config: add separate option for handling attestation parameters #1623

daniel-weisse · 2023-04-06T13:05:03Z

Proposed change(s)

Add new attestation option to the Constellation config file
- Use it to control specific aspects of the attestation validation. For example, a user may specify their own minimum acceptable microcode version for Azure SEV-SNP atestation
Move measurements option from the provider option to attestation
Move and rename idkeydigests and enforceIDKeyDigest option into attestation
Always create MAA provider/provider to allow users switching from Equal or WarnOnly policy to MAAFallback

Additional info

Since this is a breaking change for existing config files, we either need a migration guide, or an option for automatic config migration. Ticket has been created

Checklist

Update docs
Add labels (e.g., for changelog category)
Link to Milestone

...nal/helm/charts/edgeless/constellation-services/charts/join-service/templates/configmap.yaml

internal/config/attestation.go

internal/config/attestation_test.go

internal/config/config.go

internal/watcher/validator.go

internal/watcher/validator_test.go

internal/config/config.go

cli/internal/cmd/upgradeapply.go

internal/config/attestation.go

internal/config/config.go

thomasten

LGTM. I'd like @derpsteb to have a look at the changes to the upgrade code of the CLI if he hasn't done that yet.

cli/internal/cmd/upgradeapply.go

cli/internal/kubernetes/upgrade.go

derpsteb

Azure, 1+1, 2.7.0--> head
GCP, 1+1, 2.7.0 --> head

Code lgtm. Would wait for the upgrade to go through before merging. Should test the migration pretty acurately imo.
EDIT: ugh. we need migrations for the upgrade tests 😁

Tests do not support migration chaining (2.6.0 -> 2.7.0 -> 2.8.0), yet. We should implement that soon.

daniel-weisse · 2023-04-25T11:21:39Z

Fix for the upgrade e2e test and config migration in general available here: #1678

daniel-weisse · 2023-05-02T09:52:21Z

e2e upgrade tests:
Azure: v2.7.0 --> HEAD
GCP: v2.7.0 --> HEAD

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

…ptions Signed-off-by: Daniel Weiße <dw@edgeless.systems>

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Add config migration command * Use config migration in e2e test * Auto accept upgrade in e2e test * Delete GCP storageclass for migration * Add container image pushing to upgrade e2e test --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

daniel-weisse added feature This introduces new functionality breaking change Change breaks existing API or configuration. labels Apr 6, 2023

daniel-weisse added this to the v2.8.0 milestone Apr 6, 2023

daniel-weisse force-pushed the feat/attestation/config branch from 3e2fa54 to 188f4f2 Compare April 6, 2023 14:36

Base automatically changed from feat/attestation/config to main April 6, 2023 15:00

daniel-weisse force-pushed the feat/config/attestation-options branch from 6b4e9b0 to 9232e79 Compare April 11, 2023 06:59

This comment was marked as spam.

Sign in to view

daniel-weisse force-pushed the feat/config/attestation-options branch 2 times, most recently from 44c81b6 to af32533 Compare April 11, 2023 07:58

daniel-weisse marked this pull request as ready for review April 11, 2023 08:03

daniel-weisse requested review from derpsteb and katexochen as code owners April 11, 2023 08:03

daniel-weisse requested a review from thomasten April 11, 2023 08:03

thomasten reviewed Apr 13, 2023

View reviewed changes