* variant: move into internal/attestation * attestation: move aws attestation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP. For now the implementations in aws/nitrotpm and aws/snp are identical: both contain the aws/nitrotpm implementation. A separate commit will add the actual attestation logic.
/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package cmd
import (
"errors"
"fmt"
"io/fs"
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/file"
"github.com/spf13/afero"
"github.com/spf13/cobra"
)
// NewCreateCmd returns a new cobra.Command for the create command.
//
// The command takes no positional arguments. Besides --yes, it registers the
// two node-count flags and marks both as required, so that an omitted count is
// rejected by cobra instead of silently defaulting to zero.
func NewCreateCmd() *cobra.Command {
	createCommand := &cobra.Command{
		Use:   "create",
		Short: "Create instances on a cloud platform for your Constellation cluster",
		Long:  "Create instances on a cloud platform for your Constellation cluster.",
		Args:  cobra.ExactArgs(0),
		RunE:  runCreate,
	}

	flagSet := createCommand.Flags()
	flagSet.BoolP("yes", "y", false, "create the cluster without further confirmation")

	// Register each mandatory count flag and immediately mark it required;
	// MarkFlagRequired only fails on a programming error (unknown flag name).
	requiredCounts := []struct {
		name, shorthand, usage string
	}{
		{"control-plane-nodes", "c", "number of control-plane nodes (required)"},
		{"worker-nodes", "w", "number of worker nodes (required)"},
	}
	for _, f := range requiredCounts {
		flagSet.IntP(f.name, f.shorthand, 0, f.usage)
		must(cobra.MarkFlagRequired(flagSet, f.name))
	}

	return createCommand
}
// createCmd bundles the dependencies of the create command so that its
// methods (create, parseCreateFlags, checkDirClean) can be tested independently
// of the cobra wiring in runCreate.
type createCmd struct {
	// log receives the Debugf trace output emitted by the create command's methods.
	log debugLog
}
// runCreate is the RunE hook of the create command. It constructs the
// logger, spinner, file handler, cloud creator and attestation-config
// fetcher and delegates the actual work to createCmd.create.
//
// Logger and spinner construction errors are wrapped and returned; the
// logger is synced and the spinner stopped when the function returns.
func runCreate(cmd *cobra.Command, _ []string) error {
	logger, err := newCLILogger(cmd)
	if err != nil {
		return fmt.Errorf("creating logger: %w", err)
	}
	defer logger.Sync()

	spin, err := newSpinnerOrStderr(cmd)
	if err != nil {
		return fmt.Errorf("creating spinner: %w", err)
	}
	defer spin.Stop()

	// Real OS filesystem: create reads the config from, and writes the
	// cluster IDs file into, the current working directory.
	handler := file.NewHandler(afero.NewOsFs())
	resourceCreator := cloudcmd.NewCreator(spin)
	cc := &createCmd{log: logger}
	attestationFetcher := attestationconfigapi.NewFetcher()

	return cc.create(cmd, resourceCreator, handler, spin, attestationFetcher)
}
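// create runs the create command: it parses the flags, refuses to proceed if
// artifacts of a previous cluster are present in the working directory, loads
// and validates the configuration, prints security-relevant warnings, asks the
// user to confirm (unless --yes was given) and finally creates the cloud
// resources. The resulting cluster IDs are written to
// constants.ClusterIDsFileName.
//
// Configuration errors are returned as-is after the detailed validation
// message (if any) has been printed. Creation errors are passed through
// translateCreateErrors, which adds remediation hints for known Terraform
// workspace problems. If the cluster IDs file cannot be written after the
// resources were created, the user is told explicitly that resources exist
// and need to be terminated.
func (c *createCmd) create(cmd *cobra.Command, creator cloudCreator, fileHandler file.Handler, spinner spinnerInterf, fetcher attestationconfigapi.Fetcher) (retErr error) {
	flags, err := c.parseCreateFlags(cmd)
	if err != nil {
		return err
	}
	c.log.Debugf("Using flags: %+v", flags)
	// Never overwrite the admin conf, master secret or cluster IDs of an existing cluster.
	if err := c.checkDirClean(fileHandler); err != nil {
		return err
	}

	c.log.Debugf("Loading configuration file from %q", flags.configPath)
	conf, err := config.New(fileHandler, flags.configPath, fetcher, flags.force)
	// NOTE(review): this logs the entire parsed configuration at debug level;
	// confirm the config type carries no credentials before treating debug logs as shareable.
	c.log.Debugf("Configuration file loaded: %+v", conf)
	// A validation error carries a long explanation; print it before returning the error itself.
	var configValidationErr *config.ValidationError
	if errors.As(err, &configValidationErr) {
		cmd.PrintErrln(configValidationErr.LongMessage())
	}
	if err != nil {
		return err
	}

	c.log.Debugf("Checking configuration for warnings")
	var printedAWarning bool
	if !conf.IsReleaseImage() {
		cmd.PrintErrln("Configured image doesn't look like a released production image. Double check image before deploying to production.")
		printedAWarning = true
	}

	if conf.IsDebugCluster() {
		cmd.PrintErrln("WARNING: Creating a debug cluster. This cluster is not secure and should only be used for debugging purposes.")
		cmd.PrintErrln("DO NOT USE THIS CLUSTER IN PRODUCTION.")
		printedAWarning = true
	}

	// The Trusted Launch variant runs without Confidential VM protection; make that explicit to the user.
	if conf.GetAttestationConfig().GetVariant().Equal(variant.AzureTrustedLaunch{}) {
		cmd.PrintErrln("Disabling Confidential VMs is insecure. Use only for evaluation purposes.")
		printedAWarning = true
	}

	// Print an extra new line later to separate warnings from the prompt message of the create command
	if printedAWarning {
		cmd.PrintErrln("")
	}

	provider := conf.GetProvider()
	var instanceType string
	// No default case: an unrecognized provider leaves instanceType empty
	// (config.New is presumably where the provider is validated).
	switch provider {
	case cloudprovider.AWS:
		c.log.Debugf("Configuring instance type for AWS")
		instanceType = conf.Provider.AWS.InstanceType
	case cloudprovider.Azure:
		c.log.Debugf("Configuring instance type for Azure")
		instanceType = conf.Provider.Azure.InstanceType
	case cloudprovider.GCP:
		c.log.Debugf("Configuring instance type for GCP")
		instanceType = conf.Provider.GCP.InstanceType
	case cloudprovider.OpenStack:
		c.log.Debugf("Configuring instance type for OpenStack")
		instanceType = conf.Provider.OpenStack.FlavorID
	case cloudprovider.QEMU:
		c.log.Debugf("Configuring instance type for QEMU")
		cpus := conf.Provider.QEMU.VCPUs
		instanceType = fmt.Sprintf("%d-vCPU", cpus)
	}
	c.log.Debugf("Configured with instance type %q", instanceType)

	if !flags.yes {
		// Ask user to confirm action.
		cmd.Printf("The following Constellation cluster will be created:\n")
		cmd.Printf("%d control-plane node%s of type %s will be created.\n", flags.controllerCount, isPlural(flags.controllerCount), instanceType)
		cmd.Printf("%d worker node%s of type %s will be created.\n", flags.workerCount, isPlural(flags.workerCount), instanceType)
		ok, err := askToConfirm(cmd, "Do you want to create this cluster?")
		if err != nil {
			return err
		}
		if !ok {
			cmd.Println("The creation of the cluster was aborted.")
			return nil
		}
	}

	spinner.Start("Creating", false)
	opts := cloudcmd.CreateOptions{
		Provider:          provider,
		Config:            conf,
		InsType:           instanceType,
		ControlPlaneCount: flags.controllerCount,
		WorkerCount:       flags.workerCount,
		TFLogLevel:        flags.tfLogLevel,
	}
	idFile, err := creator.Create(cmd.Context(), opts)
	spinner.Stop()
	if err != nil {
		return translateCreateErrors(cmd, err)
	}
	c.log.Debugf("Successfully created the cloud resources for the cluster")

	if err := fileHandler.WriteJSON(constants.ClusterIDsFileName, idFile, file.OptNone); err != nil {
		// The cloud resources exist at this point; without the IDs file the user
		// has no local record of them, so state explicitly what has to be cleaned up.
		cmd.PrintErrf("\nCloud resources have been created, but the cluster IDs file %q could not be written. Run \"constellation terminate\" to clean them up.\n", constants.ClusterIDsFileName)
		return fmt.Errorf("writing cluster IDs file %q: %w", constants.ClusterIDsFileName, err)
	}

	cmd.Println("Your Constellation cluster was created successfully.")
	return nil
}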
// parseCreateFlags reads and validates the flags of the create command.
//
// Node counts below constants.MinControllerCount / constants.MinWorkerCount
// and an unparsable Terraform log level are rejected. Every flag lookup
// failure is wrapped with the name of the flag being parsed. Each parsed
// value is traced at debug level.
func (c *createCmd) parseCreateFlags(cmd *cobra.Command) (createFlags, error) {
	flagSet := cmd.Flags()
	// lookupErr wraps a flag-lookup failure; the message reads "parsing <what>: <err>".
	lookupErr := func(what string, err error) (createFlags, error) {
		return createFlags{}, fmt.Errorf("parsing %s: %w", what, err)
	}

	controlPlanes, err := flagSet.GetInt("control-plane-nodes")
	if err != nil {
		return lookupErr("number of control-plane nodes", err)
	}
	c.log.Debugf("Control-plane nodes flag is %d", controlPlanes)
	if controlPlanes < constants.MinControllerCount {
		return createFlags{}, fmt.Errorf("number of control-plane nodes must be at least %d", constants.MinControllerCount)
	}

	workers, err := flagSet.GetInt("worker-nodes")
	if err != nil {
		return lookupErr("number of worker nodes", err)
	}
	c.log.Debugf("Worker nodes flag is %d", workers)
	if workers < constants.MinWorkerCount {
		return createFlags{}, fmt.Errorf("number of worker nodes must be at least %d", constants.MinWorkerCount)
	}

	skipConfirmation, err := flagSet.GetBool("yes")
	if err != nil {
		return lookupErr("yes bool", err)
	}
	c.log.Debugf("Yes flag is %t", skipConfirmation)

	configPath, err := flagSet.GetString("config")
	if err != nil {
		return lookupErr("config path argument", err)
	}
	c.log.Debugf("Configuration path flag is %q", configPath)

	force, err := flagSet.GetBool("force")
	if err != nil {
		return lookupErr("force argument", err)
	}
	c.log.Debugf("force flag is %t", force)

	rawLogLevel, err := flagSet.GetString("tf-log")
	if err != nil {
		return lookupErr("tf-log string", err)
	}
	tfLogLevel, err := terraform.ParseLogLevel(rawLogLevel)
	if err != nil {
		return createFlags{}, fmt.Errorf("parsing Terraform log level %s: %w", rawLogLevel, err)
	}
	c.log.Debugf("Terraform logs will be written into %s at level %s", constants.TerraformLogFile, tfLogLevel.String())

	return createFlags{
		controllerCount: controlPlanes,
		workerCount:     workers,
		configPath:      configPath,
		tfLogLevel:      tfLogLevel,
		force:           force,
		yes:             skipConfirmation,
	}, nil
}
// createFlags contains the parsed flags of the create command.
type createFlags struct {
	// controllerCount is the --control-plane-nodes value; at least constants.MinControllerCount.
	controllerCount int
	// workerCount is the --worker-nodes value; at least constants.MinWorkerCount.
	workerCount int
	// configPath is the --config value, the path the configuration is loaded from.
	configPath string
	// tfLogLevel is the parsed --tf-log value passed on to the cloud creator.
	tfLogLevel terraform.LogLevel
	// force is the --force value, forwarded to config.New.
	force bool
	// yes is the --yes value; when set, the confirmation prompt is skipped.
	yes bool
}
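// checkDirClean checks if files of a previous Constellation are left in the current working dir.
//
// It refuses to continue if the admin configuration, the master secret or the
// cluster IDs file is present, so none of them can be overwritten by a new
// cluster. Only fs.ErrNotExist from Stat counts as "absent": any other Stat
// failure (e.g. a permission error) is returned as such instead of being
// reported as "file already exists", while still blocking the create.
func (c *createCmd) checkDirClean(fileHandler file.Handler) error {
	c.log.Debugf("Checking admin configuration file")
	if present, err := leftoverPresent(fileHandler, constants.AdminConfFilename); err != nil {
		return err
	} else if present {
		return fmt.Errorf("file '%s' already exists in working directory, run 'constellation terminate' before creating a new one", constants.AdminConfFilename)
	}

	c.log.Debugf("Checking master secrets file")
	if present, err := leftoverPresent(fileHandler, constants.MasterSecretFilename); err != nil {
		return err
	} else if present {
		return fmt.Errorf("file '%s' already exists in working directory. Constellation won't overwrite previous master secrets. Move it somewhere or delete it before creating a new cluster", constants.MasterSecretFilename)
	}

	c.log.Debugf("Checking cluster IDs file")
	if present, err := leftoverPresent(fileHandler, constants.ClusterIDsFileName); err != nil {
		return err
	} else if present {
		return fmt.Errorf("file '%s' already exists in working directory. Constellation won't overwrite previous cluster IDs. Move it somewhere or delete it before creating a new cluster", constants.ClusterIDsFileName)
	}

	return nil
}

// leftoverPresent reports whether name exists in the working directory.
// A Stat error other than fs.ErrNotExist is returned wrapped, so the caller
// fails closed without misreporting the file as existing.
func leftoverPresent(fileHandler file.Handler, name string) (bool, error) {
	_, err := fileHandler.Stat(name)
	switch {
	case err == nil:
		return true, nil
	case errors.Is(err, fs.ErrNotExist):
		return false, nil
	default:
		return false, fmt.Errorf("checking for '%s' in working directory: %w", name, err)
	}
}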
// translateCreateErrors prints user-facing guidance to stderr for the two
// known Terraform workspace errors and returns err unchanged. Any other error
// is passed through without output.
func translateCreateErrors(cmd *cobra.Command, err error) error {
	var problem, cause string
	switch {
	case errors.Is(err, terraform.ErrTerraformWorkspaceDifferentFiles):
		problem = "\nYour current working directory contains an existing Terraform workspace which does not match the expected state."
		cause = "This can be due to a mix up between providers, versions or an otherwise corrupted workspace."
	case errors.Is(err, terraform.ErrTerraformWorkspaceExistsWithDifferentVariables):
		problem = "\nYour current working directory contains an existing Terraform workspace which was initiated with different input variables."
		cause = "This can be the case if you have tried to create a cluster before with different options which did not complete, or the workspace is corrupted."
	default:
		return err
	}

	cmd.PrintErrln(problem)
	cmd.PrintErrln(cause)
	// Both workspace problems share the same remediation steps.
	cmd.PrintErrln("Before creating a new cluster, try \"constellation terminate\".")
	cmd.PrintErrf("If this does not work, either move or delete the directory %q.\n", constants.TerraformWorkingDir)
	cmd.PrintErrln("Please only delete the directory if you made sure that all created cloud resources have been terminated.")
	return err
}
// isPlural returns the plural suffix "s" for every count except exactly one,
// for which it returns the empty string.
func isPlural(count int) string {
	switch count {
	case 1:
		return ""
	default:
		return "s"
	}
}
// must panics with err if it is non-nil. It is used during flag setup in
// NewCreateCmd, where a failure indicates a programming error (e.g. marking an
// unknown flag as required) rather than a runtime condition.
func must(err error) {
	if err == nil {
		return
	}
	panic(err)
}