migration


Documentation

Overview

Package migration contains outdated Constellation configuration formats (currently the v3 config) and the functions that migrate a file in such a format to the next version. The types here are frozen snapshots of old formats and are not the live config schema.

Index

Constants

const (
	// Version3 is the third version number for Constellation config file.
	// Config.Version carries validate:"eq=v3", so a file must set its version
	// field to exactly this value to pass validation as a v3 config.
	Version3 = "v3"
)

Variables

This section is empty.

Functions

func V3ToV4 added in v2.10.0

func V3ToV4(path string, fileHandler file.Handler) error

V3ToV4 converts an existing v3 config to a v4 config. The config is located by path and accessed through the supplied fileHandler; any read, parse, or write failure is returned as an error. The implementation is not shown on this page, so confirm against the source whether the v3 file is overwritten in place or preserved before relying on it.

Types

type AWSConfig

// AWSConfig are AWS specific configuration values used by the CLI (v3 format).
//
// NOTE(review): DeployCSIDriver is the only pointer field here without
// validate:"required"; the Azure, GCP and OpenStack configs in this package
// all require it, so a nil value passes validation only for AWS.
type AWSConfig struct {
	// Region is the target AWS region; must pass the aws_region validator.
	Region                 string `yaml:"region" validate:"required,aws_region"`
	// Zone is the availability zone; must pass the aws_zone validator.
	Zone                   string `yaml:"zone" validate:"required,aws_zone"`
	// InstanceType is not marked required; when present it must be lowercase
	// and pass the aws_instance_type validator.
	InstanceType           string `yaml:"instanceType" validate:"lowercase,aws_instance_type"`
	// StateDiskType is restricted to the enumerated EBS volume types.
	StateDiskType          string `yaml:"stateDiskType" validate:"oneof=standard gp2 gp3 st1 sc1 io1"`
	// IAMProfileControlPlane is the IAM profile name for control-plane nodes.
	IAMProfileControlPlane string `yaml:"iamProfileControlPlane" validate:"required"`
	// IAMProfileWorkerNodes is the IAM profile name for worker nodes. It is a
	// separate field from the control-plane profile, which lets workers run
	// with a narrower set of permissions.
	IAMProfileWorkerNodes  string `yaml:"iamProfileWorkerNodes" validate:"required"`
	// DeployCSIDriver toggles CSI driver deployment; see the type note above.
	DeployCSIDriver        *bool  `yaml:"deployCSIDriver"`
}

AWSConfig are AWS specific configuration values used by the CLI.

type AWSNitroTPM added in v2.10.0

// AWSNitroTPM is the configuration for AWS Nitro TPM attestation (v3 format).
// The only configurable input is the expected measurement set; the
// no_placeholders validator rejects a measurement map that still contains
// placeholder entries, so a config cannot pass validation without real values.
type AWSNitroTPM struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}

AWSNitroTPM is the configuration for AWS Nitro TPM attestation.

type AWSSEVSNP added in v2.10.0

// AWSSEVSNP is the configuration for AWS SEV-SNP attestation (v3 format).
//
// NOTE(review): unlike AzureSEVSNP in this package, the v3 AWS variant carries
// only measurements — no minimum TCB versions, firmware signer policy or AMD
// root key. Any such checks for AWS in this version are therefore not
// operator-configurable through this struct.
type AWSSEVSNP struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}

AWSSEVSNP is the configuration for AWS SEV-SNP attestation.

type AttestationConfig added in v2.10.0

// AttestationConfig holds the attestation configuration for exactly the
// variant in use (v3 format). Fields are pointers so a variant that is not
// used can be left nil and is then skipped both by YAML (omitempty) and by
// validation (omitempty,dive).
//
// NOTE(review): none of the visible tags requires that at least one variant
// be set; a config with every field nil passes struct validation here, so
// that check — if any — must live elsewhere.
type AttestationConfig struct {
	AWSSEVSNP          *AWSSEVSNP          `yaml:"awsSEVSNP,omitempty" validate:"omitempty,dive"`
	AWSNitroTPM        *AWSNitroTPM        `yaml:"awsNitroTPM,omitempty" validate:"omitempty,dive"`
	AzureSEVSNP        *AzureSEVSNP        `yaml:"azureSEVSNP,omitempty" validate:"omitempty,dive"`
	AzureTrustedLaunch *AzureTrustedLaunch `yaml:"azureTrustedLaunch,omitempty" validate:"omitempty,dive"`
	GCPSEVES           *GCPSEVES           `yaml:"gcpSEVES,omitempty" validate:"omitempty,dive"`
	QEMUTDX            *QEMUTDX            `yaml:"qemuTDX,omitempty" validate:"omitempty,dive"`
	QEMUVTPM           *QEMUVTPM           `yaml:"qemuVTPM,omitempty" validate:"omitempty,dive"`
}

AttestationConfig holds the configuration values used for attestation. Fields should remain pointer types so that provider-specific configs can set the variants they do not need to nil, which both omits them from the serialized file and skips their validation.

type AttestationVersion added in v2.10.0

// AttestationVersion is a version number of an SEV-SNP component (bootloader,
// TEE, SNP firmware or microcode; see AzureSEVSNP) that a config may either
// pin to a concrete number or set to the marker "latest".
type AttestationVersion struct {
	// Value is the concrete version number. AzureSEVSNP documents its version
	// fields as the "lowest acceptable" value, i.e. a lower bound.
	Value      uint8
	// WantLatest records that the config asked for "latest" rather than a
	// number; the MarshalJSON/YAML and UnmarshalJSON/YAML methods resolve that
	// marker. A pinned Value is the more conservative choice, since "latest"
	// is resolved at (un)marshal time rather than fixed in the file.
	WantLatest bool
}

AttestationVersion represents the version of an SEV-SNP component (bootloader, TEE, SNP firmware, or microcode). It holds either a concrete version number or the marker "latest", which the custom marshallers resolve.

func (AttestationVersion) MarshalJSON added in v2.10.0

func (v AttestationVersion) MarshalJSON() ([]byte, error)

MarshalJSON implements a custom marshaller to resolve "latest" values.

func (AttestationVersion) MarshalYAML added in v2.10.0

func (v AttestationVersion) MarshalYAML() (any, error)

MarshalYAML implements a custom marshaller to resolve "latest" values.

func (*AttestationVersion) UnmarshalJSON added in v2.10.0

func (v *AttestationVersion) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON implements a custom unmarshaller to resolve "latest" values.

func (*AttestationVersion) UnmarshalYAML added in v2.10.0

func (v *AttestationVersion) UnmarshalYAML(unmarshal func(any) error) error

UnmarshalYAML implements a custom unmarshaller to resolve "latest" values.

type AzureConfig

// AzureConfig are Azure specific configuration values used by the CLI (v3 format).
type AzureConfig struct {
	// SubscriptionID must be a UUID; note the YAML key is "subscription".
	SubscriptionID       string `yaml:"subscription" validate:"uuid"`
	// TenantID must be a UUID; note the YAML key is "tenant".
	TenantID             string `yaml:"tenant" validate:"uuid"`
	// Location is the Azure region.
	Location             string `yaml:"location" validate:"required"`
	// ResourceGroup is the resource group the deployment lives in.
	ResourceGroup        string `yaml:"resourceGroup" validate:"required"`
	// UserAssignedIdentity is the managed identity assigned to the nodes.
	UserAssignedIdentity string `yaml:"userAssignedIdentity" validate:"required"`
	// InstanceType is not marked required; when present it must pass the
	// azure_instance_type validator.
	InstanceType         string `yaml:"instanceType" validate:"azure_instance_type"`
	// StateDiskType is restricted to the enumerated managed-disk SKUs.
	StateDiskType        string `yaml:"stateDiskType" validate:"oneof=Premium_LRS Premium_ZRS Standard_LRS StandardSSD_LRS StandardSSD_ZRS"`
	// DeployCSIDriver is a required pointer: the file must state it explicitly.
	DeployCSIDriver      *bool  `yaml:"deployCSIDriver" validate:"required"`
	// SecureBoot is a required pointer: the file must state explicitly whether
	// Secure Boot is enabled rather than relying on a zero-value default.
	SecureBoot           *bool  `yaml:"secureBoot" validate:"required"`
}

AzureConfig are Azure specific configuration values used by the CLI.

type AzureSEVSNP added in v2.10.0

// AzureSEVSNP is the configuration for Azure SEV-SNP attestation (v3 format).
//
// Security notes for reviewers of a v3 file:
//   - The four *Version fields are lower bounds ("lowest acceptable"); each
//     may be a pinned number or "latest" (see AttestationVersion).
//   - AMDRootKey is the root of trust for the SEV-SNP certificate chain and is
//     read from the config itself, so anyone who can edit this file can swap
//     the trust anchor. Treat the config file as security-critical.
//   - FirmwareSignerConfig.EnforcementPolicy set to 'warnOnly' downgrades the
//     signing-key check to a warning (see SNPFirmwareSignerConfig).
type AzureSEVSNP struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
	// description: |
	//   Lowest acceptable bootloader version.
	BootloaderVersion AttestationVersion `json:"bootloaderVersion" yaml:"bootloaderVersion"`
	// description: |
	//   Lowest acceptable TEE version.
	TEEVersion AttestationVersion `json:"teeVersion" yaml:"teeVersion"`
	// description: |
	//   Lowest acceptable SEV-SNP version.
	SNPVersion AttestationVersion `json:"snpVersion" yaml:"snpVersion"`
	// description: |
	//   Lowest acceptable microcode version.
	MicrocodeVersion AttestationVersion `json:"microcodeVersion" yaml:"microcodeVersion"`
	// description: |
	//   Configuration for validating the firmware signature.
	FirmwareSignerConfig SNPFirmwareSignerConfig `json:"firmwareSignerConfig" yaml:"firmwareSignerConfig"`
	// description: |
	//   AMD Root Key certificate used to verify the SEV-SNP certificate chain.
	AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
}

AzureSEVSNP is the configuration for Azure SEV-SNP attestation.

type AzureTrustedLaunch added in v2.10.0

// AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation
// (v3 format). It is measurement-only: the no_placeholders validator rejects a
// map that still contains placeholder entries.
type AzureTrustedLaunch struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}

AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation.

type Certificate added in v2.10.0

type Certificate x509.Certificate

Certificate is a wrapper around x509.Certificate allowing custom marshaling.

func (Certificate) MarshalJSON added in v2.10.0

func (c Certificate) MarshalJSON() ([]byte, error)

MarshalJSON marshals the certificate to PEM.

func (Certificate) MarshalYAML added in v2.10.0

func (c Certificate) MarshalYAML() (any, error)

MarshalYAML marshals the certificate to PEM.

func (*Certificate) UnmarshalJSON added in v2.10.0

func (c *Certificate) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals the certificate from PEM.

func (*Certificate) UnmarshalYAML added in v2.10.0

func (c *Certificate) UnmarshalYAML(unmarshal func(any) error) error

UnmarshalYAML unmarshals the certificate from PEM.

type Config

// Config defines the v3 configuration used by the CLI. Only the provider and
// attestation variant that is actually used should be set in the nested
// structs (see ProviderConfig and AttestationConfig).
type Config struct {
	// Version must be exactly "v3" (Version3); anything else fails validation.
	Version             string            `yaml:"version" validate:"eq=v3"`
	// Image is the node OS image reference; image_compatibility is a custom
	// validator not shown on this page.
	Image               string            `yaml:"image" validate:"required,image_compatibility"`
	// Name is the cluster name, checked by the valid_name validator.
	Name                string            `yaml:"name" validate:"valid_name,required"`
	// StateDiskSizeGB is the state disk size; only non-negativity is enforced.
	StateDiskSizeGB     int               `yaml:"stateDiskSizeGB" validate:"min=0"`
	// KubernetesVersion must pass the supported_k8s_version validator.
	KubernetesVersion   string            `yaml:"kubernetesVersion" validate:"required,supported_k8s_version"`
	// MicroserviceVersion is the Constellation microservice version (semver).
	MicroserviceVersion semver.Semver     `yaml:"microserviceVersion" validate:"required"`
	// DebugCluster is a required pointer: the file must state it explicitly
	// so a debug setting is never inherited silently from a zero value.
	DebugCluster        *bool             `yaml:"debugCluster" validate:"required"`
	// Provider holds the provider-specific sub-config; dive validates the
	// variant that is set.
	Provider            ProviderConfig    `yaml:"provider" validate:"dive"`
	// Attestation holds the attestation sub-config; dive validates the
	// variant that is set.
	Attestation         AttestationConfig `yaml:"attestation" validate:"dive"`
}

Config defines configuration used by CLI.

type GCPConfig

// GCPConfig are GCP specific configuration values used by the CLI (v3 format).
type GCPConfig struct {
	// Project is the GCP project ID.
	Project               string `yaml:"project" validate:"required"`
	// Region is the GCP region.
	Region                string `yaml:"region" validate:"required"`
	// Zone is the GCP zone.
	Zone                  string `yaml:"zone" validate:"required"`
	// ServiceAccountKeyPath is a filesystem path to the service account key,
	// not the key material itself; only presence of the path is validated
	// here, so the referenced file's permissions are the operator's concern.
	ServiceAccountKeyPath string `yaml:"serviceAccountKeyPath" validate:"required"`
	// InstanceType is not marked required; when present it must pass the
	// gcp_instance_type validator.
	InstanceType          string `yaml:"instanceType" validate:"gcp_instance_type"`
	// StateDiskType is restricted to the enumerated persistent-disk types.
	StateDiskType         string `yaml:"stateDiskType" validate:"oneof=pd-standard pd-balanced pd-ssd"`
	// DeployCSIDriver is a required pointer: the file must state it explicitly.
	DeployCSIDriver       *bool  `yaml:"deployCSIDriver" validate:"required"`
}

GCPConfig are GCP specific configuration values used by the CLI.

type GCPSEVES added in v2.10.0

// GCPSEVES is the configuration for GCP SEV-ES attestation (v3 format). It is
// measurement-only: the no_placeholders validator rejects a map that still
// contains placeholder entries.
type GCPSEVES struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}

GCPSEVES is the configuration for GCP SEV-ES attestation.

type OpenStackConfig

// OpenStackConfig holds config information for OpenStack based Constellation
// deployments (v3 format).
//
// NOTE(review): Password is a plain string persisted in the config file with
// no validation, i.e. the credential is stored in cleartext alongside the rest
// of the config. Username is required but Password is not — presumably so the
// password can come from another source (e.g. the Cloud entry); confirm
// against the consumer before relying on that.
type OpenStackConfig struct {
	// Cloud is optional (no validate tag); its YAML key is "cloud".
	Cloud                   string `yaml:"cloud"`
	// AvailabilityZone is the target availability zone.
	AvailabilityZone        string `yaml:"availabilityZone" validate:"required"`
	// FlavorID selects the instance flavor.
	FlavorID                string `yaml:"flavorID" validate:"required"`
	// FloatingIPPoolID selects the floating IP pool.
	FloatingIPPoolID        string `yaml:"floatingIPPoolID" validate:"required"`
	// StateDiskType is free-form here (only required), unlike the enumerated
	// sets used by the AWS/Azure/GCP configs.
	StateDiskType           string `yaml:"stateDiskType" validate:"required"`
	// AuthURL is the Keystone endpoint used for authentication.
	AuthURL                 string `yaml:"authURL" validate:"required"`
	// ProjectID and ProjectName identify the OpenStack project.
	ProjectID               string `yaml:"projectID" validate:"required"`
	ProjectName             string `yaml:"projectName" validate:"required"`
	// UserDomainName and ProjectDomainName are the Keystone domains.
	UserDomainName          string `yaml:"userDomainName" validate:"required"`
	ProjectDomainName       string `yaml:"projectDomainName" validate:"required"`
	// RegionName is the OpenStack region.
	RegionName              string `yaml:"regionName" validate:"required"`
	// Username is the account used to authenticate.
	Username                string `yaml:"username" validate:"required"`
	// Password is the account's password, stored in cleartext; see type note.
	Password                string `yaml:"password"`
	// DirectDownload is a required pointer: the file must state it explicitly.
	DirectDownload          *bool  `yaml:"directDownload" validate:"required"`
	// DeployYawolLoadBalancer is a required pointer: the file must state it explicitly.
	DeployYawolLoadBalancer *bool  `yaml:"deployYawolLoadBalancer" validate:"required"`
	// YawolImageID and YawolFlavorID are optional (no validate tag).
	YawolImageID            string `yaml:"yawolImageID"`
	YawolFlavorID           string `yaml:"yawolFlavorID"`
	// DeployCSIDriver is a required pointer: the file must state it explicitly.
	DeployCSIDriver         *bool  `yaml:"deployCSIDriver" validate:"required"`
}

OpenStackConfig holds config information for OpenStack based Constellation deployments.

type ProviderConfig

// ProviderConfig holds the cloud-provider specific configuration for exactly
// the provider in use (v3 format). Fields are pointers so unused providers can
// be left nil and are then omitted from YAML (omitempty) and skipped by
// validation (omitempty,dive).
//
// NOTE(review): none of the visible tags requires that exactly one provider
// be set; a file with zero or several providers passes struct validation
// here, so that check — if any — must live elsewhere.
type ProviderConfig struct {
	AWS       *AWSConfig       `yaml:"aws,omitempty" validate:"omitempty,dive"`
	Azure     *AzureConfig     `yaml:"azure,omitempty" validate:"omitempty,dive"`
	GCP       *GCPConfig       `yaml:"gcp,omitempty" validate:"omitempty,dive"`
	OpenStack *OpenStackConfig `yaml:"openstack,omitempty" validate:"omitempty,dive"`
	QEMU      *QEMUConfig      `yaml:"qemu,omitempty" validate:"omitempty,dive"`
}

ProviderConfig holds the cloud-provider specific configuration values used by the CLI. Fields should remain pointer types so that provider-specific configs can set the providers they do not need to nil, which both omits them from the serialized file and skips their validation.

type QEMUConfig

// QEMUConfig holds config information for QEMU based Constellation
// deployments (v3 format).
//
// NOTE(review): two Go field names differ from their YAML keys —
// MetadataAPIImage is serialized as "metadataAPIServer" and LibvirtURI as
// "libvirtSocket". Migration code must match on the YAML keys, not the names.
type QEMUConfig struct {
	// ImageFormat is restricted to qcow2 or raw.
	ImageFormat           string `yaml:"imageFormat" validate:"oneof=qcow2 raw"`
	// VCPUs is the vCPU count per VM; "required" on an int rejects 0.
	VCPUs                 int    `yaml:"vcpus" validate:"required"`
	// Memory is the memory per VM; "required" on an int rejects 0.
	Memory                int    `yaml:"memory" validate:"required"`
	// MetadataAPIImage is the metadata API server image (YAML key "metadataAPIServer").
	MetadataAPIImage      string `yaml:"metadataAPIServer" validate:"required"`
	// LibvirtURI is the libvirt connection URI (YAML key "libvirtSocket"); optional.
	LibvirtURI            string `yaml:"libvirtSocket"`
	// LibvirtContainerImage is optional.
	LibvirtContainerImage string `yaml:"libvirtContainerImage"`
	// NVRAM is the path to the NVRAM (UEFI variable store) file; required.
	NVRAM                 string `yaml:"nvram" validate:"required"`
	// Firmware is the path to the firmware image; optional.
	Firmware              string `yaml:"firmware"`
}

QEMUConfig holds config information for QEMU based Constellation deployments.

type QEMUTDX added in v2.10.0

// QEMUTDX is the configuration for QEMU TDX attestation (v3 format). It is
// measurement-only: the no_placeholders validator rejects a map that still
// contains placeholder entries.
type QEMUTDX struct {
	// description: |
	//   Expected TDX measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}

QEMUTDX is the configuration for QEMU TDX attestation.

type QEMUVTPM added in v2.10.0

// QEMUVTPM is the configuration for QEMU vTPM attestation (v3 format). It is
// measurement-only: the no_placeholders validator rejects a map that still
// contains placeholder entries.
type QEMUVTPM struct {
	// description: |
	//   Expected TPM measurements.
	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
}

QEMUVTPM is the configuration for QEMU vTPM attestation.

type SNPFirmwareSignerConfig added in v2.10.0

// SNPFirmwareSignerConfig is the v3 configuration for validating the SEV-SNP
// firmware signer (ID key digest).
//
// Security notes:
//   - 'warnOnly' turns a signing-key mismatch into a log line; a VM whose
//     firmware is signed by an unexpected key is still accepted. Use it only
//     for debugging, never in a production config.
//   - MAAURL carries validate:"len=0", so any non-empty value fails validation
//     in this v3 format; a URL for 'maaFallback' therefore cannot be supplied
//     through this field. Presumably it was introduced in a later format —
//     confirm against the v4 types before migrating a file that needs it.
type SNPFirmwareSignerConfig struct {
	// description: |
	//   List of accepted values for the firmware signing key digest.\nValues are enforced according to the 'enforcementPolicy'\n     - 'equal'       : Error if the reported signing key digest does not match any of the values in 'acceptedKeyDigests'\n     - 'maaFallback' : Use 'equal' checking for validation, but fallback to using Microsoft Azure Attestation (MAA) for validation if the reported digest does not match any of the values in 'acceptedKeyDigests'. See the Azure docs for more details: https://learn.microsoft.com/en-us/azure/attestation/overview#amd-sev-snp-attestation\n     - 'warnOnly'    : Same as 'equal', but only prints a warning instead of returning an error if no match is found
	AcceptedKeyDigests idkeydigest.List `json:"acceptedKeyDigests" yaml:"acceptedKeyDigests"`
	// description: |
	//   Key digest enforcement policy. One of {'equal', 'maaFallback', 'warnOnly'}
	EnforcementPolicy idkeydigest.Enforcement `json:"enforcementPolicy" yaml:"enforcementPolicy" validate:"required"`
	// description: |
	//   URL of the Microsoft Azure Attestation (MAA) instance to use for fallback validation. Only used if 'enforcementPolicy' is set to 'maaFallback'.
	MAAURL string `json:"maaURL,omitempty" yaml:"maaURL,omitempty" validate:"len=0"`
}

SNPFirmwareSignerConfig is the configuration for validating the SEV-SNP firmware signer. Note that in this v3 format MAAURL is validated with len=0, so it must be left empty even when enforcementPolicy is 'maaFallback'; and 'warnOnly' only logs a signing-key mismatch rather than rejecting the node.
