/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
/*
Package constants contains the constants used by Constellation.
Constants should never be overwritable by command line flags or configuration files.
*/
package constants
import (
"time"
)
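const (
	//
	// Constellation.
	//

	// ConstellationNameLength is the maximum length of a Constellation's name.
	ConstellationNameLength = 37
	// AWSConstellationNameLength is the maximum length of a Constellation's name on AWS.
	// It is stricter than ConstellationNameLength, so name validation must pick the
	// provider-specific limit.
	AWSConstellationNameLength = 10
	// ConstellationMasterSecretStoreName is the name for the Constellation secrets in Kubernetes.
	// The Secret carries the master secret and its salt under ConstellationMasterSecretKey and
	// ConstellationSaltKey. NOTE(review): read access to this Secret presumably yields the
	// cluster's master secret itself; RBAC on it should be at least as tight as the file
	// permissions on MasterSecretFilename.
	ConstellationMasterSecretStoreName = "constellation-mastersecret"
	// ConstellationMasterSecretKey is the name of the key for the master secret in the master secret kubernetes secret.
	ConstellationMasterSecretKey = "mastersecret"
	// ConstellationSaltKey is the name of the key for the salt in the master secret kubernetes secret.
	ConstellationSaltKey = "salt"
	// ConstellationVerifyServiceUserData is the user data that the verification service includes in the attestation.
	ConstellationVerifyServiceUserData = "VerifyService"
	// AttestationVariant is the name of the environment variable that contains the attestation variant.
	AttestationVariant = "CONSTEL_ATTESTATION_VARIANT"

	//
	// Ports.
	//
	// The *NodePort constants are Kubernetes NodePorts, i.e. reachable on every node's
	// address from outside the cluster; the remaining ports are in-cluster or node-local
	// listeners. Two pairs share a number (JoinServicePort/VerifyServicePortGRPC on 9090,
	// KeyServicePort/BootstrapperPort on 9000). NOTE(review): that is only safe while the
	// paired services never share a network namespace (e.g. hostNetwork); re-check if the
	// deployment topology changes.

	// JoinServicePort is the port for reaching the join service within Kubernetes.
	JoinServicePort = 9090
	// JoinServiceNodePort is the port for reaching the join service outside of Kubernetes.
	JoinServiceNodePort = 30090
	// VerifyServicePortHTTP is the HTTP port of the verification service.
	VerifyServicePortHTTP = 8080
	// VerifyServicePortGRPC is the gRPC port of the verification service.
	VerifyServicePortGRPC = 9090
	// VerifyServiceNodePortHTTP is the HTTP NodePort of the verification service.
	VerifyServiceNodePortHTTP = 30080
	// VerifyServiceNodePortGRPC is the gRPC NodePort of the verification service.
	VerifyServiceNodePortGRPC = 30081
	// KeyServicePort is the port the KMS server listens on.
	KeyServicePort = 9000
	// BootstrapperPort is the port the bootstrapper listens on.
	BootstrapperPort = 9000
	// KubernetesPort is the port of the Kubernetes API server.
	KubernetesPort = 6443
	// RecoveryPort is the port of the Constellation recovery server.
	RecoveryPort = 9999
	// DebugdPort is the port of the debugd process.
	DebugdPort = 4000
	// KonnectivityPort is the port of the konnectivity Kubernetes service.
	KonnectivityPort = 8132

	//
	// Filenames.
	//

	// ClusterIDsFileName filename that contains Constellation clusterID and IP.
	ClusterIDsFileName = "constellation-id.json"
	// ConfigFilename filename of Constellation config file.
	ConfigFilename = "constellation-conf.yaml"
	// LicenseFilename filename of Constellation license file.
	LicenseFilename = "constellation.license"
	// AdminConfFilename is the filename of the kubeconfig granting admin access to Constellation.
	// Being an admin credential, it deserves the same handling as MasterSecretFilename.
	AdminConfFilename = "constellation-admin.conf"
	// MasterSecretFilename is the filename of the Constellation master secret.
	// NOTE(review): this file is root secret material for the cluster; the code writing it
	// should create it with owner-only permissions (0600). Confirm at the write site.
	MasterSecretFilename = "constellation-mastersecret.json"
	// TerraformWorkingDir is the directory name for the TerraformClient workspace.
	TerraformWorkingDir = "constellation-terraform"
	// TerraformIAMWorkingDir is the directory name for the Terraform IAM Client workspace.
	TerraformIAMWorkingDir = "constellation-iam-terraform"
	// GCPServiceAccountKeyFile is the file name for the GCP service account key file.
	// This is a cloud credential; treat it like MasterSecretFilename.
	GCPServiceAccountKeyFile = "gcpServiceAccountKey.json"
	// ErrorLog file which contains server errors during init.
	ErrorLog = "constellation-cluster.log"
	// ControlPlaneAdminConfFilename is the path of the Kubernetes admin kubeconfig on a control-plane node.
	ControlPlaneAdminConfFilename = "/etc/kubernetes/admin.conf"
	// BinDir is the directory into which Constellation installs its Kubernetes binaries
	// (kubectl, kubeadm, kubelet; see the *Path constants below).
	BinDir = "/run/state/bin"
	// KubectlPath is the install path of the kubectl binary.
	KubectlPath = BinDir + "/kubectl"
	// KubeadmPath is the install path of the kubeadm binary.
	KubeadmPath = BinDir + "/kubeadm"
	// KubeletPath is the install path of the kubelet binary.
	KubeletPath = BinDir + "/kubelet"
	// CniPluginsDir is the directory holding the CNI plugins.
	CniPluginsDir = "/opt/cni/bin"
	// UpgradeAgentSocketPath is the path to the UDS that is used for the gRPC connection to the upgrade agent.
	UpgradeAgentSocketPath = "/run/constellation-upgrade-agent.sock"
	// UpgradeAgentMountPath is the path inside the operator container where the UDS is mounted.
	// It differs from UpgradeAgentSocketPath on purpose: this is the container-side view of
	// the same socket.
	UpgradeAgentMountPath = "/etc/constellation-upgrade-agent.sock"

	//
	// Filenames for Constellation's micro services.
	//

	// ServiceBasePath is the base path for the mounted micro service's files.
	ServiceBasePath = "/var/config"
	// AttestationConfigFilename is the filename of the config used for CC validation.
	AttestationConfigFilename = "attestationConfig"
	// MeasurementSaltFilename is the filename of the salt used in creation of the clusterID.
	MeasurementSaltFilename = "measurementSalt"
	// MeasurementSecretFilename is the filename of the secret used in creation of the clusterID.
	MeasurementSecretFilename = "measurementSecret"

	// K8sVersionFieldName is the name of the key holding the wanted Kubernetes version.
	K8sVersionFieldName = "cluster-version"
	// ComponentsListKey is the name of the key holding the list of components in the components configMap.
	ComponentsListKey = "components"
	// NodeVersionResourceName resource name used for NodeVersion in constellation-operator and CLI.
	NodeVersionResourceName = "constellation-version"
	// NodeKubernetesComponentsAnnotationKey is the name of the annotation holding the reference to the ConfigMap listing all K8s components.
	NodeKubernetesComponentsAnnotationKey = "constellation.edgeless.systems/kubernetes-components"
	// JoiningNodesConfigMapName is the name of the configMap holding the joining nodes with the components hashes the node-operator should annotate the nodes with.
	JoiningNodesConfigMapName = "joining-nodes"

	//
	// CLI.
	//

	// MinControllerCount is the minimum number of control nodes.
	MinControllerCount = 1
	// MinWorkerCount is the minimum number of worker nodes.
	MinWorkerCount = 1
	// EnvVarPrefix is expected prefix for environment variables used to overwrite config parameters.
	EnvVarPrefix = "CONSTELL_"
	// EnvVarAzureClientSecretValue is environment variable to overwrite
	// provider.azure.clientSecretValue, so the secret can be supplied without
	// writing it into ConfigFilename.
	EnvVarAzureClientSecretValue = EnvVarPrefix + "AZURE_CLIENT_SECRET_VALUE"
	// EnvVarOpenStackPassword is environment variable to overwrite
	// provider.openstack.password, so the password can be supplied without
	// writing it into ConfigFilename.
	EnvVarOpenStackPassword = EnvVarPrefix + "OS_PASSWORD"
	// EnvVarNoSpinner is environment variable used to disable the loading indicator (spinner)
	// displayed in Constellation CLI. Any non-empty value, e.g., CONSTELL_NO_SPINNER=1,
	// can be used to disable the spinner.
	EnvVarNoSpinner = EnvVarPrefix + "NO_SPINNER"
	// MiniConstellationUID is a sentinel value for the UID of a mini constellation.
	MiniConstellationUID = "mini"
	// TerraformLogFile is the file name of the Terraform log file.
	TerraformLogFile = "terraform.log"
	// TerraformUpgradePlanFile is the file name of the zipfile created by Terraform plan for Constellation upgrades.
	TerraformUpgradePlanFile = "plan.zip"
	// TerraformUpgradeWorkingDir is the directory name for the Terraform workspace being used in an upgrade.
	TerraformUpgradeWorkingDir = "terraform"
	// TerraformIAMUpgradeWorkingDir is the directory name for the Terraform IAM workspace being used in an upgrade.
	TerraformIAMUpgradeWorkingDir = "terraform-iam"
	// TerraformUpgradeBackupDir is the directory name being used to backup the pre-upgrade state in an upgrade.
	TerraformUpgradeBackupDir = "terraform-backup"
	// TerraformIAMUpgradeBackupDir is the directory name being used to backup the pre-upgrade state of iam in an upgrade.
	TerraformIAMUpgradeBackupDir = "terraform-iam-backup"
	// UpgradeDir is the name of the directory being used for cluster upgrades.
	UpgradeDir = "constellation-upgrade"
	// ControlPlaneDefault is the name of the default control plane worker group.
	ControlPlaneDefault = "control_plane_default"
	// WorkerDefault is the name of the default worker group.
	WorkerDefault = "worker_default"

	//
	// Kubernetes.
	//

	// KubernetesJoinTokenTTL is the time to live for a Kubernetes join token.
	// The token is presumably a kubeadm bootstrap token, i.e. a bearer credential that
	// lets a node join; a short TTL bounds the window in which a leaked token is usable.
	KubernetesJoinTokenTTL = 15 * time.Minute
	// ConstellationNamespace namespace to deploy Constellation components into.
	ConstellationNamespace = "kube-system"
	// JoinConfigMap k8s config map with node join config.
	JoinConfigMap = "join-config"
	// InternalConfigMap k8s config map with internal Constellation config.
	InternalConfigMap = "internal-config"
	// KubeadmConfigMap k8s config map with kubeadm config
	// (holds ClusterConfiguration).
	KubeadmConfigMap = "kubeadm-config"
	// ClusterConfigurationKey key in kubeadm config map with ClusterConfiguration.
	ClusterConfigurationKey = "ClusterConfiguration"

	//
	// Helm.
	//

	// HelmNamespace namespace for helm charts. It currently equals ConstellationNamespace
	// but is kept as a separate constant.
	HelmNamespace = "kube-system"

	//
	// Releases.
	//

	// CDNRepositoryURL is the base URL of the Constellation CDN artifact repository.
	CDNRepositoryURL = "https://cdn.confidential.cloud"
	// CDNAPIBase is the (un-versioned) prefix of the Constellation API.
	CDNAPIBase = "constellation"
	// CDNAPIPrefix is the prefix of the Constellation API (v1).
	CDNAPIPrefix = CDNAPIBase + "/v1"
	// CDNAPIPrefixV2 is the prefix of the Constellation API (v2).
	CDNAPIPrefixV2 = CDNAPIBase + "/v2"
	// CDNAttestationConfigPrefixV1 is the prefix of the Constellation AttestationConfig API (v1).
	CDNAttestationConfigPrefixV1 = CDNAPIPrefix + "/attestation"
	// CDNMeasurementsFile is name of file containing image measurements.
	CDNMeasurementsFile = "measurements.json"
	// CDNMeasurementsSignature is the name of the detached signature file for CDNMeasurementsFile.
	// NOTE(review): presumably verified against one of the Cosign public keys below; the
	// integrity of the measurements must not rest on TLS to the CDN alone.
	CDNMeasurementsSignature = CDNMeasurementsFile + ".sig"
	// CDNDefaultDistributionID is the default CloudFront distribution ID to use.
	CDNDefaultDistributionID = "E1H77EZTHC3NE4"

	//
	// PKI.
	//
	// The PEM blocks below are pinned trust anchors: whatever verifies against them
	// accepts any artifact signed by the matching private key. Changing a key here changes
	// what every consumer of this package trusts.

	// CosignPublicKeyReleases is the Cosign public key used to verify signatures on
	// Constellation release artifacts.
	CosignPublicKeyReleases = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT
JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==
-----END PUBLIC KEY-----
`
	// CosignPublicKeyDev is the Cosign public key used to verify signatures on
	// development builds. NOTE(review): which key a binary trusts is decided by the
	// callers, not here; confirm that release builds never fall back to this key.
	CosignPublicKeyDev = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELcPl4Ik+qZuH4K049wksoXK/Os3Z
b92PDCpM7FZAINQF88s1TZS/HmRXYk62UJ4eqPduvUnJmXhNikhLbMi6fw==
-----END PUBLIC KEY-----
`
)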
// VersionInfo returns the version of a binary.
//
// The value is the unexported package variable versionInfo, which is set at
// build time; exposing it only through this getter keeps other packages from
// changing the reported version at run time.
func VersionInfo() string {
	return versionInfo
}
// Timestamp returns the commit timestamp of a binary.
//
// The value is the unexported package variable timestamp, set at build time;
// it is exposed read-only through this getter.
func Timestamp() string {
	return timestamp
}
// Commit returns the commit hash of a binary.
//
// The value is the unexported package variable commit, set at build time;
// it is exposed read-only through this getter.
func Commit() string {
	return commit
}
// State returns the git state of the working directory.
//
// The value is the unexported package variable state, set at build time;
// it is exposed read-only through this getter.
func State() string {
	return state
}
// Build metadata. These are variables rather than constants so the build can
// override them (presumably via the linker's -X flag, which only works on
// string variables). The defaults are deliberate placeholders that identify
// a binary built without version stamping.
//
// NOTE(review): code that gates behaviour on these values (e.g. upgrade
// compatibility checks) should treat the placeholder defaults as "unknown"
// rather than as a genuine release; confirm at the call sites.
var (
	// versionInfo is the version of a binary. Left as a separate variable to allow override during build.
	// "0.0.0" marks an unstamped build.
	versionInfo = "0.0.0"
	// timestamp is the commit timestamp of a binary. Left as a separate variable to allow override during build.
	// The Unix epoch marks an unstamped build.
	timestamp = "1970-01-01T00:00:00Z"
	// commit is the commit hash of a binary. Left as a separate variable to allow override during build.
	// The all-zero hash marks an unstamped build.
	commit = "0000000000000000000000000000000000000000"
	// state is the git state of the working directory. Left as a separate variable to allow override during build.
	state = "unknown"
)