package config

v2.20.0
Published: Dec 3, 2024 License: AGPL-3.0 Imports: 37 Imported by: 0

Documentation

Overview

Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only

Definitions for Constellation's user config file.

The config file is used by the CLI to create and manage a Constellation cluster.

All config relevant definitions, parsing and validation functions should go here.

Constants

const (
	// Version4 is the fourth version number for Constellation config file.
	Version4 = "v4"
)

Variables

var (
	ConfigDoc                          encoder.Doc
	ProviderConfigDoc                  encoder.Doc
	AWSConfigDoc                       encoder.Doc
	AzureConfigDoc                     encoder.Doc
	GCPConfigDoc                       encoder.Doc
	OpenStackConfigDoc                 encoder.Doc
	QEMUConfigDoc                      encoder.Doc
	AttestationConfigDoc               encoder.Doc
	NodeGroupDoc                       encoder.Doc
	UnsupportedAppRegistrationErrorDoc encoder.Doc
	SNPFirmwareSignerConfigDoc         encoder.Doc
	GCPSEVESDoc                        encoder.Doc
	GCPSEVSNPDoc                       encoder.Doc
	QEMUVTPMDoc                        encoder.Doc
	QEMUTDXDoc                         encoder.Doc
	AWSSEVSNPDoc                       encoder.Doc
	AWSNitroTPMDoc                     encoder.Doc
	AzureSEVSNPDoc                     encoder.Doc
	AzureTrustedLaunchDoc              encoder.Doc
	AzureTDXDoc                        encoder.Doc
)

Functions

func GetConfigurationDoc

func GetConfigurationDoc() *encoder.FileDoc

GetConfigurationDoc returns documentation for the file ./config_doc.go.

func ValidateAWSRegion added in v2.9.0

func ValidateAWSRegion(region string) bool

ValidateAWSRegion validates that the region is in the correct format.

func ValidateAWSZone added in v2.9.0

func ValidateAWSZone(zone string) bool

ValidateAWSZone validates that the zone is in the correct format.

func ValidateAzureZone added in v2.10.0

func ValidateAzureZone(zone string) bool

ValidateAzureZone validates that the zone is in the correct format.

func ValidateGCPZone added in v2.10.0

func ValidateGCPZone(zone string) bool

ValidateGCPZone validates that the zone is in the correct format.

func ValidateMicroserviceVersion added in v2.15.0

func ValidateMicroserviceVersion(binaryVersion, version consemver.Semver) error

ValidateMicroserviceVersion checks that the version of the microservice is compatible with the binary version.

func ValidateOpenStackRegion added in v2.10.0

func ValidateOpenStackRegion(region string) bool

ValidateOpenStackRegion validates that the region is in the correct format.

Types

type AWSConfig added in v2.2.0

type AWSConfig struct {
	// description: |
	//   AWS data center region. See: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions
	Region string `yaml:"region" validate:"required,aws_region"`
	// description: |
	//   AWS data center zone name in defined region. See: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones
	Zone string `yaml:"zone" validate:"required,aws_zone"`
	// description: |
	//   Name of the IAM profile to use for the control-plane nodes.
	IAMProfileControlPlane string `yaml:"iamProfileControlPlane" validate:"required"`
	// description: |
	//   Name of the IAM profile to use for the worker nodes.
	IAMProfileWorkerNodes string `yaml:"iamProfileWorkerNodes" validate:"required"`
	// description: |
	//   Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
	DeployCSIDriver *bool `yaml:"deployCSIDriver" validate:"required"`
	// description: |
	//   Use the specified AWS Marketplace image offering.
	UseMarketplaceImage *bool `yaml:"useMarketplaceImage" validate:"omitempty"`
}

AWSConfig are AWS specific configuration values used by the CLI.

func (AWSConfig) Doc added in v2.2.0

func (_ AWSConfig) Doc() *encoder.Doc

type AWSNitroTPM added in v2.8.0

type AWSNitroTPM struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}

AWSNitroTPM is the configuration for AWS Nitro TPM attestation.

func (AWSNitroTPM) Doc added in v2.8.0

func (_ AWSNitroTPM) Doc() *encoder.Doc

func (AWSNitroTPM) EqualTo added in v2.8.0

func (c AWSNitroTPM) EqualTo(other AttestationCfg) (bool, error)

EqualTo returns true if the config is equal to the given config.

func (AWSNitroTPM) GetMeasurements added in v2.8.0

func (c AWSNitroTPM) GetMeasurements() measurements.M

GetMeasurements returns the measurements used for attestation.

func (AWSNitroTPM) GetVariant added in v2.8.0

func (AWSNitroTPM) GetVariant() variant.Variant

GetVariant returns aws-nitro-tpm as the variant.

func (*AWSNitroTPM) SetMeasurements added in v2.8.0

func (c *AWSNitroTPM) SetMeasurements(m measurements.M)

SetMeasurements updates a config's measurements using the given measurements.

type AWSSEVSNP added in v2.9.0

type AWSSEVSNP struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
	// description: |
	//   Lowest acceptable bootloader version.
	BootloaderVersion AttestationVersion[uint8] `json:"bootloaderVersion" yaml:"bootloaderVersion"`
	// description: |
	//   Lowest acceptable TEE version.
	TEEVersion AttestationVersion[uint8] `json:"teeVersion" yaml:"teeVersion"`
	// description: |
	//   Lowest acceptable SEV-SNP version.
	SNPVersion AttestationVersion[uint8] `json:"snpVersion" yaml:"snpVersion"`
	// description: |
	//   Lowest acceptable microcode version.
	MicrocodeVersion AttestationVersion[uint8] `json:"microcodeVersion" yaml:"microcodeVersion"`
	// description: |
	//   AMD Root Key certificate used to verify the SEV-SNP certificate chain.
	AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
	// description: |
	//   AMD Signing Key certificate used to verify the SEV-SNP VCEK / VLEK certificate.
	AMDSigningKey Certificate `json:"amdSigningKey,omitempty" yaml:"amdSigningKey,omitempty"`
}

AWSSEVSNP is the configuration for AWS SEV-SNP attestation.

func DefaultForAWSSEVSNP added in v2.14.0

func DefaultForAWSSEVSNP() *AWSSEVSNP

DefaultForAWSSEVSNP provides a valid default configuration for AWS SEV-SNP attestation.

func (AWSSEVSNP) Doc added in v2.9.0

func (_ AWSSEVSNP) Doc() *encoder.Doc

func (AWSSEVSNP) EqualTo added in v2.9.0

func (c AWSSEVSNP) EqualTo(other AttestationCfg) (bool, error)

EqualTo returns true if the config is equal to the given config.

func (*AWSSEVSNP) FetchAndSetLatestVersionNumbers added in v2.14.0

func (c *AWSSEVSNP) FetchAndSetLatestVersionNumbers(ctx context.Context, fetcher attestationconfigapi.Fetcher) error

FetchAndSetLatestVersionNumbers fetches the latest version numbers from the configapi and sets them.

func (AWSSEVSNP) GetMeasurements added in v2.9.0

func (c AWSSEVSNP) GetMeasurements() measurements.M

GetMeasurements returns the measurements used for attestation.

func (AWSSEVSNP) GetVariant added in v2.9.0

func (AWSSEVSNP) GetVariant() variant.Variant

GetVariant returns aws-sev-snp as the variant.

func (*AWSSEVSNP) SetMeasurements added in v2.9.0

func (c *AWSSEVSNP) SetMeasurements(m measurements.M)

SetMeasurements updates a config's measurements using the given measurements.

type AttestationCfg added in v2.8.0

type AttestationCfg interface {
	// GetMeasurements returns the measurements that should be used for attestation.
	GetMeasurements() measurements.M
	// SetMeasurements updates a config's measurements using the given measurements.
	SetMeasurements(m measurements.M)
	// GetVariant returns the variant of the attestation config.
	GetVariant() variant.Variant
	// EqualTo returns true if the config is equal to the given config.
	// If the variant differs, an error must be returned.
	EqualTo(AttestationCfg) (bool, error)
}

AttestationCfg is the common interface for passing attestation configs.

func UnmarshalAttestationConfig added in v2.8.0

func UnmarshalAttestationConfig(data []byte, attestVariant variant.Variant) (AttestationCfg, error)

UnmarshalAttestationConfig unmarshals the config file into the correct type.
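The contract of AttestationCfg has one security-relevant rule: EqualTo must return an error, not merely false, when the variants differ, so a config for one attestation variant can never be mistaken for a matching config of another. The following is an added example, not code from the Constellation repository: it implements the interface for two of the page's measurement-only variants with a small stand-in Measurements type and a Variant string, and dispatches UnmarshalAttestationConfig by variant with strict JSON decoding. The project's real measurements.M and variant.Variant types, and whether its decoder rejects unknown fields, are not shown on the page, so those parts are this example's assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// Variant names an attestation variant. Constructed stand-in for the project's
// variant.Variant type; the string values are the ones the GetVariant docs name.
type Variant string

const (
	VariantAWSNitroTPM Variant = "aws-nitro-tpm"
	VariantGCPSEVES    Variant = "gcp-sev-es"
)

// Measurements maps a PCR index to its expected digest (stand-in for measurements.M).
type Measurements map[uint32][]byte

// Equal reports whether both sets contain the same PCRs with identical digests.
func (m Measurements) Equal(o Measurements) bool {
	if len(m) != len(o) {
		return false
	}
	for pcr, want := range m {
		if got, ok := o[pcr]; !ok || !bytes.Equal(want, got) {
			return false
		}
	}
	return true
}

// AttestationCfg is the interface from the page: comparing configs of
// different variants must fail with an error rather than return false.
type AttestationCfg interface {
	GetMeasurements() Measurements
	SetMeasurements(m Measurements)
	GetVariant() Variant
	EqualTo(AttestationCfg) (bool, error)
}

// ErrVariantMismatch is returned by EqualTo when the variants differ.
var ErrVariantMismatch = errors.New("attestation variant mismatch")

// equalMeasurements is the shared EqualTo logic for measurement-only variants.
func equalMeasurements(v Variant, m Measurements, other AttestationCfg) (bool, error) {
	if v != other.GetVariant() {
		return false, fmt.Errorf("%w: %s vs %s", ErrVariantMismatch, v, other.GetVariant())
	}
	return m.Equal(other.GetMeasurements()), nil
}

// AWSNitroTPM and GCPSEVES carry only expected TPM measurements, as on the page.
type AWSNitroTPM struct {
	Measurements Measurements `json:"measurements"`
}

func (c AWSNitroTPM) GetMeasurements() Measurements          { return c.Measurements }
func (c *AWSNitroTPM) SetMeasurements(m Measurements)        { c.Measurements = m }
func (AWSNitroTPM) GetVariant() Variant                      { return VariantAWSNitroTPM }
func (c AWSNitroTPM) EqualTo(o AttestationCfg) (bool, error) { return equalMeasurements(VariantAWSNitroTPM, c.Measurements, o) }

type GCPSEVES struct {
	Measurements Measurements `json:"measurements"`
}

func (c GCPSEVES) GetMeasurements() Measurements          { return c.Measurements }
func (c *GCPSEVES) SetMeasurements(m Measurements)        { c.Measurements = m }
func (GCPSEVES) GetVariant() Variant                      { return VariantGCPSEVES }
func (c GCPSEVES) EqualTo(o AttestationCfg) (bool, error) { return equalMeasurements(VariantGCPSEVES, c.Measurements, o) }

// UnmarshalAttestationConfig selects the concrete type from the variant and
// decodes strictly: unknown keys are rejected so a misspelled "measurements"
// key cannot silently produce a config with no expected values, and an empty
// measurement set is refused as well (fail closed; this strictness is an
// assumption of the example, not documented behaviour of the project).
func UnmarshalAttestationConfig(data []byte, v Variant) (AttestationCfg, error) {
	var cfg AttestationCfg
	switch v {
	case VariantAWSNitroTPM:
		cfg = &AWSNitroTPM{}
	case VariantGCPSEVES:
		cfg = &GCPSEVES{}
	default:
		return nil, fmt.Errorf("unsupported attestation variant %q", v)
	}
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	if err := dec.Decode(cfg); err != nil {
		return nil, fmt.Errorf("decoding %s config: %w", v, err)
	}
	if len(cfg.GetMeasurements()) == 0 {
		return nil, fmt.Errorf("%s config contains no measurements", v)
	}
	return cfg, nil
}
```

The pointer-receiver SetMeasurements means only `*AWSNitroTPM` and `*GCPSEVES` satisfy the interface, which is why the dispatcher allocates pointers; callers that compare an on-disk config against a freshly fetched one should check `errors.Is(err, ErrVariantMismatch)` separately from the boolean, since a mismatch is a configuration error rather than a benign "not equal".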

type AttestationConfig added in v2.8.0

type AttestationConfig struct {
	// description: |
	//   AWS SEV-SNP attestation.
	AWSSEVSNP *AWSSEVSNP `yaml:"awsSEVSNP,omitempty" validate:"omitempty"`
	// description: |
	//   AWS Nitro TPM attestation.
	AWSNitroTPM *AWSNitroTPM `yaml:"awsNitroTPM,omitempty" validate:"omitempty"`
	// description: |
	//   Azure SEV-SNP attestation.\nFor details see: https://docs.edgeless.systems/constellation/architecture/attestation#cvm-verification
	AzureSEVSNP *AzureSEVSNP `yaml:"azureSEVSNP,omitempty" validate:"omitempty"`
	// description: |
	//   Azure TDX attestation.
	AzureTDX *AzureTDX `yaml:"azureTDX,omitempty" validate:"omitempty"`
	// description: |
	//   Azure TPM attestation (Trusted Launch).
	AzureTrustedLaunch *AzureTrustedLaunch `yaml:"azureTrustedLaunch,omitempty" validate:"omitempty"`
	// description: |
	//   GCP SEV-ES attestation.
	GCPSEVES *GCPSEVES `yaml:"gcpSEVES,omitempty" validate:"omitempty"`
	// description: |
	//   GCP SEV-SNP attestation.
	GCPSEVSNP *GCPSEVSNP `yaml:"gcpSEVSNP,omitempty" validate:"omitempty"`
	// description: |
	//   QEMU TDX attestation.
	QEMUTDX *QEMUTDX `yaml:"qemuTDX,omitempty" validate:"omitempty"`
	// description: |
	//   QEMU vTPM attestation.
	QEMUVTPM *QEMUVTPM `yaml:"qemuVTPM,omitempty" validate:"omitempty"`
}

AttestationConfig holds the configuration values used for attestation. Fields should remain pointer types so that provider-specific configs can set the ones they do not need to nil.

func (AttestationConfig) Doc added in v2.8.0

func (_ AttestationConfig) Doc() *encoder.Doc

type AttestationVersion added in v2.8.0

type AttestationVersion[T versionValue] struct {
	Value      T
	WantLatest bool
}

AttestationVersion holds version information.

func NewLatestPlaceholderVersion added in v2.8.0

func NewLatestPlaceholderVersion[T versionValue]() AttestationVersion[T]

NewLatestPlaceholderVersion returns the latest version with a placeholder version value.

func (AttestationVersion[T]) MarshalJSON added in v2.8.0

func (v AttestationVersion[T]) MarshalJSON() ([]byte, error)

MarshalJSON implements a custom marshaller to write "latest" as the type's value, if set.

func (AttestationVersion[T]) MarshalYAML added in v2.8.0

func (v AttestationVersion[T]) MarshalYAML() (any, error)

MarshalYAML implements a custom marshaller to write "latest" as the type's value, if set.

func (*AttestationVersion[T]) UnmarshalJSON added in v2.8.0

func (v *AttestationVersion[T]) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON implements a custom unmarshaller to resolve "latest" values.

func (*AttestationVersion[T]) UnmarshalYAML added in v2.8.0

func (v *AttestationVersion[T]) UnmarshalYAML(unmarshal func(any) error) error

UnmarshalYAML implements a custom unmarshaller to resolve "latest" values.
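The "latest" placeholder is the mechanism that lets a config file say "accept the newest known TCB level" without hard-coding a number, and the marshallers above are what make that round-trip. The block below is an added example written for this page, not the project's own code: it reimplements a generic AttestationVersion with JSON marshalling (YAML is omitted to keep to the standard library), a minimal stand-in for the attestationconfigapi.Fetcher used by FetchAndSetLatestVersionNumbers, and the resolution step that fills in only the fields marked "latest". The versionValue constraint, the snpVersions struct, the latestFetcher interface and staticFetcher are assumptions of the example; the page does not show them.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
)

// versionValue is the constraint this example assumes for the unexported one on
// the page: the unsigned widths used for SEV-SNP (uint8) and TDX SVNs (uint16).
type versionValue interface{ ~uint8 | ~uint16 }

// AttestationVersion holds a minimum accepted version. WantLatest records that
// the config file said "latest" and the value still has to be resolved.
type AttestationVersion[T versionValue] struct {
	Value      T
	WantLatest bool
}

// NewLatestPlaceholderVersion returns a version that serialises as "latest".
func NewLatestPlaceholderVersion[T versionValue]() AttestationVersion[T] {
	return AttestationVersion[T]{WantLatest: true}
}

// MarshalJSON writes the string "latest" when WantLatest is set, else the number,
// so a config whose values were resolved in memory is written back as "latest".
func (v AttestationVersion[T]) MarshalJSON() ([]byte, error) {
	if v.WantLatest {
		return json.Marshal("latest")
	}
	return json.Marshal(v.Value)
}

// UnmarshalJSON accepts the string "latest" or an in-range number. Any other
// string is an error: a typo such as "lastest" must not decay into version 0,
// which would accept every firmware level.
func (v *AttestationVersion[T]) UnmarshalJSON(data []byte) error {
	var s string
	if err := json.Unmarshal(data, &s); err == nil {
		if s != "latest" {
			return fmt.Errorf("invalid version %q: expected \"latest\" or a number", s)
		}
		*v = NewLatestPlaceholderVersion[T]()
		return nil
	}
	var n uint64
	if err := json.Unmarshal(data, &n); err != nil {
		return fmt.Errorf("version must be a non-negative integer or \"latest\": %w", err)
	}
	if n > uint64(^T(0)) {
		return fmt.Errorf("version %d exceeds the maximum %d for this field", n, ^T(0))
	}
	*v = AttestationVersion[T]{Value: T(n)}
	return nil
}

// snpVersions and latestFetcher are the minimal stand-ins this example assumes
// for what the project's attestationconfigapi.Fetcher returns.
type snpVersions struct{ Bootloader, TEE, SNP, Microcode uint8 }

type latestFetcher interface {
	FetchLatestSNPVersions(ctx context.Context) (snpVersions, error)
}

// staticFetcher returns fixed numbers so the example runs offline (constructed).
type staticFetcher struct{ v snpVersions }

func (f staticFetcher) FetchLatestSNPVersions(context.Context) (snpVersions, error) {
	return f.v, nil
}

// snpConfig holds the four TCB minimums that the page's SEV-SNP configs carry.
type snpConfig struct {
	BootloaderVersion AttestationVersion[uint8] `json:"bootloaderVersion"`
	TEEVersion        AttestationVersion[uint8] `json:"teeVersion"`
	SNPVersion        AttestationVersion[uint8] `json:"snpVersion"`
	MicrocodeVersion  AttestationVersion[uint8] `json:"microcodeVersion"`
}

// FetchAndSetLatestVersionNumbers fills in only the fields marked "latest";
// explicitly pinned values are left untouched, so one component can be pinned
// while the others track the fetcher. WantLatest stays set so that the config
// still serialises as "latest" afterwards (a design choice of this example).
func (c *snpConfig) FetchAndSetLatestVersionNumbers(ctx context.Context, f latestFetcher) error {
	latest, err := f.FetchLatestSNPVersions(ctx)
	if err != nil {
		return fmt.Errorf("fetching latest SNP versions: %w", err)
	}
	set := func(field *AttestationVersion[uint8], v uint8) {
		if field.WantLatest {
			field.Value = v
		}
	}
	set(&c.BootloaderVersion, latest.Bootloader)
	set(&c.TEEVersion, latest.TEE)
	set(&c.SNPVersion, latest.SNP)
	set(&c.MicrocodeVersion, latest.Microcode)
	return nil
}
```

The range check uses `^T(0)`, the maximum of whichever unsigned width the field has, so the same type serves the uint8 SEV-SNP fields and the uint16 TDX SVN fields without a separate validator each.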

type AzureConfig

type AzureConfig struct {
	// description: |
	//   Subscription ID of the used Azure account. See: https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription
	SubscriptionID string `yaml:"subscription" validate:"uuid"`
	// description: |
	//   Tenant ID of the used Azure account. See: https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant
	TenantID string `yaml:"tenant" validate:"uuid"`
	// description: |
	//   Azure datacenter region to be used. See: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#azure-regions-with-availability-zones
	Location string `yaml:"location" validate:"required"`
	// description: |
	//   Resource group for the cluster's resources. Must already exist.
	ResourceGroup string `yaml:"resourceGroup" validate:"required"`
	// description: |
	//   Authorize spawned VMs to access Azure API.
	UserAssignedIdentity string `yaml:"userAssignedIdentity" validate:"required"`
	// description: |
	//   Deploy Azure Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
	DeployCSIDriver *bool `yaml:"deployCSIDriver" validate:"required"`
	// description: |
	//   Enable secure boot for VMs. If enabled, the OS image has to include a virtual machine guest state (VMGS) blob.
	SecureBoot *bool `yaml:"secureBoot" validate:"required"`
	// description: |
	//   Use the specified Azure Marketplace image offering.
	UseMarketplaceImage *bool `yaml:"useMarketplaceImage" validate:"omitempty"`
}

AzureConfig are Azure specific configuration values used by the CLI.

func (AzureConfig) Doc

func (_ AzureConfig) Doc() *encoder.Doc

type AzureSEVSNP added in v2.8.0

type AzureSEVSNP struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
	// description: |
	//   Lowest acceptable bootloader version.
	BootloaderVersion AttestationVersion[uint8] `json:"bootloaderVersion" yaml:"bootloaderVersion"`
	// description: |
	//   Lowest acceptable TEE version.
	TEEVersion AttestationVersion[uint8] `json:"teeVersion" yaml:"teeVersion"`
	// description: |
	//   Lowest acceptable SEV-SNP version.
	SNPVersion AttestationVersion[uint8] `json:"snpVersion" yaml:"snpVersion"`
	// description: |
	//   Lowest acceptable microcode version.
	MicrocodeVersion AttestationVersion[uint8] `json:"microcodeVersion" yaml:"microcodeVersion"`
	// description: |
	//   Configuration for validating the firmware signature.
	FirmwareSignerConfig SNPFirmwareSignerConfig `json:"firmwareSignerConfig" yaml:"firmwareSignerConfig"`
	// description: |
	//   AMD Root Key certificate used to verify the SEV-SNP certificate chain.
	AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
	// description: |
	//   AMD Signing Key certificate used to verify the SEV-SNP VCEK / VLEK certificate.
	AMDSigningKey Certificate `json:"amdSigningKey,omitempty" yaml:"amdSigningKey,omitempty"`
}

AzureSEVSNP is the configuration for Azure SEV-SNP attestation.

func DefaultForAzureSEVSNP added in v2.8.0

func DefaultForAzureSEVSNP() *AzureSEVSNP

DefaultForAzureSEVSNP returns the default configuration for Azure SEV-SNP attestation. Version numbers have placeholder values and the latest available values can be fetched using AzureSEVSNP.FetchAndSetLatestVersionNumbers.

func (AzureSEVSNP) Doc added in v2.9.0

func (_ AzureSEVSNP) Doc() *encoder.Doc

func (AzureSEVSNP) EqualTo added in v2.8.0

func (c AzureSEVSNP) EqualTo(old AttestationCfg) (bool, error)

EqualTo returns true if the config is equal to the given config.

func (*AzureSEVSNP) FetchAndSetLatestVersionNumbers added in v2.8.0

func (c *AzureSEVSNP) FetchAndSetLatestVersionNumbers(ctx context.Context, fetcher attestationconfigapi.Fetcher) error

FetchAndSetLatestVersionNumbers fetches the latest version numbers from the configapi and sets them.

func (AzureSEVSNP) GetMeasurements added in v2.8.0

func (c AzureSEVSNP) GetMeasurements() measurements.M

GetMeasurements returns the measurements used for attestation.

func (AzureSEVSNP) GetVariant added in v2.8.0

func (AzureSEVSNP) GetVariant() variant.Variant

GetVariant returns azure-sev-snp as the variant.

func (*AzureSEVSNP) SetMeasurements added in v2.8.0

func (c *AzureSEVSNP) SetMeasurements(m measurements.M)

SetMeasurements updates a config's measurements using the given measurements.

type AzureTDX added in v2.15.0

type AzureTDX struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
	// description: |
	//   Minimum required QE security version number (SVN).
	QESVN AttestationVersion[uint16] `json:"qeSVN" yaml:"qeSVN"`
	// description: |
	//   Minimum required PCE security version number (SVN).
	PCESVN AttestationVersion[uint16] `json:"pceSVN" yaml:"pceSVN"`
	// description: |
	//   Component-wise minimum required 16 byte hex-encoded TEE_TCB security version number (SVN).
	TEETCBSVN AttestationVersion[encoding.HexBytes] `json:"teeTCBSVN" yaml:"teeTCBSVN"`
	// description: |
	//   Expected 16 byte hex-encoded QE_VENDOR_ID field.
	QEVendorID AttestationVersion[encoding.HexBytes] `json:"qeVendorID" yaml:"qeVendorID"`
	// description: |
	//   Expected 48 byte hex-encoded MR_SEAM value.
	MRSeam encoding.HexBytes `json:"mrSeam,omitempty" yaml:"mrSeam,omitempty"`
	// description: |
	//   Expected 8 byte hex-encoded eXtended Features Available Mask (XFAM) field. Defaults to the latest available XFAM on Azure VMs. Unset to disable validation.
	XFAM AttestationVersion[encoding.HexBytes] `json:"xfam" yaml:"xfam"`
	// description: |
	//   Intel Root Key certificate used to verify the TDX certificate chain.
	IntelRootKey Certificate `json:"intelRootKey" yaml:"intelRootKey"`
}

AzureTDX is the configuration for Azure TDX attestation.

func DefaultForAzureTDX added in v2.15.0

func DefaultForAzureTDX() *AzureTDX

DefaultForAzureTDX returns the default configuration for Azure TDX attestation.

func (AzureTDX) Doc added in v2.15.0

func (_ AzureTDX) Doc() *encoder.Doc

func (AzureTDX) EqualTo added in v2.15.0

func (c AzureTDX) EqualTo(other AttestationCfg) (bool, error)

EqualTo returns true if the config is equal to the given config.

func (*AzureTDX) FetchAndSetLatestVersionNumbers added in v2.17.0

func (c *AzureTDX) FetchAndSetLatestVersionNumbers(ctx context.Context, fetcher attestationconfigapi.Fetcher) error

FetchAndSetLatestVersionNumbers fetches the latest version numbers from the configapi and sets them.

func (AzureTDX) GetMeasurements added in v2.15.0

func (c AzureTDX) GetMeasurements() measurements.M

GetMeasurements returns the measurements used for attestation.

func (AzureTDX) GetVariant added in v2.15.0

func (AzureTDX) GetVariant() variant.Variant

GetVariant returns azure-tdx as the variant.

func (*AzureTDX) SetMeasurements added in v2.15.0

func (c *AzureTDX) SetMeasurements(m measurements.M)

SetMeasurements updates a config's measurements using the given measurements.

type AzureTrustedLaunch added in v2.8.0

type AzureTrustedLaunch struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}

AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation.

func (AzureTrustedLaunch) Doc added in v2.9.0

func (_ AzureTrustedLaunch) Doc() *encoder.Doc

func (AzureTrustedLaunch) EqualTo added in v2.8.0

func (c AzureTrustedLaunch) EqualTo(other AttestationCfg) (bool, error)

EqualTo returns true if the config is equal to the given config.

func (AzureTrustedLaunch) GetMeasurements added in v2.8.0

func (c AzureTrustedLaunch) GetMeasurements() measurements.M

GetMeasurements returns the measurements used for attestation.

func (AzureTrustedLaunch) GetVariant added in v2.8.0

func (AzureTrustedLaunch) GetVariant() variant.Variant

GetVariant returns azure-trusted-launch as the variant.

func (*AzureTrustedLaunch) SetMeasurements added in v2.8.0

func (c *AzureTrustedLaunch) SetMeasurements(m measurements.M)

SetMeasurements updates a config's measurements using the given measurements.

type Certificate added in v2.8.0

type Certificate x509.Certificate

Certificate is a wrapper around x509.Certificate allowing custom marshaling.

func (Certificate) Equal added in v2.14.0

func (c Certificate) Equal(other Certificate) bool

Equal returns true if the embedded Raw values are equal.

func (Certificate) MarshalJSON added in v2.8.0

func (c Certificate) MarshalJSON() ([]byte, error)

MarshalJSON marshals the certificate to PEM.

func (Certificate) MarshalYAML added in v2.8.0

func (c Certificate) MarshalYAML() (any, error)

MarshalYAML marshals the certificate to PEM.

func (*Certificate) UnmarshalJSON added in v2.8.0

func (c *Certificate) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals the certificate from PEM.

func (*Certificate) UnmarshalYAML added in v2.8.0

func (c *Certificate) UnmarshalYAML(unmarshal func(any) error) error

UnmarshalYAML unmarshals the certificate from PEM.
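A root certificate in an attestation config is the trust anchor for the whole SEV-SNP or TDX certificate chain, so the PEM marshalling described above has to be strict: a value that does not parse as exactly one CERTIFICATE block should fail loudly rather than leave a zero certificate behind. The following is an added example, not the project's code: it defines the same `type Certificate x509.Certificate` wrapper with Equal on the Raw DER bytes and JSON (de)serialisation to and from PEM, and generates a throwaway self-signed CA so the round trip runs offline. That CA, the rootKeyConfig fragment and the rejection of trailing data after the PEM block are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Certificate wraps x509.Certificate so it can sit in a JSON config as one PEM
// string rather than as Go struct fields (same definition as on the page).
type Certificate x509.Certificate

// Equal compares the DER bytes, the representation a verifier actually trusts;
// a field-by-field comparison could miss differences in unparsed extensions.
func (c Certificate) Equal(other Certificate) bool {
	return bytes.Equal(c.Raw, other.Raw)
}

// MarshalJSON emits the certificate as a PEM-encoded JSON string.
func (c Certificate) MarshalJSON() ([]byte, error) {
	if len(c.Raw) == 0 {
		return nil, errors.New("certificate has no DER bytes")
	}
	return json.Marshal(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})))
}

// UnmarshalJSON parses exactly one CERTIFICATE block. Data after the block is
// rejected, so a value carrying two certificates cannot pass as just the first.
func (c *Certificate) UnmarshalJSON(data []byte) error {
	var s string
	if err := json.Unmarshal(data, &s); err != nil {
		return err
	}
	block, rest := pem.Decode([]byte(s))
	switch {
	case block == nil:
		return errors.New("no PEM block found")
	case block.Type != "CERTIFICATE":
		return fmt.Errorf("unexpected PEM block type %q", block.Type)
	case len(bytes.TrimSpace(rest)) != 0:
		return errors.New("trailing data after PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parsing certificate: %w", err)
	}
	*c = Certificate(*cert)
	return nil
}

// rootKeyConfig is a fragment of an attestation config (constructed for the
// example; the field mirrors the amdRootKey field shown on the page).
type rootKeyConfig struct {
	AMDRootKey Certificate `json:"amdRootKey"`
}

// newSelfSignedCA builds a throwaway self-signed CA so the example runs offline;
// it stands in for a vendor root certificate and has no meaning beyond this file.
func newSelfSignedCA(cn string) (Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return Certificate{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Certificate{}, err
	}
	return Certificate(*cert), nil
}
```

Marshalling a `rootKeyConfig` with `json.Marshal` yields `{"amdRootKey":"-----BEGIN CERTIFICATE-----\n..."}`; unmarshalling it back and checking `Equal` against the original confirms that nothing was lost, which is the property the page's EqualTo methods rely on when they compare two configs' root keys.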

type Config

type Config struct {
	// description: |
	//   Schema version of this configuration file.
	Version string `yaml:"version" validate:"eq=v4"`
	// description: |
	//   Machine image version used to create Constellation nodes.
	Image string `yaml:"image" validate:"required,image_compatibility"`
	// description: |
	//   Name of the cluster.
	Name string `yaml:"name" validate:"valid_name,required"`
	// description: |
	//   Kubernetes version to be installed into the cluster.
	KubernetesVersion versions.ValidK8sVersion `yaml:"kubernetesVersion" validate:"required,supported_k8s_version"`
	// description: |
	//   Microservice version to be installed into the cluster. Defaults to the version of the CLI.
	MicroserviceVersion semver.Semver `yaml:"microserviceVersion" validate:"required"`
	// description: |
	//   DON'T USE IN PRODUCTION: enable debug mode and use debug images.
	DebugCluster *bool `yaml:"debugCluster" validate:"required"`
	// description: |
	//   Optional custom endpoint (DNS name) for the Constellation API server.
	//   This can be used to point a custom dns name at the Constellation API server
	//   and is added to the Subject Alternative Name (SAN) field of the TLS certificate used by the API server.
	//   A fallback to DNS name is always available.
	CustomEndpoint string `yaml:"customEndpoint" validate:"omitempty,hostname_rfc1123"`
	// description: |
	//   Flag to enable/disable the internal load balancer. If enabled, the Constellation is only accessible from within the VPC.
	InternalLoadBalancer bool `yaml:"internalLoadBalancer" validate:"omitempty"`
	// description: |
	//   The Kubernetes Service CIDR to be used for the cluster. This value will only be used during the first initialization of the Constellation.
	ServiceCIDR string `yaml:"serviceCIDR" validate:"omitempty,cidrv4"`
	// description: |
	//   Additional tags that are applied to created resources.
	Tags cloudprovider.Tags `yaml:"tags" validate:"omitempty"`
	// description: |
	//   Supported cloud providers and their specific configurations.
	Provider ProviderConfig `yaml:"provider"`
	// description: |
	//   Node groups to be created in the cluster.
	NodeGroups map[string]NodeGroup `yaml:"nodeGroups" validate:"required,dive"`
	// description: |
	//   Configuration for attestation validation. This configuration provides sensible defaults for the Constellation version it was created for.\nSee the docs for an overview on attestation: https://docs.edgeless.systems/constellation/architecture/attestation
	Attestation AttestationConfig `yaml:"attestation"`
}

Config defines the configuration used by the CLI.

func Default

func Default() *Config

Default returns a struct with the default config. IMPORTANT: Ensure that any state mutation is followed by a call to Validate() to ensure that the config is always in a valid state. Avoid usage outside of tests.

func MiniDefault added in v2.9.0

func MiniDefault() (*Config, error)

MiniDefault returns a default config for a mini cluster.

func New added in v2.3.0

func New(fileHandler file.Handler, name string, fetcher attestationconfigapi.Fetcher, force bool) (*Config, error)

New creates a new config by:

1. Reading the config file with the given name via the provided fileHandler.
2. Fetching the version numbers for "latest" version values of the attestation variants.
3. Reading secrets from environment variables.
4. Validating the config. If `--force` is set, the version validation is disabled and any version combination is allowed.

func (*Config) DeployCSIDriver added in v2.3.0

func (c *Config) DeployCSIDriver() bool

DeployCSIDriver returns whether the CSI driver should be deployed for a given cloud provider.

func (*Config) DeployYawolLoadBalancer added in v2.8.0

func (c *Config) DeployYawolLoadBalancer() bool

DeployYawolLoadBalancer returns whether the Yawol load balancer should be deployed.

func (Config) Doc

func (_ Config) Doc() *encoder.Doc

func (*Config) GetAttestationConfig added in v2.8.0

func (c *Config) GetAttestationConfig() AttestationCfg

GetAttestationConfig returns the configured attestation config.

func (*Config) GetProvider

func (c *Config) GetProvider() cloudprovider.Provider

GetProvider returns the configured cloud provider.

func (*Config) GetRegion added in v2.8.0

func (c *Config) GetRegion() string

GetRegion returns the configured region.

func (*Config) GetZone added in v2.9.0

func (c *Config) GetZone() string

GetZone returns the configured zone or location for providers without zone support (Azure).

func (*Config) HasProvider

func (c *Config) HasProvider(provider cloudprovider.Provider) bool

HasProvider checks whether the config contains the provider.

func (*Config) IsDebugCluster

func (c *Config) IsDebugCluster() bool

IsDebugCluster checks whether the cluster is configured as a debug cluster.

func (*Config) IsNamedLikeDebugImage added in v2.9.0

func (c *Config) IsNamedLikeDebugImage() bool

IsNamedLikeDebugImage checks whether the image name looks like a debug image.

func (*Config) IsReleaseImage added in v2.3.0

func (c *Config) IsReleaseImage() bool

IsReleaseImage checks whether the image name looks like a release image.

func (*Config) RemoveProviderAndAttestationExcept added in v2.8.0

func (c *Config) RemoveProviderAndAttestationExcept(provider cloudprovider.Provider)

RemoveProviderAndAttestationExcept calls RemoveProviderExcept and sets the default attestations for the provider (only used for convenience in tests).

func (*Config) RemoveProviderExcept

func (c *Config) RemoveProviderExcept(provider cloudprovider.Provider)

RemoveProviderExcept removes all provider specific configurations, i.e., sets them to nil, except the one specified. If an unknown provider is passed, the same configuration is returned.

func (*Config) SetAttestation added in v2.8.0

func (c *Config) SetAttestation(attestation variant.Variant)

SetAttestation sets the attestation config for the given attestation variant and removes all other attestation configs.

func (*Config) SetCSPNodeGroupDefaults added in v2.15.0

func (c *Config) SetCSPNodeGroupDefaults(csp cloudprovider.Provider)

SetCSPNodeGroupDefaults sets the default values for the node groups based on the configured CSP.

func (*Config) UpdateMAAURL added in v2.8.0

func (c *Config) UpdateMAAURL(maaURL string)

UpdateMAAURL updates the MAA URL in the config.

func (*Config) UpdateMeasurements

func (c *Config) UpdateMeasurements(newMeasurements measurements.M)

UpdateMeasurements overwrites measurements in config with the provided ones.

func (*Config) UseMarketplaceImage added in v2.14.0

func (c *Config) UseMarketplaceImage() bool

UseMarketplaceImage returns whether a marketplace image should be used.

func (*Config) Validate

func (c *Config) Validate(force bool) error

Validate checks the config values and returns validation errors.

func (*Config) WithOpenStackProviderDefaults added in v2.8.0

func (c *Config) WithOpenStackProviderDefaults(csp cloudprovider.Provider, openStackProvider string) *Config

WithOpenStackProviderDefaults fills the default values for the specific OpenStack provider. If the provider is not supported or not an OpenStack provider, the config is returned unchanged.

type DummyCfg added in v2.8.0

type DummyCfg struct {
	// description: |
	//   The measurements that should be used for attestation.
	Measurements measurements.M `json:"measurements,omitempty"`
}

DummyCfg is a placeholder for unknown attestation configs.

func (DummyCfg) EqualTo added in v2.8.0

func (c DummyCfg) EqualTo(other AttestationCfg) (bool, error)

EqualTo returns true if measurements of the configs are equal.

func (DummyCfg) GetMeasurements added in v2.8.0

func (c DummyCfg) GetMeasurements() measurements.M

GetMeasurements returns the config's measurements.

func (DummyCfg) GetVariant added in v2.8.0

func (DummyCfg) GetVariant() variant.Variant

GetVariant returns a dummy variant.

func (*DummyCfg) SetMeasurements added in v2.8.0

func (c *DummyCfg) SetMeasurements(m measurements.M)

SetMeasurements sets the config's measurements.

type GCPConfig

type GCPConfig struct {
	// description: |
	//   GCP project. See: https://support.google.com/googleapi/answer/7014113?hl=en
	Project string `yaml:"project" validate:"required"`
	// description: |
	//   GCP datacenter region. See: https://cloud.google.com/compute/docs/regions-zones#available
	Region string `yaml:"region" validate:"required"`
	// description: |
	//   GCP datacenter zone. See: https://cloud.google.com/compute/docs/regions-zones#available
	Zone string `yaml:"zone" validate:"required"`
	// description: |
	//   Path of service account key file. For required service account roles, see https://docs.edgeless.systems/constellation/getting-started/install#authorization
	ServiceAccountKeyPath string `yaml:"serviceAccountKeyPath" validate:"required"`
	// description: |
	//   Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
	DeployCSIDriver *bool `yaml:"deployCSIDriver" validate:"required"`
	// description: |
	//   Use the specified GCP Marketplace image offering.
	UseMarketplaceImage *bool `yaml:"useMarketplaceImage" validate:"omitempty"`
}

GCPConfig are GCP specific configuration values used by the CLI.

func (GCPConfig) Doc

func (_ GCPConfig) Doc() *encoder.Doc

type GCPSEVES added in v2.8.0

type GCPSEVES struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}

GCPSEVES is the configuration for GCP SEV-ES attestation.

func (GCPSEVES) Doc added in v2.8.0

func (_ GCPSEVES) Doc() *encoder.Doc

func (GCPSEVES) EqualTo added in v2.8.0

func (c GCPSEVES) EqualTo(other AttestationCfg) (bool, error)

EqualTo returns true if the config is equal to the given config.

func (GCPSEVES) GetMeasurements added in v2.8.0

func (c GCPSEVES) GetMeasurements() measurements.M

GetMeasurements returns the measurements used for attestation.

func (GCPSEVES) GetVariant added in v2.8.0

func (GCPSEVES) GetVariant() variant.Variant

GetVariant returns gcp-sev-es as the variant.

func (*GCPSEVES) SetMeasurements added in v2.8.0

func (c *GCPSEVES) SetMeasurements(m measurements.M)

SetMeasurements updates a config's measurements using the given measurements.

type GCPSEVSNP added in v2.17.0

type GCPSEVSNP struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
	// description: |
	//   Lowest acceptable bootloader version.
	BootloaderVersion AttestationVersion[uint8] `json:"bootloaderVersion" yaml:"bootloaderVersion"`
	// description: |
	//   Lowest acceptable TEE version.
	TEEVersion AttestationVersion[uint8] `json:"teeVersion" yaml:"teeVersion"`
	// description: |
	//   Lowest acceptable SEV-SNP version.
	SNPVersion AttestationVersion[uint8] `json:"snpVersion" yaml:"snpVersion"`
	// description: |
	//   Lowest acceptable microcode version.
	MicrocodeVersion AttestationVersion[uint8] `json:"microcodeVersion" yaml:"microcodeVersion"`
	// description: |
	//   AMD Root Key certificate used to verify the SEV-SNP certificate chain.
	AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
	// description: |
	//   AMD Signing Key certificate used to verify the SEV-SNP VCEK / VLEK certificate.
	AMDSigningKey Certificate `json:"amdSigningKey,omitempty" yaml:"amdSigningKey,omitempty"`
}

GCPSEVSNP is the configuration for GCP SEV-SNP attestation.

func DefaultForGCPSEVSNP added in v2.17.0

func DefaultForGCPSEVSNP() *GCPSEVSNP

DefaultForGCPSEVSNP provides a valid default configuration for GCP SEV-SNP attestation.

func (GCPSEVSNP) Doc added in v2.17.0

func (_ GCPSEVSNP) Doc() *encoder.Doc

func (GCPSEVSNP) EqualTo added in v2.17.0

func (c GCPSEVSNP) EqualTo(other AttestationCfg) (bool, error)

EqualTo returns true if the config is equal to the given config.

func (*GCPSEVSNP) FetchAndSetLatestVersionNumbers added in v2.17.0

func (c *GCPSEVSNP) FetchAndSetLatestVersionNumbers(ctx context.Context, fetcher attestationconfigapi.Fetcher) error

FetchAndSetLatestVersionNumbers fetches the latest version numbers from the configapi and sets them.

func (GCPSEVSNP) GetMeasurements added in v2.17.0

func (c GCPSEVSNP) GetMeasurements() measurements.M

GetMeasurements returns the measurements used for attestation.

func (GCPSEVSNP) GetVariant added in v2.17.0

func (GCPSEVSNP) GetVariant() variant.Variant

GetVariant returns gcp-sev-snp as the variant.

func (*GCPSEVSNP) SetMeasurements added in v2.17.0

func (c *GCPSEVSNP) SetMeasurements(m measurements.M)

SetMeasurements updates a config's measurements using the given measurements.
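The four version fields of GCPSEVSNP are minimums: a report is accepted only if every reported TCB component is at least the configured value, and a field set to "latest" has to be resolved (which is what FetchAndSetLatestVersionNumbers does) before that comparison means anything. The program below is an added example written for this page, not code from the Constellation repository: AttestationVersion, TCB, LatestFetcher and StaticFetcher are stand-ins modelled on the names above, the "latest" sentinel spelling and the JSON layout are assumptions, and all version numbers are constructed.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
)

// AttestationVersion models the page's AttestationVersion[uint8]: a concrete
// lowest acceptable version, or the sentinel "latest" (assumed spelling) that
// must be resolved against a fetcher before the config can be enforced.
type AttestationVersion struct {
	Value      uint8
	WantLatest bool
}

// UnmarshalJSON accepts an integer 0-255 or the string "latest".
func (v *AttestationVersion) UnmarshalJSON(b []byte) error {
	if string(b) == `"latest"` {
		*v = AttestationVersion{WantLatest: true}
		return nil
	}
	var n uint8
	if err := json.Unmarshal(b, &n); err != nil {
		return fmt.Errorf("version must be an integer 0-255 or \"latest\": %w", err)
	}
	*v = AttestationVersion{Value: n}
	return nil
}

// TCB holds the reported versions in config order: bootloader, TEE, SNP, microcode
// (constructed type standing in for the corresponding SNP report fields).
type TCB [4]uint8

var tcbNames = [4]string{"bootloader", "tee", "snp", "microcode"}

// SNPVersionConfig mirrors only the version fields of GCPSEVSNP. Caveat: a field
// absent from the input keeps its zero value, a minimum of 0 that accepts anything.
type SNPVersionConfig struct {
	BootloaderVersion AttestationVersion `json:"bootloaderVersion"`
	TEEVersion        AttestationVersion `json:"teeVersion"`
	SNPVersion        AttestationVersion `json:"snpVersion"`
	MicrocodeVersion  AttestationVersion `json:"microcodeVersion"`
}

// ParseSNPVersionConfig decodes the JSON form of the version fields.
func ParseSNPVersionConfig(raw []byte) (SNPVersionConfig, error) {
	var c SNPVersionConfig
	err := json.Unmarshal(raw, &c)
	return c, err
}

func (c *SNPVersionConfig) fields() [4]*AttestationVersion {
	return [4]*AttestationVersion{&c.BootloaderVersion, &c.TEEVersion, &c.SNPVersion, &c.MicrocodeVersion}
}

// LatestFetcher stands in for attestationconfigapi.Fetcher (assumed interface);
// StaticFetcher is the offline implementation used here instead of a network call.
type LatestFetcher interface {
	FetchLatestTCB(ctx context.Context) (TCB, error)
}

type StaticFetcher struct{ Latest TCB }

func (f StaticFetcher) FetchLatestTCB(context.Context) (TCB, error) { return f.Latest, nil }

// ResolveLatest does what FetchAndSetLatestVersionNumbers does on the page:
// every "latest" field takes the fetched value; explicitly pinned fields are kept.
func (c *SNPVersionConfig) ResolveLatest(ctx context.Context, f LatestFetcher) error {
	var latest *TCB
	for i, v := range c.fields() {
		if !v.WantLatest {
			continue
		}
		if latest == nil {
			t, err := f.FetchLatestTCB(ctx)
			if err != nil {
				return fmt.Errorf("fetching latest TCB versions: %w", err)
			}
			latest = &t
		}
		*v = AttestationVersion{Value: latest[i]}
	}
	return nil
}

// Check enforces "lowest acceptable": the report is rejected if any reported
// version is below its configured minimum; all violations are returned together.
func (c SNPVersionConfig) Check(reported TCB) error {
	var errs []error
	for i, v := range c.fields() {
		if v.WantLatest {
			return errors.New("config still contains \"latest\"; call ResolveLatest first")
		}
		if reported[i] < v.Value {
			errs = append(errs, fmt.Errorf("%s version %d is below the lowest acceptable %d", tcbNames[i], reported[i], v.Value))
		}
	}
	return errors.Join(errs...)
}
```

The intended order is ParseSNPVersionConfig on the config, ResolveLatest once against the fetcher, then Check for every report. Two points the code makes explicit: a minimum of 0 (or a field left out of the config) gates nothing, and "latest" is exactly as strong as the fetcher's answer, so an operator who wants a hard floor should pin the number rather than rely on the sentinel.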

type NodeGroup added in v2.10.0

type NodeGroup struct {
	// description: |
	//   Role of the nodes in this group. Valid values are "control-plane" and "worker".
	Role string `yaml:"role" validate:"required,oneof=control-plane worker"`
	// description: |
	//   Availability zone to place the VMs in.
	Zone string `yaml:"zone" validate:"valid_zone"`
	// description: |
	//   VM instance type to use for the nodes.
	InstanceType string `yaml:"instanceType" validate:"instance_type"`
	// description: |
	//   Size (in GB) of a node's disk to store the non-volatile state.
	StateDiskSizeGB int `yaml:"stateDiskSizeGB" validate:"min=0"`
	// description: |
	//   Type of a node's state disk. The type influences boot time and I/O performance.
	StateDiskType string `yaml:"stateDiskType" validate:"disk_type"`
	// description: |
	//   Number of nodes to be initially created.
	InitialCount int `yaml:"initialCount" validate:"min=0"`
}

NodeGroup defines a group of nodes with the same role and configuration. Cloud providers use scaling groups to manage nodes of a group.

func (NodeGroup) Doc added in v2.10.0

func (_ NodeGroup) Doc() *encoder.Doc

type OpenStackConfig added in v2.6.0

type OpenStackConfig struct {
	// description: |
	//   OpenStack cloud name to select from "clouds.yaml". Only required if config file for OpenStack is used. Fallback authentication uses environment variables. For details see: https://docs.openstack.org/openstacksdk/latest/user/config/configuration.html.
	Cloud string `yaml:"cloud"`
	// description: |
	//   Path to OpenStack "clouds.yaml" file. Only required if automatic detection fails.
	CloudsYAMLPath string `yaml:"cloudsYAMLPath"`
	// description: |
	//   Availability zone to place the VMs in. For details see: https://docs.openstack.org/nova/latest/admin/availability-zones.html
	AvailabilityZone string `yaml:"availabilityZone" validate:"required"`
	// description: |
	//   Floating IP pool to use for the VMs. For details see: https://docs.openstack.org/ocata/user-guide/cli-manage-ip-addresses.html
	FloatingIPPoolID string `yaml:"floatingIPPoolID" validate:"required"`
	// description: |
	//   STACKITProjectID is the ID of the STACKIT project where a user resides.
	//   Only used if cloud is "stackit".
	STACKITProjectID string `yaml:"stackitProjectID"`
	// description: |
	//   RegionName is the name of the region to use inside the cluster.
	RegionName string `yaml:"regionName" validate:"required"`
	// description: |
	//   Deploy Yawol loadbalancer. For details see: https://github.com/stackitcloud/yawol
	DeployYawolLoadBalancer *bool `yaml:"deployYawolLoadBalancer" validate:"required"`
	// description: |
	//   OpenStack OS image used by the yawollet. For details see: https://github.com/stackitcloud/yawol
	YawolImageID string `yaml:"yawolImageID"`
	// description: |
	//   OpenStack flavor id used for yawollets. For details see: https://github.com/stackitcloud/yawol
	YawolFlavorID string `yaml:"yawolFlavorID"`
	// description: |
	//   Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
	DeployCSIDriver *bool `yaml:"deployCSIDriver" validate:"required"`
}

OpenStackConfig holds config information for OpenStack based Constellation deployments.

func (OpenStackConfig) Doc added in v2.6.0

func (_ OpenStackConfig) Doc() *encoder.Doc

type ProviderConfig

type ProviderConfig struct {
	// description: |
	//   Configuration for AWS as provider.
	AWS *AWSConfig `yaml:"aws,omitempty" validate:"omitempty"`
	// description: |
	//   Configuration for Azure as provider.
	Azure *AzureConfig `yaml:"azure,omitempty" validate:"omitempty"`
	// description: |
	//   Configuration for Google Cloud as provider.
	GCP *GCPConfig `yaml:"gcp,omitempty" validate:"omitempty"`
	// description: |
	//   Configuration for OpenStack as provider.
	OpenStack *OpenStackConfig `yaml:"openstack,omitempty" validate:"omitempty"`
	// description: |
	//   Configuration for QEMU as provider.
	QEMU *QEMUConfig `yaml:"qemu,omitempty" validate:"omitempty"`
}

ProviderConfig holds the cloud-provider-specific configuration values used by the CLI. Fields should remain pointer types so that provider-specific configs can be set to nil when they are not required.

func (ProviderConfig) Doc

func (_ ProviderConfig) Doc() *encoder.Doc

type QEMUConfig

type QEMUConfig struct {
	// description: |
	//   Format of the image to use for the VMs. Should be either qcow2 or raw.
	ImageFormat string `yaml:"imageFormat" validate:"oneof=qcow2 raw"`
	// description: |
	//   vCPU count for the VMs.
	VCPUs int `yaml:"vcpus" validate:"required"`
	// description: |
	//   Amount of memory per instance (MiB).
	Memory int `yaml:"memory" validate:"required"`
	// description: |
	//   Container image to use for the QEMU metadata server.
	MetadataAPIImage string `yaml:"metadataAPIServer" validate:"required"`
	// description: |
	//   Libvirt connection URI. Leave empty to start a libvirt instance in Docker.
	LibvirtURI string `yaml:"libvirtSocket"`
	// description: |
	//   Container image to use for launching a containerized libvirt daemon. Only relevant if `libvirtSocket = ""`.
	LibvirtContainerImage string `yaml:"libvirtContainerImage"`
	// description: |
	//   NVRAM template to be used for secure boot. Can be the sentinel value "production" or "testing", or a path to a custom NVRAM template.
	NVRAM string `yaml:"nvram" validate:"required"`
	// description: |
	//   Path to the OVMF firmware. Leave empty for auto selection.
	Firmware string `yaml:"firmware"`
}

QEMUConfig holds config information for QEMU based Constellation deployments.

func (QEMUConfig) Doc

func (_ QEMUConfig) Doc() *encoder.Doc

type QEMUTDX added in v2.8.0

type QEMUTDX struct {
	// description: |
	//   Expected TDX measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}

QEMUTDX is the configuration for QEMU TDX attestation.

func (QEMUTDX) Doc added in v2.9.0

func (_ QEMUTDX) Doc() *encoder.Doc

func (QEMUTDX) EqualTo added in v2.8.0

func (c QEMUTDX) EqualTo(other AttestationCfg) (bool, error)

EqualTo returns true if the config is equal to the given config.

func (QEMUTDX) GetMeasurements added in v2.8.0

func (c QEMUTDX) GetMeasurements() measurements.M

GetMeasurements returns the measurements used for attestation.

func (QEMUTDX) GetVariant added in v2.8.0

func (QEMUTDX) GetVariant() variant.Variant

GetVariant returns qemu-tdx as the variant.

func (*QEMUTDX) SetMeasurements added in v2.8.0

func (c *QEMUTDX) SetMeasurements(m measurements.M)

SetMeasurements updates a config's measurements using the given measurements.

type QEMUVTPM added in v2.8.0

type QEMUVTPM struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}

QEMUVTPM is the configuration for QEMU vTPM attestation.

func (QEMUVTPM) Doc added in v2.9.0

func (_ QEMUVTPM) Doc() *encoder.Doc

func (QEMUVTPM) EqualTo added in v2.8.0

func (c QEMUVTPM) EqualTo(other AttestationCfg) (bool, error)

EqualTo returns true if the config is equal to the given config.

func (QEMUVTPM) GetMeasurements added in v2.8.0

func (c QEMUVTPM) GetMeasurements() measurements.M

GetMeasurements returns the measurements used for attestation.

func (QEMUVTPM) GetVariant added in v2.8.0

func (QEMUVTPM) GetVariant() variant.Variant

GetVariant returns qemu-vtpm as the variant.

func (*QEMUVTPM) SetMeasurements added in v2.8.0

func (c *QEMUVTPM) SetMeasurements(m measurements.M)

SetMeasurements updates a config's measurements using the given measurements.

type SNPFirmwareSignerConfig added in v2.8.0

type SNPFirmwareSignerConfig struct {
	// description: |
	//   List of accepted values for the firmware signing key digest.
	//   Values are enforced according to the 'enforcementPolicy':
	//     - 'equal'       : Error if the reported signing key digest does not match any of the values in 'acceptedKeyDigests'
	//     - 'maaFallback' : Use 'equal' checking for validation, but fall back to Microsoft Azure Attestation (MAA) for validation if the reported digest does not match any of the values in 'acceptedKeyDigests'. See the Azure docs for more details: https://learn.microsoft.com/en-us/azure/attestation/overview#amd-sev-snp-attestation
	//     - 'warnOnly'    : Same as 'equal', but only prints a warning instead of returning an error if no match is found
	AcceptedKeyDigests idkeydigest.List `json:"acceptedKeyDigests" yaml:"acceptedKeyDigests"`
	// description: |
	//   Key digest enforcement policy. One of {'equal', 'maaFallback', 'warnOnly'}
	EnforcementPolicy idkeydigest.Enforcement `json:"enforcementPolicy" yaml:"enforcementPolicy" validate:"required"`
	// description: |
	//   URL of the Microsoft Azure Attestation (MAA) instance to use for fallback validation. Only used if 'enforcementPolicy' is set to 'maaFallback'.
	MAAURL string `json:"maaURL,omitempty" yaml:"maaURL,omitempty" validate:"len=0"`
}

SNPFirmwareSignerConfig is the configuration for validating the firmware signer.

func (SNPFirmwareSignerConfig) Doc added in v2.8.0

func (SNPFirmwareSignerConfig) EqualTo added in v2.8.0

EqualTo returns true if the config is equal to the given config.
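The three enforcementPolicy values behave identically while the reported digest is in acceptedKeyDigests; they differ only in what happens on a mismatch, which is the case that matters. The following Go program is an added example for this page, not code from the page or from the Constellation project: hex-encoded digests, the MAAValidator interface, StubMAA and the MAA URL are assumptions, while the 48-byte digest length is the size of the SNP report's ID key digest field (SHA-384).

```go
package main

import (
	"bytes"
	"context"
	"encoding/hex"
	"fmt"
)

// Enforcement mirrors the page's enforcementPolicy values.
type Enforcement string

const (
	Equal       Enforcement = "equal"
	MAAFallback Enforcement = "maaFallback"
	WarnOnly    Enforcement = "warnOnly"
)

// IDKeyDigestSize is the size of the SNP report's ID key digest (SHA-384).
const IDKeyDigestSize = 48

// FirmwareSignerConfig mirrors SNPFirmwareSignerConfig; digests are hex strings
// here (assumed encoding; the real idkeydigest.List type is not reproduced).
type FirmwareSignerConfig struct {
	AcceptedKeyDigests []string
	EnforcementPolicy  Enforcement
	MAAURL             string
}

// MAAValidator stands in for the Microsoft Azure Attestation call behind
// 'maaFallback' (assumed interface); StubMAA answers with a fixed verdict.
type MAAValidator interface {
	Validate(ctx context.Context, maaURL string, reportedDigest []byte) error
}

type StubMAA struct{ Err error }

func (s StubMAA) Validate(context.Context, string, []byte) error { return s.Err }

// Verdict separates "accepted" from "accepted, but only because the policy is lax".
type Verdict struct {
	Accepted bool
	Warning  string
}

// ValidateIDKeyDigest applies the configured policy to the digest taken from the report.
func ValidateIDKeyDigest(ctx context.Context, cfg FirmwareSignerConfig, reported []byte, maa MAAValidator) (Verdict, error) {
	if len(reported) != IDKeyDigestSize {
		return Verdict{}, fmt.Errorf("id key digest is %d bytes, want %d", len(reported), IDKeyDigestSize)
	}
	for _, accepted := range cfg.AcceptedKeyDigests {
		want, err := hex.DecodeString(accepted)
		if err != nil || len(want) != IDKeyDigestSize {
			return Verdict{}, fmt.Errorf("malformed entry in acceptedKeyDigests: %q", accepted)
		}
		if bytes.Equal(want, reported) {
			return Verdict{Accepted: true}, nil
		}
	}
	mismatch := fmt.Errorf("reported ID key digest %x matches none of %d acceptedKeyDigests", reported, len(cfg.AcceptedKeyDigests))
	switch cfg.EnforcementPolicy {
	case Equal:
		return Verdict{}, mismatch
	case MAAFallback:
		if maa == nil || cfg.MAAURL == "" {
			return Verdict{}, fmt.Errorf("%w; maaFallback set but no MAA instance configured", mismatch)
		}
		if err := maa.Validate(ctx, cfg.MAAURL, reported); err != nil {
			return Verdict{}, fmt.Errorf("%w; MAA fallback also failed: %v", mismatch, err)
		}
		return Verdict{Accepted: true, Warning: "accepted only via MAA fallback: " + mismatch.Error()}, nil
	case WarnOnly:
		// The check degrades to advisory: an unexpected firmware signer is logged, not rejected.
		return Verdict{Accepted: true, Warning: "warnOnly: " + mismatch.Error()}, nil
	default:
		return Verdict{}, fmt.Errorf("unknown enforcementPolicy %q", cfg.EnforcementPolicy)
	}
}

func main() {
	// Constructed digests: the accepted one is 48 bytes of 0xaa, the report carries 0xbb.
	accepted := hex.EncodeToString(bytes.Repeat([]byte{0xaa}, IDKeyDigestSize))
	reported := bytes.Repeat([]byte{0xbb}, IDKeyDigestSize)
	for _, policy := range []Enforcement{Equal, MAAFallback, WarnOnly} {
		// The MAA URL is a placeholder; StubMAA never contacts it.
		cfg := FirmwareSignerConfig{AcceptedKeyDigests: []string{accepted}, EnforcementPolicy: policy, MAAURL: "https://maa.example"}
		v, err := ValidateIDKeyDigest(context.Background(), cfg, reported, StubMAA{})
		fmt.Printf("%-12s accepted=%v warning=%q err=%v\n", policy, v.Accepted, v.Warning, err)
	}
}
```

Two caveats follow directly from the policy descriptions above. With 'warnOnly' the firmware signer check is advisory only, so a node whose firmware was signed by a key you did not list still joins; treat that setting as a debugging aid, not a production policy. And the MAAURL field in the struct above carries validate:"len=0", so a user-written config must leave it empty; the example sets it directly only to exercise the fallback branch.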

type UnsupportedAppRegistrationError added in v2.9.0

type UnsupportedAppRegistrationError struct{}

UnsupportedAppRegistrationError is returned when the config contains configuration related to app registrations, which are no longer supported.

func (UnsupportedAppRegistrationError) Doc added in v2.9.0

func (*UnsupportedAppRegistrationError) Error added in v2.9.0

type ValidationError added in v2.6.0

type ValidationError struct {
	// contains filtered or unexported fields
}

ValidationError occurs when the validation of a config fails. It contains a list of errors that occurred during validation.

func (*ValidationError) Error added in v2.6.0

func (e *ValidationError) Error() string

func (*ValidationError) LongMessage added in v2.6.0

func (e *ValidationError) LongMessage() string

LongMessage prints the errors that occurred during validation in a verbose and user friendly way.

Directories

Path Synopsis
imageversion Package imageversion contains the pinned container images for the config.
migration Package migration contains outdated configuration formats and their migration functions.
