Merge branch 'main' into feat/gcp-marketplace-images

edgelesssys · Jan 8, 2024 · 6d9fc9d · 6d9fc9d
2 parents 466dc8f + d3b9513
commit 6d9fc9d
Show file tree

Hide file tree

Showing 167 changed files with 4,097 additions and 24,169 deletions.
diff --git a/.envrc b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.github/actions/deploy_logcollection/action.yml b/.github/actions/deploy_logcollection/action.yml
@@ -90,17 +90,3 @@ runs:
         helm repo update
         helm install filebeat elastic/filebeat \
           --wait --timeout=1200s --values values.yml
-
-    - name: Deploy Metricbeat
-      id: deploy-metricbeat
-      shell: bash
-      working-directory: ./metricbeat
-      env:
-        KUBECONFIG: ${{ inputs.kubeconfig }}
-      run: |
-        helm repo add elastic https://helm.elastic.co
-        helm repo update
-        helm install metricbeat-k8s elastic/metricbeat \
-          --wait --timeout=1200s --values values-control-plane.yml
-        helm install metricbeat-system elastic/metricbeat \
-          --wait --timeout=1200s --values values-all-nodes.yml
diff --git a/.github/actions/e2e_benchmark/action.yml b/.github/actions/e2e_benchmark/action.yml
@@ -26,7 +26,7 @@ runs:
 
   steps:
     - name: Setup python
-      uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
         python-version: "3.10"
 

diff --git a/.github/actions/e2e_s3proxy/action.yml b/.github/actions/e2e_s3proxy/action.yml
@@ -46,7 +46,9 @@ runs:
       shell: bash
       run: |
         bazel run //bazel/release:s3proxy_push
-        echo s3proxyImage=$(cat ./bazel-bin/bazel/release/s3proxy_tag.txt) | tee -a "$GITHUB_OUTPUT"
+        bazel build //bazel/release:s3proxy_tag.txt
+        tagpath=$(bazel cquery --output=files //bazel/release:s3proxy_tag.txt)
+        echo s3proxyImage=$(cat "${tagpath}") | tee -a "$GITHUB_OUTPUT"
 
     - name: Setup s3proxy
       shell: bash

diff --git a/.github/actions/setup_bazel_nix/action.yml b/.github/actions/setup_bazel_nix/action.yml
@@ -281,6 +281,7 @@ runs:
       if: inputs.nixTools != ''
       shell: bash
       env:
+        NIXPKGS_ALLOW_UNFREE: 1
         tools: ${{ inputs.nixTools }}
         repository: ${{ github.repository }}
         gitSha: ${{ github.sha }}

diff --git a/.github/actions/terraform_apply/action.yml b/.github/actions/terraform_apply/action.yml
@@ -83,6 +83,7 @@ runs:
           measurement_salt                   = random_bytes.measurement_salt.hex
           out_of_cluster_endpoint            = "$(yq '.infrastructure.clusterEndpoint' constellation-state.yaml)"
           in_cluster_endpoint                = "$(yq '.infrastructure.inClusterEndpoint' constellation-state.yaml)"
+          kubernetes_version                 = "$(yq '.kubernetesVersion' constellation-conf.yaml)"
           azure = {
             count = "$(yq '.provider | keys | .[0]' constellation-conf.yaml)" == "azure" ? 1 : 0
             tenant_id                   = "$(yq '.provider.azure.tenant' constellation-conf.yaml)"

diff --git a/.github/actions/upload_terraform_module/action.yml b/.github/actions/upload_terraform_module/action.yml
@@ -1,10 +1,5 @@
 name: Upload Terraform infrastructure module
 description: "Upload the Terraform infrastructure module as an artifact."
-inputs:
-  encryptionSecret:
-      description: 'The secret to use for encrypting the artifact.'
-      required: true
-
 
 runs:
   using: "composite"

diff --git a/.github/workflows/check-links.yml b/.github/workflows/check-links.yml
@@ -27,7 +27,5 @@ jobs:
       - name: Link Checker
         uses: lycheeverse/lychee-action@ec3ed119d4f44ad2673a7232460dc7dff59d2421 # v1.8.0
         with:
-          args: "--verbose --no-progress --max-concurrency 5 --exclude-path './internal/constellation/helm/charts/cilium' './**/*.md' './**/*.html'"
+          args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
           fail: true
-        env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
@@ -175,8 +175,6 @@ jobs:
 
       - name: Upload Terraform infrastructure module
         uses: ./.github/actions/upload_terraform_module
-        with:
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
   push-containers:
     runs-on: ubuntu-22.04

diff --git a/.github/workflows/e2e-test-provider-example.yml b/.github/workflows/e2e-test-provider-example.yml
@@ -0,0 +1,286 @@
+name: e2e test Terraform provider example
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        type: string
+        description: "Git ref to checkout"
+      cloudProvider:
+        description: "Which cloud provider to use."
+        type: choice
+        options:
+          - "aws"
+          - "azure"
+          - "gcp"
+        required: true
+      regionZone:
+        description: "Region or zone to create the cluster in. Leave empty for default region/zone."
+        type: string
+      image:
+        description: "OS Image version used in the cluster's VMs. If not set, the latest nightly image from main is used."
+        type: string
+      providerVersion:
+        description: "Constellation Terraform provider version to use (with v prefix). Empty value means build from source."
+        type: string
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        description: "Git ref to checkout"
+      cloudProvider:
+        description: "Which cloud provider to use."
+        type: string
+        required: true
+      regionZone:
+        description: "Which zone to use."
+        type: string
+      image:
+        description: "OS Image version used in the cluster's VMs, as specified in the Constellation config. If not set, the latest nightly image from main is used."
+        type: string
+      providerVersion:
+        description: "Constellation Terraform provider version to use (with v prefix). Empty value means build from source."
+        type: string
+
+jobs:
+  provider-example-test:
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          ref: ${{ inputs.ref || github.head_ref }}
+
+      - name: Get Latest Image
+        id: find-latest-image
+        uses: ./.github/actions/find_latest_image
+        with:
+          git-ref: ${{ inputs.ref }}
+          imageVersion: ${{ inputs.image }}
+          ref: main
+          stream: nightly
+
+      - name: Upload Terraform module
+        uses: ./.github/actions/upload_terraform_module
+
+      - name: Download Terraform module
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: terraform-module
+
+      - name: Unzip Terraform module
+        shell: bash
+        run: |
+          unzip terraform-module.zip -d ${{ github.workspace }}
+          rm terraform-module.zip
+
+      - name: Create resource prefix
+        id: create-prefix
+        shell: bash
+        run: |
+          run_id=${{ github.run_id }}
+          last_three="${run_id: -3}"
+          echo "prefix=e2e-${last_three}" | tee -a "$GITHUB_OUTPUT"
+
+      - name: Log in to the Container registry
+        uses: ./.github/actions/container_registry_login
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup bazel
+        uses: ./.github/actions/setup_bazel_nix
+        with:
+          useCache: "true"
+          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+          nixTools: terraform
+
+      - name: Build Constellation provider and CLI # CLI is needed for the upgrade assert and container push is needed for the microservice upgrade
+        working-directory: ${{ github.workspace }}
+        id: build
+        shell: bash
+        run: |
+          mkdir build
+          cd build
+          bazel run //:devbuild --cli_edition=enterprise
+
+          bazel build //bazel/settings:tag
+          repository_root=$(git rev-parse --show-toplevel)
+          out_rel=$(bazel cquery --output=files //bazel/settings:tag)
+          build_version=$(cat "$(realpath "${repository_root}/${out_rel}")")
+          echo "build_version=${build_version}" | tee -a "$GITHUB_OUTPUT"
+
+      - name: Remove local Terraform registry # otherwise the local registry would be used instead of the public registry
+        if: inputs.providerVersion != ''
+        shell: bash
+        run: |
+          bazel build //bazel/settings:tag
+          repository_root=$(git rev-parse --show-toplevel)
+          out_rel=$(bazel cquery --output=files //bazel/settings:tag)
+          build_version=$(cat "$(realpath "${repository_root}/${out_rel}")")
+
+          terraform_provider_dir="${HOME}/.terraform.d/plugins/registry.terraform.io/edgelesssys/constellation/${build_version#v}/linux_amd64/"
+          rm -rf "${terraform_provider_dir}"
+
+      - name: Login to AWS (IAM + Cluster role)
+        if: inputs.cloudProvider == 'aws'
+        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+        with:
+          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
+          aws-region: eu-central-1
+          # extend token expiry to 6 hours to ensure constellation can terminate
+          role-duration-seconds: 21600
+
+      - name: Login to Azure (IAM + Cluster service principal)
+        if: inputs.cloudProvider == 'azure'
+        uses: ./.github/actions/login_azure
+        with:
+          azure_credentials: ${{ secrets.AZURE_E2E_TF_CREDENTIALS }}
+
+      - name: Login to GCP (IAM + Cluster service account)
+        if: inputs.cloudProvider == 'gcp'
+        uses: ./.github/actions/login_gcp
+        with:
+          service_account: "[email protected]"
+
+      - name: Common CSP Terraform overrides
+        working-directory: ${{ github.workspace }}
+        shell: bash
+        run: |
+          mkdir cluster
+          cd cluster
+          if [[ "${{ inputs.providerVersion }}" == "" ]]; then
+            prefixed_version=${{ steps.build.outputs.build_version }}
+          else
+            prefixed_version="${{ inputs.providerVersion }}"
+          fi
+          version=${prefixed_version#v} # remove v prefix
+
+          if [[ "${{ inputs.providerVersion }}" == "" ]]; then
+            iam_src="../terraform-module/iam/${{ inputs.cloudProvider }}"
+            infra_src="../terraform-module/${{ inputs.cloudProvider }}"
+          else
+            iam_src="https://github.com/edgelesssys/constellation/releases/download/${{ inputs.providerVersion }}/terraform-module.zip//terraform-module/iam/${{ inputs.cloudProvider }}"
+            infra_src="https://github.com/edgelesssys/constellation/releases/download/${{ inputs.providerVersion }}/terraform-module.zip//terraform-module/${{ inputs.cloudProvider }}"
+          fi
+
+          # by default use latest nightly image for devbuilds and release image otherwise
+          if [[ "${{ inputs.providerVersion }}" == "" ]]; then
+            if [[ "${{ inputs.image }}" == "" ]]; then
+              image_version="${{ steps.find-latest-image.outputs.image }}"
+            else
+              image_version="${{ inputs.image }}"
+            fi
+          else
+            if [[ "${{ inputs.image }}" == "" ]]; then
+              image_version="${prefixed_version}"
+            else
+              image_version="${{ inputs.image }}"
+            fi
+          fi
+
+          # take the middle (2nd) supported Kubernetes version (default)
+          kubernetes_version="$(../build/constellation config kubernetes-versions | awk 'NR==3{print $1}')"
+
+          cat > _override.tf <<EOF
+          terraform {
+            required_providers {
+              constellation = {
+                source  = "edgelesssys/constellation"
+                version            = "${version}"
+              }
+            }
+          }
+          locals {
+            name                = "${{ steps.create-prefix.outputs.prefix }}"
+            version            = "${image_version}"
+            microservice_version= "${prefixed_version}"
+            kubernetes_version = "${kubernetes_version}"
+          }
+          module "${{ inputs.cloudProvider }}_iam" {
+            source = "${iam_src}"
+          }
+          module "${{ inputs.cloudProvider }}_infrastructure" {
+            source = "${infra_src}"
+          }
+          EOF
+          cat _override.tf
+
+      - name: Create GCP Terraform overrides
+        if: inputs.cloudProvider == 'gcp'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          region=$(echo ${{ inputs.regionZone || 'europe-west3-b' }} | rev | cut -c 3- | rev)
+
+          cat >> _override.tf <<EOF
+          locals {
+            project_id         = "constellation-e2e"
+            region = "${region}"
+            zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
+          }
+          EOF
+          cat _override.tf
+
+      - name: Create AWS Terraform overrides
+        if: inputs.cloudProvider == 'aws'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          region=$(echo ${{ inputs.regionZone || 'us-east-2c' }} | rev | cut -c 2- | rev)
+
+          cat >> _override.tf <<EOF
+          locals {
+            region = "${region}"
+            zone = "${{ inputs.regionZone || 'us-east-2c' }}"
+          }
+          EOF
+          cat _override.tf
+
+      - name: Copy example Terraform file
+        working-directory: ${{ github.workspace }}
+        shell: bash
+        run: |
+          cp ${{ github.workspace }}/terraform-provider-constellation/examples/full/${{ inputs.cloudProvider }}/main.tf ${{ github.workspace }}/cluster/main.tf
+
+      - name: Apply Terraform Cluster
+        id: apply_terraform
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          terraform init
+          if [[ "${{ inputs.cloudProvider }}" == "azure" ]]; then
+            terraform apply -target module.azure_iam -auto-approve
+            terraform apply -target module.azure_infrastructure -auto-approve
+            ../build/constellation maa-patch "$(terraform output -raw maa_url)"
+            TF_LOG=INFO terraform apply -target constellation_cluster.azure_example -auto-approve
+          else
+            TF_LOG=INFO terraform apply -auto-approve
+          fi
+
+      - name: Destroy Terraform Cluster
+      # outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context)
+        if: always() && steps.apply_terraform.outcome != 'skipped'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          terraform init
+          terraform destroy -auto-approve
+
+      - name: Notify about failure
+        if: |
+          failure() &&
+          github.ref == 'refs/heads/main' &&
+          github.event_name == 'schedule'
+        continue-on-error: true
+        uses: ./.github/actions/notify_e2e_failure
+        with:
+          projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
+          test: "terraform-provider-example"
+          provider: ${{ inputs.cloudProvider }}