ci: rename nixpkgs input (#3741)

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

.github/actions/artifact_download/action.yml

@@ -28,7 +28,7 @@ runs:
       run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
 
     - name: Download the artifact
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: ${{ inputs.name }}
         path: ${{ steps.tempdir.outputs.directory }}

.github/actions/artifact_upload/action.yml

@@ -69,7 +69,7 @@ runs:
         done
 
     - name: Upload archive as artifact
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ inputs.name }}
         path: ${{ steps.tempdir.outputs.directory }}/archive.7z

.github/actions/build_cli/action.yml

@@ -79,7 +79,7 @@ runs:
     # once it has the functionality
     - name: Install Cosign
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
     - name: Install Rekor
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''

.github/actions/build_micro_service/action.yml

@@ -42,7 +42,7 @@ runs:
 
     - name: Docker metadata
       id: meta
-      uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
       with:
         images: |
           ghcr.io/${{ github.repository }}/${{ inputs.name }}
@@ -62,7 +62,7 @@ runs:
 
     - name: Build and push container image
       id: build-micro-service
-      uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
       with:
         context: .
         file: ${{ inputs.dockerfile }}

.github/actions/cdbg_deploy/action.yml

@@ -61,7 +61,7 @@ runs:
 
     - name: Login to AWS (IAM service principal)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
         aws-region: eu-central-1
@@ -80,7 +80,7 @@ runs:
 
     - name: Login to AWS (Cluster service principal)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
         aws-region: eu-central-1

.github/actions/check_measurements_reproducibility/action.yml

@@ -0,0 +1,58 @@
+name: Check measurements reproducibility
+description: Check if the measurements of a given release are reproducible.
+
+inputs:
+  version:
+    type: string
+    description: The version of the measurements that are downloaded from the CDN.
+    required: true
+  ref:
+    type: string
+    description: The git ref to check out. You probably want this to be the tag of the release you are testing.
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: ${{ inputs.ref }}
+        path: ./release
+
+    - name: Set up bazel
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        useCache: "false"
+        nixTools: |
+          systemdUkify
+          jq
+          jd-diff-patch
+          moreutils
+
+    - name: Build images
+      id: build-images
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Build required binaries
+        pushd release
+        bazel build //image/system:stable
+        echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT"
+        popd
+
+    - name: Download measurements
+      shell: bash
+      run: |
+        curl -fsLO https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ inputs.version }}/image/measurements.json
+    
+    - name: Cleanup release measurements and generate our own
+      shell: bash
+      run: |
+        ${{ github.action_path }}/create_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
+        
+    - name: Compare measurements
+      shell: bash
+      run: |
+        ${{ github.action_path }}/compare_measurements.sh "${{ steps.build-images.outputs.buildPath }}"

.github/actions/check_measurements_reproducibility/compare_measurements.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# no -e since we need to collect errors later
+# no -u since it interferes with checking associative arrays
+set -o pipefail
+shopt -s extglob
+
+declare -A errors
+
+for directory in "$1"/system/!(mkosi_wrapper.sh); do
+  dirname="$(basename "$directory")"
+  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+  echo "Their measurements for $attestationVariant:"
+  ts "  " < "$attestationVariant"_their-measurements.json
+  echo "Own measurements for $attestationVariant:"
+  ts "  " < "$attestationVariant"_own-measurements.json
+
+  diff="$(jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json)"
+  if [[ -n $diff ]]; then
+    errors["$attestationVariant"]="$diff"
+  fi
+done
+
+for attestationVariant in "${!errors[@]}"; do
+  echo "Failed to reproduce measurements for $attestationVariant:"
+  echo "${errors["$attestationVariant"]}" | ts "  "
+done
+
+if [[ ${#errors[@]} -ne 0 ]]; then
+  exit 1
+fi

.github/actions/check_measurements_reproducibility/create_measurements.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+shopt -s extglob
+
+for directory in "$1"/system/!(mkosi_wrapper.sh); do
+  dirname="$(basename "$directory")"
+  csp="$(echo "$dirname" | cut -d_ -f1)"
+  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+  # This jq filter selects the measurements for the correct CSP and attestation variant
+  # and then removes all `warnOnly: true` measurements.
+  jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \
+    '
+      .list.[]
+      | select(
+        .attestationVariant == $attestation_variant
+        and (.csp | ascii_downcase) == $csp
+      )
+      | .measurements
+      | to_entries
+      | map(select(.value.warnOnly | not))
+      | from_entries
+      | del(.[] .warnOnly)
+  ' \
+    measurements.json > "$attestationVariant"_their-measurements.json
+
+  bazel run --run_under "sudo --preserve-env" //image/measured-boot/cmd -- "$directory/constellation" /dev/stdout | jq '.measurements' > ./"$attestationVariant"_own-measurements.json
+done

.github/actions/constellation_destroy/action.yml

@@ -67,7 +67,7 @@ runs:
 
     - name: Login to AWS (Cluster role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
         aws-region: eu-central-1

.github/actions/constellation_iam_create/action.yml

@@ -102,6 +102,7 @@ runs:
           --tf-log=DEBUG \
           --yes ${extraFlags}
 
+    # TODO(@3u13r): Replace deprecated --serviceAccountID with --prefix
     - name: Constellation iam create gcp
       shell: bash
       if: inputs.cloudProvider == 'gcp'

.github/actions/constellation_iam_destroy/action.yml

@@ -23,7 +23,7 @@ runs:
 
     - name: Login to AWS (IAM role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
         aws-region: eu-central-1

.github/actions/container_registry_login/action.yml

@@ -17,7 +17,7 @@ runs:
   steps:
     - name: Use docker for logging in
       if: runner.os != 'macOS'
-      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
       with:
         registry: ${{ inputs.registry }}
         username: ${{ inputs.username }}

.github/actions/container_sbom/action.yml

@@ -19,7 +19,7 @@ runs:
   steps:
     - name: Install Cosign
       if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
     - name: Download Syft & Grype
       uses: ./.github/actions/install_syft_grype

.github/actions/deploy_logcollection/action.yml

@@ -67,7 +67,7 @@ runs:
     # Make sure that helm is installed
     # This is not always the case, e.g. on MacOS runners
     - name: Install Helm
-      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+      uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
       with:
         version: v3.9.0
 

.github/actions/download_release_binaries/action.yml

@@ -5,51 +5,51 @@ runs:
   using: "composite"
   steps:
     - name: Download CLI binaries darwin-amd64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-darwin-amd64
 
     - name: Download CLI binaries darwin-arm64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-darwin-arm64
 
     - name: Download CLI binaries linux-amd64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-linux-amd64
 
     - name: Download CLI binaries linux-arm64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-linux-arm64
 
     - name: Download CLI binaries windows-amd64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: constellation-windows-amd64
 
     - name: Download Terraform module
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-module
 
     - name: Download Terraform provider binary darwin-amd64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-darwin-amd64
 
     - name: Download Terraform provider binary darwin-arm64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-darwin-arm64
 
     - name: Download Terraform provider binary linux-amd64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-linux-amd64
 
     - name: Download Terraform provider binary linux-arm64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: terraform-provider-constellation-linux-arm64

.github/actions/e2e_attestationconfigapi/action.yml

@@ -19,7 +19,7 @@ runs:
       uses: ./.github/actions/setup_bazel_nix
 
     - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubTestResourceAPI
         aws-region: eu-west-1

.github/actions/e2e_benchmark/action.yml

@@ -32,7 +32,7 @@ runs:
 
   steps:
     - name: Setup python
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
         python-version: "3.10"
 
@@ -166,7 +166,7 @@ runs:
         encryptionSecret: ${{ inputs.encryptionSecret }}
 
     - name: Assume AWS role to retrieve and update benchmarks in S3
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks
         aws-region: us-east-2

.github/actions/e2e_benchmark/evaluate/requirements.txt

@@ -1,3 +1,3 @@
-numpy ==2.2.2
-matplotlib ==3.10.0
+numpy ==2.2.4
+matplotlib ==3.10.1
 Pillow ==11.1.0

.github/actions/e2e_cleanup_timeframe/action.yml

@@ -22,7 +22,7 @@ runs:
   using: "composite"
   steps:
     - name: Authenticate AWS
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EDestroy
         aws-region: eu-central-1

.github/actions/e2e_emergency_ssh/action.yml

@@ -0,0 +1,68 @@
+name: Emergency ssh
+description: "Verify that an emergency ssh connection can be established."
+
+inputs:
+  kubeconfig:
+    description: "The kubeconfig file for the cluster."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Test emergency ssh
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      run: |
+        set -euo pipefail
+
+        # Activate emergency ssh access to the cluster
+        pushd ./constellation-terraform
+        echo "emergency_ssh = true" >> terraform.tfvars
+        terraform apply -auto-approve
+        lb="$(terraform output -raw loadbalancer_address)"
+        popd
+
+        # write ssh config
+        cat > ssh_config <<EOF
+        Host $lb
+          ProxyJump none
+
+        Host *
+          StrictHostKeyChecking no
+          UserKnownHostsFile=/dev/null
+          IdentityFile ./access-key
+          PreferredAuthentications publickey
+          CertificateFile=constellation_cert.pub
+          User root
+          ProxyJump $lb
+        EOF
+
+        for i in {1..26}; do
+          if [[ "$i" -eq 26 ]]; then
+            echo "Port 22 never became reachable"
+            exit 1
+          fi
+          echo "Waiting until port 22 is reachable: $i/25"
+          if nc -z -w 25 "$lb" 22; then
+            break
+          fi
+        done
+
+        # generate and try keypair
+        ssh-keygen -t ecdsa -q -N "" -f ./access-key
+        constellation ssh --debug --key ./access-key.pub
+        internalIPs="$(kubectl get nodes -o=jsonpath='{.items[*].status.addresses}' | jq -r '.[] | select(.type == "InternalIP") | .address')"
+        for ip in $internalIPs; do
+          for i in {1..26}; do
+            if [[ "$i" -eq 26 ]]; then
+              echo "Failed to connect to $ip over $lb"
+              exit 1
+            fi
+            echo "Trying connection to $ip over $lb: $i/25"
+            if ssh -F ssh_config -o BatchMode=yes $ip true; then
+              echo "Connected to $ip successfully"
+              break
+            fi
+          done
+        done

.github/actions/e2e_sonobuoy/action.yml

@@ -70,7 +70,7 @@ runs:
 
     - name: Publish test results
       if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
-      uses: mikepenz/action-junit-report@ee6b445351cd81e2f73a16a0e52d598aeac2197f # v5.3.0
+      uses: mikepenz/action-junit-report@97744eca465b8df9e6e33271cb155003f85327f1 # v5.5.0
       with:
         report_paths: "**/junit_01.xml"
         fail_on_failure: true

.github/actions/e2e_test/action.yml

@@ -56,7 +56,7 @@ inputs:
     description: "Azure credentials authorized to create an IAM configuration."
     required: true
   test:
-    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]."
+    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade, emergency ssh]."
     required: true
   sonobuoyTestSuiteCmd:
     description: "The sonobuoy test suite to run."
@@ -115,7 +115,7 @@ runs:
   using: "composite"
   steps:
     - name: Check input
-      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade"]'), inputs.test))
+      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade", "emergency ssh"]'), inputs.test))
       shell: bash
       run: |
         echo "::error::Invalid input for test field: ${{ inputs.test }}"
@@ -149,6 +149,8 @@ runs:
 
     - name: Setup bazel
       uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: terraform
 
     - name: Log in to the Container registry
       uses: ./.github/actions/container_registry_login
@@ -225,7 +227,7 @@ runs:
 
     - name: Login to AWS (IAM role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
         aws-region: eu-central-1
@@ -256,6 +258,12 @@ runs:
       run: |
         uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
         uuid=${uuid%%-*}
+
+        # GCP has a 6 character limit the additional uuid prefix since the full prefix length has a maximum of 24
+        if [[ ${{ inputs.cloudProvider }} == 'gcp' ]]; then
+          uuid=${uuid:0:6}
+        fi
+
         echo "uuid=${uuid}" | tee -a $GITHUB_OUTPUT
         echo "prefix=e2e-${{ github.run_id }}-${{ github.run_attempt }}-${uuid}" | tee -a $GITHUB_OUTPUT
 
@@ -290,7 +298,7 @@ runs:
 
     - name: Login to AWS (Cluster role)
       if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
         aws-region: eu-central-1
@@ -444,3 +452,9 @@ runs:
         s3AccessKey: ${{ inputs.s3AccessKey }}
         s3SecretKey: ${{ inputs.s3SecretKey }}
         githubToken: ${{ inputs.githubToken }}
+    
+    - name: Run emergency ssh test
+      if: inputs.test == 'emergency ssh'
+      uses: ./.github/actions/e2e_emergency_ssh
+      with:
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}

.github/actions/e2e_verify/action.yml

@@ -82,7 +82,7 @@ runs:
 
     - name: Login to AWS
       if: github.ref_name == 'main'
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
         aws-region: eu-central-1

.github/actions/find_latest_image/action.yml

@@ -38,7 +38,7 @@ runs:
 
     - name: Login to AWS
       if: inputs.imageVersion == ''
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
         aws-region: eu-central-1

.github/actions/publish_helmchart/action.yml

@@ -29,7 +29,7 @@ runs:
         echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT
 
     - name: Create pull request
-      uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
       with:
         path: helm
         branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"

.github/actions/select_image/action.yml

@@ -18,7 +18,7 @@ runs:
   using: "composite"
   steps:
     - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
       with:
         role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
         aws-region: eu-central-1

.github/actions/setup_bazel_nix/action.yml

@@ -75,6 +75,7 @@ runs:
             echo "$RUNNER_ARCH not supported"
             exit 1
         fi
+        echo "nixVersion=$(cat "${{ github.workspace }}/.nixversion")" | tee -a "$GITHUB_OUTPUT"
         echo "::endgroup::"
 
     - name: Install current Bash on macOS
@@ -115,7 +116,7 @@ runs:
       if: steps.check_inputs.outputs.nixPreinstalled == 'false'
       uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
       with:
-        install_url: "https://releases.nixos.org/nix/nix-2.25.2/install"
+        install_url: "https://releases.nixos.org/nix/nix-${{ steps.check_inputs.outputs.nixVersion }}/install"
 
     - name: Set $USER if not set
       shell: bash
@@ -220,7 +221,7 @@ runs:
         { tools, repository, rev }:
         let
           repoFlake = builtins.getFlake ("github:" + repository + "/" + rev);
-          nixpkgs = repoFlake.inputs.nixpkgsUnstable;
+          nixpkgs = repoFlake.inputs.nixpkgs;
           pkgs = import nixpkgs { system = builtins.currentSystem; };
           toolPkgs = map (p: pkgs.${p}) tools;
         in

.github/actions/upload_terraform_module/action.yml

@@ -15,7 +15,7 @@ runs:
         zip -r terraform-module.zip terraform-module
 
     - name: Upload artifact
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: terraform-module
         path: terraform-module.zip

.github/workflows/aws-snp-launchmeasurement.yml

@@ -21,7 +21,7 @@ jobs:
 
     - name: Download Firmware release
       id: download-firmware
-      uses: robinraju/release-downloader@a96f54c1b5f5e09e47d9504526e96febd949d4c2 # v1.11
+      uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
       with:
         repository: aws/uefi
         latest: true

.github/workflows/build-ccm-gcp.yml

@@ -29,9 +29,9 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Go environment
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.23.6"
+          go-version: "1.24.1"
           cache: false
 
       - name: Install Crane
@@ -76,7 +76,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             ghcr.io/edgelesssys/cloud-provider-gcp
@@ -113,7 +113,7 @@ jobs:
 
       - name: Build and push container image
         id: build
-        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: ./cloud-provider-gcp
           push: ${{ github.ref_name == 'main' }}

.github/workflows/build-gcp-guest-agent.yml

@@ -85,7 +85,7 @@ jobs:
       - name: Docker meta
         id: meta
         if: steps.needs-build.outputs.out == 'true'
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             ${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent
@@ -114,7 +114,7 @@ jobs:
       - name: Build and push container image
         if: steps.needs-build.outputs.out == 'true'
         id: build
-        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: ./guest-agent
           file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile

.github/workflows/build-os-image-scheduled.yml

@@ -65,9 +65,9 @@ jobs:
           token: ${{ secrets.CI_COMMIT_PUSH_PR }}
 
       - name: Setup Go environment
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.23.6"
+          go-version: "1.24.1"
           cache: false
 
       - name: Determine version
@@ -97,7 +97,7 @@ jobs:
         run: rm -f internal/attestation/measurements/measurement-generator/generate
 
       - name: Create pull request
-        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           branch: "image/automated/update-measurements-${{ github.run_number }}"
           base: main

.github/workflows/build-os-image.yml

@@ -147,7 +147,7 @@ jobs:
           useCache: "false"
 
       - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
           aws-region: eu-central-1

.github/workflows/check-links.yml

@@ -25,7 +25,7 @@ jobs:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Link Checker
-        uses: lycheeverse/lychee-action@f796c8b7d468feb9b8c0a46da3fac0af6874d374 # v2.2.0
+        uses: lycheeverse/lychee-action@f613c4a64e50d792e0b31ec34bbcbba12263c6a6 # v2.3.0
         with:
           args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
           fail: true

.github/workflows/check-measurements-reproducibility.yml

@@ -0,0 +1,25 @@
+name: Check measurements reproducibility
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        type: string
+        description: The version of the measurements that are downloaded from the CDN.
+        required: true
+      ref:
+        type: string
+        description: The git ref to check out. You probably want this to be the tag of the release you are testing.
+        required: true
+
+jobs:
+  check-reproducibility:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        
+      - name: Check reproducibility
+        uses: ./.github/actions/check_measurements_reproducibility
+        with:
+          version: ${{ github.event.inputs.version }}
+          ref: ${{ github.event.inputs.ref }}

.github/workflows/codeql.yml

@@ -38,13 +38,13 @@ jobs:
 
       - name: Setup Go environment
         if: matrix.language == 'go'
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.23.6"
+          go-version: "1.24.1"
           cache: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
         with:
           languages: ${{ matrix.language }}
 
@@ -63,6 +63,6 @@ jobs:
           echo "::endgroup::"
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/draft-release.yml

@@ -92,8 +92,8 @@ jobs:
           cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
 
       - name: Upload CLI as artifact (unix)
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        if : ${{ matrix.os != 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os != 'windows' }}
         with:
           name: constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
@@ -101,8 +101,8 @@ jobs:
             build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig
 
       - name: Upload CLI as artifact (windows)
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        if : ${{ matrix.os == 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os == 'windows' }}
         with:
           name: constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
@@ -149,16 +149,16 @@ jobs:
           targetArch: ${{ matrix.arch }}
 
       - name: Upload Terraform Provider Binary as artifact (unix)
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        if : ${{ matrix.os != 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os != 'windows' }}
         with:
           name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
             build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
 
       - name: Upload Terraform Provider Binary as artifact (windows)
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        if : ${{ matrix.os == 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os == 'windows' }}
         with:
           name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
@@ -227,7 +227,7 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom
 
@@ -261,7 +261,7 @@ jobs:
           ref: ${{ inputs.ref || github.head_ref }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
       - name: Download Syft & Grype
         uses: ./.github/actions/install_syft_grype
@@ -296,13 +296,13 @@ jobs:
           COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
 
       - name: Upload Constellation CLI SBOM
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: constellation.spdx.sbom
           path: constellation.spdx.sbom
 
       - name: Upload Constellation CLI SBOM's signature
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: constellation.spdx.sbom.sig
           path: constellation.spdx.sbom.sig
@@ -316,14 +316,14 @@ jobs:
       - provenance-subjects
     # This must not be pinned to digest. See:
     # https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
     with:
       base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"
 
   provenance-verify:
     runs-on: ubuntu-24.04
     env:
-      SLSA_VERIFIER_VERSION: "2.5.1"
+      SLSA_VERIFIER_VERSION: "2.7.0"
     needs:
       - build-cli
       - provenance
@@ -340,12 +340,12 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom
 
       - name: Download provenance
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: ${{ needs.provenance.outputs.provenance-name }}
 
@@ -418,17 +418,17 @@ jobs:
         uses: ./.github/actions/download_release_binaries
 
       - name: Download CLI SBOM
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom
 
       - name: Download Constellation CLI SBOM's signature
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation.spdx.sbom.sig
 
       - name: Download Constellation provenance
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: ${{ needs.provenance.outputs.provenance-name }}
 

.github/workflows/e2e-test-provider-example.yml

@@ -154,7 +154,7 @@ jobs:
 
       - name: Login to AWS (IAM + Cluster role)
         if: steps.determine.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
           aws-region: eu-central-1

.github/workflows/e2e-test-release.yml

@@ -409,7 +409,7 @@ jobs:
       fail-fast: false
       max-parallel: 1
       matrix:
-        fromVersion: ["v2.20.1"]
+        fromVersion: ["v2.22.0"]
         attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
     name: Run upgrade tests
     secrets: inherit

.github/workflows/e2e-test-stackit.yml

@@ -40,7 +40,7 @@ jobs:
       fail-fast: false
       max-parallel: 6
       matrix:
-        kubernetesVersion: [ "1.28", "1.29", "1.30" ]
+        kubernetesVersion: [ "1.29", "1.30", "1.31" ]
         clusterCreation: [ "cli", "terraform" ]
         test: [ "sonobuoy quick" ]
     runs-on: ubuntu-24.04

.github/workflows/e2e-test-weekly.yml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"]
+        refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"]
     name: Find latest image
     runs-on: ubuntu-24.04
     permissions:
@@ -51,6 +51,33 @@ jobs:
           # Tests on main-debug refStream
           #
 
+          # Emergency SSH test on latest k8s version
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+
           # Sonobuoy full test on latest k8s version
           - test: "sonobuoy full"
             refStream: "ref/main/stream/debug/?"
@@ -138,7 +165,6 @@ jobs:
             kubernetes-version: "v1.29"
             clusterCreation: "cli"
 
-
           # verify test on latest k8s version
           - test: "verify"
             refStream: "ref/main/stream/debug/?"
@@ -420,7 +446,7 @@ jobs:
       fail-fast: false
       max-parallel: 1
       matrix:
-        fromVersion: ["v2.20.1"]
+        fromVersion: ["v2.22.0"]
         attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
     name: Run upgrade tests
     secrets: inherit

.github/workflows/e2e-test.yml

@@ -40,6 +40,7 @@ on:
           - "recover"
           - "malicious join"
           - "s3proxy"
+          - "emergency ssh"
           - "nop"
         required: true
       kubernetesVersion:

.github/workflows/e2e-upgrade.yml

@@ -268,13 +268,13 @@ jobs:
           push: true
 
       - name: Upload CLI binary # is needed for the cleanup step
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: constellation-upgrade-${{ inputs.attestationVariant }}
           path: build/constellation
 
       - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
           aws-region: eu-central-1
@@ -296,7 +296,7 @@ jobs:
 
       - name: Login to AWS (IAM role)
         if: needs.generate-input-parameters.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
           aws-region: eu-central-1
@@ -347,7 +347,7 @@ jobs:
 
       - name: Login to AWS (Cluster role)
         if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
           aws-region: eu-central-1
@@ -424,7 +424,7 @@ jobs:
           ref: ${{ inputs.gitRef }}
 
       - name: Download CLI
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: constellation-upgrade-${{ inputs.attestationVariant }}
           path: build

.github/workflows/e2e-windows.yml

@@ -45,7 +45,7 @@ jobs:
           push: true
 
       - name: Upload CLI artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           path: build/constellation.exe
           name: "constell-exe"
@@ -61,7 +61,7 @@ jobs:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Download CLI artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: "constell-exe"
 

.github/workflows/on-release.yml

@@ -142,7 +142,7 @@ jobs:
       - uses: ./.github/actions/setup_bazel_nix
 
       - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
           aws-region: eu-central-1

.github/workflows/purge-main.yml

@@ -23,7 +23,7 @@ jobs:
           ref: ${{ github.head_ref }}
 
       - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
           aws-region: eu-central-1

.github/workflows/release.yml

@@ -118,7 +118,7 @@ jobs:
           sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml
 
       - name: Create docs pull request
-        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           branch: ${{ env.BRANCH }}
           base: main
@@ -239,6 +239,17 @@ jobs:
       stream: "stable"
       ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
 
+  check-measurements-reproducibility:
+    name: Check measurements reproducibility
+    needs: [verify-inputs, os-image]
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check reproducibility
+        uses: ./.github/actions/check_measurements_reproducibility
+        with:
+          version: ${{ inputs.version }}
+          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
+
   update-hardcoded-measurements:
     name: Update hardcoded measurements (in the CLI)
     needs: [verify-inputs, os-image]
@@ -255,9 +266,9 @@ jobs:
           ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
 
       - name: Setup Go environment
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.23.6"
+          go-version: "1.24.1"
           cache: true
 
       - name: Build generateMeasurements tool

.github/workflows/reproducible-builds.yml

@@ -51,15 +51,16 @@ jobs:
       - name: Setup dependencies (eccentric)
         if: matrix.deps == 'eccentric'
         run: |
-          version=$(cat .bazelversion)
+          bazelVersion=$(cat .bazelversion)
           mkdir -p "$HOME/.local/bin"
-          curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$version/bazel-$version-linux-x86_64"
+          curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$bazelVersion/bazel-$bazelVersion-linux-x86_64"
           chmod a+x "$HOME/.local/bin/bazel"
           echo "$HOME/.local/bin" >> "$GITHUB_PATH"
 
-          curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v0.34.0/nix-installer-x86_64-linux # renovate:github-release
+          curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v3.2.1/nix-installer-x86_64-linux # renovate:github-release
+          nixVersion=$(cat .nixversion)
           chmod a+x "$HOME/.local/bin/nix-installer"
-          "$HOME/.local/bin/nix-installer" install --no-confirm
+          "$HOME/.local/bin/nix-installer" install --no-confirm --nix-package-url "https://releases.nixos.org/nix/nix-$nixVersion/nix-$nixVersion-x86_64-linux.tar.xz"
 
       - name: Build
         shell: bash
@@ -80,13 +81,13 @@ jobs:
         run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
 
       - name: Upload binary artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
           path: "${{ env.binary }}"
 
       - name: Upload hash artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
           path: "${{ env.binary }}.sha256"
@@ -145,13 +146,13 @@ jobs:
         run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
 
       - name: Upload binary artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
           path: "${{ env.binary }}"
 
       - name: Upload hash artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
           path: "${{ env.binary }}.sha256"
@@ -174,7 +175,7 @@ jobs:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Download binaries
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           pattern: "binaries-${{ matrix.target }}-*"
           merge-multiple: true
@@ -208,7 +209,7 @@ jobs:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Download os images
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           pattern: "osimages-${{ matrix.target }}-*"
           merge-multiple: true

.github/workflows/scorecard.yml

@@ -23,20 +23,20 @@ jobs:
           persist-credentials: false
 
       - name: Run analysis
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
 
       - name: Upload artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
         with:
           sarif_file: results.sarif

.github/workflows/sync-terraform-docs.yml

@@ -40,7 +40,7 @@ jobs:
 
       - name: Create pull request
         id: create-pull-request
-        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           path: terraform-provider-constellation
           branch: "feat/docs/update"

.github/workflows/test-operator-codegen.yml

@@ -26,9 +26,9 @@ jobs:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
       - name: Setup Go environment
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.23.6"
+          go-version: "1.24.1"
           cache: true
 
       - name: Run code generation

.github/workflows/test-tidy.yml

@@ -37,7 +37,7 @@ jobs:
 
       - name: Assume AWS role to upload Bazel dependencies to S3
         if: startsWith(github.head_ref, 'renovate/')
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
           aws-region: eu-central-1

.github/workflows/test-unittest.yml

@@ -49,7 +49,7 @@ jobs:
           rm -rf awscliv2.zip aws
 
       - name: Login to AWS (IAM role)
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubActionGocoverage
           aws-region: eu-central-1

.github/workflows/update-rpms.yml

@@ -18,7 +18,7 @@ jobs:
           token: ${{ secrets.CI_COMMIT_PUSH_PR }}
 
       - name: Assume AWS role to upload Bazel dependencies to S3
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
           aws-region: eu-central-1
@@ -39,7 +39,7 @@ jobs:
           fi
 
       - name: Create pull request
-        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           branch: "image/automated/update-rpms-${{ github.run_number }}"
           base: main

.github/workflows/versionsapi.yml

@@ -149,21 +149,21 @@ jobs:
 
       - name: Login to AWS without write access
         if: steps.check-rights.outputs.write == 'false'
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
           aws-region: eu-central-1
 
       - name: Login to AWS with write access
         if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'false'
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIWrite
           aws-region: eu-central-1
 
       - name: Login to AWS with write and image remove access
         if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'true'
-        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRemove
           aws-region: eu-central-1

.golangci.yml

@@ -1,53 +1,65 @@
+version: "2"
 run:
-  timeout: 10m
   build-tags:
     - integration
     - e2e
   modules-download-mode: readonly
-
 output:
   formats:
-    - format: tab
+    tab:
       path: stdout
-  sort-results: true
-
+      colors: false
 linters:
   enable:
-    # Default linters
-    - errcheck
-    - gosimple
-    - govet
-    - ineffassign
-    - staticcheck
-    - typecheck
-    - unused
-    # Additional linters
     - bodyclose
-    - errname
     - copyloopvar
+    - errname
     - godot
-    - gofmt
-    - gofumpt
     - misspell
     - noctx
     - revive
-    - tenv
     - unconvert
     - unparam
+    - usetesting
+  settings:
+    errcheck:
+      exclude-functions:
+        - (*go.uber.org/zap.Logger).Sync
+        - (*google.golang.org/grpc.Server).Serve
+  exclusions:
+    generated: lax
+    presets:
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - 3rdparty/node-maintenance-operator
+    rules:
+    # TODO(burgerdev): these exclusions have been added to ease migration to v2 and should eventually be addressed.
+    - linters: ["staticcheck"]
+      text: "QF1008: could remove embedded field"
+    - linters: ["staticcheck"]
+      text: "QF1001: could apply De Morgan's law"
+    - linters: ["staticcheck"]
+      text: "ST1005: error strings should not be capitalized"
+    - linters: ["revive"]
+      text: "package-comments: package comment should be of the form"
+    - linters: ["revive"]
+      text: "package-comments: should have a package comment"
+    - linters: ["staticcheck"]
+      text: "QF1012: Use fmt.Fprintf"
+    - linters: ["staticcheck"]
+      text: "ST1019"
 
+      
 issues:
   max-issues-per-linter: 0
   max-same-issues: 20
-  exclude-dirs:
-    - 3rdparty/node-maintenance-operator
-  include:
-    - EXC0012
-    - EXC0014
-
-linters-settings:
-  errcheck:
-    # List of functions to exclude from checking, where each entry is a single function to exclude.
-    # See https://github.com/kisielk/errcheck#excluding-functions for details.
-    exclude-functions:
-      - (*go.uber.org/zap.Logger).Sync
-      - (*google.golang.org/grpc.Server).Serve
+formatters:
+  enable:
+    - gofmt
+    - gofumpt
+  exclusions:
+    generated: lax
+    paths:
+      - 3rdparty/node-maintenance-operator

.nixversion

@@ -0,0 +1 @@
+2.25.2

3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel

@@ -0,0 +1,13 @@
+load("//bazel/sh:def.bzl", "sh_template")
+
+sh_template(
+    name = "pull_files",
+    data = [
+        "@com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy",
+    ],
+    substitutions = {
+        "@@POLICY_SRC@@": "$(rootpath @com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy)",
+    },
+    template = "pull_files.sh",
+    visibility = ["//visibility:public"],
+)

3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###### script header ######
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1
+
+# shellcheck source=../../../bazel/sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+controller_policy_source="@@POLICY_SRC@@"
+
+###### script body ######
+
+controller_policy_real_source=$(realpath "${controller_policy_source}")
+
+cd "${BUILD_WORKSPACE_DIRECTORY}" # needs to be done after realpath
+
+targetDir="terraform/infrastructure/iam/aws/alb_policy.json"
+
+cp "${controller_policy_real_source}" "${targetDir}"

3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl

@@ -0,0 +1,22 @@
+"""A module defining the source of the AWS load balancer controller."""
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+def aws_load_balancer_controller_deps():
+    http_archive(
+        name = "com_github_kubernetes_sigs_aws_load_balancer_controller",
+        urls = [
+            "https://cdn.confidential.cloud/constellation/cas/sha256/422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
+            "https://github.com/kubernetes-sigs/aws-load-balancer-controller/archive/refs/tags/v2.12.0.tar.gz",
+        ],
+        strip_prefix = "aws-load-balancer-controller-2.12.0",
+        build_file_content = """
+filegroup(
+    srcs = ["docs/install/iam_policy.json"],
+    name = "lb_policy",
+    visibility = ["//visibility:public"],
+)
+        """,
+        type = "tar.gz",
+        sha256 = "422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
+    )

MODULE.bazel

@@ -1,6 +1,6 @@
 module(name = "constellation")
 
-bazel_dep(name = "aspect_bazel_lib", version = "2.13.0")
+bazel_dep(name = "aspect_bazel_lib", version = "2.14.0")
 
 bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
 bazel_lib.yq()
@@ -9,12 +9,12 @@ use_repo(bazel_lib, "yq_toolchains")
 
 bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "gazelle", version = "0.42.0")
-bazel_dep(name = "hermetic_cc_toolchain", version = "3.1.1")
+bazel_dep(name = "hermetic_cc_toolchain", version = "3.2.0")
 bazel_dep(name = "rules_cc", version = "0.1.1")
-bazel_dep(name = "rules_go", version = "0.52.0", repo_name = "io_bazel_rules_go")
-bazel_dep(name = "rules_pkg", version = "1.0.1")
+bazel_dep(name = "rules_go", version = "0.53.0", repo_name = "io_bazel_rules_go")
+bazel_dep(name = "rules_pkg", version = "1.1.0")
 bazel_dep(name = "rules_proto", version = "7.1.0")
-bazel_dep(name = "rules_python", version = "1.1.0")
+bazel_dep(name = "rules_python", version = "1.3.0")
 
 bazel_dep(name = "buildifier_prebuilt", version = "8.0.1", dev_dependency = True)
 

MODULE.bazel.lock

@@ -12,8 +12,8 @@
     "https://bcr.bazel.build/modules/abseil-cpp/20240116.1/source.json": "9be551b8d4e3ef76875c0d744b5d6a504a27e3ae67bc6b28f46415fd2d2957da",
     "https://bcr.bazel.build/modules/apple_support/1.5.0/MODULE.bazel": "50341a62efbc483e8a2a6aec30994a58749bd7b885e18dd96aa8c33031e558ef",
     "https://bcr.bazel.build/modules/apple_support/1.5.0/source.json": "eb98a7627c0bc486b57f598ad8da50f6625d974c8f723e9ea71bd39f709c9862",
-    "https://bcr.bazel.build/modules/aspect_bazel_lib/2.13.0/MODULE.bazel": "af4a546cb88c618f2e241721d2d76b70b7ecfaa1d58fe27b9187d3edb9e418da",
-    "https://bcr.bazel.build/modules/aspect_bazel_lib/2.13.0/source.json": "5538ef77a1ecff41c119e040d4bc0148c83e9e79464a165ec86a1aa3171a5535",
+    "https://bcr.bazel.build/modules/aspect_bazel_lib/2.14.0/MODULE.bazel": "2b31ffcc9bdc8295b2167e07a757dbbc9ac8906e7028e5170a3708cecaac119f",
+    "https://bcr.bazel.build/modules/aspect_bazel_lib/2.14.0/source.json": "0cf1826853b0bef8b5cd19c0610d717500f5521aa2b38b72b2ec302ac5e7526c",
     "https://bcr.bazel.build/modules/bazel_features/1.1.0/MODULE.bazel": "cfd42ff3b815a5f39554d97182657f8c4b9719568eb7fded2b9135f084bf760b",
     "https://bcr.bazel.build/modules/bazel_features/1.1.1/MODULE.bazel": "27b8c79ef57efe08efccbd9dd6ef70d61b4798320b8d3c134fd571f78963dbcd",
     "https://bcr.bazel.build/modules/bazel_features/1.11.0/MODULE.bazel": "f9382337dd5a474c3b7d334c2f83e50b6eaedc284253334cf823044a26de03e8",
@@ -21,6 +21,7 @@
     "https://bcr.bazel.build/modules/bazel_features/1.17.0/MODULE.bazel": "039de32d21b816b47bd42c778e0454217e9c9caac4a3cf8e15c7231ee3ddee4d",
     "https://bcr.bazel.build/modules/bazel_features/1.18.0/MODULE.bazel": "1be0ae2557ab3a72a57aeb31b29be347bcdc5d2b1eb1e70f39e3851a7e97041a",
     "https://bcr.bazel.build/modules/bazel_features/1.19.0/MODULE.bazel": "59adcdf28230d220f0067b1f435b8537dd033bfff8db21335ef9217919c7fb58",
+    "https://bcr.bazel.build/modules/bazel_features/1.20.0/MODULE.bazel": "8b85300b9c8594752e0721a37210e34879d23adc219ed9dc8f4104a4a1750920",
     "https://bcr.bazel.build/modules/bazel_features/1.21.0/MODULE.bazel": "675642261665d8eea09989aa3b8afb5c37627f1be178382c320d1b46afba5e3b",
     "https://bcr.bazel.build/modules/bazel_features/1.21.0/source.json": "3e8379efaaef53ce35b7b8ba419df829315a880cb0a030e5bb45c96d6d5ecb5f",
     "https://bcr.bazel.build/modules/bazel_features/1.4.1/MODULE.bazel": "e45b6bb2350aff3e442ae1111c555e27eac1d915e77775f6fdc4b351b758b5d7",
@@ -53,13 +54,14 @@
     "https://bcr.bazel.build/modules/googletest/1.14.0.bcr.1/MODULE.bazel": "22c31a561553727960057361aa33bf20fb2e98584bc4fec007906e27053f80c6",
     "https://bcr.bazel.build/modules/googletest/1.14.0.bcr.1/source.json": "41e9e129f80d8c8bf103a7acc337b76e54fad1214ac0a7084bf24f4cd924b8b4",
     "https://bcr.bazel.build/modules/googletest/1.14.0/MODULE.bazel": "cfbcbf3e6eac06ef9d85900f64424708cc08687d1b527f0ef65aa7517af8118f",
-    "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.1.1/MODULE.bazel": "164331a6e73093376a19eaa1eae45a94aad3245e9e79d8f31237f4a8eb6c1c41",
-    "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.1.1/source.json": "a2f67694b91ae575e2715fa2c5745c8c9879e7132852ef45c05b4e25a0d3b423",
+    "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.2.0/MODULE.bazel": "8e7faec81c1f0fb65fe277ecfc75ea3636ce7bf848f88037fedd58e6eeacc28f",
+    "https://bcr.bazel.build/modules/hermetic_cc_toolchain/3.2.0/source.json": "67c2b76edff27c3ec449a935fc9468996d1a730b52a9a6f97c40c8a06d381630",
     "https://bcr.bazel.build/modules/jsoncpp/1.9.5/MODULE.bazel": "31271aedc59e815656f5736f282bb7509a97c7ecb43e927ac1a37966e0578075",
     "https://bcr.bazel.build/modules/jsoncpp/1.9.5/source.json": "4108ee5085dd2885a341c7fab149429db457b3169b86eb081fa245eadf69169d",
     "https://bcr.bazel.build/modules/libpfm/4.11.0/MODULE.bazel": "45061ff025b301940f1e30d2c16bea596c25b176c8b6b3087e92615adbd52902",
     "https://bcr.bazel.build/modules/platforms/0.0.10/MODULE.bazel": "8cb8efaf200bdeb2150d93e162c40f388529a25852b332cec879373771e48ed5",
-    "https://bcr.bazel.build/modules/platforms/0.0.10/source.json": "f22828ff4cf021a6b577f1bf6341cb9dcd7965092a439f64fc1bb3b7a5ae4bd5",
+    "https://bcr.bazel.build/modules/platforms/0.0.11/MODULE.bazel": "0daefc49732e227caa8bfa834d65dc52e8cc18a2faf80df25e8caea151a9413f",
+    "https://bcr.bazel.build/modules/platforms/0.0.11/source.json": "f7e188b79ebedebfe75e9e1d098b8845226c7992b307e28e1496f23112e8fc29",
     "https://bcr.bazel.build/modules/platforms/0.0.4/MODULE.bazel": "9b328e31ee156f53f3c416a64f8491f7eb731742655a47c9eec4703a71644aee",
     "https://bcr.bazel.build/modules/platforms/0.0.5/MODULE.bazel": "5733b54ea419d5eaf7997054bb55f6a1d0b5ff8aedf0176fef9eea44f3acda37",
     "https://bcr.bazel.build/modules/platforms/0.0.6/MODULE.bazel": "ad6eeef431dc52aefd2d77ed20a4b353f8ebf0f4ecdd26a807d2da5aa8cd0615",
@@ -100,8 +102,8 @@
     "https://bcr.bazel.build/modules/rules_go/0.42.0/MODULE.bazel": "8cfa875b9aa8c6fce2b2e5925e73c1388173ea3c32a0db4d2b4804b453c14270",
     "https://bcr.bazel.build/modules/rules_go/0.46.0/MODULE.bazel": "3477df8bdcc49e698b9d25f734c4f3a9f5931ff34ee48a2c662be168f5f2d3fd",
     "https://bcr.bazel.build/modules/rules_go/0.50.1/MODULE.bazel": "b91a308dc5782bb0a8021ad4330c81fea5bda77f96b9e4c117b9b9c8f6665ee0",
-    "https://bcr.bazel.build/modules/rules_go/0.52.0/MODULE.bazel": "0cf080a2706aa8fc9abf64286cee60fdf0238db37b7f1793b0f7d550d59ea3ae",
-    "https://bcr.bazel.build/modules/rules_go/0.52.0/source.json": "441bc7591044993dce9fb0377fcadf3086d6afac621b909d17d53858a4a1b8d4",
+    "https://bcr.bazel.build/modules/rules_go/0.53.0/MODULE.bazel": "a4ed760d3ac0dbc0d7b967631a9a3fd9100d28f7d9fcf214b4df87d4bfff5f9a",
+    "https://bcr.bazel.build/modules/rules_go/0.53.0/source.json": "c6dc34fb5bb8838652221a167d8f35ca3c8fdcbff8568f13cc75719802f95cff",
     "https://bcr.bazel.build/modules/rules_java/4.0.0/MODULE.bazel": "5a78a7ae82cd1a33cef56dc578c7d2a46ed0dca12643ee45edbb8417899e6f74",
     "https://bcr.bazel.build/modules/rules_java/5.3.5/MODULE.bazel": "a4ec4f2db570171e3e5eb753276ee4b389bae16b96207e9d3230895c99644b86",
     "https://bcr.bazel.build/modules/rules_java/6.3.0/MODULE.bazel": "a97c7678c19f236a956ad260d59c86e10a463badb7eb2eda787490f4c969b963",
@@ -127,7 +129,8 @@
     "https://bcr.bazel.build/modules/rules_license/1.0.0/source.json": "a52c89e54cc311196e478f8382df91c15f7a2bfdf4c6cd0e2675cc2ff0b56efb",
     "https://bcr.bazel.build/modules/rules_pkg/0.7.0/MODULE.bazel": "df99f03fc7934a4737122518bb87e667e62d780b610910f0447665a7e2be62dc",
     "https://bcr.bazel.build/modules/rules_pkg/1.0.1/MODULE.bazel": "5b1df97dbc29623bccdf2b0dcd0f5cb08e2f2c9050aab1092fd39a41e82686ff",
-    "https://bcr.bazel.build/modules/rules_pkg/1.0.1/source.json": "bd82e5d7b9ce2d31e380dd9f50c111d678c3bdaca190cb76b0e1c71b05e1ba8a",
+    "https://bcr.bazel.build/modules/rules_pkg/1.1.0/MODULE.bazel": "9db8031e71b6ef32d1846106e10dd0ee2deac042bd9a2de22b4761b0c3036453",
+    "https://bcr.bazel.build/modules/rules_pkg/1.1.0/source.json": "fef768df13a92ce6067e1cd0cdc47560dace01354f1d921cfb1d632511f7d608",
     "https://bcr.bazel.build/modules/rules_proto/4.0.0/MODULE.bazel": "a7a7b6ce9bee418c1a760b3d84f83a299ad6952f9903c67f19e4edd964894e06",
     "https://bcr.bazel.build/modules/rules_proto/5.3.0-21.7/MODULE.bazel": "e8dff86b0971688790ae75528fe1813f71809b5afd57facb44dad9e8eca631b7",
     "https://bcr.bazel.build/modules/rules_proto/6.0.0/MODULE.bazel": "b531d7f09f58dce456cd61b4579ce8c86b38544da75184eadaf0a7cb7966453f",
@@ -142,8 +145,9 @@
     "https://bcr.bazel.build/modules/rules_python/0.28.0/MODULE.bazel": "cba2573d870babc976664a912539b320cbaa7114cd3e8f053c720171cde331ed",
     "https://bcr.bazel.build/modules/rules_python/0.31.0/MODULE.bazel": "93a43dc47ee570e6ec9f5779b2e64c1476a6ce921c48cc9a1678a91dd5f8fd58",
     "https://bcr.bazel.build/modules/rules_python/0.4.0/MODULE.bazel": "9208ee05fd48bf09ac60ed269791cf17fb343db56c8226a720fbb1cdf467166c",
-    "https://bcr.bazel.build/modules/rules_python/1.1.0/MODULE.bazel": "57e01abae22956eb96d891572490d20e07d983e0c065de0b2170cafe5053e788",
-    "https://bcr.bazel.build/modules/rules_python/1.1.0/source.json": "29f1fdfd23a40808c622f813bc93e29c3aae277333f03293f667e76159750a0f",
+    "https://bcr.bazel.build/modules/rules_python/1.0.0/MODULE.bazel": "898a3d999c22caa585eb062b600f88654bf92efb204fa346fb55f6f8edffca43",
+    "https://bcr.bazel.build/modules/rules_python/1.3.0/MODULE.bazel": "8361d57eafb67c09b75bf4bbe6be360e1b8f4f18118ab48037f2bd50aa2ccb13",
+    "https://bcr.bazel.build/modules/rules_python/1.3.0/source.json": "25932f917cd279c7baefa6cb1d3fa8750a7a29de522024449b19af6eab51f4a0",
     "https://bcr.bazel.build/modules/rules_shell/0.2.0/MODULE.bazel": "fda8a652ab3c7d8fee214de05e7a9916d8b28082234e8d2c0094505c5268ed3c",
     "https://bcr.bazel.build/modules/rules_shell/0.3.0/MODULE.bazel": "de4402cd12f4cc8fda2354fce179fdb068c0b9ca1ec2d2b17b3e21b24c1a937b",
     "https://bcr.bazel.build/modules/rules_shell/0.3.0/source.json": "c55ed591aa5009401ddf80ded9762ac32c358d2517ee7820be981e2de9756cf3",
@@ -340,72 +344,6 @@
         ]
       }
     },
-    "@@hermetic_cc_toolchain~//toolchain:ext.bzl%toolchains": {
-      "general": {
-        "bzlTransitiveDigest": "savfNVe5lHMf4Itncd4fhqgp41UPyKO5x7KBci6XiuM=",
-        "usagesDigest": "s8zOej8f/kCqZuhI0DSS+Y9oyZRfnXcEN6B/aAgjVHU=",
-        "recordedFileInputs": {},
-        "recordedDirentsInputs": {},
-        "envVariables": {},
-        "generatedRepoSpecs": {
-          "zig_sdk": {
-            "bzlFile": "@@hermetic_cc_toolchain~//toolchain:defs.bzl",
-            "ruleClassName": "zig_repository",
-            "attributes": {
-              "version": "0.12.0",
-              "url_formats": [
-                "https://mirror.bazel.build/ziglang.org/download/{version}/zig-{host_platform}-{version}.{_ext}",
-                "https://ziglang.org/download/{version}/zig-{host_platform}-{version}.{_ext}"
-              ],
-              "host_platform_sha256": {
-                "linux-aarch64": "754f1029484079b7e0ca3b913a0a2f2a6afd5a28990cb224fe8845e72f09de63",
-                "linux-x86_64": "c7ae866b8a76a568e2d5cfd31fe89cdb629bdd161fdd5018b29a4a0a17045cad",
-                "macos-aarch64": "294e224c14fd0822cfb15a35cf39aa14bd9967867999bf8bdfe3db7ddec2a27f",
-                "macos-x86_64": "4d411bf413e7667821324da248e8589278180dbc197f4f282b7dbb599a689311",
-                "windows-aarch64": "04c6b92689241ca7a8a59b5f12d2ca2820c09d5043c3c4808b7e93e41c7bf97b",
-                "windows-x86_64": "2199eb4c2000ddb1fba85ba78f1fcf9c1fb8b3e57658f6a627a8e513131893f5"
-              },
-              "host_platform_ext": {
-                "linux-aarch64": "tar.xz",
-                "linux-x86_64": "tar.xz",
-                "macos-aarch64": "tar.xz",
-                "macos-x86_64": "tar.xz",
-                "windows-x86_64": "zip"
-              }
-            }
-          }
-        },
-        "recordedRepoMappingEntries": [
-          [
-            "hermetic_cc_toolchain~",
-            "bazel_tools",
-            "bazel_tools"
-          ],
-          [
-            "hermetic_cc_toolchain~",
-            "hermetic_cc_toolchain",
-            "hermetic_cc_toolchain~"
-          ]
-        ]
-      }
-    },
-    "@@platforms//host:extension.bzl%host_platform": {
-      "general": {
-        "bzlTransitiveDigest": "xelQcPZH8+tmuOHVjL9vDxMnnQNMlwj0SlvgoqBkm4U=",
-        "usagesDigest": "8WuNbURwZrBrCS7egNs6hACAs9lW3nbF8SS2yX7+v9Y=",
-        "recordedFileInputs": {},
-        "recordedDirentsInputs": {},
-        "envVariables": {},
-        "generatedRepoSpecs": {
-          "host_platform": {
-            "bzlFile": "@@platforms//host:extension.bzl",
-            "ruleClassName": "host_platform_repo",
-            "attributes": {}
-          }
-        },
-        "recordedRepoMappingEntries": []
-      }
-    },
     "@@pybind11_bazel~//:python_configure.bzl%extension": {
       "general": {
         "bzlTransitiveDigest": "whINYge95GgPtysKDbNHQ0ZlWYdtKybHs5y2tLF+x7Q=",
@@ -627,8 +565,8 @@
     },
     "@@rules_python~//python/extensions:pip.bzl%pip": {
       "general": {
-        "bzlTransitiveDigest": "7isZ025eiUd/NnrGCxp8JXtjnxdOZNq/SglLxmU6ECo=",
-        "usagesDigest": "5gOu/rEipBiCefcMDC+RSD/hjMW+fRO2Sh6ij/fWupk=",
+        "bzlTransitiveDigest": "oxG8ogxHEbtSCgVhCDBRrjiTlucxn15T4guZ4/etTgo=",
+        "usagesDigest": "lABgNFDx2B8eu1/8FW60KMkCqsChEDxlIL/ERa0nIFc=",
         "recordedFileInputs": {
           "@@rules_python~//tools/publish/requirements_linux.txt": "d576e0d8542df61396a9b38deeaa183c24135ed5e8e73bb9622f298f2671811e",
           "@@rules_fuzzing~//fuzzing/requirements.txt": "ab04664be026b632a0d2a2446c4f65982b7654f5b6851d2f9d399a19b7242a5b",
@@ -1002,28 +940,6 @@
               ]
             }
           },
-          "rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_ppc64le_46bf4316": {
-            "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl",
-            "ruleClassName": "whl_library",
-            "attributes": {
-              "dep_template": "@rules_python_publish_deps//{name}:{target}",
-              "experimental_target_platforms": [
-                "cp311_linux_aarch64",
-                "cp311_linux_arm",
-                "cp311_linux_ppc",
-                "cp311_linux_s390x",
-                "cp311_linux_x86_64"
-              ],
-              "filename": "cffi-1.17.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl",
-              "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python",
-              "repo": "rules_python_publish_deps_311",
-              "requirement": "cffi==1.17.1",
-              "sha256": "46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1",
-              "urls": [
-                "https://files.pythonhosted.org/packages/1c/a0/a4fa9f4f781bda074c3ddd57a572b060fa0df7655d2a4247bbe277200146/cffi-1.17.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl"
-              ]
-            }
-          },
           "rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_s390x_a24ed04c": {
             "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl",
             "ruleClassName": "whl_library",
@@ -1238,31 +1154,6 @@
               ]
             }
           },
-          "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_ppc64le_ce031db0": {
-            "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl",
-            "ruleClassName": "whl_library",
-            "attributes": {
-              "dep_template": "@rules_python_publish_deps//{name}:{target}",
-              "experimental_target_platforms": [
-                "cp311_linux_aarch64",
-                "cp311_linux_arm",
-                "cp311_linux_ppc",
-                "cp311_linux_s390x",
-                "cp311_linux_x86_64",
-                "cp311_osx_aarch64",
-                "cp311_osx_x86_64",
-                "cp311_windows_x86_64"
-              ],
-              "filename": "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl",
-              "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python",
-              "repo": "rules_python_publish_deps_311",
-              "requirement": "charset-normalizer==3.4.0",
-              "sha256": "ce031db0408e487fd2775d745ce30a7cd2923667cf3b69d48d219f1d8f5ddeb6",
-              "urls": [
-                "https://files.pythonhosted.org/packages/e2/29/d227805bff72ed6d6cb1ce08eec707f7cfbd9868044893617eb331f16295/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl"
-              ]
-            }
-          },
           "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_s390x_8ff4e7cd": {
             "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl",
             "ruleClassName": "whl_library",
@@ -1338,31 +1229,6 @@
               ]
             }
           },
-          "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_ppc64le_f1a2f519": {
-            "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl",
-            "ruleClassName": "whl_library",
-            "attributes": {
-              "dep_template": "@rules_python_publish_deps//{name}:{target}",
-              "experimental_target_platforms": [
-                "cp311_linux_aarch64",
-                "cp311_linux_arm",
-                "cp311_linux_ppc",
-                "cp311_linux_s390x",
-                "cp311_linux_x86_64",
-                "cp311_osx_aarch64",
-                "cp311_osx_x86_64",
-                "cp311_windows_x86_64"
-              ],
-              "filename": "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_ppc64le.whl",
-              "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python",
-              "repo": "rules_python_publish_deps_311",
-              "requirement": "charset-normalizer==3.4.0",
-              "sha256": "f1a2f519ae173b5b6a2c9d5fa3116ce16e48b3462c8b96dfdded11055e3d6365",
-              "urls": [
-                "https://files.pythonhosted.org/packages/75/d2/0ab54463d3410709c09266dfb416d032a08f97fd7d60e94b8c6ef54ae14b/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_ppc64le.whl"
-              ]
-            }
-          },
           "rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_s390x_63bc5c4a": {
             "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl",
             "ruleClassName": "whl_library",
@@ -2363,31 +2229,6 @@
               ]
             }
           },
-          "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64le_34c03fa7": {
-            "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl",
-            "ruleClassName": "whl_library",
-            "attributes": {
-              "dep_template": "@rules_python_publish_deps//{name}:{target}",
-              "experimental_target_platforms": [
-                "cp311_linux_aarch64",
-                "cp311_linux_arm",
-                "cp311_linux_ppc",
-                "cp311_linux_s390x",
-                "cp311_linux_x86_64",
-                "cp311_osx_aarch64",
-                "cp311_osx_x86_64",
-                "cp311_windows_x86_64"
-              ],
-              "filename": "nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl",
-              "python_interpreter_target": "@@rules_python~~python~python_3_11_host//:python",
-              "repo": "rules_python_publish_deps_311",
-              "requirement": "nh3==0.2.18",
-              "sha256": "34c03fa78e328c691f982b7c03d4423bdfd7da69cd707fe572f544cf74ac23ad",
-              "urls": [
-                "https://files.pythonhosted.org/packages/ab/a7/375afcc710dbe2d64cfbd69e31f82f3e423d43737258af01f6a56d844085/nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl"
-              ]
-            }
-          },
           "rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_s390x_19aaba96": {
             "bzlFile": "@@rules_python~//python/private/pypi:whl_library.bzl",
             "ruleClassName": "whl_library",
@@ -3286,8 +3127,8 @@
               "whl_map": {
                 "backports_tarfile": "{\"rules_python_publish_deps_311_backports_tarfile_py3_none_any_77e284d7\":[{\"filename\":\"backports.tarfile-1.2.0-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_backports_tarfile_sdist_d75e02c2\":[{\"filename\":\"backports_tarfile-1.2.0.tar.gz\",\"version\":\"3.11\"}]}",
                 "certifi": "{\"rules_python_publish_deps_311_certifi_py3_none_any_922820b5\":[{\"filename\":\"certifi-2024.8.30-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_certifi_sdist_bec941d2\":[{\"filename\":\"certifi-2024.8.30.tar.gz\",\"version\":\"3.11\"}]}",
-                "cffi": "{\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_aarch64_a1ed2dd2\":[{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_ppc64le_46bf4316\":[{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_s390x_a24ed04c\":[{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_x86_64_610faea7\":[{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_aarch64_a9b15d49\":[{\"filename\":\"cffi-1.17.1-cp311-cp311-musllinux_1_1_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_x86_64_fc48c783\":[{\"filename\":\"cffi-1.17.1-cp311-cp311-musllinux_1_1_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cffi_sdist_1c39c601\":[{\"filename\":\"cffi-1.17.1.tar.gz\",\"version\":\"3.11\"}]}",
-                "charset_normalizer": "{\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_universal2_0d99dd8f\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_universal2.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_x86_64_c57516e5\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_11_0_arm64_6dba5d19\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_11_0_arm64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_aarch64_bf4475b8\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_ppc64le_ce031db0\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_s390x_8ff4e7cd\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_x86_64_3710a975\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_aarch64_47334db7\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_ppc64le_f1a2f519\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_ppc64le.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_s390x_63bc5c4a\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_s390x.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_x86_64_bcb4f8ea\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_win_amd64_cee4373f\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-win_amd64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_py3_none_any_fe9f97fe\":[{\"filename\":\"charset_normalizer-3.4.0-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_sdist_223217c3\":[{\"filename\":\"charset_normalizer-3.4.0.tar.gz\",\"version\":\"3.11\"}]}",
+                "cffi": "{\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_aarch64_a1ed2dd2\":[{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_s390x_a24ed04c\":[{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cffi_cp311_cp311_manylinux_2_17_x86_64_610faea7\":[{\"filename\":\"cffi-1.17.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_aarch64_a9b15d49\":[{\"filename\":\"cffi-1.17.1-cp311-cp311-musllinux_1_1_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cffi_cp311_cp311_musllinux_1_1_x86_64_fc48c783\":[{\"filename\":\"cffi-1.17.1-cp311-cp311-musllinux_1_1_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cffi_sdist_1c39c601\":[{\"filename\":\"cffi-1.17.1.tar.gz\",\"version\":\"3.11\"}]}",
+                "charset_normalizer": "{\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_universal2_0d99dd8f\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_universal2.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_10_9_x86_64_c57516e5\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_macosx_11_0_arm64_6dba5d19\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-macosx_11_0_arm64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_aarch64_bf4475b8\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_s390x_8ff4e7cd\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_manylinux_2_17_x86_64_3710a975\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_aarch64_47334db7\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_s390x_63bc5c4a\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_s390x.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_musllinux_1_2_x86_64_bcb4f8ea\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_cp311_cp311_win_amd64_cee4373f\":[{\"filename\":\"charset_normalizer-3.4.0-cp311-cp311-win_amd64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_py3_none_any_fe9f97fe\":[{\"filename\":\"charset_normalizer-3.4.0-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_charset_normalizer_sdist_223217c3\":[{\"filename\":\"charset_normalizer-3.4.0.tar.gz\",\"version\":\"3.11\"}]}",
                 "cryptography": "{\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_17_aarch64_846da004\":[{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_17_x86_64_0f996e72\":[{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_28_aarch64_f7b178f1\":[{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_28_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cryptography_cp39_abi3_manylinux_2_28_x86_64_c2e6fc39\":[{\"filename\":\"cryptography-43.0.3-cp39-abi3-manylinux_2_28_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cryptography_cp39_abi3_musllinux_1_2_aarch64_e1be4655\":[{\"filename\":\"cryptography-43.0.3-cp39-abi3-musllinux_1_2_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cryptography_cp39_abi3_musllinux_1_2_x86_64_df6b6c6d\":[{\"filename\":\"cryptography-43.0.3-cp39-abi3-musllinux_1_2_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_cryptography_sdist_315b9001\":[{\"filename\":\"cryptography-43.0.3.tar.gz\",\"version\":\"3.11\"}]}",
                 "docutils": "{\"rules_python_publish_deps_311_docutils_py3_none_any_dafca5b9\":[{\"filename\":\"docutils-0.21.2-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_docutils_sdist_3a6b1873\":[{\"filename\":\"docutils-0.21.2.tar.gz\",\"version\":\"3.11\"}]}",
                 "idna": "{\"rules_python_publish_deps_311_idna_py3_none_any_946d195a\":[{\"filename\":\"idna-3.10-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_idna_sdist_12f65c9b\":[{\"filename\":\"idna-3.10.tar.gz\",\"version\":\"3.11\"}]}",
@@ -3300,7 +3141,7 @@
                 "markdown_it_py": "{\"rules_python_publish_deps_311_markdown_it_py_py3_none_any_35521684\":[{\"filename\":\"markdown_it_py-3.0.0-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_markdown_it_py_sdist_e3f60a94\":[{\"filename\":\"markdown-it-py-3.0.0.tar.gz\",\"version\":\"3.11\"}]}",
                 "mdurl": "{\"rules_python_publish_deps_311_mdurl_py3_none_any_84008a41\":[{\"filename\":\"mdurl-0.1.2-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_mdurl_sdist_bb413d29\":[{\"filename\":\"mdurl-0.1.2.tar.gz\",\"version\":\"3.11\"}]}",
                 "more_itertools": "{\"rules_python_publish_deps_311_more_itertools_py3_none_any_037b0d32\":[{\"filename\":\"more_itertools-10.5.0-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_more_itertools_sdist_5482bfef\":[{\"filename\":\"more-itertools-10.5.0.tar.gz\",\"version\":\"3.11\"}]}",
-                "nh3": "{\"rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_14c5a72e\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_7b7c2a3c\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_aarch64_42c64511\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_armv7l_0411beb0\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_armv7l.manylinux2014_armv7l.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64_5f36b271\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64.manylinux2014_ppc64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64le_34c03fa7\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_s390x_19aaba96\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_x86_64_de3ceed6\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_aarch64_f0eca9ca\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_armv7l_3a157ab1\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_armv7l.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_x86_64_36c95d4b\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_win_amd64_8ce0f819\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-win_amd64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_sdist_94a16692\":[{\"filename\":\"nh3-0.2.18.tar.gz\",\"version\":\"3.11\"}]}",
+                "nh3": "{\"rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_14c5a72e\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_macosx_10_12_x86_64_7b7c2a3c\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-macosx_10_12_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_aarch64_42c64511\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_armv7l_0411beb0\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_armv7l.manylinux2014_armv7l.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_ppc64_5f36b271\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_ppc64.manylinux2014_ppc64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_s390x_19aaba96\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_s390x.manylinux2014_s390x.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_manylinux_2_17_x86_64_de3ceed6\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_aarch64_f0eca9ca\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_aarch64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_armv7l_3a157ab1\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_armv7l.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_musllinux_1_2_x86_64_36c95d4b\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-musllinux_1_2_x86_64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_cp37_abi3_win_amd64_8ce0f819\":[{\"filename\":\"nh3-0.2.18-cp37-abi3-win_amd64.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_nh3_sdist_94a16692\":[{\"filename\":\"nh3-0.2.18.tar.gz\",\"version\":\"3.11\"}]}",
                 "pkginfo": "{\"rules_python_publish_deps_311_pkginfo_py3_none_any_889a6da2\":[{\"filename\":\"pkginfo-1.10.0-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_pkginfo_sdist_5df73835\":[{\"filename\":\"pkginfo-1.10.0.tar.gz\",\"version\":\"3.11\"}]}",
                 "pycparser": "{\"rules_python_publish_deps_311_pycparser_py3_none_any_c3702b6d\":[{\"filename\":\"pycparser-2.22-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_pycparser_sdist_491c8be9\":[{\"filename\":\"pycparser-2.22.tar.gz\",\"version\":\"3.11\"}]}",
                 "pygments": "{\"rules_python_publish_deps_311_pygments_py3_none_any_b8e6aca0\":[{\"filename\":\"pygments-2.18.0-py3-none-any.whl\",\"version\":\"3.11\"}],\"rules_python_publish_deps_311_pygments_sdist_786ff802\":[{\"filename\":\"pygments-2.18.0.tar.gz\",\"version\":\"3.11\"}]}",
@@ -3482,6 +3323,37 @@
           ]
         ]
       }
+    },
+    "@@rules_python~//python/uv:uv.bzl%uv": {
+      "general": {
+        "bzlTransitiveDigest": "Xpqjnjzy6zZ90Es9Wa888ZLHhn7IsNGbph/e6qoxzw8=",
+        "usagesDigest": "qI5PVlIum/YAnGJg5oXGHzDkMFWt2aNSUZY4G8PBbic=",
+        "recordedFileInputs": {},
+        "recordedDirentsInputs": {},
+        "envVariables": {},
+        "generatedRepoSpecs": {
+          "uv": {
+            "bzlFile": "@@rules_python~//python/uv/private:uv_toolchains_repo.bzl",
+            "ruleClassName": "uv_toolchains_repo",
+            "attributes": {
+              "toolchain_type": "'@@rules_python~//python/uv:uv_toolchain_type'",
+              "toolchain_names": [
+                "none"
+              ],
+              "toolchain_implementations": {
+                "none": "'@@rules_python~//python:none'"
+              },
+              "toolchain_compatible_with": {
+                "none": [
+                  "@platforms//:incompatible"
+                ]
+              },
+              "toolchain_target_settings": {}
+            }
+          }
+        },
+        "recordedRepoMappingEntries": []
+      }
     }
   }
 }

WORKSPACE.bzlmod

@@ -234,6 +234,10 @@ load("//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:source.bzl"
 
 node_maintainance_operator_deps()
 
+load("//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:source.bzl", "aws_load_balancer_controller_deps")
+
+aws_load_balancer_controller_deps()
+
 # CI deps
 load("//bazel/toolchains:ci_deps.bzl", "ci_deps")
 

bazel/ci/BUILD.bazel

@@ -558,6 +558,7 @@ multirun(
     commands = [
         ":terraform_gen",
         "//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:pull_files",
+        "//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:pull_files",
         ":go_generate",
         ":proto_generate",
     ],

bazel/ci/govulncheck.sh.in

@@ -27,11 +27,16 @@ submodules=$(${go} list -f '{{.Dir}}' -m)
 PATH=$(dirname "${go}"):${PATH}
 
 check_module() {
+  excluded_osvs=(
+    "GO-2025-3521" # Kubernetes GitRepo Volume Inadvertent Local Repository Access
+    "GO-2025-3547" # Kubernetes kube-apiserver Vulnerable to Race Condition
+  )
+
   # shellcheck disable=SC2016 # The $ sign in the single quoted string is correct.
   CGO_ENABLED=0 ${govulncheck} -C "$1" -format json "./..." |
-    "${jq}" -sr '
+    "${jq}" --argjson excluded "$(printf '"%s"\n' "${excluded_osvs[@]}" | jq -s)" -sr '
         (map(select(.osv) | {"key": .osv.id, "value": .osv.summary}) | from_entries) as $osvs | 
-        map(select( .finding and .finding.osv != "GO-2024-3166" and .finding.osv != "GO-2025-3408" ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
+        map(select( .finding and all($excluded[] != .finding.osv; .) ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
         group_by(.osv) | 
         map( {"osv": .[0].osv, "summary": $osvs[.[0].osv], "traces": [.[] | [.trace[] | .module]]} ) |
         if length > 0 then halt_error(1) else .[] end'

bazel/ci/terraform.sh.in

@@ -46,7 +46,6 @@ excludeDirs=(
 excludeLockDirs=(
   "build"
   "terraform-provider-constellation"
-  "terraform/legacy-module"
 )
 
 excludeCheckDirs=(

bazel/toolchains/ci_deps.bzl

@@ -223,45 +223,45 @@ def _golangci_lint_deps():
         name = "com_github_golangci_golangci_lint_linux_amd64",
         build_file = "//bazel/toolchains:BUILD.golangci.bazel",
         urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/e6bd399a0479c5fd846dcf9f3990d20448b4f0d1e5027d82348eab9f80f7ac71",
-            "https://github.com/golangci/golangci-lint/releases/download/v1.64.5/golangci-lint-1.64.5-linux-amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/89cc8a7810dc63b9a37900da03e37c3601caf46d42265d774e0f1a5d883d53e2",
+            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-linux-amd64.tar.gz",
         ],
-        strip_prefix = "golangci-lint-1.64.5-linux-amd64",
+        strip_prefix = "golangci-lint-2.0.2-linux-amd64",
         type = "tar.gz",
-        sha256 = "e6bd399a0479c5fd846dcf9f3990d20448b4f0d1e5027d82348eab9f80f7ac71",
+        sha256 = "89cc8a7810dc63b9a37900da03e37c3601caf46d42265d774e0f1a5d883d53e2",
     )
     http_archive(
         name = "com_github_golangci_golangci_lint_linux_arm64",
         build_file = "//bazel/toolchains:BUILD.golangci.bazel",
         urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/59df27f9a82e461b00597c5f6d96c6a46bfdb4b7cddd9341502641d3d874a65a",
-            "https://github.com/golangci/golangci-lint/releases/download/v1.64.5/golangci-lint-1.64.5-linux-arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/789d5b91219ac68c2336f77d41cd7e33a910420594780f455893f8453d09595b",
+            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-linux-arm64.tar.gz",
         ],
-        strip_prefix = "golangci-lint-1.64.5-linux-arm64",
+        strip_prefix = "golangci-lint-2.0.2-linux-arm64",
         type = "tar.gz",
-        sha256 = "59df27f9a82e461b00597c5f6d96c6a46bfdb4b7cddd9341502641d3d874a65a",
+        sha256 = "789d5b91219ac68c2336f77d41cd7e33a910420594780f455893f8453d09595b",
     )
     http_archive(
         name = "com_github_golangci_golangci_lint_darwin_amd64",
         build_file = "//bazel/toolchains:BUILD.golangci.bazel",
         urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/7681c3e919491030558ef39b6ccaf49be1b3d19de611d30c02aec828dad822c1",
-            "https://github.com/golangci/golangci-lint/releases/download/v1.64.5/golangci-lint-1.64.5-darwin-amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/a88cbdc86b483fe44e90bf2dcc3fec2af8c754116e6edf0aa6592cac5baa7a0e",
+            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-darwin-amd64.tar.gz",
         ],
-        strip_prefix = "golangci-lint-1.64.5-darwin-amd64",
+        strip_prefix = "golangci-lint-2.0.2-darwin-amd64",
         type = "tar.gz",
-        sha256 = "7681c3e919491030558ef39b6ccaf49be1b3d19de611d30c02aec828dad822c1",
+        sha256 = "a88cbdc86b483fe44e90bf2dcc3fec2af8c754116e6edf0aa6592cac5baa7a0e",
     )
     http_archive(
         name = "com_github_golangci_golangci_lint_darwin_arm64",
         build_file = "//bazel/toolchains:BUILD.golangci.bazel",
         urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/8c4f11ef3a22d610dd5836a09c98e944b405624f932f20c7e72ae78abc552311",
-            "https://github.com/golangci/golangci-lint/releases/download/v1.64.5/golangci-lint-1.64.5-darwin-arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/664550e7954f5f4451aae99b4f7382c1a47039c66f39ca605f5d9af1a0d32b49",
+            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-darwin-arm64.tar.gz",
         ],
-        strip_prefix = "golangci-lint-1.64.5-darwin-arm64",
+        strip_prefix = "golangci-lint-2.0.2-darwin-arm64",
         type = "tar.gz",
-        sha256 = "8c4f11ef3a22d610dd5836a09c98e944b405624f932f20c7e72ae78abc552311",
+        sha256 = "664550e7954f5f4451aae99b4f7382c1a47039c66f39ca605f5d9af1a0d32b49",
     )
 
 def _buf_deps():
@@ -270,44 +270,44 @@ def _buf_deps():
         strip_prefix = "buf/bin",
         build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
         urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/80c1211dfc4844499c6ddad341bb21206579883fd33cea0a2c40c82befd70602",
-            "https://github.com/bufbuild/buf/releases/download/v1.50.0/buf-Linux-x86_64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/3cf4aa139b289e09f76f3b506d0f48b5d27bd4a58b510af6b976e6a0fb4a0953",
+            "https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Linux-x86_64.tar.gz",
         ],
         type = "tar.gz",
-        sha256 = "80c1211dfc4844499c6ddad341bb21206579883fd33cea0a2c40c82befd70602",
+        sha256 = "3cf4aa139b289e09f76f3b506d0f48b5d27bd4a58b510af6b976e6a0fb4a0953",
     )
     http_archive(
         name = "com_github_bufbuild_buf_linux_arm64",
         strip_prefix = "buf/bin",
         build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
         urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/4c920c5f96eb99ad13eb6f25cf740fdb42963401faa267bee03fbd3e163730b2",
-            "https://github.com/bufbuild/buf/releases/download/v1.50.0/buf-Linux-aarch64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/853f91722ab06e8e7d140b9693f6f6eafd4812636f193ab5dbae99ee1612f1b6",
+            "https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Linux-aarch64.tar.gz",
         ],
         type = "tar.gz",
-        sha256 = "4c920c5f96eb99ad13eb6f25cf740fdb42963401faa267bee03fbd3e163730b2",
+        sha256 = "853f91722ab06e8e7d140b9693f6f6eafd4812636f193ab5dbae99ee1612f1b6",
     )
     http_archive(
         name = "com_github_bufbuild_buf_darwin_amd64",
         strip_prefix = "buf/bin",
         build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
         urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/fc64b4a16964d7ec49fb2d245159d57dbfb3dac947e2a86413f9685cf8de2ac5",
-            "https://github.com/bufbuild/buf/releases/download/v1.50.0/buf-Darwin-x86_64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/ed5873b81f80d2aa95f4534b51c3a9e0d382d807902706b4aee7a61be5516461",
+            "https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Darwin-x86_64.tar.gz",
         ],
         type = "tar.gz",
-        sha256 = "fc64b4a16964d7ec49fb2d245159d57dbfb3dac947e2a86413f9685cf8de2ac5",
+        sha256 = "ed5873b81f80d2aa95f4534b51c3a9e0d382d807902706b4aee7a61be5516461",
     )
     http_archive(
         name = "com_github_bufbuild_buf_darwin_arm64",
         strip_prefix = "buf/bin",
         build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
         urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/c80f7f8a1d8ffd36c5db31a360c7e0b65c8cf671d60bd3c34e1558e54f84f4cc",
-            "https://github.com/bufbuild/buf/releases/download/v1.50.0/buf-Darwin-arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/fc34097ddc95533b0d8065bdf9cf368c63f040ea9d96ffda4ab2805122fddbce",
+            "https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Darwin-arm64.tar.gz",
         ],
         type = "tar.gz",
-        sha256 = "c80f7f8a1d8ffd36c5db31a360c7e0b65c8cf671d60bd3c34e1558e54f84f4cc",
+        sha256 = "fc34097ddc95533b0d8065bdf9cf368c63f040ea9d96ffda4ab2805122fddbce",
     )
 
 def _talos_docgen_deps():

bazel/toolchains/container_images.bzl

@@ -7,7 +7,7 @@ load("@rules_oci//oci:pull.bzl", "oci_pull")
 def containter_image_deps():
     oci_pull(
         name = "distroless_static",
-        digest = "sha256:3f2b64ef97bd285e36132c684e6b2ae8f2723293d09aae046196cca64251acac",
+        digest = "sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9",
         image = "gcr.io/distroless/static",
         platforms = [
             "linux/amd64",

bazel/toolchains/oci_deps.bzl

@@ -7,13 +7,13 @@ def oci_deps():
     # Remove this override once https://github.com/bazel-contrib/rules_oci/issues/420 is fixed.
     http_archive(
         name = "rules_oci",
-        strip_prefix = "rules_oci-2.2.1",
+        strip_prefix = "rules_oci-2.2.5",
         type = "tar.gz",
         urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/cfea16076ebbec1faea494882ab97d94b1a62d6bcd5aceabad8f95ea0d0a1361",
-            "https://github.com/bazel-contrib/rules_oci/releases/download/v2.2.1/rules_oci-v2.2.1.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
+            "https://github.com/bazel-contrib/rules_oci/releases/download/v2.2.5/rules_oci-v2.2.5.tar.gz",
         ],
-        sha256 = "cfea16076ebbec1faea494882ab97d94b1a62d6bcd5aceabad8f95ea0d0a1361",
+        sha256 = "361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
         patches = ["//bazel/toolchains:0001-disable-Windows-support.patch"],
         patch_args = ["-p1"],
     )

bootstrapper/initproto/init.pb.go

@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.4
+// 	protoc-gen-go v1.36.6
 // 	protoc        v5.29.1
 // source: bootstrapper/initproto/init.proto
 
@@ -458,83 +458,46 @@ func (x *KubernetesComponent) GetExtract() bool {
 
 var File_bootstrapper_initproto_init_proto protoreflect.FileDescriptor
 
-var file_bootstrapper_initproto_init_proto_rawDesc = string([]byte{
-	0x0a, 0x21, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x69,
-	0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x12, 0x04, 0x69, 0x6e, 0x69, 0x74, 0x1a, 0x2d, 0x69, 0x6e, 0x74, 0x65, 0x72,
-	0x6e, 0x61, 0x6c, 0x2f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x63, 0x6f, 0x6d,
-	0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e,
-	0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd0, 0x03, 0x0a, 0x0b, 0x49, 0x6e, 0x69,
-	0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x6d, 0x73, 0x5f,
-	0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x6d, 0x73, 0x55, 0x72,
-	0x69, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x5f, 0x75, 0x72, 0x69,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x55,
-	0x72, 0x69, 0x12, 0x29, 0x0a, 0x10, 0x6d, 0x65, 0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x5f, 0x73, 0x61, 0x6c, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x6d, 0x65,
-	0x61, 0x73, 0x75, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x61, 0x6c, 0x74, 0x12, 0x2d, 0x0a,
-	0x12, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x76, 0x65, 0x72, 0x73,
-	0x69, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x75, 0x62, 0x65, 0x72,
-	0x6e, 0x65, 0x74, 0x65, 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x29, 0x0a, 0x10,
-	0x63, 0x6f, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x6d, 0x6f, 0x64, 0x65,
-	0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61,
-	0x6e, 0x63, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x4a, 0x0a, 0x15, 0x6b, 0x75, 0x62, 0x65, 0x72,
-	0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73,
-	0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65,
-	0x6e, 0x74, 0x73, 0x2e, 0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x52, 0x14, 0x6b,
-	0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65,
-	0x6e, 0x74, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x69, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x72,
-	0x65, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x69, 0x6e, 0x69, 0x74, 0x53, 0x65,
-	0x63, 0x72, 0x65, 0x74, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f,
-	0x6e, 0x61, 0x6d, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73,
-	0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2e, 0x0a, 0x13, 0x61, 0x70, 0x69, 0x73, 0x65,
-	0x72, 0x76, 0x65, 0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x73, 0x61, 0x6e, 0x73, 0x18, 0x0a,
-	0x20, 0x03, 0x28, 0x09, 0x52, 0x11, 0x61, 0x70, 0x69, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43,
-	0x65, 0x72, 0x74, 0x53, 0x61, 0x6e, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x69,
-	0x63, 0x65, 0x5f, 0x63, 0x69, 0x64, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73,
-	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x43, 0x69, 0x64, 0x72, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05,
-	0x52, 0x19, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f,
-	0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x75, 0x72, 0x69, 0x22, 0xc1, 0x01, 0x0a, 0x0c,
-	0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3e, 0x0a, 0x0c,
-	0x69, 0x6e, 0x69, 0x74, 0x5f, 0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x19, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x53, 0x75,
-	0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x48, 0x00, 0x52,
-	0x0b, 0x69, 0x6e, 0x69, 0x74, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x3e, 0x0a, 0x0c,
-	0x69, 0x6e, 0x69, 0x74, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x19, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x46, 0x61,
-	0x69, 0x6c, 0x75, 0x72, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x48, 0x00, 0x52,
-	0x0b, 0x69, 0x6e, 0x69, 0x74, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x12, 0x29, 0x0a, 0x03,
-	0x6c, 0x6f, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x69, 0x6e, 0x69, 0x74,
-	0x2e, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65,
-	0x48, 0x00, 0x52, 0x03, 0x6c, 0x6f, 0x67, 0x42, 0x06, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x22,
-	0x6f, 0x0a, 0x13, 0x49, 0x6e, 0x69, 0x74, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f,
-	0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65,
-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x5f,
-	0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x49,
-	0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64,
-	0x22, 0x2b, 0x0a, 0x13, 0x49, 0x6e, 0x69, 0x74, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x23, 0x0a,
-	0x0f, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65,
-	0x12, 0x10, 0x0a, 0x03, 0x6c, 0x6f, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x6c,
-	0x6f, 0x67, 0x22, 0x78, 0x0a, 0x13, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73,
-	0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x12, 0x0a, 0x04, 0x68,
-	0x61, 0x73, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x61, 0x73, 0x68, 0x12,
-	0x21, 0x0a, 0x0c, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6c, 0x6c, 0x50, 0x61,
-	0x74, 0x68, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x18, 0x04, 0x20,
-	0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x32, 0x36, 0x0a, 0x03,
-	0x41, 0x50, 0x49, 0x12, 0x2f, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69, 0x6e,
-	0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12,
-	0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x30, 0x01, 0x42, 0x40, 0x5a, 0x3e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
-	0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63,
-	0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f,
-	0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69,
-	0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_bootstrapper_initproto_init_proto_rawDesc = "" +
+	"\n" +
+	"!bootstrapper/initproto/init.proto\x12\x04init\x1a-internal/versions/components/components.proto\"\xd0\x03\n" +
+	"\vInitRequest\x12\x17\n" +
+	"\akms_uri\x18\x01 \x01(\tR\x06kmsUri\x12\x1f\n" +
+	"\vstorage_uri\x18\x02 \x01(\tR\n" +
+	"storageUri\x12)\n" +
+	"\x10measurement_salt\x18\x03 \x01(\fR\x0fmeasurementSalt\x12-\n" +
+	"\x12kubernetes_version\x18\x05 \x01(\tR\x11kubernetesVersion\x12)\n" +
+	"\x10conformance_mode\x18\x06 \x01(\bR\x0fconformanceMode\x12J\n" +
+	"\x15kubernetes_components\x18\a \x03(\v2\x15.components.ComponentR\x14kubernetesComponents\x12\x1f\n" +
+	"\vinit_secret\x18\b \x01(\fR\n" +
+	"initSecret\x12!\n" +
+	"\fcluster_name\x18\t \x01(\tR\vclusterName\x12.\n" +
+	"\x13apiserver_cert_sans\x18\n" +
+	" \x03(\tR\x11apiserverCertSans\x12!\n" +
+	"\fservice_cidr\x18\v \x01(\tR\vserviceCidrJ\x04\b\x04\x10\x05R\x19cloud_service_account_uri\"\xc1\x01\n" +
+	"\fInitResponse\x12>\n" +
+	"\finit_success\x18\x01 \x01(\v2\x19.init.InitSuccessResponseH\x00R\vinitSuccess\x12>\n" +
+	"\finit_failure\x18\x02 \x01(\v2\x19.init.InitFailureResponseH\x00R\vinitFailure\x12)\n" +
+	"\x03log\x18\x03 \x01(\v2\x15.init.LogResponseTypeH\x00R\x03logB\x06\n" +
+	"\x04kind\"o\n" +
+	"\x13InitSuccessResponse\x12\x1e\n" +
+	"\n" +
+	"kubeconfig\x18\x01 \x01(\fR\n" +
+	"kubeconfig\x12\x19\n" +
+	"\bowner_id\x18\x02 \x01(\fR\aownerId\x12\x1d\n" +
+	"\n" +
+	"cluster_id\x18\x03 \x01(\fR\tclusterId\"+\n" +
+	"\x13InitFailureResponse\x12\x14\n" +
+	"\x05error\x18\x01 \x01(\tR\x05error\"#\n" +
+	"\x0fLogResponseType\x12\x10\n" +
+	"\x03log\x18\x01 \x01(\fR\x03log\"x\n" +
+	"\x13KubernetesComponent\x12\x10\n" +
+	"\x03url\x18\x01 \x01(\tR\x03url\x12\x12\n" +
+	"\x04hash\x18\x02 \x01(\tR\x04hash\x12!\n" +
+	"\finstall_path\x18\x03 \x01(\tR\vinstallPath\x12\x18\n" +
+	"\aextract\x18\x04 \x01(\bR\aextract26\n" +
+	"\x03API\x12/\n" +
+	"\x04Init\x12\x11.init.InitRequest\x1a\x12.init.InitResponse0\x01B@Z>github.com/edgelesssys/constellation/v2/bootstrapper/initprotob\x06proto3"
 
 var (
 	file_bootstrapper_initproto_init_proto_rawDescOnce sync.Once

cli/internal/cloudcmd/iam.go

@@ -91,6 +91,7 @@ type GCPIAMConfig struct {
 	Zone             string
 	ProjectID        string
 	ServiceAccountID string
+	NamePrefix       string
 }
 
 // AzureIAMConfig holds the necessary values for Azure IAM configuration.
@@ -141,6 +142,7 @@ func (c *IAMCreator) createGCP(ctx context.Context, cl tfIAMClient, opts *IAMCon
 
 	vars := terraform.GCPIAMVariables{
 		ServiceAccountID: opts.GCP.ServiceAccountID,
+		NamePrefix:       opts.GCP.NamePrefix,
 		Project:          opts.GCP.ProjectID,
 		Region:           opts.GCP.Region,
 		Zone:             opts.GCP.Zone,
@@ -158,7 +160,8 @@ func (c *IAMCreator) createGCP(ctx context.Context, cl tfIAMClient, opts *IAMCon
 	return IAMOutput{
 		CloudProvider: cloudprovider.GCP,
 		GCPOutput: GCPIAMOutput{
-			ServiceAccountKey: iamOutput.GCP.SaKey,
+			ServiceAccountKey:   iamOutput.GCP.SaKey,
+			IAMServiceAccountVM: iamOutput.GCP.ServiceAccountVMMailAddress,
 		},
 	}, nil
 }
@@ -232,7 +235,8 @@ type IAMOutput struct {
 
 // GCPIAMOutput contains the output information of a GCP IAM configuration.
 type GCPIAMOutput struct {
-	ServiceAccountKey string `json:"serviceAccountID,omitempty"`
+	ServiceAccountKey   string `json:"serviceAccountID,omitempty"`
+	IAMServiceAccountVM string `json:"iamServiceAccountVM,omitempty"`
 }
 
 // AzureIAMOutput contains the output information of a Microsoft Azure IAM configuration.

cli/internal/cloudcmd/iamupgrade.go

@@ -22,6 +22,9 @@ import (
 // UpgradeRequiresIAMMigration returns true if the given cloud provider requires an IAM migration.
 func UpgradeRequiresIAMMigration(provider cloudprovider.Provider) bool {
 	switch provider {
+	case cloudprovider.GCP:
+		// TODO(@3u13r): remove this case after the v2.22.0 release
+		return true
 	default:
 		return false
 	}

cli/internal/cloudcmd/tfvars.go

@@ -231,6 +231,7 @@ func gcpTerraformVars(conf *config.Config, imageRef string) *terraform.GCPCluste
 		InternalLoadBalancer: conf.InternalLoadBalancer,
 		CCTechnology:         ccTech,
 		AdditionalLabels:     conf.Tags,
+		IAMServiceAccountVM:  conf.Provider.GCP.IAMServiceAccountVM,
 	}
 }
 
@@ -240,6 +241,7 @@ func gcpTerraformIAMVars(conf *config.Config, oldVars terraform.GCPIAMVariables)
 		Region:           conf.Provider.GCP.Region,
 		Zone:             conf.Provider.GCP.Zone,
 		ServiceAccountID: oldVars.ServiceAccountID,
+		NamePrefix:       oldVars.NamePrefix,
 	}
 }
 

cli/internal/cmd/apply.go

@@ -368,7 +368,7 @@ func (a *applyCmd) apply(
 	// Check current Terraform state, if it exists and infrastructure upgrades are not skipped,
 	// and apply migrations if necessary.
 	if !a.flags.skipPhases.contains(skipInfrastructurePhase) {
-		if err := a.runTerraformApply(cmd, conf, stateFile, upgradeDir); err != nil {
+		if err := a.runTerraformApply(cmd, conf, stateFile, upgradeDir, a.flags.yes); err != nil {
 			return fmt.Errorf("applying Terraform configuration: %w", err)
 		}
 	}

cli/internal/cmd/apply_test.go

@@ -256,6 +256,7 @@ func TestValidateInputs(t *testing.T) {
 					ClientX509CertURL:       "client_cert",
 				}))
 				cfg.Provider.GCP.ServiceAccountKeyPath = "saKey.json"
+				cfg.Provider.GCP.IAMServiceAccountVM = "example@example.com"
 			}
 
 			require.NoError(fh.WriteYAML(constants.ConfigFilename, cfg))

cli/internal/cmd/applyterraform.go

@@ -22,7 +22,7 @@ import (
 )
 
 // runTerraformApply checks if changes to Terraform are required and applies them.
-func (a *applyCmd) runTerraformApply(cmd *cobra.Command, conf *config.Config, stateFile *state.State, upgradeDir string) error {
+func (a *applyCmd) runTerraformApply(cmd *cobra.Command, conf *config.Config, stateFile *state.State, upgradeDir string, yesFlag bool) error {
 	a.log.Debug("Checking if Terraform migrations are required")
 	terraformClient, removeClient, err := a.newInfraApplier(cmd.Context())
 	if err != nil {
@@ -36,6 +36,20 @@ func (a *applyCmd) runTerraformApply(cmd *cobra.Command, conf *config.Config, st
 		return fmt.Errorf("checking if Terraform workspace is empty: %w", err)
 	}
 
+	if !isNewCluster && cloudcmd.UpgradeRequiresIAMMigration(conf.GetProvider()) {
+		cmd.Println("WARNING: This upgrade requires an IAM migration. Please make sure you have applied the IAM migration using `iam upgrade apply` before continuing.")
+		if !yesFlag {
+			yes, err := askToConfirm(cmd, "Did you upgrade the IAM resources?")
+			if err != nil {
+				return fmt.Errorf("asking for confirmation: %w", err)
+			}
+			if !yes {
+				cmd.Println("Skipping upgrade.")
+				return nil
+			}
+		}
+	}
+
 	if changesRequired, err := a.planTerraformChanges(cmd, conf, terraformClient); err != nil {
 		return fmt.Errorf("planning Terraform migrations: %w", err)
 	} else if !changesRequired {

cli/internal/cmd/iamcreate.go

@@ -29,6 +29,9 @@ var (
 	regionRegex = regexp.MustCompile(`^\w+-\w+[0-9]$`)
 	// Source: https://cloud.google.com/resource-manager/reference/rest/v1/projects.
 	gcpIDRegex = regexp.MustCompile(`^[a-z][-a-z0-9]{4,28}[a-z0-9]$`)
+
+	// We currently append 6 characters to the prefix, therefore we remove 6 characters from the gcpIDRegex.
+	gcpPrefixRegex = regexp.MustCompile(`^[a-z][-a-z0-9]{4,22}[a-z0-9]$`)
 )
 
 // newIAMCreateCmd returns a new cobra.Command for the iam create parent command. It needs another verb, and does nothing on its own.

cli/internal/cmd/iamcreate_test.go

@@ -456,6 +456,7 @@ func TestIAMCreateGCP(t *testing.T) {
 		creator              *stubIAMCreator
 		zoneFlag             string
 		serviceAccountIDFlag string
+		namePrefixFlag       string
 		projectIDFlag        string
 		yesFlag              bool
 		updateConfigFlag     bool
@@ -466,6 +467,14 @@ func TestIAMCreateGCP(t *testing.T) {
 		wantErr              bool
 	}{
 		"iam create gcp": {
+			setupFs:        defaultFs,
+			creator:        &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:       "europe-west1-a",
+			namePrefixFlag: "constell-test",
+			projectIDFlag:  "constell-1234",
+			yesFlag:        true,
+		},
+		"iam create gcp with deprecated serice account flag": {
 			setupFs:              defaultFs,
 			creator:              &stubIAMCreator{id: validIAMIDFile},
 			zoneFlag:             "europe-west1-a",
@@ -474,91 +483,91 @@ func TestIAMCreateGCP(t *testing.T) {
 			yesFlag:              true,
 		},
 		"iam create gcp with existing config": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			yesFlag:              true,
-			existingConfigFiles:  []string{constants.ConfigFilename},
+			setupFs:             defaultFs,
+			creator:             &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:            "europe-west1-a",
+			namePrefixFlag:      "constell-test",
+			projectIDFlag:       "constell-1234",
+			yesFlag:             true,
+			existingConfigFiles: []string{constants.ConfigFilename},
 		},
 		"iam create gcp --update-config": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			updateConfigFlag:     true,
-			yesFlag:              true,
-			existingConfigFiles:  []string{constants.ConfigFilename},
+			setupFs:             defaultFs,
+			creator:             &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:            "europe-west1-a",
+			namePrefixFlag:      "constell-test",
+			projectIDFlag:       "constell-1234",
+			updateConfigFlag:    true,
+			yesFlag:             true,
+			existingConfigFiles: []string{constants.ConfigFilename},
 		},
 		"iam create gcp existing terraform dir": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
+			setupFs:        defaultFs,
+			creator:        &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:       "europe-west1-a",
+			namePrefixFlag: "constell-test",
+			projectIDFlag:  "constell-1234",
 
 			existingDirs: []string{constants.TerraformIAMWorkingDir},
 			yesFlag:      true,
 			wantErr:      true,
 		},
 		"iam create gcp invalid b64": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: invalidIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			yesFlag:              true,
-			wantErr:              true,
+			setupFs:        defaultFs,
+			creator:        &stubIAMCreator{id: invalidIAMIDFile},
+			zoneFlag:       "europe-west1-a",
+			namePrefixFlag: "constell-test",
+			projectIDFlag:  "constell-1234",
+			yesFlag:        true,
+			wantErr:        true,
 		},
 		"interactive": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			stdin:                "yes\n",
+			setupFs:        defaultFs,
+			creator:        &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:       "europe-west1-a",
+			namePrefixFlag: "constell-test",
+			projectIDFlag:  "constell-1234",
+			stdin:          "yes\n",
 		},
 		"interactive update config": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			stdin:                "yes\n",
-			updateConfigFlag:     true,
-			existingConfigFiles:  []string{constants.ConfigFilename},
+			setupFs:             defaultFs,
+			creator:             &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:            "europe-west1-a",
+			namePrefixFlag:      "constell-test",
+			projectIDFlag:       "constell-1234",
+			stdin:               "yes\n",
+			updateConfigFlag:    true,
+			existingConfigFiles: []string{constants.ConfigFilename},
 		},
 		"interactive abort": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			stdin:                "no\n",
-			wantAbort:            true,
+			setupFs:        defaultFs,
+			creator:        &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:       "europe-west1-a",
+			namePrefixFlag: "constell-test",
+			projectIDFlag:  "constell-1234",
+			stdin:          "no\n",
+			wantAbort:      true,
 		},
 		"interactive abort update config": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			stdin:                "no\n",
-			wantAbort:            true,
-			updateConfigFlag:     true,
-			existingConfigFiles:  []string{constants.ConfigFilename},
+			setupFs:             defaultFs,
+			creator:             &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:            "europe-west1-a",
+			namePrefixFlag:      "constell-test",
+			projectIDFlag:       "constell-1234",
+			stdin:               "no\n",
+			wantAbort:           true,
+			updateConfigFlag:    true,
+			existingConfigFiles: []string{constants.ConfigFilename},
 		},
 		"unwritable fs": {
-			setupFs:              readOnlyFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			yesFlag:              true,
-			updateConfigFlag:     true,
-			wantErr:              true,
+			setupFs:          readOnlyFs,
+			creator:          &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:         "europe-west1-a",
+			namePrefixFlag:   "constell-test",
+			projectIDFlag:    "constell-1234",
+			yesFlag:          true,
+			updateConfigFlag: true,
+			wantErr:          true,
 		},
 	}
 
@@ -590,6 +599,7 @@ func TestIAMCreateGCP(t *testing.T) {
 					flags: gcpIAMCreateFlags{
 						zone:             tc.zoneFlag,
 						serviceAccountID: tc.serviceAccountIDFlag,
+						namePrefix:       tc.serviceAccountIDFlag,
 						projectID:        tc.projectIDFlag,
 					},
 				},

cli/internal/cmd/iamcreategcp.go

@@ -31,13 +31,19 @@ func newIAMCreateGCPCmd() *cobra.Command {
 	cmd.Flags().String("zone", "", "GCP zone the cluster will be deployed in (required)\n"+
 		"Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available")
 	must(cobra.MarkFlagRequired(cmd.Flags(), "zone"))
-	cmd.Flags().String("serviceAccountID", "", "ID for the service account that will be created (required)\n"+
-		"Must be 6 to 30 lowercase letters, digits, or hyphens.")
-	must(cobra.MarkFlagRequired(cmd.Flags(), "serviceAccountID"))
+
+	cmd.Flags().String("serviceAccountID", "", "[Deprecated use \"--prefix\"]ID for the service account that will be created (required)\n"+
+		"Must be 6 to 30 lowercase letters, digits, or hyphens. This flag is mutually exclusive with --prefix.")
+	cmd.Flags().String("prefix", "", "Prefix for the service account ID and VM ID that will be created (required)\n"+
+		"Must be letters, digits, or hyphens.")
+
 	cmd.Flags().String("projectID", "", "ID of the GCP project the configuration will be created in (required)\n"+
 		"Find it on the welcome screen of your project: https://console.cloud.google.com/welcome")
 	must(cobra.MarkFlagRequired(cmd.Flags(), "projectID"))
 
+	cmd.MarkFlagsMutuallyExclusive([]string{"prefix", "serviceAccountID"}...)
+	must(cmd.Flags().MarkDeprecated("serviceAccountID", "use --prefix instead"))
+
 	return cmd
 }
 
@@ -53,6 +59,7 @@ func runIAMCreateGCP(cmd *cobra.Command, _ []string) error {
 type gcpIAMCreateFlags struct {
 	rootFlags
 	serviceAccountID string
+	namePrefix       string
 	zone             string
 	region           string
 	projectID        string
@@ -91,9 +98,18 @@ func (f *gcpIAMCreateFlags) parse(flags *pflag.FlagSet) error {
 	if err != nil {
 		return fmt.Errorf("getting 'serviceAccountID' flag: %w", err)
 	}
-	if !gcpIDRegex.MatchString(f.serviceAccountID) {
+	if f.serviceAccountID != "" && !gcpIDRegex.MatchString(f.serviceAccountID) {
 		return fmt.Errorf("serviceAccountID %q doesn't match %s", f.serviceAccountID, gcpIDRegex)
 	}
+
+	f.namePrefix, err = flags.GetString("prefix")
+	if err != nil {
+		return fmt.Errorf("getting 'prefix' flag: %w", err)
+	}
+	if f.namePrefix != "" && !gcpPrefixRegex.MatchString(f.namePrefix) {
+		return fmt.Errorf("prefix %q doesn't match %s", f.namePrefix, gcpIDRegex)
+	}
+
 	return nil
 }
 
@@ -109,13 +125,19 @@ func (c *gcpIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions {
 			Region:           c.flags.region,
 			ProjectID:        c.flags.projectID,
 			ServiceAccountID: c.flags.serviceAccountID,
+			NamePrefix:       c.flags.namePrefix,
 		},
 	}
 }
 
 func (c *gcpIAMCreator) printConfirmValues(cmd *cobra.Command) {
 	cmd.Printf("Project ID:\t\t%s\n", c.flags.projectID)
-	cmd.Printf("Service Account ID:\t%s\n", c.flags.serviceAccountID)
+	if c.flags.namePrefix != "" {
+		cmd.Printf("Name Prefix:\t\t%s\n", c.flags.namePrefix)
+	}
+	if c.flags.serviceAccountID != "" {
+		cmd.Printf("Service Account ID:\t%s\n", c.flags.serviceAccountID)
+	}
 	cmd.Printf("Region:\t\t\t%s\n", c.flags.region)
 	cmd.Printf("Zone:\t\t\t%s\n\n", c.flags.zone)
 }
@@ -127,11 +149,12 @@ func (c *gcpIAMCreator) printOutputValues(cmd *cobra.Command, _ cloudcmd.IAMOutp
 	cmd.Printf("serviceAccountKeyPath:\t%s\n\n", c.flags.pathPrefixer.PrefixPrintablePath(constants.GCPServiceAccountKeyFilename))
 }
 
-func (c *gcpIAMCreator) writeOutputValuesToConfig(conf *config.Config, _ cloudcmd.IAMOutput) {
+func (c *gcpIAMCreator) writeOutputValuesToConfig(conf *config.Config, out cloudcmd.IAMOutput) {
 	conf.Provider.GCP.Project = c.flags.projectID
 	conf.Provider.GCP.ServiceAccountKeyPath = constants.GCPServiceAccountKeyFilename // File was created in workspace, so only the filename is needed.
 	conf.Provider.GCP.Region = c.flags.region
 	conf.Provider.GCP.Zone = c.flags.zone
+	conf.Provider.GCP.IAMServiceAccountVM = out.GCPOutput.IAMServiceAccountVM
 	for groupName, group := range conf.NodeGroups {
 		group.Zone = c.flags.zone
 		conf.NodeGroups[groupName] = group

cli/internal/cmd/init_test.go

@@ -539,6 +539,7 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
 		conf.Provider.GCP.Project = "test-project"
 		conf.Provider.GCP.Zone = "test-zone"
 		conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path"
+		conf.Provider.GCP.IAMServiceAccountVM = "example@example.com"
 		conf.Attestation.GCPSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
 		conf.Attestation.GCPSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
 		conf.Attestation.GCPSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)

cli/internal/cmd/ssh.go

@@ -10,7 +10,6 @@ import (
 	"crypto/ed25519"
 	"crypto/rand"
 	"fmt"
-	"os"
 	"time"
 
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -28,12 +27,12 @@ import (
 func NewSSHCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "ssh",
-		Short: "Prepare your cluster for emergency ssh access",
-		Long:  "Prepare your cluster for emergency ssh access and sign a given key pair for authorization.",
+		Short: "Generate a certificate for emergency SSH access",
+		Long:  "Generate a certificate for emergency SSH access to your SSH-enabled constellation cluster.",
 		Args:  cobra.ExactArgs(0),
 		RunE:  runSSH,
 	}
-	cmd.Flags().String("key", "", "the path to an existing ssh public key")
+	cmd.Flags().String("key", "", "the path to an existing SSH public key")
 	must(cmd.MarkFlagRequired("key"))
 	return cmd
 }
@@ -54,18 +53,10 @@ func runSSH(cmd *cobra.Command, _ []string) error {
 }
 
 func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler, debugLogger debugLog) error {
-	_, err := fh.Stat(constants.TerraformWorkingDir)
-	if os.IsNotExist(err) {
-		return fmt.Errorf("directory %q does not exist", constants.TerraformWorkingDir)
-	}
-	if err != nil {
-		return err
-	}
-
 	// NOTE(miampf): Since other KMS aren't fully implemented yet, this commands assumes that the cKMS is used and derives the key accordingly.
 	var mastersecret uri.MasterSecret
-	if err = fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil {
-		return fmt.Errorf("reading master secret: %s", err)
+	if err := fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil {
+		return fmt.Errorf("reading master secret (does %q exist?): %w", constants.MasterSecretFilename, err)
 	}
 
 	mastersecretURI := uri.MasterSecret{Key: mastersecret.Key, Salt: mastersecret.Salt}
@@ -80,7 +71,7 @@ func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler,
 
 	ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed)
 	if err != nil {
-		return fmt.Errorf("generating ssh emergency CA key: %s", err)
+		return fmt.Errorf("generating SSH emergency CA key: %s", err)
 	}
 
 	debugLogger.Debug("SSH CA KEY generated", "public-key", string(ssh.MarshalAuthorizedKey(ca.PublicKey())))
@@ -103,8 +94,8 @@ func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler,
 		ValidPrincipals: []string{"root"},
 		Permissions: ssh.Permissions{
 			Extensions: map[string]string{
-				"permit-port-forwarding": "yes",
-				"permit-pty":             "yes",
+				"permit-port-forwarding": "",
+				"permit-pty":             "",
 			},
 		},
 	}
@@ -113,10 +104,10 @@ func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler,
 	}
 
 	debugLogger.Debug("Signed certificate", "certificate", string(ssh.MarshalAuthorizedKey(&certificate)))
-	if err := fh.Write(fmt.Sprintf("%s/ca_cert.pub", constants.TerraformWorkingDir), ssh.MarshalAuthorizedKey(&certificate), file.OptOverwrite); err != nil {
+	if err := fh.Write("constellation_cert.pub", ssh.MarshalAuthorizedKey(&certificate), file.OptOverwrite); err != nil {
 		return fmt.Errorf("writing certificate: %s", err)
 	}
-	cmd.Printf("You can now connect to a node using 'ssh -F %s/ssh_config -i <your private key> <node ip>'.\nYou can obtain the private node IP via the web UI of your CSP.\n", constants.TerraformWorkingDir)
+	cmd.Printf("You can now connect to a node using the \"constellation_cert.pub\" certificate.\nLook at the documentation for a how-to guide:\n\n\thttps://docs.edgeless.systems/constellation/workflows/troubleshooting#emergency-ssh-access\n")
 
 	return nil
 }

cli/internal/cmd/ssh_test.go

@@ -8,7 +8,6 @@ package cmd
 
 import (
 	"bytes"
-	"fmt"
 	"testing"
 
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -29,18 +28,6 @@ func TestSSH(t *testing.T) {
 		"salt": "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAK"
 	}
 	`
-
-	newFsWithDirectory := func() file.Handler {
-		require := require.New(t)
-		fh := file.NewHandler(afero.NewMemMapFs())
-		require.NoError(fh.MkdirAll(constants.TerraformWorkingDir))
-		return fh
-	}
-	newFsNoDirectory := func() file.Handler {
-		fh := file.NewHandler(afero.NewMemMapFs())
-		return fh
-	}
-
 	testCases := map[string]struct {
 		fh           file.Handler
 		pubKey       string
@@ -48,38 +35,32 @@ func TestSSH(t *testing.T) {
 		wantErr      bool
 	}{
 		"everything exists": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			pubKey:       someSSHPubKey,
 			masterSecret: someMasterSecret,
 		},
 		"no public key": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			masterSecret: someMasterSecret,
 			wantErr:      true,
 		},
 		"no master secret": {
-			fh:      newFsWithDirectory(),
+			fh:      file.NewHandler(afero.NewMemMapFs()),
 			pubKey:  someSSHPubKey,
 			wantErr: true,
 		},
 		"malformed public key": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			pubKey:       "asdf",
 			masterSecret: someMasterSecret,
 			wantErr:      true,
 		},
 		"malformed master secret": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			masterSecret: "asdf",
 			pubKey:       someSSHPubKey,
 			wantErr:      true,
 		},
-		"directory does not exist": {
-			fh:           newFsNoDirectory(),
-			pubKey:       someSSHPubKey,
-			masterSecret: someMasterSecret,
-			wantErr:      true,
-		},
 	}
 
 	for name, tc := range testCases {
@@ -104,7 +85,7 @@ func TestSSH(t *testing.T) {
 				assert.Error(err)
 			} else {
 				assert.NoError(err)
-				cert, err := tc.fh.Read(fmt.Sprintf("%s/ca_cert.pub", constants.TerraformWorkingDir))
+				cert, err := tc.fh.Read("constellation_cert.pub")
 				require.NoError(err)
 				_, _, _, _, err = ssh.ParseAuthorizedKey(cert)
 				require.NoError(err)

cli/internal/terraform/terraform.go

@@ -103,9 +103,18 @@ func (c *Client) ShowIAM(ctx context.Context, provider cloudprovider.Provider) (
 		if !ok {
 			return IAMOutput{}, errors.New("invalid type in service_account_key output: not a string")
 		}
+		IAMServiceAccountVMOutputRaw, ok := tfState.Values.Outputs["service_account_mail_vm"]
+		if !ok {
+			return IAMOutput{}, errors.New("no service_account_mail_vm output found")
+		}
+		IAMServiceAccountVMOutput, ok := IAMServiceAccountVMOutputRaw.Value.(string)
+		if !ok {
+			return IAMOutput{}, errors.New("invalid type in service_account_mail_vm output: not a string")
+		}
 		return IAMOutput{
 			GCP: GCPIAMOutput{
-				SaKey: saKeyOutput,
+				SaKey:                       saKeyOutput,
+				ServiceAccountVMMailAddress: IAMServiceAccountVMOutput,
 			},
 		}, nil
 	case cloudprovider.Azure:
@@ -539,7 +548,8 @@ type IAMOutput struct {
 
 // GCPIAMOutput contains the output information of the Terraform IAM operation on GCP.
 type GCPIAMOutput struct {
-	SaKey string
+	SaKey                       string
+	ServiceAccountVMMailAddress string
 }
 
 // AzureIAMOutput contains the output information of the Terraform IAM operation on Microsoft Azure.

cli/internal/terraform/terraform_test.go

@@ -120,6 +120,7 @@ func TestPrepareIAM(t *testing.T) {
 		Region:           "europe-west1",
 		Zone:             "europe-west1-a",
 		ServiceAccountID: "const-test-case",
+		NamePrefix:       "test_iam",
 	}
 	azureVars := &AzureIAMVariables{
 		Location:      "westus",
@@ -509,6 +510,9 @@ func TestCreateIAM(t *testing.T) {
 					"service_account_key": {
 						Value: "12345678_abcdefg",
 					},
+					"service_account_mail_vm": {
+						Value: "test_iam_service_account_vm",
+					},
 					"subscription_id": {
 						Value: "test_subscription_id",
 					},
@@ -581,7 +585,7 @@ func TestCreateIAM(t *testing.T) {
 			vars:     gcpVars,
 			tf:       &stubTerraform{showState: newTestState()},
 			fs:       afero.NewMemMapFs(),
-			want:     IAMOutput{GCP: GCPIAMOutput{SaKey: "12345678_abcdefg"}},
+			want:     IAMOutput{GCP: GCPIAMOutput{SaKey: "12345678_abcdefg", ServiceAccountVMMailAddress: "test_iam_service_account_vm"}},
 		},
 		"gcp init fails": {
 			pathBase: path.Join(constants.TerraformEmbeddedDir, "iam"),
@@ -614,7 +618,25 @@ func TestCreateIAM(t *testing.T) {
 			tf: &stubTerraform{
 				showState: &tfjson.State{
 					Values: &tfjson.StateValues{
-						Outputs: map[string]*tfjson.StateOutput{},
+						Outputs: map[string]*tfjson.StateOutput{
+							"service_account_mail_vm": {Value: "test_iam_service_account_vm"},
+						},
+					},
+				},
+			},
+			fs:      afero.NewMemMapFs(),
+			wantErr: true,
+		},
+		"gcp no service_account_mail_vm": {
+			pathBase: path.Join(constants.TerraformEmbeddedDir, "iam"),
+			provider: cloudprovider.GCP,
+			vars:     gcpVars,
+			tf: &stubTerraform{
+				showState: &tfjson.State{
+					Values: &tfjson.StateValues{
+						Outputs: map[string]*tfjson.StateOutput{
+							"service_account_key": {Value: "12345678_abcdefg"},
+						},
 					},
 				},
 			},
@@ -1129,7 +1151,8 @@ func TestShowIAM(t *testing.T) {
 		"GCP success": {
 			tf: &stubTerraform{
 				showState: getTfjsonState(map[string]any{
-					"service_account_key": "key",
+					"service_account_key":     "key",
+					"service_account_mail_vm": "example@example.com",
 				}),
 			},
 			csp: cloudprovider.GCP,
@@ -1137,7 +1160,8 @@ func TestShowIAM(t *testing.T) {
 		"GCP wrong data type": {
 			tf: &stubTerraform{
 				showState: getTfjsonState(map[string]any{
-					"service_account_key": map[string]any{},
+					"service_account_key":     map[string]any{},
+					"service_account_mail_vm": "example@example.com",
 				}),
 			},
 			csp:     cloudprovider.GCP,
@@ -1145,7 +1169,9 @@ func TestShowIAM(t *testing.T) {
 		},
 		"GCP missing key": {
 			tf: &stubTerraform{
-				showState: getTfjsonState(map[string]any{}),
+				showState: getTfjsonState(map[string]any{
+					"service_account_mail_vm": "example@example.com",
+				}),
 			},
 			csp:     cloudprovider.GCP,
 			wantErr: true,

cli/internal/terraform/variables.go

@@ -141,6 +141,8 @@ type GCPClusterVariables struct {
 	InternalLoadBalancer bool `hcl:"internal_load_balancer" cty:"internal_load_balancer"`
 	// CCTechnology is the confidential computing technology to use on the VMs. (`SEV` or `SEV_SNP`)
 	CCTechnology string `hcl:"cc_technology" cty:"cc_technology"`
+	// IAMServiceAccountControlPlane is the IAM service account mail address to attach to VMs.
+	IAMServiceAccountVM string `hcl:"iam_service_account_vm" cty:"iam_service_account_vm"`
 	// AdditionalLables are (optional) additional labels that should be applied to created resources.
 	AdditionalLabels cloudprovider.Tags `hcl:"additional_labels" cty:"additional_labels"`
 }
@@ -182,6 +184,9 @@ type GCPIAMVariables struct {
 	Zone string `hcl:"zone" cty:"zone"`
 	// ServiceAccountID is the ID of the service account to use.
 	ServiceAccountID string `hcl:"service_account_id" cty:"service_account_id"`
+	// IAMServiceAccountVM is the ID of the service account to attach to VMs.
+	// TODO(@3u13r): Eventually remove this field after v2.22 has been released.
+	NamePrefix string `hcl:"name_prefix,optional" cty:"name_prefix"`
 }
 
 // String returns a string representation of the IAM-specific variables, formatted as Terraform variables.

cli/internal/terraform/variables_test.go

@@ -122,8 +122,9 @@ func TestGCPClusterVariables(t *testing.T) {
 				DiskType:        "pd-ssd",
 			},
 		},
-		CustomEndpoint: "example.com",
-		CCTechnology:   "SEV_SNP",
+		CustomEndpoint:      "example.com",
+		CCTechnology:        "SEV_SNP",
+		IAMServiceAccountVM: "example@example.com",
 	}
 
 	// test that the variables are correctly rendered
@@ -151,10 +152,11 @@ node_groups = {
     zone          = "eu-central-1b"
   }
 }
-custom_endpoint        = "example.com"
-internal_load_balancer = false
-cc_technology          = "SEV_SNP"
-additional_labels        = null
+custom_endpoint        	= "example.com"
+internal_load_balancer	= false
+cc_technology           = "SEV_SNP"
+iam_service_account_vm	= "example@example.com"
+additional_labels      	= null
 `
 	got := vars.String()
 	assert.Equal(t, strings.Fields(want), strings.Fields(got)) // to ignore whitespace differences
@@ -173,9 +175,27 @@ func TestGCPIAMVariables(t *testing.T) {
 region             = "eu-central-1"
 zone               = "eu-central-1a"
 service_account_id = "my-service-account"
+name_prefix        = ""
 `
 	got := vars.String()
 	assert.Equal(t, strings.Fields(want), strings.Fields(got)) // to ignore whitespace differences
+
+	vars = GCPIAMVariables{
+		Project:    "my-project",
+		Region:     "eu-central-1",
+		Zone:       "eu-central-1a",
+		NamePrefix: "my-prefix",
+	}
+
+	// test that the variables are correctly rendered
+	want = `project_id         = "my-project"
+region             = "eu-central-1"
+zone               = "eu-central-1a"
+service_account_id = ""
+name_prefix        = "my-prefix"
+`
+	got = vars.String()
+	assert.Equal(t, strings.Fields(want), strings.Fields(got)) // to ignore whitespace differences
 }
 
 func TestAzureClusterVariables(t *testing.T) {

debugd/filebeat/Dockerfile

@@ -1,4 +1,4 @@
-FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS release
+FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release
 
 RUN dnf install -y https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.6.2-x86_64.rpm
 

debugd/logstash/Dockerfile

@@ -1,11 +1,11 @@
-FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS build
+FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS build
 
 ARG LOGSTASH_VER=8.6.1
 
 RUN curl -fsSLO https://artifacts.opensearch.org/logstash/logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz
 RUN tar -zxvf logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz
 
-FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS release
+FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release
 
 COPY --from=build logstash-* /usr/share/logstash
 

debugd/metricbeat/Dockerfile

@@ -1,4 +1,4 @@
-FROM fedora:40@sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9 AS release
+FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release
 
 RUN dnf install -y https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-8.9.2-x86_64.rpm
 

debugd/service/debugd.pb.go

@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.4
+// 	protoc-gen-go v1.36.6
 // 	protoc        v5.29.1
 // source: debugd/service/debugd.proto
 
@@ -816,121 +816,62 @@ func (x *UploadSystemdServiceUnitsResponse) GetStatus() UploadSystemdServiceUnit
 
 var File_debugd_service_debugd_proto protoreflect.FileDescriptor
 
-var file_debugd_service_debugd_proto_rawDesc = string([]byte{
-	0x0a, 0x1b, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
-	0x2f, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06, 0x64,
-	0x65, 0x62, 0x75, 0x67, 0x64, 0x22, 0x32, 0x0a, 0x0e, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x20, 0x0a, 0x04, 0x69, 0x6e, 0x66, 0x6f, 0x18,
-	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0c, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x49,
-	0x6e, 0x66, 0x6f, 0x52, 0x04, 0x69, 0x6e, 0x66, 0x6f, 0x22, 0x40, 0x0a, 0x0f, 0x53, 0x65, 0x74,
-	0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2d, 0x0a, 0x06,
-	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x64,
-	0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x53, 0x74, 0x61,
-	0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x10, 0x0a, 0x0e, 0x47,
-	0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x33, 0x0a,
-	0x0f, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x12, 0x20, 0x0a, 0x04, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0c,
-	0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x04, 0x69, 0x6e,
-	0x66, 0x6f, 0x22, 0x2e, 0x0a, 0x04, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65,
-	0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x22, 0x16, 0x0a, 0x14, 0x44, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69,
-	0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x7a, 0x0a, 0x13, 0x46, 0x69,
-	0x6c, 0x65, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x12, 0x34, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x1a, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x54,
-	0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00, 0x52,
-	0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x25, 0x0a, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e,
-	0x43, 0x68, 0x75, 0x6e, 0x6b, 0x48, 0x00, 0x52, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x42, 0x06,
-	0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x22, 0x97, 0x01, 0x0a, 0x12, 0x46, 0x69, 0x6c, 0x65, 0x54,
-	0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x1e, 0x0a,
-	0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x61, 0x74, 0x68, 0x12, 0x12, 0x0a,
-	0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x6d, 0x6f, 0x64,
-	0x65, 0x12, 0x35, 0x0a, 0x13, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x53, 0x65, 0x72,
-	0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00,
-	0x52, 0x13, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,
-	0x65, 0x55, 0x6e, 0x69, 0x74, 0x88, 0x01, 0x01, 0x42, 0x16, 0x0a, 0x14, 0x5f, 0x6f, 0x76, 0x65,
-	0x72, 0x72, 0x69, 0x64, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74,
-	0x22, 0x35, 0x0a, 0x05, 0x43, 0x68, 0x75, 0x6e, 0x6b, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e,
-	0x74, 0x65, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74,
-	0x65, 0x6e, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6c, 0x61, 0x73, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x08, 0x52, 0x04, 0x6c, 0x61, 0x73, 0x74, 0x22, 0x5e, 0x0a, 0x13, 0x55, 0x70, 0x6c, 0x6f, 0x61,
-	0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x31,
-	0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x19,
-	0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69,
-	0x6c, 0x65, 0x73, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75,
-	0x73, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x3d, 0x0a, 0x0b, 0x53, 0x65, 0x72, 0x76, 0x69,
-	0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x63, 0x6f,
-	0x6e, 0x74, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x63, 0x6f,
-	0x6e, 0x74, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x4d, 0x0a, 0x20, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64,
-	0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e,
-	0x69, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x29, 0x0a, 0x05, 0x75, 0x6e,
-	0x69, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x64, 0x65, 0x62, 0x75,
-	0x67, 0x64, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x52, 0x05,
-	0x75, 0x6e, 0x69, 0x74, 0x73, 0x22, 0x64, 0x0a, 0x21, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53,
-	0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69,
-	0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x06, 0x73, 0x74,
-	0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x62,
-	0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d,
-	0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x53, 0x74, 0x61,
-	0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x2a, 0x3f, 0x0a, 0x0d, 0x53,
-	0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x14, 0x0a, 0x10,
-	0x53, 0x45, 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x5f, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53,
-	0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x45, 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x5f, 0x41,
-	0x4c, 0x52, 0x45, 0x41, 0x44, 0x59, 0x5f, 0x53, 0x45, 0x54, 0x10, 0x01, 0x2a, 0xb1, 0x01, 0x0a,
-	0x11, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x53, 0x74, 0x61, 0x74,
-	0x75, 0x73, 0x12, 0x18, 0x0a, 0x14, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c,
-	0x45, 0x53, 0x5f, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53, 0x10, 0x00, 0x12, 0x1e, 0x0a, 0x1a,
-	0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x53, 0x5f, 0x55, 0x50, 0x4c,
-	0x4f, 0x41, 0x44, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x01, 0x12, 0x20, 0x0a, 0x1c,
-	0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x53, 0x5f, 0x41, 0x4c, 0x52,
-	0x45, 0x41, 0x44, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x52, 0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x21,
-	0x0a, 0x1d, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x53, 0x5f, 0x41,
-	0x4c, 0x52, 0x45, 0x41, 0x44, 0x59, 0x5f, 0x46, 0x49, 0x4e, 0x49, 0x53, 0x48, 0x45, 0x44, 0x10,
-	0x03, 0x12, 0x1d, 0x0a, 0x19, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x46, 0x49, 0x4c, 0x45,
-	0x53, 0x5f, 0x53, 0x54, 0x41, 0x52, 0x54, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x04,
-	0x2a, 0x75, 0x0a, 0x1f, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d,
-	0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x53, 0x74, 0x61,
-	0x74, 0x75, 0x73, 0x12, 0x28, 0x0a, 0x24, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x53, 0x59,
-	0x53, 0x54, 0x45, 0x4d, 0x44, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x5f, 0x55, 0x4e,
-	0x49, 0x54, 0x53, 0x5f, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53, 0x10, 0x00, 0x12, 0x28, 0x0a,
-	0x24, 0x55, 0x50, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x53, 0x59, 0x53, 0x54, 0x45, 0x4d, 0x44, 0x5f,
-	0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x5f, 0x55, 0x4e, 0x49, 0x54, 0x53, 0x5f, 0x46, 0x41,
-	0x49, 0x4c, 0x55, 0x52, 0x45, 0x10, 0x01, 0x32, 0x94, 0x03, 0x0a, 0x06, 0x44, 0x65, 0x62, 0x75,
-	0x67, 0x64, 0x12, 0x3c, 0x0a, 0x07, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x16, 0x2e,
-	0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x53, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x53,
-	0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
-	0x12, 0x3c, 0x0a, 0x07, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x16, 0x2e, 0x64, 0x65,
-	0x62, 0x75, 0x67, 0x64, 0x2e, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x47, 0x65, 0x74,
-	0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x4b,
-	0x0a, 0x0b, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x1b, 0x2e,
-	0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x54, 0x72, 0x61, 0x6e, 0x73,
-	0x66, 0x65, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1b, 0x2e, 0x64, 0x65, 0x62,
-	0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x12, 0x4e, 0x0a, 0x0d, 0x44,
-	0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x1c, 0x2e, 0x64,
-	0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x44, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x46, 0x69,
-	0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1b, 0x2e, 0x64, 0x65, 0x62,
-	0x75, 0x67, 0x64, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x66, 0x65, 0x72,
-	0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x71, 0x0a, 0x18, 0x55,
-	0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x53, 0x65, 0x72, 0x76, 0x69,
-	0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x12, 0x28, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64,
-	0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65,
-	0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x6e, 0x69, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x1a, 0x29, 0x2e, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64, 0x2e, 0x55, 0x70, 0x6c, 0x6f, 0x61,
-	0x64, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55,
-	0x6e, 0x69, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x38,
-	0x5a, 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67,
-	0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c,
-	0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f, 0x64, 0x65, 0x62, 0x75, 0x67, 0x64,
-	0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_debugd_service_debugd_proto_rawDesc = "" +
+	"\n" +
+	"\x1bdebugd/service/debugd.proto\x12\x06debugd\"2\n" +
+	"\x0eSetInfoRequest\x12 \n" +
+	"\x04info\x18\x01 \x03(\v2\f.debugd.InfoR\x04info\"@\n" +
+	"\x0fSetInfoResponse\x12-\n" +
+	"\x06status\x18\x01 \x01(\x0e2\x15.debugd.SetInfoStatusR\x06status\"\x10\n" +
+	"\x0eGetInfoRequest\"3\n" +
+	"\x0fGetInfoResponse\x12 \n" +
+	"\x04info\x18\x01 \x03(\v2\f.debugd.InfoR\x04info\".\n" +
+	"\x04Info\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value\"\x16\n" +
+	"\x14DownloadFilesRequest\"z\n" +
+	"\x13FileTransferMessage\x124\n" +
+	"\x06header\x18\x01 \x01(\v2\x1a.debugd.FileTransferHeaderH\x00R\x06header\x12%\n" +
+	"\x05chunk\x18\x02 \x01(\v2\r.debugd.ChunkH\x00R\x05chunkB\x06\n" +
+	"\x04kind\"\x97\x01\n" +
+	"\x12FileTransferHeader\x12\x1e\n" +
+	"\n" +
+	"targetPath\x18\x01 \x01(\tR\n" +
+	"targetPath\x12\x12\n" +
+	"\x04mode\x18\x03 \x01(\rR\x04mode\x125\n" +
+	"\x13overrideServiceUnit\x18\x04 \x01(\tH\x00R\x13overrideServiceUnit\x88\x01\x01B\x16\n" +
+	"\x14_overrideServiceUnit\"5\n" +
+	"\x05Chunk\x12\x18\n" +
+	"\acontent\x18\x01 \x01(\fR\acontent\x12\x12\n" +
+	"\x04last\x18\x02 \x01(\bR\x04last\"^\n" +
+	"\x13UploadFilesResponse\x121\n" +
+	"\x06status\x18\x01 \x01(\x0e2\x19.debugd.UploadFilesStatusR\x06status\x12\x14\n" +
+	"\x05error\x18\x02 \x01(\tR\x05error\"=\n" +
+	"\vServiceUnit\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x1a\n" +
+	"\bcontents\x18\x02 \x01(\tR\bcontents\"M\n" +
+	" UploadSystemdServiceUnitsRequest\x12)\n" +
+	"\x05units\x18\x01 \x03(\v2\x13.debugd.ServiceUnitR\x05units\"d\n" +
+	"!UploadSystemdServiceUnitsResponse\x12?\n" +
+	"\x06status\x18\x01 \x01(\x0e2'.debugd.UploadSystemdServiceUnitsStatusR\x06status*?\n" +
+	"\rSetInfoStatus\x12\x14\n" +
+	"\x10SET_INFO_SUCCESS\x10\x00\x12\x18\n" +
+	"\x14SET_INFO_ALREADY_SET\x10\x01*\xb1\x01\n" +
+	"\x11UploadFilesStatus\x12\x18\n" +
+	"\x14UPLOAD_FILES_SUCCESS\x10\x00\x12\x1e\n" +
+	"\x1aUPLOAD_FILES_UPLOAD_FAILED\x10\x01\x12 \n" +
+	"\x1cUPLOAD_FILES_ALREADY_STARTED\x10\x02\x12!\n" +
+	"\x1dUPLOAD_FILES_ALREADY_FINISHED\x10\x03\x12\x1d\n" +
+	"\x19UPLOAD_FILES_START_FAILED\x10\x04*u\n" +
+	"\x1fUploadSystemdServiceUnitsStatus\x12(\n" +
+	"$UPLOAD_SYSTEMD_SERVICE_UNITS_SUCCESS\x10\x00\x12(\n" +
+	"$UPLOAD_SYSTEMD_SERVICE_UNITS_FAILURE\x10\x012\x94\x03\n" +
+	"\x06Debugd\x12<\n" +
+	"\aSetInfo\x12\x16.debugd.SetInfoRequest\x1a\x17.debugd.SetInfoResponse\"\x00\x12<\n" +
+	"\aGetInfo\x12\x16.debugd.GetInfoRequest\x1a\x17.debugd.GetInfoResponse\"\x00\x12K\n" +
+	"\vUploadFiles\x12\x1b.debugd.FileTransferMessage\x1a\x1b.debugd.UploadFilesResponse\"\x00(\x01\x12N\n" +
+	"\rDownloadFiles\x12\x1c.debugd.DownloadFilesRequest\x1a\x1b.debugd.FileTransferMessage\"\x000\x01\x12q\n" +
+	"\x18UploadSystemServiceUnits\x12(.debugd.UploadSystemdServiceUnitsRequest\x1a).debugd.UploadSystemdServiceUnitsResponse\"\x00B8Z6github.com/edgelesssys/constellation/v2/debugd/serviceb\x06proto3"
 
 var (
 	file_debugd_service_debugd_proto_rawDescOnce sync.Once

dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl

@@ -2,31 +2,31 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/azurerm" {
-  version     = "4.21.0"
-  constraints = "4.21.0"
+  version     = "4.25.0"
+  constraints = "4.25.0"
   hashes = [
-    "h1:6Zce/bfJTubd9VZP+SduO6yD8B51yoeeUe5XyP+n8Tg=",
-    "h1:8VVtYcBaHWoyQw5DszL36a5Tbx7zGg8jsMPWDjNtkds=",
-    "h1:J1EF/O3HfSOSwhPEyXfXq1D1eOFySXSjQoElYWsUi9w=",
-    "h1:MkHYR2jMC/9CJQT9uZwHb3Lr2UTR+GSB1NVzSBd70MI=",
-    "h1:N2uMJqzYnR+aq7i75T6JX1pAI7Zg6zjpUIiaR2u36V4=",
-    "h1:SrzAtKrwc16XfEn7XLO8naHMr/q33SpHOEsnWN/L0HI=",
-    "h1:VaLnj0MaKBjPbAMwCyuJMYmKftnCU8q0XXQDaaAWQns=",
-    "h1:e1SrjIeLOMHizlsDugvd1qjRpeD1TFzLmU6k+yfztlA=",
-    "h1:fTq06csKOkoAqtkJn4FXn37wyRlJ0EJJgpe3CWMhIpU=",
-    "h1:gMu4FGlBedcPsbmKgqHRbT6HYanAqlpcozFAsnbrwhI=",
-    "h1:mo9aGGJoAiFRf5bBMPlsG6AsDaLqbvPgwkASgdHbiY8=",
-    "zh:166573ccd95258c761c5ee17ba53b1bf38aac59839fb67303489ca76a4fe39cf",
-    "zh:17ad468923b68620e0c976a51c512fedd640758f29647650fcdeff5fdfafb731",
-    "zh:4bb4c6674c3f4776da7fc193a78f929e872144e90821e9e834f02898a0a5b64d",
-    "zh:5be6d97f17709829fdac01067c5a793a3e3a01d5253107a43b8b94d6837a684b",
-    "zh:5d9a332a4854ec3e3c5fd185fade10c1b4b71ab8b1ee5d18e26fc29bb5648d83",
-    "zh:6bfb004b4eb8e041190f8ded8facd2530482eb83af0dead8cd1634abc831510b",
-    "zh:8b0c42fcd58370e3e4531ab721a09931af857043ee0b3f45404020fd1fdf7382",
-    "zh:9271775dffaea0d902e41acee737e95e1016a28f168792d06679cfc93e843ed5",
-    "zh:9cf0b0c48d9a3b21e74eda4f6198c117f52348768e9d0fcf8af933a2a15b6f83",
-    "zh:a0454a9f08b9de55382715d915be5f56e060e1c11dbd4304e5452518f402d9c1",
-    "zh:d9b4ea1a8ac558c09484d70f94a16deed35902e06943edb0b1f4ea5bca81feff",
+    "h1:0ngEPvgsbXdQ6feo/6WqVkxDj1zsDx2jdsB2bl+R1Rg=",
+    "h1:3ZxcyUNfYBb49d6tw584RWmYbYozgqueZLHaJi9BLDA=",
+    "h1:6dUCvh+kYsKRVeqIEtcVdMgInojZqVV86R7DHkVXHq4=",
+    "h1:F0sulaJhPHnLbwWcKlsXP7DDAVQi9+93fFxjEoZQaKo=",
+    "h1:RvLXu5xam1B4u5TWEPdvKIc2lLNUekACXxl3OnplvLw=",
+    "h1:SG57DX+kbbsSlLr1y9Z/n/2F57aPlzSBi9tP+Y4ltD4=",
+    "h1:UMRdLJ+HHUIxHYrbguIJrsRUN3xGrf92Q53UGZi3fM4=",
+    "h1:fKYoZJBpyKMkoN46eGto3qG+IvD/SP2cjTD4AxGxJxg=",
+    "h1:kTMYggdpy3ozYocnK7SI6217nh8FAJQEVP8+93nVjEs=",
+    "h1:r3wbLuv+ZOTFgYna274nvJD41bUBrIEq3XrvzeZar5c=",
+    "h1:xNXSfbZ3U4IIYp9ttN+uDQqptNM7Ynk19283z0+2pww=",
+    "zh:05e9243872f174ec7e7bd58c92b986464d516d9281e28e6abe4b57fa9fd58b3c",
+    "zh:1b124540c947410e9334e64912bce4e3b5b164ae7734927fb093178081e67011",
+    "zh:2daaeadd33305a1e700682a1d369d52b1376c64a44e680c2fccdc3e58cd86edb",
+    "zh:3767cfeeaae01a5c263d863d1c8b58eca9a4fa8ada8dbdf41222d1b143694065",
+    "zh:3c69f63583468366fb641f606c23a269fd04b6f1603e06c20568ffc28e6581bd",
+    "zh:7b3afd2827ed6def9ce46dcb9ce8603db493606d1d2b50da9c09f8ef44b2545c",
+    "zh:8d37210d2a738c755da60dbdf26f6cb2d719ce8711aeea838bc961257d921e0e",
+    "zh:9096e89a61d1d04123075a4ef429fb52d2d22b9786f82c1d52db172c9a67e563",
+    "zh:9fcf345164043fd8147b5f8ec084a57e50ebdf0a5c48c2d49660ce461db650ae",
+    "zh:cbb5738bca019d8539432cb20b680781c3870d60a4e057ad178bc2ddc6f40e67",
+    "zh:ed49bf0d5875fcfb39dd739b79877ba2738bfb61c39546b02d5d0278f960da9e",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
   ]
 }

dev-docs/howto/vpn/on-prem-terraform/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "4.21.0"
+      version = "4.25.0"
     }
     random = {
       source  = "hashicorp/random"

dev-docs/miniconstellation/azure-terraform/.terraform.lock.hcl

@@ -2,31 +2,31 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/azurerm" {
-  version     = "4.21.0"
-  constraints = "4.21.0"
+  version     = "4.25.0"
+  constraints = "4.25.0"
   hashes = [
-    "h1:6Zce/bfJTubd9VZP+SduO6yD8B51yoeeUe5XyP+n8Tg=",
-    "h1:8VVtYcBaHWoyQw5DszL36a5Tbx7zGg8jsMPWDjNtkds=",
-    "h1:J1EF/O3HfSOSwhPEyXfXq1D1eOFySXSjQoElYWsUi9w=",
-    "h1:MkHYR2jMC/9CJQT9uZwHb3Lr2UTR+GSB1NVzSBd70MI=",
-    "h1:N2uMJqzYnR+aq7i75T6JX1pAI7Zg6zjpUIiaR2u36V4=",
-    "h1:SrzAtKrwc16XfEn7XLO8naHMr/q33SpHOEsnWN/L0HI=",
-    "h1:VaLnj0MaKBjPbAMwCyuJMYmKftnCU8q0XXQDaaAWQns=",
-    "h1:e1SrjIeLOMHizlsDugvd1qjRpeD1TFzLmU6k+yfztlA=",
-    "h1:fTq06csKOkoAqtkJn4FXn37wyRlJ0EJJgpe3CWMhIpU=",
-    "h1:gMu4FGlBedcPsbmKgqHRbT6HYanAqlpcozFAsnbrwhI=",
-    "h1:mo9aGGJoAiFRf5bBMPlsG6AsDaLqbvPgwkASgdHbiY8=",
-    "zh:166573ccd95258c761c5ee17ba53b1bf38aac59839fb67303489ca76a4fe39cf",
-    "zh:17ad468923b68620e0c976a51c512fedd640758f29647650fcdeff5fdfafb731",
-    "zh:4bb4c6674c3f4776da7fc193a78f929e872144e90821e9e834f02898a0a5b64d",
-    "zh:5be6d97f17709829fdac01067c5a793a3e3a01d5253107a43b8b94d6837a684b",
-    "zh:5d9a332a4854ec3e3c5fd185fade10c1b4b71ab8b1ee5d18e26fc29bb5648d83",
-    "zh:6bfb004b4eb8e041190f8ded8facd2530482eb83af0dead8cd1634abc831510b",
-    "zh:8b0c42fcd58370e3e4531ab721a09931af857043ee0b3f45404020fd1fdf7382",
-    "zh:9271775dffaea0d902e41acee737e95e1016a28f168792d06679cfc93e843ed5",
-    "zh:9cf0b0c48d9a3b21e74eda4f6198c117f52348768e9d0fcf8af933a2a15b6f83",
-    "zh:a0454a9f08b9de55382715d915be5f56e060e1c11dbd4304e5452518f402d9c1",
-    "zh:d9b4ea1a8ac558c09484d70f94a16deed35902e06943edb0b1f4ea5bca81feff",
+    "h1:0ngEPvgsbXdQ6feo/6WqVkxDj1zsDx2jdsB2bl+R1Rg=",
+    "h1:3ZxcyUNfYBb49d6tw584RWmYbYozgqueZLHaJi9BLDA=",
+    "h1:6dUCvh+kYsKRVeqIEtcVdMgInojZqVV86R7DHkVXHq4=",
+    "h1:F0sulaJhPHnLbwWcKlsXP7DDAVQi9+93fFxjEoZQaKo=",
+    "h1:RvLXu5xam1B4u5TWEPdvKIc2lLNUekACXxl3OnplvLw=",
+    "h1:SG57DX+kbbsSlLr1y9Z/n/2F57aPlzSBi9tP+Y4ltD4=",
+    "h1:UMRdLJ+HHUIxHYrbguIJrsRUN3xGrf92Q53UGZi3fM4=",
+    "h1:fKYoZJBpyKMkoN46eGto3qG+IvD/SP2cjTD4AxGxJxg=",
+    "h1:kTMYggdpy3ozYocnK7SI6217nh8FAJQEVP8+93nVjEs=",
+    "h1:r3wbLuv+ZOTFgYna274nvJD41bUBrIEq3XrvzeZar5c=",
+    "h1:xNXSfbZ3U4IIYp9ttN+uDQqptNM7Ynk19283z0+2pww=",
+    "zh:05e9243872f174ec7e7bd58c92b986464d516d9281e28e6abe4b57fa9fd58b3c",
+    "zh:1b124540c947410e9334e64912bce4e3b5b164ae7734927fb093178081e67011",
+    "zh:2daaeadd33305a1e700682a1d369d52b1376c64a44e680c2fccdc3e58cd86edb",
+    "zh:3767cfeeaae01a5c263d863d1c8b58eca9a4fa8ada8dbdf41222d1b143694065",
+    "zh:3c69f63583468366fb641f606c23a269fd04b6f1603e06c20568ffc28e6581bd",
+    "zh:7b3afd2827ed6def9ce46dcb9ce8603db493606d1d2b50da9c09f8ef44b2545c",
+    "zh:8d37210d2a738c755da60dbdf26f6cb2d719ce8711aeea838bc961257d921e0e",
+    "zh:9096e89a61d1d04123075a4ef429fb52d2d22b9786f82c1d52db172c9a67e563",
+    "zh:9fcf345164043fd8147b5f8ec084a57e50ebdf0a5c48c2d49660ce461db650ae",
+    "zh:cbb5738bca019d8539432cb20b680781c3870d60a4e057ad178bc2ddc6f40e67",
+    "zh:ed49bf0d5875fcfb39dd739b79877ba2738bfb61c39546b02d5d0278f960da9e",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
   ]
 }

dev-docs/miniconstellation/azure-terraform/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "4.21.0"
+      version = "4.25.0"
     }
     random = {
       source  = "hashicorp/random"

dev-docs/security-overview.md

@@ -79,12 +79,16 @@ Abstractly, a remote-attestation statement `R` from a CVM looks as follows:
 R = Sig-CPU(<launch digest>, <auxiliary data>, <payload>)
 ```
 
-The `payload` is controlled by the software running inside the CVM.
+The field `payload` is controlled by the software running inside the CVM.
 In the case of a Constellation node, the `payload` is always the public key of the respective Bootstrapper running inside the CVM.
 Thus, `R` can be seen as a certificate for that public key issued by the CPU.
 Based on this, nodes establish attested TLS (aTLS) connections.
 aTLS is used during [cluster creation](#cluster-creation) and when [growing a cluster](#cluster-growth).
 
+The field `auxiliary data` is populated automatically by the CVM platform and, among others, includes information like CPU firmware versions. 
+
+Note that this description of `R` is highly abstract.
+
 ### Measurements
 
 In the ideal case, the underlying CVM platform does not inject any of its own software into a CVM.
@@ -97,16 +101,26 @@ In this case, the launch digest is the only measurement that's required to verif
 However, currently, all supported CVM platforms (AWS, Azure, and GCP) inject custom firmware into CVMs.
 Thus, in practice, Constellation relies on conventional [measured boot](https://docs.edgeless.systems/constellation/architecture/images#measured-boot) to reflect the identity and integrity of nodes.
 
-In measured boot, in general, the software components involved in the boot process of a system are "measured" into the 16 registers of a Trusted Platform Module (TPM).
+In measured boot, in general, the software components involved in the boot process of a system are "measured" into the 16 platform configuration registers (PCRs) of a Trusted Platform Module (TPM).
 The values of these registers are also called "runtime measurements".
-All supported CVM platforms provide TPMs to CVMs.
-Constellation nodes use these to measure their boot process.
-They include the 16 runtime measurements as `auxiliary data` in `R`.
-On each CVM platform, runtime measurements are taken differently.
-Details on this are given in the [Constellation documentation](https://docs.edgeless.systems/constellation/architecture/attestation#runtime-measurements).
+All supported CVM platforms provide TPMs to CVMs. 
+
+With measured boot, Constellation relies on TPM-based remote attestation for nodes. 
+TPM-based remote attestation is similar to confidential computing-based remote attestation. Instead of the value `R`, the value `R'` is used.
+
+```
+R' = Sig-TPM(<auxiliary data>, <payload>)
+```
+
+The field `auxiliary data` is populated automatically by the TPM and most notably contains the 16 PCRs. 
+Constellation uses the field `payload` as usual and sets it to the public key of the respective CVM's Bootstrapper. 
+When verifying `R'`, Constellation compares the 16 PCRs to those given in the attestation config.
+
+#### Differences between CVM platforms
+
+Each supported CVM platform populates the 16 PCRs in different ways. Details can be found in the [Constellation documentation](https://docs.edgeless.systems/constellation/architecture/attestation#runtime-measurements).
+Sig-TPM itself is also verified differently for each cloud.
 
-With measured boot, Constellation only checks the 16 runtime measurements during the verification of a node's remote-attestation statement.
-The launch digest is not considered, because it only covers the firmware injected by the CVM platform and may change whenever the CVM platform is updated.
 Currently, on AWS and GCP the TPM implementation resides outside the CVM.
 On Azure, the TPM implementation is part of the injected firmware and resides inside the CVM.
 More information can be found in the [Constellation documentation](https://docs.edgeless.systems/constellation/overview/clouds).

dev-docs/workflows/marketplace-publishing.md

@@ -0,0 +1,33 @@
+# Publishing Marketplace Images
+
+Constellation release images need to be manually published to AWS and Azure marketplaces due to the lack of automation features.
+On GCP, marketplace image publishing is automated and takes place on release.
+
+This document explains how to perform the uploading on AWS and Azure.
+
+## AWS
+
+1. Log in to the [AWS marketplace management portal](https://aws.amazon.com/marketplace/management/) with your regular developer AWS account.
+2. Select "Products -> Server -> Constellation" in the top menu.
+3. Select "Versions" in the main menu and press "Add version".
+4. Fill in the form.
+    1. Enter the semantic version of the release (i.e. `vX.Y.Z`) as "Version title".
+    2. Set the version tag in "Release notes" to the same version.
+    3. For the "Amazon Machine Image (AMI) ID", enter the AMI ID of the release (SEV-SNP) image. This can be found in the regular
+       [AWS console](https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#Images:visibility=owned-by-me;search=:constellation-v;v=3;$case=tags:false%5C,client:false;$regex=tags:false%5C,client:false;sort=desc:creationDate).
+    4. For "IAM access role ARN", enter `arn:aws:iam::795746500882:role/constellation-marketplace-ingest`.
+5. Leave the other fields as they are and press "Add version".
+6. Wait for the [request](https://aws.amazon.com/marketplace/management/requests) to be processed and available before publishing the release.
+
+## Azure
+
+1. Log in to the [Microsoft partner center](https://partner.microsoft.com/en-us/dashboard/home) with your regular developer Microsoft account.
+2. Select "Marketplace offers -> Constellation -> Constellation Node" in the main menu.
+3. Select "Technical configuration" in the sidebar on the left.
+4. Select "Add VM Image".
+    1. For the "Version number", enter the semantic version of the release without the `v` prefix. If the release version is `vX.Y.Z`, enter `X.Y.Z`.
+    2. Press "Add a gallery image" and select the corresponding "Constellation_CVM" image version in the menu.
+    3. Press "Save VM image".
+5. **IMPORTANT**: Hit **Save draft**. Do **NOT** hit "Review and publish" directly.
+6. **After** saving the draft, hit "Review and publish".
+7. Go back to the [offer's home page](https://partner.microsoft.com/en-us/dashboard/commercial-marketplace/offers/a53ac90b-06f7-4a20-a845-8607ca352e61/overview) and wait for the process to complete before publishing the release.

dev-docs/workflows/release.md

@@ -86,15 +86,7 @@ Releases should be performed using [the automated release pipeline](https://gith
 
 1. Publish the [provider release](https://github.com/edgelesssys/terraform-provider-constellation/releases)
 2. Merge the automated post release PR
-3. Write an email to STACKIT to inform them of the new release. For this, you require the name and UUID of the release image. You can find the email address in our internal [wiki](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/stackit.md):
-
-    ```shell-session
-    export OS_CLOUD=stackit
-    openstack image list | grep constellation
-    # the output should look similar to this, where the first column is the UUID and the second column is the name
-    # | 25edf48d-161f-452b-b420-963c3a80abd8 | constellation-stable-v2.16.4-qemu-vtpm | active |
-    ```
-
+3. Publish the [AWS and Azure marketplace images](./marketplace-publishing.md).
 4. Close fixed "known issues"
 5. Move open issues and PRs from this release's closed milestone to next milestone
 6. Reset `UpgradeRequiresIAMMigration`  in [`iamupgrade.go`](https://github.com/edgelesssys/constellation/blob/a88a731576184e3c5ee8527741c4a0cdaa4e9b24/cli/internal/cloudcmd/iamupgrade.go#L23).

disk-mapper/recoverproto/recover.pb.go

@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.4
+// 	protoc-gen-go v1.36.6
 // 	protoc        v5.29.1
 // source: disk-mapper/recoverproto/recover.proto
 
@@ -115,28 +115,16 @@ func (*RecoverResponse) Descriptor() ([]byte, []int) {
 
 var File_disk_mapper_recoverproto_recover_proto protoreflect.FileDescriptor
 
-var file_disk_mapper_recoverproto_recover_proto_rawDesc = string([]byte{
-	0x0a, 0x26, 0x64, 0x69, 0x73, 0x6b, 0x2d, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x72, 0x65,
-	0x63, 0x6f, 0x76, 0x65, 0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x72, 0x65, 0x63, 0x6f, 0x76,
-	0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0c, 0x72, 0x65, 0x63, 0x6f, 0x76, 0x65,
-	0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x4a, 0x0a, 0x0e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65,
-	0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x6d, 0x73, 0x5f,
-	0x75, 0x72, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x6d, 0x73, 0x55, 0x72,
-	0x69, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x5f, 0x75, 0x72, 0x69,
-	0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x55,
-	0x72, 0x69, 0x22, 0x11, 0x0a, 0x0f, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0x4f, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x48, 0x0a, 0x07,
-	0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x12, 0x1c, 0x2e, 0x72, 0x65, 0x63, 0x6f, 0x76, 0x65,
-	0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x4d, 0x65,
-	0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1d, 0x2e, 0x72, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x42, 0x5a, 0x40, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
-	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73,
-	0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76,
-	0x32, 0x2f, 0x64, 0x69, 0x73, 0x6b, 0x2d, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x72, 0x65,
-	0x63, 0x6f, 0x76, 0x65, 0x72, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
-})
+const file_disk_mapper_recoverproto_recover_proto_rawDesc = "" +
+	"\n" +
+	"&disk-mapper/recoverproto/recover.proto\x12\frecoverproto\"J\n" +
+	"\x0eRecoverMessage\x12\x17\n" +
+	"\akms_uri\x18\x03 \x01(\tR\x06kmsUri\x12\x1f\n" +
+	"\vstorage_uri\x18\x04 \x01(\tR\n" +
+	"storageUri\"\x11\n" +
+	"\x0fRecoverResponse2O\n" +
+	"\x03API\x12H\n" +
+	"\aRecover\x12\x1c.recoverproto.RecoverMessage\x1a\x1d.recoverproto.RecoverResponse\"\x00BBZ@github.com/edgelesssys/constellation/v2/disk-mapper/recoverprotob\x06proto3"
 
 var (
 	file_disk_mapper_recoverproto_recover_proto_rawDescOnce sync.Once

docs/docs/architecture/versions.md

@@ -16,6 +16,6 @@ Subsequent Constellation releases drop support for the oldest (and deprecated) K
 The following Kubernetes versions are currently supported:
 <!--AUTO_GENERATED_BY_BAZEL-->
 <!--DO_NOT_EDIT-->
-* v1.29.14
-* v1.30.10
-* v1.31.6
+* v1.29.15
+* v1.30.11
+* v1.31.7

docs/docs/getting-started/first-steps.md

@@ -102,7 +102,7 @@ If you encounter any problem with the following steps, make sure to use the [lat
     <TabItem value="gcp" label="GCP">
 
     ```bash
-    constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
+    constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --prefix=constell-test --update-config
     ```
 
     This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.