cleanup: various minor debugging improvements (#2889)
* ci: improve constellation_create error message

When we hit a timeout due to nodes not coming up, the actual error
message is hard to make out because it's buried in a group. With the
right formatting, the error message will be highlighted in the UI.

Another improvement is to output the state of nodes, which helps
debugging the cause of nodes not joining or not becoming ready.

* cleanup: use NodeVersionResourceName constant

... instead of literal strings.

* ci: correctly notify on e2e upgrade error

* atls: report cert extension OIDs on mismatch

If the certificate contains an attestation document for SEV-SNP, but the
given validator is for Nitro, verifyEmbeddedReport should not claim that
there is no attestation document, but that there is no _compatible_ one
and what the incompatible ones were.
burgerdev authored Feb 2, 2024
1 parent 711b53d commit c020f7a
Showing 5 changed files with 9 additions and 6 deletions.
4 changes: 3 additions & 1 deletion .github/actions/constellation_create/action.yml
Expand Up @@ -221,7 +221,9 @@ runs:
sleep 30
done
if [[ $JOINWAIT -gt $JOINTIMEOUT ]]; then
echo "Timed out waiting for nodes to join"
kubectl get nodes -o wide
echo "::error::Timed out waiting for nodes to join"
echo "::endgroup::"
exit 1
fi
echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined"
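Review bot: The new `kubectl get nodes -o wide` inside the timeout branch has no failure handling; if the step's shell runs with `-e` (GitHub's `shell: bash` default is `bash --noprofile --norc -eo pipefail`) and the API server is unreachable, which is one of the likelier reasons nodes never join, the step aborts on that line and neither the `::error::` annotation nor `::endgroup::` is emitted, leaving the group open and the error unhighlighted. Suggest `kubectl get nodes -o wide || true` so the diagnostic dump is best-effort and the annotation always follows. The enclosing `runs:` step starts above the hunk and its `shell:` setting is not visible here, so confirm which shell options are in effect.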
3 changes: 1 addition & 2 deletions .github/workflows/e2e-upgrade.yml
Expand Up @@ -524,8 +524,7 @@ jobs:
- name: Notify about failure
if: |
always() &&
needs.create-cluster.result != 'success' &&
needs.e2e-upgrade.result != 'success' &&
( needs.create-cluster.result != 'success' || needs.e2e-upgrade.result != 'success' ) &&
github.ref == 'refs/heads/main' &&
inputs.scheduled
continue-on-error: true
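Review bot: The widened `( … != 'success' || … != 'success' )` condition also matches `cancelled` and `skipped` results, because `always()` keeps this step alive after a cancelled scheduled run, so a manually cancelled workflow on main will post a failure notification. If the intent is to notify only on genuine failures, `needs.create-cluster.result == 'failure' || needs.e2e-upgrade.result == 'failure'` is tighter; when create-cluster fails, e2e-upgrade is skipped rather than failed, so the first clause alone already covers that path. This may be deliberate, in which case a one-line comment above the `if:` saying that cancellations are meant to notify would save the next reader the same question. The `Notify about failure` step continues below the hunk.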
4 changes: 3 additions & 1 deletion internal/atls/atls.go
Expand Up @@ -200,6 +200,7 @@ func processCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) (*x509.Certi

// verifyEmbeddedReport verifies an aTLS certificate by validating the attestation document embedded in the TLS certificate.
func verifyEmbeddedReport(validators []Validator, cert *x509.Certificate, hash, nonce []byte) error {
var exts []string
for _, ex := range cert.Extensions {
for _, validator := range validators {
if ex.Id.Equal(validator.OID()) {
Expand All @@ -216,9 +217,10 @@ func verifyEmbeddedReport(validators []Validator, cert *x509.Certificate, hash,
return nil
}
}
exts = append(exts, ex.Id.String())
}

return errors.New("certificate does not contain attestation document")
return fmt.Errorf("certificate does not contain compatible attestation documents: got extension OIDs %#v", exts)
}

func hashPublicKey(pub any) ([]byte, error) {
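Review bot: The new `exts = append(exts, ex.Id.String())` line collects the OID of every certificate extension, not just attestation ones, so the new error message will list standard X.509 extensions (key usage, SAN, basic constraints and the like) alongside the attestation OID that actually mismatched, which makes the message noisier than the commit description suggests and buries the one value a reader wants. Consider also printing what was expected so the mismatch is readable from the message alone: collect `validator.OID().String()` for each validator before the loop into a `want` slice, and render both with `%v` (or `strings.Join`) instead of `%#v`, e.g. `return fmt.Errorf("certificate does not contain compatible attestation documents: got extension OIDs %v, want one of %v", exts, want)`. Lines 204–216 of verifyEmbeddedReport are collapsed in this view, so whether a matched-but-failed validation falls through to the append (and thus lists an OID that did match) is not visible; worth checking.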
2 changes: 1 addition & 1 deletion internal/constellation/kubecmd/kubecmd.go
Expand Up @@ -303,7 +303,7 @@ func (k *KubeCmd) getConstellationVersion(ctx context.Context) (updatev1alpha1.N
Group: "update.edgeless.systems",
Version: "v1alpha1",
Resource: "nodeversions",
}, "constellation-version")
}, constants.NodeVersionResourceName)
if err != nil {
return updatev1alpha1.NodeVersion{}, err
}
2 changes: 1 addition & 1 deletion joinservice/internal/server/server.go
Expand Up @@ -197,7 +197,7 @@ func (s *Server) IssueRejoinTicket(ctx context.Context, req *joinproto.IssueRejo

// getK8sComponentsConfigMapName reads the k8s components config map name from a VolumeMount that is backed by the k8s-version ConfigMap.
func (s *Server) getK8sComponentsConfigMapName(ctx context.Context) (string, error) {
k8sComponentsRef, err := s.kubeClient.GetK8sComponentsRefFromNodeVersionCRD(ctx, "constellation-version")
k8sComponentsRef, err := s.kubeClient.GetK8sComponentsRefFromNodeVersionCRD(ctx, constants.NodeVersionResourceName)
if err != nil {
return "", fmt.Errorf("could not get k8s components config map name: %w", err)
}
