Documentation ¶
Overview ¶
Package migration contains outdated configuration formats and their migration functions.
Index ¶
- Constants
- func V3ToV4(path string, fileHandler file.Handler) error
- type AWSConfig
- type AWSNitroTPM
- type AWSSEVSNP
- type AttestationConfig
- type AttestationVersion
- type AzureConfig
- type AzureSEVSNP
- type AzureTrustedLaunch
- type Certificate
- type Config
- type GCPConfig
- type GCPSEVES
- type OpenStackConfig
- type ProviderConfig
- type QEMUConfig
- type QEMUTDX
- type QEMUVTPM
- type SNPFirmwareSignerConfig
Constants ¶
const (
// Version3 is the third version number for Constellation config file.
Version3 = "v3"
)
Variables ¶
This section is empty.
Functions ¶
func V3ToV4 ¶
func V3ToV4(path string, fileHandler file.Handler) error
V3ToV4 migrates the configuration file at path from the v3 format to v4, reading and writing it through fileHandler.
Types ¶
type AWSConfig ¶
type AWSConfig struct {
	Region                 string `yaml:"region" validate:"required,aws_region"`
	Zone                   string `yaml:"zone" validate:"required,aws_zone"`
	InstanceType           string `yaml:"instanceType" validate:"lowercase,aws_instance_type"`
	StateDiskType          string `yaml:"stateDiskType" validate:"oneof=standard gp2 gp3 st1 sc1 io1"`
	IAMProfileControlPlane string `yaml:"iamProfileControlPlane" validate:"required"`
	IAMProfileWorkerNodes  string `yaml:"iamProfileWorkerNodes" validate:"required"`
	DeployCSIDriver        *bool  `yaml:"deployCSIDriver"`
}
AWSConfig are AWS specific configuration values used by the CLI.
type AWSNitroTPM ¶ added in v2.10.0
type AWSNitroTPM struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}
AWSNitroTPM is the configuration for AWS Nitro TPM attestation.
type AWSSEVSNP ¶ added in v2.10.0
type AWSSEVSNP struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}
AWSSEVSNP is the configuration for AWS SEV-SNP attestation.
type AttestationConfig ¶ added in v2.10.0
type AttestationConfig struct {
	AWSSEVSNP          *AWSSEVSNP          `yaml:"awsSEVSNP,omitempty" validate:"omitempty,dive"`
	AWSNitroTPM        *AWSNitroTPM        `yaml:"awsNitroTPM,omitempty" validate:"omitempty,dive"`
	AzureSEVSNP        *AzureSEVSNP        `yaml:"azureSEVSNP,omitempty" validate:"omitempty,dive"`
	AzureTrustedLaunch *AzureTrustedLaunch `yaml:"azureTrustedLaunch,omitempty" validate:"omitempty,dive"`
	GCPSEVES           *GCPSEVES           `yaml:"gcpSEVES,omitempty" validate:"omitempty,dive"`
	QEMUTDX            *QEMUTDX            `yaml:"qemuTDX,omitempty" validate:"omitempty,dive"`
	QEMUVTPM           *QEMUVTPM           `yaml:"qemuVTPM,omitempty" validate:"omitempty,dive"`
}
AttestationConfig holds the configuration values used for attestation. Fields should remain pointer types so that provider-specific configs can set the variants they do not need to nil; with omitempty those variants are then left out of the serialized config.
type AttestationVersion ¶ added in v2.10.0
AttestationVersion is a type that represents the version of one SNP firmware component (the bootloader, TEE, SNP firmware or microcode version fields in AzureSEVSNP). Its marshallers accept and emit the special value "latest" in place of a concrete number.
func (AttestationVersion) MarshalJSON ¶ added in v2.10.0
func (v AttestationVersion) MarshalJSON() ([]byte, error)
MarshalJSON implements a custom marshaller to resolve "latest" values.
func (AttestationVersion) MarshalYAML ¶ added in v2.10.0
func (v AttestationVersion) MarshalYAML() (any, error)
MarshalYAML implements a custom marshaller to resolve "latest" values.
func (*AttestationVersion) UnmarshalJSON ¶ added in v2.10.0
func (v *AttestationVersion) UnmarshalJSON(data []byte) (err error)
UnmarshalJSON implements a custom unmarshaller to resolve "latest" values.
func (*AttestationVersion) UnmarshalYAML ¶ added in v2.10.0
func (v *AttestationVersion) UnmarshalYAML(unmarshal func(any) error) error
UnmarshalYAML implements a custom unmarshaller to resolve "latest" values.
type AzureConfig ¶
type AzureConfig struct {
	SubscriptionID       string `yaml:"subscription" validate:"uuid"`
	TenantID             string `yaml:"tenant" validate:"uuid"`
	Location             string `yaml:"location" validate:"required"`
	ResourceGroup        string `yaml:"resourceGroup" validate:"required"`
	UserAssignedIdentity string `yaml:"userAssignedIdentity" validate:"required"`
	InstanceType         string `yaml:"instanceType" validate:"azure_instance_type"`
	StateDiskType        string `yaml:"stateDiskType" validate:"oneof=Premium_LRS Premium_ZRS Standard_LRS StandardSSD_LRS StandardSSD_ZRS"`
	DeployCSIDriver      *bool  `yaml:"deployCSIDriver" validate:"required"`
	SecureBoot           *bool  `yaml:"secureBoot" validate:"required"`
}
AzureConfig are Azure specific configuration values used by the CLI.
type AzureSEVSNP ¶ added in v2.10.0
type AzureSEVSNP struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
	// description: |
	//   Lowest acceptable bootloader version.
	BootloaderVersion AttestationVersion `json:"bootloaderVersion" yaml:"bootloaderVersion"`
	// description: |
	//   Lowest acceptable TEE version.
	TEEVersion AttestationVersion `json:"teeVersion" yaml:"teeVersion"`
	// description: |
	//   Lowest acceptable SEV-SNP version.
	SNPVersion AttestationVersion `json:"snpVersion" yaml:"snpVersion"`
	// description: |
	//   Lowest acceptable microcode version.
	MicrocodeVersion AttestationVersion `json:"microcodeVersion" yaml:"microcodeVersion"`
	// description: |
	//   Configuration for validating the firmware signature.
	FirmwareSignerConfig SNPFirmwareSignerConfig `json:"firmwareSignerConfig" yaml:"firmwareSignerConfig"`
	// description: |
	//   AMD Root Key certificate used to verify the SEV-SNP certificate chain.
	AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
}
AzureSEVSNP is the configuration for Azure SEV-SNP attestation.
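The "latest"-aware marshalling of AttestationVersion and the "lowest acceptable version" semantics of the AzureSEVSNP fields, written out as an added example. This is not code from the page or from Constellation: the struct layout of AttestationVersion, the Resolve method, the reportedTCB type, CheckTCB and parseFloor are this example's own assumptions, and the concrete numbers that "latest" resolves to are modelled as a caller-supplied value because the page does not say where they come from. It uses encoding/json (which the page's types also implement) and runs offline:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AttestationVersion stands in for the page's type: a pinned version number or
// the literal "latest". The field layout is an assumption; the page documents
// only the marshalling methods.
type AttestationVersion struct {
	Value    uint8
	IsLatest bool
}

// MarshalJSON emits "latest" for an unpinned version, otherwise the number.
func (v AttestationVersion) MarshalJSON() ([]byte, error) {
	if v.IsLatest {
		return json.Marshal("latest")
	}
	return json.Marshal(v.Value)
}

// UnmarshalJSON accepts exactly two shapes, the string "latest" or an integer in
// the uint8 range; anything else is rejected instead of being silently pinned.
func (v *AttestationVersion) UnmarshalJSON(data []byte) error {
	var s string
	if json.Unmarshal(data, &s) == nil {
		if s != "latest" {
			return fmt.Errorf("attestation version: want \"latest\" or a number, got %q", s)
		}
		*v = AttestationVersion{IsLatest: true}
		return nil
	}
	var n uint64
	if err := json.Unmarshal(data, &n); err != nil || n > 255 {
		return fmt.Errorf("attestation version: %s is neither \"latest\" nor an integer in 0..255", data)
	}
	*v = AttestationVersion{Value: uint8(n)}
	return nil
}

// Resolve turns the configured minimum into a concrete number. "latest" becomes
// latestKnown, which a real deployment would take from a trusted, signed source
// of current firmware versions (an assumption of this example).
func (v AttestationVersion) Resolve(latestKnown uint8) uint8 {
	if v.IsLatest {
		return latestKnown
	}
	return v.Value
}

// versionFloor mirrors the "lowest acceptable version" fields of AzureSEVSNP.
type versionFloor struct {
	BootloaderVersion AttestationVersion `json:"bootloaderVersion"`
	TEEVersion        AttestationVersion `json:"teeVersion"`
	SNPVersion        AttestationVersion `json:"snpVersion"`
	MicrocodeVersion  AttestationVersion `json:"microcodeVersion"`
}

// reportedTCB is a constructed stand-in for the TCB version fields an SNP
// attestation report carries.
type reportedTCB struct {
	Bootloader, TEE, SNP, Microcode uint8
}

// CheckTCB applies each floor to the matching reported component and returns
// the names of the components that are below their minimum (empty means pass).
func CheckTCB(floor versionFloor, latest reportedTCB, got reportedTCB) []string {
	var low []string
	check := func(name string, floorV AttestationVersion, latestKnown, reported uint8) {
		if reported < floorV.Resolve(latestKnown) {
			low = append(low, name)
		}
	}
	check("bootloader", floor.BootloaderVersion, latest.Bootloader, got.Bootloader)
	check("tee", floor.TEEVersion, latest.TEE, got.TEE)
	check("snp", floor.SNPVersion, latest.SNP, got.SNP)
	check("microcode", floor.MicrocodeVersion, latest.Microcode, got.Microcode)
	return low
}

// parseFloor decodes a JSON fragment shaped like the azureSEVSNP version fields.
func parseFloor(text string) (floor versionFloor, err error) {
	err = json.Unmarshal([]byte(text), &floor)
	return floor, err
}

func main() {
	floor, err := parseFloor(`{"bootloaderVersion":"latest","teeVersion":0,"snpVersion":8,"microcodeVersion":115}`)
	if err != nil {
		panic(err)
	}
	latest := reportedTCB{Bootloader: 3, TEE: 0, SNP: 8, Microcode: 115} // assumed current versions
	got := reportedTCB{Bootloader: 2, TEE: 0, SNP: 8, Microcode: 115}    // constructed report values
	fmt.Println("below floor:", CheckTCB(floor, latest, got))
	out, _ := json.Marshal(floor)
	fmt.Println(string(out))
}
```

The unmarshaller rejects any string other than "latest" and any number outside 0..255; a config that misspells the keyword is therefore an error rather than a silently unpinned floor, which is the failure mode that matters for a minimum-version check.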
type AzureTrustedLaunch ¶ added in v2.10.0
type AzureTrustedLaunch struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}
AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation.
type Certificate ¶ added in v2.10.0
type Certificate x509.Certificate
Certificate is a wrapper around x509.Certificate allowing custom marshaling.
func (Certificate) MarshalJSON ¶ added in v2.10.0
func (c Certificate) MarshalJSON() ([]byte, error)
MarshalJSON marshals the certificate to PEM.
func (Certificate) MarshalYAML ¶ added in v2.10.0
func (c Certificate) MarshalYAML() (any, error)
MarshalYAML marshals the certificate to PEM.
func (*Certificate) UnmarshalJSON ¶ added in v2.10.0
func (c *Certificate) UnmarshalJSON(data []byte) error
UnmarshalJSON unmarshals the certificate from PEM.
func (*Certificate) UnmarshalYAML ¶ added in v2.10.0
func (c *Certificate) UnmarshalYAML(unmarshal func(any) error) error
UnmarshalYAML unmarshals the certificate from PEM.
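The PEM round trip that the Certificate methods above describe, written out as an added example that is not the page's or Constellation's code. The type wrapper matches the page; the method bodies, the rootKeyConfig subset, newTestCert (a throwaway self-signed CA standing in for the AMD root key, so the example runs offline) and roundTrip are this example's own. The unmarshaller deliberately rejects a field that carries more than one PEM block, so a second certificate cannot ride along behind the expected one:

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Certificate wraps x509.Certificate so it serializes as a PEM string, as the
// page's type does; the method bodies below are this example's own.
type Certificate x509.Certificate

// MarshalJSON encodes the certificate's DER bytes as one PEM CERTIFICATE block.
func (c Certificate) MarshalJSON() ([]byte, error) {
	if len(c.Raw) == 0 {
		return nil, fmt.Errorf("certificate has no DER bytes")
	}
	return json.Marshal(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})))
}

// UnmarshalJSON accepts exactly one PEM CERTIFICATE block with nothing after it;
// extra blocks are an error rather than being silently dropped.
func (c *Certificate) UnmarshalJSON(data []byte) error {
	var s string
	if err := json.Unmarshal(data, &s); err != nil {
		return err
	}
	block, rest := pem.Decode([]byte(s))
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("certificate: no PEM CERTIFICATE block found")
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return fmt.Errorf("certificate: trailing data after the PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("certificate: %w", err)
	}
	*c = Certificate(*cert)
	return nil
}

// rootKeyConfig carries only the amdRootKey field of AzureSEVSNP.
type rootKeyConfig struct {
	AMDRootKey Certificate `json:"amdRootKey"`
}

// newTestCert creates a throwaway self-signed CA so the example runs offline; it
// is a constructed stand-in for the AMD root key, not AMD's certificate.
func newTestCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test root (not AMD)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// roundTrip serializes the certificate as config JSON and parses it back,
// returning the parsed certificate and the JSON text.
func roundTrip(cert *x509.Certificate) (*x509.Certificate, string, error) {
	text, err := json.Marshal(rootKeyConfig{AMDRootKey: Certificate(*cert)})
	if err != nil {
		return nil, "", err
	}
	var cfg rootKeyConfig
	if err := json.Unmarshal(text, &cfg); err != nil {
		return nil, string(text), err
	}
	out := x509.Certificate(cfg.AMDRootKey)
	return &out, string(text), nil
}

func main() {
	cert, err := newTestCert()
	if err != nil {
		panic(err)
	}
	back, text, err := roundTrip(cert)
	if err != nil {
		panic(err)
	}
	fmt.Println(text)
	fmt.Println("round-trip preserved DER:", bytes.Equal(back.Raw, cert.Raw))
}
```

Comparing Raw after the round trip is the right check: it is the exact DER that the rest of the SEV-SNP chain validation will verify against, so any re-encoding difference would show up there.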
type Config ¶
type Config struct {
	Version             string            `yaml:"version" validate:"eq=v3"`
	Image               string            `yaml:"image" validate:"required,image_compatibility"`
	Name                string            `yaml:"name" validate:"valid_name,required"`
	StateDiskSizeGB     int               `yaml:"stateDiskSizeGB" validate:"min=0"`
	KubernetesVersion   string            `yaml:"kubernetesVersion" validate:"required,supported_k8s_version"`
	MicroserviceVersion semver.Semver     `yaml:"microserviceVersion" validate:"required"`
	DebugCluster        *bool             `yaml:"debugCluster" validate:"required"`
	Provider            ProviderConfig    `yaml:"provider" validate:"dive"`
	Attestation         AttestationConfig `yaml:"attestation" validate:"dive"`
}
Config defines the v3 configuration used by the CLI.
type GCPConfig ¶
type GCPConfig struct {
	Project               string `yaml:"project" validate:"required"`
	Region                string `yaml:"region" validate:"required"`
	Zone                  string `yaml:"zone" validate:"required"`
	ServiceAccountKeyPath string `yaml:"serviceAccountKeyPath" validate:"required"`
	InstanceType          string `yaml:"instanceType" validate:"gcp_instance_type"`
	StateDiskType         string `yaml:"stateDiskType" validate:"oneof=pd-standard pd-balanced pd-ssd"`
	DeployCSIDriver       *bool  `yaml:"deployCSIDriver" validate:"required"`
}
GCPConfig are GCP specific configuration values used by the CLI.
type GCPSEVES ¶ added in v2.10.0
type GCPSEVES struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}
GCPSEVES is the configuration for GCP SEV-ES attestation.
type OpenStackConfig ¶
type OpenStackConfig struct {
	Cloud                   string `yaml:"cloud"`
	AvailabilityZone        string `yaml:"availabilityZone" validate:"required"`
	FlavorID                string `yaml:"flavorID" validate:"required"`
	FloatingIPPoolID        string `yaml:"floatingIPPoolID" validate:"required"`
	StateDiskType           string `yaml:"stateDiskType" validate:"required"`
	AuthURL                 string `yaml:"authURL" validate:"required"`
	ProjectID               string `yaml:"projectID" validate:"required"`
	ProjectName             string `yaml:"projectName" validate:"required"`
	UserDomainName          string `yaml:"userDomainName" validate:"required"`
	ProjectDomainName       string `yaml:"projectDomainName" validate:"required"`
	RegionName              string `yaml:"regionName" validate:"required"`
	Username                string `yaml:"username" validate:"required"`
	Password                string `yaml:"password"`
	DirectDownload          *bool  `yaml:"directDownload" validate:"required"`
	DeployYawolLoadBalancer *bool  `yaml:"deployYawolLoadBalancer" validate:"required"`
	YawolImageID            string `yaml:"yawolImageID"`
	YawolFlavorID           string `yaml:"yawolFlavorID"`
	DeployCSIDriver         *bool  `yaml:"deployCSIDriver" validate:"required"`
}
OpenStackConfig holds config information for OpenStack based Constellation deployments.
type ProviderConfig ¶
type ProviderConfig struct {
	AWS       *AWSConfig       `yaml:"aws,omitempty" validate:"omitempty,dive"`
	Azure     *AzureConfig     `yaml:"azure,omitempty" validate:"omitempty,dive"`
	GCP       *GCPConfig       `yaml:"gcp,omitempty" validate:"omitempty,dive"`
	OpenStack *OpenStackConfig `yaml:"openstack,omitempty" validate:"omitempty,dive"`
	QEMU      *QEMUConfig      `yaml:"qemu,omitempty" validate:"omitempty,dive"`
}
ProviderConfig holds the cloud-provider specific configuration values used by the CLI. Fields should remain pointer types so that provider-specific configs can set the providers they do not need to nil; with omitempty those entries are then left out of the serialized config.
type QEMUConfig ¶
type QEMUConfig struct {
	ImageFormat           string `yaml:"imageFormat" validate:"oneof=qcow2 raw"`
	VCPUs                 int    `yaml:"vcpus" validate:"required"`
	Memory                int    `yaml:"memory" validate:"required"`
	MetadataAPIImage      string `yaml:"metadataAPIServer" validate:"required"`
	LibvirtURI            string `yaml:"libvirtSocket"`
	LibvirtContainerImage string `yaml:"libvirtContainerImage"`
	NVRAM                 string `yaml:"nvram" validate:"required"`
	Firmware              string `yaml:"firmware"`
}
QEMUConfig holds config information for QEMU based Constellation deployments.
type QEMUTDX ¶ added in v2.10.0
type QEMUTDX struct {
	// description: |
	//   Expected TDX measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}
QEMUTDX is the configuration for QEMU TDX attestation.
type QEMUVTPM ¶ added in v2.10.0
type QEMUVTPM struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}
QEMUVTPM is the configuration for QEMU vTPM attestation.
type SNPFirmwareSignerConfig ¶ added in v2.10.0
type SNPFirmwareSignerConfig struct {
	// description: |
	//   List of accepted values for the firmware signing key digest.
	//   Values are enforced according to the 'enforcementPolicy'
	//     - 'equal'       : Error if the reported signing key digest does not match any of the values in 'acceptedKeyDigests'
	//     - 'maaFallback' : Use 'equal' checking for validation, but fallback to using Microsoft Azure Attestation (MAA) for validation if the reported digest does not match any of the values in 'acceptedKeyDigests'. See the Azure docs for more details: https://learn.microsoft.com/en-us/azure/attestation/overview#amd-sev-snp-attestation
	//     - 'warnOnly'    : Same as 'equal', but only prints a warning instead of returning an error if no match is found
	AcceptedKeyDigests idkeydigest.List `json:"acceptedKeyDigests" yaml:"acceptedKeyDigests"`
	// description: |
	//   Key digest enforcement policy. One of {'equal', 'maaFallback', 'warnOnly'}
	EnforcementPolicy idkeydigest.Enforcement `json:"enforcementPolicy" yaml:"enforcementPolicy" validate:"required"`
	// description: |
	//   URL of the Microsoft Azure Attestation (MAA) instance to use for fallback validation. Only used if 'enforcementPolicy' is set to 'maaFallback'.
	MAAURL string `json:"maaURL,omitempty" yaml:"maaURL,omitempty" validate:"len=0"`
}
SNPFirmwareSignerConfig is the configuration for validating the firmware signer.
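The three enforcement policies documented on acceptedKeyDigests, implemented as an added example that is not the page's or Constellation's code. It replaces the idkeydigest types with plain byte slices and a string constant per policy, models the MAA round trip as a caller-supplied function (a hypothetical hook; the real fallback would submit the SNP report to the configured MAA instance and check the token it returns), and derives its sample digests from fixed labels, so they are constructed values, not real AMD or Azure signing-key digests:

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"fmt"
)

// Enforcement mirrors the three documented policies of idkeydigest.Enforcement.
type Enforcement string

const (
	Equal       Enforcement = "equal"
	MAAFallback Enforcement = "maaFallback"
	WarnOnly    Enforcement = "warnOnly"
)

// idKeyDigestLen is the size of the SEV-SNP ID_KEY_DIGEST field (SHA-384).
const idKeyDigestLen = sha512.Size384

// SNPFirmwareSignerConfig is a plain-slice version of the page's struct; the
// idkeydigest package's own types are not used here.
type SNPFirmwareSignerConfig struct {
	AcceptedKeyDigests [][]byte
	EnforcementPolicy  Enforcement
	MAAURL             string
}

// maaValidator stands in for a round trip to Microsoft Azure Attestation. It is
// a hypothetical hook: a real implementation would send the SNP report to maaURL
// and verify the signed token MAA returns.
type maaValidator func(maaURL string, reportedDigest []byte) error

// Result records how the digest was accepted so callers can log it.
type Result struct {
	Matched      bool   // digest was in AcceptedKeyDigests
	UsedFallback bool   // accepted only because MAA vouched for it
	Warning      string // non-empty under warnOnly when no digest matched
}

// Verify applies EnforcementPolicy to the signing-key digest taken from an SNP
// attestation report.
func (c SNPFirmwareSignerConfig) Verify(reported []byte, maa maaValidator) (Result, error) {
	if len(reported) != idKeyDigestLen {
		return Result{}, fmt.Errorf("reported digest has %d bytes, want %d", len(reported), idKeyDigestLen)
	}
	for _, want := range c.AcceptedKeyDigests {
		if bytes.Equal(want, reported) {
			return Result{Matched: true}, nil
		}
	}
	mismatch := fmt.Errorf("signing key digest %x not in acceptedKeyDigests", reported)
	switch c.EnforcementPolicy {
	case Equal:
		return Result{}, mismatch
	case WarnOnly:
		return Result{Warning: mismatch.Error()}, nil
	case MAAFallback:
		if maa == nil || c.MAAURL == "" {
			return Result{}, fmt.Errorf("%w and no MAA fallback is configured", mismatch)
		}
		if err := maa(c.MAAURL, reported); err != nil {
			return Result{}, fmt.Errorf("%w; MAA fallback also failed: %v", mismatch, err)
		}
		return Result{UsedFallback: true}, nil
	default:
		// Fail closed: an unknown policy must not silently behave like warnOnly.
		return Result{}, fmt.Errorf("unknown enforcementPolicy %q", c.EnforcementPolicy)
	}
}

// sampleDigest derives a deterministic, clearly constructed 48-byte digest from
// a label. These are not real AMD or Azure signing-key digests.
func sampleDigest(label string) []byte {
	d := sha512.Sum384([]byte("constructed sample: " + label))
	return d[:]
}

func main() {
	cfg := SNPFirmwareSignerConfig{
		AcceptedKeyDigests: [][]byte{sampleDigest("known signer")},
		EnforcementPolicy:  MAAFallback,
		MAAURL:             "https://example.invalid/maa", // placeholder; the stand-in below never contacts it
	}
	// Stand-in MAA that vouches only for one rotated key.
	maa := func(_ string, d []byte) error {
		if bytes.Equal(d, sampleDigest("rotated signer")) {
			return nil
		}
		return fmt.Errorf("MAA rejected digest")
	}
	for _, label := range []string{"known signer", "rotated signer", "unknown signer"} {
		res, err := cfg.Verify(sampleDigest(label), maa)
		fmt.Printf("%-15s matched=%v fallback=%v err=%v\n", label, res.Matched, res.UsedFallback, err)
	}
}
```

Two details matter operationally: under maaFallback a missing MAA URL or hook is an error rather than a pass, and an unrecognised policy string fails closed. A warnOnly result carries the warning in Result so the caller decides where to log it; nothing about the policy is inferred from the presence of MAAURL alone.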