically by the JoinService for the verification of new nodes. 
+
 ## References

 [^1]: Linux IMA produces runtime measurements of user-space binaries.
--- a/docs/styles/config/vocabularies/edgeless/accept.txt
+++ b/docs/styles/config/vocabularies/edgeless/accept.txt
@ -11,6 +11,7 @@ backend
 Bazel
 bootloader
 Bootstrapper
+CLI
 cloud
 config
 CPU
--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module github.com/edgelesssys/constellation/v2

-go 1.22
+go 1.22.3

 replace (
 	k8s.io/api v0.0.0 => k8s.io/api v0.29.0
@ -41,126 +41,132 @@ replace (
 )

 require (
-	cloud.google.com/go/compute v1.24.0
-	cloud.google.com/go/compute/metadata v0.2.3
-	cloud.google.com/go/kms v1.15.7
-	cloud.google.com/go/secretmanager v1.11.5
-	cloud.google.com/go/storage v1.38.0
+	cloud.google.com/go/compute v1.26.0
+	cloud.google.com/go/compute/metadata v0.3.0
+	cloud.google.com/go/kms v1.15.9
+	cloud.google.com/go/secretmanager v1.13.0
+	cloud.google.com/go/storage v1.40.0
 	dario.cat/mergo v1.0.0
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.5.0
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5 v5.0.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.7.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5 v5.1.1
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.0
-	github.com/aws/aws-sdk-go v1.50.22
-	github.com/aws/aws-sdk-go-v2 v1.25.0
-	github.com/aws/aws-sdk-go-v2/config v1.27.1
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.1
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.0
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.3
-	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.39.1
-	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.34.1
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.148.1
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.29.1
-	github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.20.2
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.50.2
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.27.2
-	github.com/aws/smithy-go v1.20.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.2
+	github.com/BurntSushi/toml v1.3.2
+	github.com/aws/aws-sdk-go v1.52.4
+	github.com/aws/aws-sdk-go-v2 v1.26.1
+	github.com/aws/aws-sdk-go-v2/config v1.27.11
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.11
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15
+	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.40.5
+	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.36.0
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.160.0
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.30.5
+	github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.21.4
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.6
+	github.com/aws/smithy-go v1.20.2
 	github.com/bazelbuild/buildtools v0.0.0-20230317132445-9c3c1fc0106e
-	github.com/bazelbuild/rules_go v0.42.0
+	github.com/bazelbuild/rules_go v0.47.1
 	github.com/coreos/go-systemd/v22 v22.5.0
-	github.com/docker/docker v25.0.5+incompatible
+	github.com/docker/docker v26.1.1+incompatible
 	github.com/edgelesssys/go-azguestattestation v0.0.0-20230707101700-a683be600fcf
 	github.com/edgelesssys/go-tdx-qpl v0.0.0-20240123150912-dcad3c41ec5f
 	github.com/foxboron/go-uefi v0.0.0-20240128152106-48be911532c2
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/go-playground/locales v0.14.1
 	github.com/go-playground/universal-translator v0.18.1
-	github.com/go-playground/validator/v10 v10.14.1
-	github.com/golang-jwt/jwt/v5 v5.2.0
+	github.com/go-playground/validator/v10 v10.20.0
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/go-sev-guest v0.9.3
 	github.com/google/go-tdx-guest v0.3.1
 	github.com/google/go-tpm v0.9.0
-	github.com/google/go-tpm-tools v0.4.3-0.20240112165732-912a43636883
+	github.com/google/go-tpm-tools v0.4.4
 	github.com/google/uuid v1.6.0
-	github.com/googleapis/gax-go/v2 v2.12.1
-	github.com/gophercloud/gophercloud v1.9.0
+	github.com/googleapis/gax-go/v2 v2.12.4
+	github.com/gophercloud/gophercloud v1.11.0
 	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56
-	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.1
+	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0
 	github.com/hashicorp/go-kms-wrapping/v2 v2.0.16
 	github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9
 	github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11
-	github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.11
+	github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12
 	github.com/hashicorp/go-version v1.6.0
-	github.com/hashicorp/hc-install v0.6.3
-	github.com/hashicorp/hcl/v2 v2.19.1
+	github.com/hashicorp/hc-install v0.6.4
+	github.com/hashicorp/hcl/v2 v2.20.1
 	github.com/hashicorp/terraform-exec v0.20.0
 	github.com/hashicorp/terraform-json v0.21.0
-	github.com/hashicorp/terraform-plugin-framework v1.5.0
+	github.com/hashicorp/terraform-plugin-framework v1.8.0
 	github.com/hashicorp/terraform-plugin-framework-validators v0.12.0
-	github.com/hashicorp/terraform-plugin-go v0.21.0
+	github.com/hashicorp/terraform-plugin-go v0.23.0
 	github.com/hashicorp/terraform-plugin-log v0.9.0
-	github.com/hashicorp/terraform-plugin-testing v1.6.0
+	github.com/hashicorp/terraform-plugin-testing v1.7.0
 	github.com/hexops/gotextdiff v1.0.3
 	github.com/martinjungblut/go-cryptsetup v0.0.0-20220520180014-fd0874fd07a6
 	github.com/mattn/go-isatty v0.0.20
-	github.com/onsi/ginkgo/v2 v2.14.0
-	github.com/onsi/gomega v1.30.0
+	github.com/mitchellh/go-homedir v1.1.0
+	github.com/onsi/ginkgo/v2 v2.17.3
+	github.com/onsi/gomega v1.33.1
 	github.com/pkg/errors v0.9.1
-	github.com/regclient/regclient v0.5.7
+	github.com/regclient/regclient v0.6.0
 	github.com/rogpeppe/go-internal v1.12.0
 	github.com/samber/slog-multi v1.0.2
-	github.com/schollz/progressbar/v3 v3.14.1
-	github.com/siderolabs/talos/pkg/machinery v1.6.4
-	github.com/sigstore/rekor v1.3.5
-	github.com/sigstore/sigstore v1.8.1
+	github.com/schollz/progressbar/v3 v3.14.2
+	github.com/secure-systems-lab/go-securesystemslib v0.8.0
+	github.com/siderolabs/talos/pkg/machinery v1.7.1
+	github.com/sigstore/rekor v1.3.6
+	github.com/sigstore/sigstore v1.8.3
 	github.com/spf13/afero v1.11.0
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	github.com/tink-crypto/tink-go/v2 v2.0.0
 	github.com/vincent-petithory/dataurl v1.0.0
-	go.etcd.io/etcd/api/v3 v3.5.12
-	go.etcd.io/etcd/client/pkg/v3 v3.5.12
-	go.etcd.io/etcd/client/v3 v3.5.12
+	go.etcd.io/etcd/api/v3 v3.5.13
+	go.etcd.io/etcd/client/pkg/v3 v3.5.13
+	go.etcd.io/etcd/client/v3 v3.5.13
 	go.uber.org/goleak v1.3.0
-	golang.org/x/crypto v0.22.0
-	golang.org/x/exp v0.0.0-20240213143201-ec583247a57a
-	golang.org/x/mod v0.15.0
-	golang.org/x/sys v0.19.0
-	golang.org/x/text v0.14.0
-	golang.org/x/tools v0.18.0
-	google.golang.org/api v0.165.0
-	google.golang.org/grpc v1.61.1
-	google.golang.org/protobuf v1.33.0
+	golang.org/x/crypto v0.23.0
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
+	golang.org/x/mod v0.17.0
+	golang.org/x/sys v0.20.0
+	golang.org/x/text v0.15.0
+	golang.org/x/tools v0.21.0
+	google.golang.org/api v0.178.0
+	google.golang.org/grpc v1.63.2
+	google.golang.org/protobuf v1.34.1
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm v2.17.0+incompatible
-	helm.sh/helm/v3 v3.14.2
-	k8s.io/api v0.29.0
-	k8s.io/apiextensions-apiserver v0.29.0
-	k8s.io/apimachinery v0.29.0
-	k8s.io/apiserver v0.29.0
-	k8s.io/client-go v0.29.0
+	helm.sh/helm/v3 v3.14.4
+	k8s.io/api v0.30.0
+	k8s.io/apiextensions-apiserver v0.30.0
+	k8s.io/apimachinery v0.30.0
+	k8s.io/apiserver v0.30.0
+	k8s.io/client-go v0.30.0
 	k8s.io/cluster-bootstrap v0.29.0
 	k8s.io/kubelet v0.29.0
 	k8s.io/kubernetes v1.29.4
 	k8s.io/mount-utils v0.29.0
-	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
-	libvirt.org/go/libvirt v1.10000.0
+	k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0
+	libvirt.org/go/libvirt v1.10003.0
+	sigs.k8s.io/controller-runtime v0.18.2
 	sigs.k8s.io/yaml v1.4.0
 )

 require (
-	cloud.google.com/go v0.112.0 // indirect
-	cloud.google.com/go/iam v1.1.6 // indirect
+	cloud.google.com/go v0.112.2 // indirect
+	cloud.google.com/go/auth v0.3.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
+	cloud.google.com/go/iam v1.1.7 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.6.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
@ -170,7 +176,6 @@ require (
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
-	github.com/BurntSushi/toml v1.3.2
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
@ -178,68 +183,68 @@ require (
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/Microsoft/hcsshim v0.11.4 // indirect
-	github.com/ProtonMail/go-crypto v1.1.0-alpha.0-proton // indirect
-	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
+	github.com/agext/levenshtein v1.2.2 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.0 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.19.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.22.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.27.1 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
-	github.com/containerd/containerd v1.7.13 // indirect
+	github.com/containerd/containerd v1.7.12 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
-	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.5.0 // indirect
-	github.com/docker/cli v25.0.3+incompatible // indirect
+	github.com/docker/cli v25.0.1+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.1 // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.2 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
-	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
-	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
-	github.com/go-openapi/analysis v0.22.2 // indirect
-	github.com/go-openapi/errors v0.21.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.2 // indirect
-	github.com/go-openapi/jsonreference v0.20.4 // indirect
-	github.com/go-openapi/loads v0.21.5 // indirect
-	github.com/go-openapi/runtime v0.27.1 // indirect
-	github.com/go-openapi/spec v0.20.14 // indirect
-	github.com/go-openapi/strfmt v0.22.0 // indirect
-	github.com/go-openapi/swag v0.22.9 // indirect
-	github.com/go-openapi/validate v0.23.0 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/runtime v0.28.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
@ -247,23 +252,23 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/certificate-transparency-go v1.1.7 // indirect
+	github.com/google/certificate-transparency-go v1.1.6 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-attestation v0.5.1 // indirect
+	github.com/google/go-attestation v0.5.0 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-configfs-tsm v0.2.2 // indirect
 	github.com/google/go-containerregistry v0.19.0 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/logger v1.1.1 // indirect
-	github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b // indirect
+	github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/gorilla/websocket v1.5.1 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
-	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-checkpoint v0.5.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@ -272,71 +277,70 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.6.0 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
-	github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 // indirect
+	github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/logutils v1.0.0 // indirect
-	github.com/hashicorp/terraform-plugin-sdk/v2 v2.30.0 // indirect
+	github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0 // indirect
 	github.com/hashicorp/terraform-registry-address v0.2.3 // indirect
 	github.com/hashicorp/terraform-svchost v0.1.1 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
-	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.17.6 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20240216200101-4eb5e3caa228 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/sys/mountinfo v0.7.1 // indirect
+	github.com/moby/sys/mountinfo v0.6.2 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/oklog/run v1.1.0 // indirect
+	github.com/oklog/run v1.0.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc6 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pborman/uuid v1.2.1 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.18.0 // indirect
-	github.com/prometheus/client_model v0.6.0 // indirect
-	github.com/prometheus/common v0.47.0 // indirect
+	github.com/prometheus/client_golang v1.19.0 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rubenv/sql-migrate v1.6.1 // indirect
+	github.com/rubenv/sql-migrate v1.5.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/samber/lo v1.38.1 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.8.0
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
@ -349,40 +353,38 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
-	github.com/zclconf/go-cty v1.14.2 // indirect
+	github.com/zclconf/go-cty v1.14.3 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0 // indirect
-	go.opentelemetry.io/otel v1.23.1 // indirect
-	go.opentelemetry.io/otel/metric v1.23.1 // indirect
-	go.opentelemetry.io/otel/trace v1.23.1 // indirect
-	go.starlark.net v0.0.0-20240123142251-f86470692795 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/oauth2 v0.17.0 // indirect
-	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/term v0.19.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/oauth2 v0.20.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/term v0.20.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto v0.0.0-20240221002015-b0ce06bbee7c // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240221002015-b0ce06bbee7c // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240221002015-b0ce06bbee7c // indirect
-	gopkg.in/evanphx/json-patch.v5 v5.9.0 // indirect
+	google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/cli-runtime v0.29.0 // indirect
-	k8s.io/component-base v0.29.0 // indirect
+	k8s.io/component-base v0.30.0 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20240220201932-37d671a357a5 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	k8s.io/kubectl v0.29.0 // indirect
 	oras.land/oras-go v1.2.5 // indirect
-	sigs.k8s.io/controller-runtime v0.17.2
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/kustomize/api v0.16.0 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect
+	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -93,13 +93,13 @@ type Config struct {
 	Tags cloudprovider.Tags `yaml:"tags" validate:"omitempty"`
 	// description: |
 	//   Supported cloud providers and their specific configurations.
-	Provider ProviderConfig `yaml:"provider" validate:"dive"`
+	Provider ProviderConfig `yaml:"provider"`
 	// description: |
 	//   Node groups to be created in the cluster.
 	NodeGroups map[string]NodeGroup `yaml:"nodeGroups" validate:"required,dive"`
 	// description: |
 	//   Configuration for attestation validation. This configuration provides sensible defaults for the Constellation version it was created for.\nSee the docs for an overview on attestation: https://docs.edgeless.systems/constellation/architecture/attestation
-	Attestation AttestationConfig `yaml:"attestation" validate:"dive"`
+	Attestation AttestationConfig `yaml:"attestation"`
 }

 // ProviderConfig are cloud-provider specific configuration values used by the CLI.
@ -108,19 +108,19 @@ type Config struct {
 type ProviderConfig struct {
 	// description: |
 	//   Configuration for AWS as provider.
-	AWS *AWSConfig `yaml:"aws,omitempty" validate:"omitempty,dive"`
+	AWS *AWSConfig `yaml:"aws,omitempty" validate:"omitempty"`
 	// description: |
 	//   Configuration for Azure as provider.
-	Azure *AzureConfig `yaml:"azure,omitempty" validate:"omitempty,dive"`
+	Azure *AzureConfig `yaml:"azure,omitempty" validate:"omitempty"`
 	// description: |
 	//   Configuration for Google Cloud as provider.
-	GCP *GCPConfig `yaml:"gcp,omitempty" validate:"omitempty,dive"`
+	GCP *GCPConfig `yaml:"gcp,omitempty" validate:"omitempty"`
 	// description: |
 	//   Configuration for OpenStack as provider.
-	OpenStack *OpenStackConfig `yaml:"openstack,omitempty" validate:"omitempty,dive"`
+	OpenStack *OpenStackConfig `yaml:"openstack,omitempty" validate:"omitempty"`
 	// description: |
 	//   Configuration for QEMU as provider.
-	QEMU *QEMUConfig `yaml:"qemu,omitempty" validate:"omitempty,dive"`
+	QEMU *QEMUConfig `yaml:"qemu,omitempty" validate:"omitempty"`
 }

 // AWSConfig are AWS specific configuration values used by the CLI.
@ -264,31 +264,31 @@ type QEMUConfig struct {
 type AttestationConfig struct {
 	// description: |
 	//   AWS SEV-SNP attestation.
-	AWSSEVSNP *AWSSEVSNP `yaml:"awsSEVSNP,omitempty" validate:"omitempty,dive"`
+	AWSSEVSNP *AWSSEVSNP `yaml:"awsSEVSNP,omitempty" validate:"omitempty"`
 	// description: |
 	//   AWS Nitro TPM attestation.
-	AWSNitroTPM *AWSNitroTPM `yaml:"awsNitroTPM,omitempty" validate:"omitempty,dive"`
+	AWSNitroTPM *AWSNitroTPM `yaml:"awsNitroTPM,omitempty" validate:"omitempty"`
 	// description: |
 	//   Azure SEV-SNP attestation.\nFor details see: https://docs.edgeless.systems/constellation/architecture/attestation#cvm-verification
-	AzureSEVSNP *AzureSEVSNP `yaml:"azureSEVSNP,omitempty" validate:"omitempty,dive"`
+	AzureSEVSNP *AzureSEVSNP `yaml:"azureSEVSNP,omitempty" validate:"omitempty"`
 	// description: |
 	//   Azure TDX attestation.
-	AzureTDX *AzureTDX `yaml:"azureTDX,omitempty" validate:"omitempty,dive"`
+	AzureTDX *AzureTDX `yaml:"azureTDX,omitempty" validate:"omitempty"`
 	// description: |
 	//   Azure TPM attestation (Trusted Launch).
-	AzureTrustedLaunch *AzureTrustedLaunch `yaml:"azureTrustedLaunch,omitempty" validate:"omitempty,dive"`
+	AzureTrustedLaunch *AzureTrustedLaunch `yaml:"azureTrustedLaunch,omitempty" validate:"omitempty"`
 	// description: |
 	//   GCP SEV-ES attestation.
-	GCPSEVES *GCPSEVES `yaml:"gcpSEVES,omitempty" validate:"omitempty,dive"`
+	GCPSEVES *GCPSEVES `yaml:"gcpSEVES,omitempty" validate:"omitempty"`
 	// description: |
 	// 	 GCP SEV-SNP attestation.
-	GCPSEVSNP *GCPSEVSNP `yaml:"gcpSEVSNP,omitempty" validate:"omitempty,dive"`
+	GCPSEVSNP *GCPSEVSNP `yaml:"gcpSEVSNP,omitempty" validate:"omitempty"`
 	// description: |
 	//   QEMU tdx attestation.
-	QEMUTDX *QEMUTDX `yaml:"qemuTDX,omitempty" validate:"omitempty,dive"`
+	QEMUTDX *QEMUTDX `yaml:"qemuTDX,omitempty" validate:"omitempty"`
 	// description: |
 	//   QEMU vTPM attestation.
-	QEMUVTPM *QEMUVTPM `yaml:"qemuVTPM,omitempty" validate:"omitempty,dive"`
+	QEMUVTPM *QEMUVTPM `yaml:"qemuVTPM,omitempty" validate:"omitempty"`
 }

 // NodeGroup defines a group of nodes with the same role and configuration.
@ -1130,7 +1130,7 @@ type AzureSEVSNP struct {
 	AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
 	// description: |
 	//   AMD Signing Key certificate used to verify the SEV-SNP VCEK / VLEK certificate.
-	AMDSigningKey Certificate `json:"amdSigningKey,omitempty" yaml:"amdSigningKey,omitempty" validate:"len=0"`
+	AMDSigningKey Certificate `json:"amdSigningKey,omitempty" yaml:"amdSigningKey,omitempty"`
 }

 // AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation.
--- a/internal/constellation/helm/overrides.go
+++ b/internal/constellation/helm/overrides.go
@ -33,14 +33,6 @@ import (
 // Also, the charts are not rendered correctly without all of these values.
 func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, output state.Infrastructure) map[string]any {
 	extraVals := map[string]any{}
-	if conformanceMode {
-		extraVals["kubeProxyReplacementHealthzBindAddr"] = ""
-		extraVals["kubeProxyReplacement"] = "partial"
-		extraVals["sessionAffinity"] = true
-		extraVals["cni"] = map[string]any{
-			"chainingMode": "portmap",
-		}
-	}

 	strictMode := map[string]any{}
 	// TODO(@3u13r): Once we are able to set the subnet of the load balancer VMs
@ -75,6 +67,28 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
 		},
 	}

+	// When --conformance is set, we try to mitigate https://github.com/cilium/cilium/issues/9207
+	// Users are discouraged of ever using this mode, except if they truly
+	// require protocol differentiation to work and cannot mitigate that any other way.
+	// Since there should always be workarounds, we only support this mode to
+	// pass the K8s conformance tests. It is not supported to switch to or from
+	// this mode after Constellation has been initialized.
+	// This only works for the K8s conformance tests up to K8s 1.28.
+	if conformanceMode {
+		extraVals["kubeProxyReplacementHealthzBindAddr"] = ""
+		extraVals["kubeProxyReplacement"] = "false"
+		extraVals["sessionAffinity"] = true
+		extraVals["cni"] = map[string]any{
+			"chainingMode": "portmap",
+		}
+		extraVals["ipMasqAgent"] = map[string]any{
+			"enabled": false,
+		}
+		extraVals["bpf"] = map[string]any{
+			"masquerade": false,
+		}
+	}
+
 	return extraVals
 }

--- a/internal/versions/components/components.pb.go
+++ b/internal/versions/components/components.pb.go
@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.33.0
+// 	protoc-gen-go v1.34.1
 // 	protoc        v4.22.1
 // source: internal/versions/components/components.proto

--- a/joinservice/joinproto/join.pb.go
+++ b/joinservice/joinproto/join.pb.go
@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.33.0
+// 	protoc-gen-go v1.34.1
 // 	protoc        v4.22.1
 // source: joinservice/joinproto/join.proto

--- a/keyservice/keyserviceproto/keyservice.pb.go
+++ b/keyservice/keyserviceproto/keyservice.pb.go
@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.33.0
+// 	protoc-gen-go v1.34.1
 // 	protoc        v4.22.1
 // source: keyservice/keyserviceproto/keyservice.proto

--- a/renovate.json5
+++ b/renovate.json5
@ -42,40 +42,20 @@
      "prPriority": -30,
    },
    {
-      "matchDepPatterns": ["^k8s.io", "^sigs.k8s.io"],
-      "groupName": "K8s dependencies",
-    },
-    {
-      "matchDepPatterns": ["^go.etcd.io/etcd"],
-      "groupName": "etcd dependencies",
-    },
-    {
-      "matchDepPatterns": ["^github.com/hashicorp/go-kms-wrapping"],
-      "groupName": "github.com/hashicorp/go-kms-wrapping",
-    },
-    {
-      "matchDepPatterns": ["^github.com/aws/aws-sdk-go-v2"],
-      "groupName": "AWS SDK",
-      "prPriority": -10,
-    },
-    {
-      "matchDepPatterns": [
-        "^github.com/Azure/",
-        "^github.com/AzureAD/microsoft-authentication-library-for-go",
+      // Group update of direct Go dependencies.
+      "groupName": "Go dependencies",
+      "matchManagers": ["gomod"],
+      "matchDepTypes": ["require"],
+      "matchUpdateTypes": [
+        "bump",
+        "digest",
+        "lockFileMaintenance",
+        "minor",
+        "patch",
+        "pin",
+        "pinDigest",
+        "rollback",
      ],
-      "groupName": "Azure SDK",
-    },
-    {
-      "matchDepPatterns": ["^cloud.google.com/go"],
-      "groupName": "Google SDK",
-    },
-    {
-      "matchDepPatterns": ["^google.golang.org/genproto"],
-      "prPriority": -10,
-    },
-    {
-      "matchDepPatterns": ["^libvirt.org/go"],
-      "groupName": "libvirt.org/go",
    },
    {
      "matchManagers": ["bazelisk", "bazel", "bazel-module"],
@ -84,7 +64,7 @@
    },
    {
      "matchDatasources": ["golang-version"],
-      "allowedVersions": "1.19",
+      "allowedVersions": "1.22",
    },
    {
      "matchManagers": ["pip_requirements"],
--- a/upgrade-agent/upgradeproto/upgrade.pb.go
+++ b/upgrade-agent/upgradeproto/upgrade.pb.go
@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.33.0
+// 	protoc-gen-go v1.34.1
 // 	protoc        v4.22.1
 // source: upgrade-agent/upgradeproto/upgrade.proto

--- a/verify/verifyproto/verify.pb.go
+++ b/verify/verifyproto/verify.pb.go
@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.33.0
+// 	protoc-gen-go v1.34.1
 // 	protoc        v4.22.1
 // source: verify/verifyproto/verify.proto
Author	SHA1	Message	Date
Felix Schuster	4ba4849407	Merge `a542a4d141` into `0325483504`	2024-05-09 07:54:12 +02:00
3u13r	0325483504	helm: disable cilium ipmasq agent when in conformance mode (#3062 )	2024-05-08 18:51:12 +02:00
Daniel Weiße	9def35ed06	deps: update all Go dependencies (#3071 ) * Upgrade Go dependencies Signed-off-by: Daniel Weiße <dw@edgeless.systems> * Group Go dependency upgrades Signed-off-by: Daniel Weiße <dw@edgeless.systems> * Remove usage of deprecated docker types Signed-off-by: Daniel Weiße <dw@edgeless.systems> * Fix usage of invalid validation tags Signed-off-by: Daniel Weiße <dw@edgeless.systems> * Regenerate bazel files Signed-off-by: Daniel Weiße <dw@edgeless.systems> * Keep github.com/bazelbuild/buildtools at old version to not break other dependencies Signed-off-by: Daniel Weiße <dw@edgeless.systems> --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>	2024-05-08 17:31:47 +02:00
Felix Schuster	a542a4d141	Fix link	2024-05-07 12:02:51 +00:00
Felix Schuster	1e8ac6c7a8	Address comments	2024-05-07 11:42:11 +00:00
Felix Schuster	c227019833	Update docs/docs/architecture/attestation.md Co-authored-by: 3u13r <lc@edgeless.systems>	2024-05-07 13:38:56 +02:00
Felix Schuster	1578b5820b	Update docs/docs/architecture/attestation.md Co-authored-by: 3u13r <lc@edgeless.systems>	2024-05-07 13:37:03 +02:00
Felix Schuster	5fdba7ad0d	Rewrite "chain of trust" section	2024-05-06 16:03:09 +00:00